
Firewall and network security are necessary steps. The firewall is blocking the connection. Checking the Internet connection without a router

Control Panel contains all the necessary elements to configure your computer. We will now look at one of these components in more detail.

What is Windows Firewall?




How the Windows Firewall works.


Step 1. Launch Control Panel. To do this, click the Start menu and choose Control Panel.


Here we select the item System and Security.


Step 2. To proceed to the settings, in the window that appears, go to the section Windows Firewall by clicking on it once.


Step 3. If you already have other antivirus software installed on your computer, I recommend disabling Windows Firewall.
If, on the contrary, you have not yet installed an antivirus program, then I recommend turning the firewall on; this will protect your computer from viruses.
But you still need to use the recommended protection settings. To enable these parameters, click on the item.



Step 4. In the new window, in the block Home or work (private) network location settings, set the switch to Turn on Windows Firewall.

In the same block you can tick these items:

- Blocking all incoming connections, including connections specified in the list of allowed programs.
- Notify when Windows Firewall blocks a new program.

I recommend doing it as shown in the picture.

In the block Public network location settings, set the switch to Turn on Windows Firewall.

Having selected all the necessary elements, click OK.

A firewall is a standard program, although a useful one. But for the most part, only Microsoft developers think so! I won’t argue: in a small way it helps to protect the computer from unwanted launches of various kinds of programs that carry some kind of danger. But it does much more harm than good. And if you came to this page, you have probably verified this for yourself.

The main task of a firewall is to protect your computer from unwanted launches of additional software, which we noted earlier. And everything would be fine if it didn't block necessary software, and especially the Internet! Yes, yes, you heard right! And such problems happen quite often.

Internet problem solution

Solving the problem that causes your network connection to be blocked is quite easy, but you will have to spend a little precious time and effort by following these steps:

Treat this stage with understanding. An antivirus is necessary on a computer no matter what, since there is a lot of unsafe material on the Internet. The antivirus will also replace the firewall in the future.

  1. Disable the firewall;

After installing the antivirus, you should disable the firewall. In this case it is no longer needed, because alternative protection is in place.

  1. Stopping firewall-related services;

The fact is that when the standard operating system defender is stopped, its services are not always disabled. They continue to run in exactly the same mode, which leads to a recurrence of the problem. Therefore, be sure to open the services and double-check whether the defender services are enabled. If any are, deactivate them.

This is the final stage for every serious procedure related to computer software. Don't ignore this step! Make sure to restart your computer.

We did all the above but nothing helped. And the problem repeats itself again and again! The possibility of such software behavior cannot be ruled out. Moreover, if it is pirated, some kind of clumsy assembly, then in most cases it will be so! You can get out of this situation in the following ways:

  1. Add a connection to the exclusion list;

Not always, but sometimes it helps to resolve this issue by adding your connection to the exclusion list. That being said, after you do this, turn Windows Defender on and off immediately.


One of the surest ways out of any situation is to use licensed software. The fact is that the original OS works much more stable, lasts longer and does not have as many bugs as pirated OSs. In addition, you can use new updates with peace of mind without fear that your system will crash.

  1. Search and remove potentially unwanted software.

And the final way to fix Internet connection blocking is to search for and remove potentially unwanted programs. It may seem that there is no connection between additional software and the network, but that is not the case. Virus software often works in hidden mode, that is, without the user seeing it. During this time, malicious files may be downloading. As a result, the OS defender reacts and blocks Internet access.

Windows 10 includes several security features to keep your computer secure and your data protected from malware and hackers. One such feature is Windows Firewall, which helps prevent unauthorized access to your computer and block potentially malicious applications.

Although the Firewall works smoothly and reliably most of the time, sometimes you may encounter problems. For example, Firewall services may fail to start, or error 80070424 or service error 5 (0x5) may occur. Additionally, sometimes applications or features, such as Remote Desktop Connection (Remote Assistant), may lose access to shared files and printers due to erroneous blocking by the system firewall.

If you come across any of these or similar problems, there are several steps you can take. You can use the Windows Firewall Troubleshooter, which is an automated tool that scans and fixes common problems. It is also possible to reset the firewall to default settings and manually manage the network access of applications blocked by the Firewall.

To diagnose and fix Firewall problems, use the following steps:

  1. Download the Windows Firewall Troubleshooter from Microsoft.
  2. Run the file WindowsFirewall.diagcab by double-clicking on it.
  3. Click Next.
  4. Depending on the search results, select the option that will fix the problem.
  5. If everything worked successfully, click the “Close” button to complete the troubleshooter.

If the tool fails to fix your issue, click the “View more information” link to see details of all the issues it tried to fix, including general access to files and printers, problems with Remote Assistant and firewall services.

Then you can find more information about the issue using search engines or ask for help in the comments below.

If the Windows Firewall troubleshooter fails to detect the problem, it is likely related to a specific setting on the system. In this scenario, you can try to delete the current configuration and return the settings to default.

Important: After restoring settings to default, you may need to reconfigure applications that request network access through the firewall.

To return your firewall settings to default, follow these steps:

  1. In the left menu, select the “Restore Defaults” option.
  2. Click the “Restore Defaults” button.
  3. Click “Yes” to confirm the operation.

Once you complete these steps, the default rules and settings will be restored and all configuration issues will be resolved.

If the problem is that apps are being blocked by mistake, then you can use the following steps to allow apps to access the network.

  1. Open Control Panel (press the Windows key and type “Control Panel”).
  2. Select “System and Security”.
  3. Click on the “Windows Firewall” section.
  4. In the left menu, select the option “Allow an app or feature through Windows Firewall.”
  5. Click “Change settings” using a device administrator account.
  6. Select the app or service you want to allow.
  7. Select the network type “Private” if the application should only access the local network, or “Public” if the application must interact with the Internet.
  8. Click OK.

Tip: If the app or feature is not shown in the list, click the “Allow another app” button to add it to the list.

You can use these instructions to reconfigure applications after restoring Windows Firewall to default settings.

Although we used Windows 10 in this example, you can use these same instructions to troubleshoot firewall issues in Windows 8.1 and Windows 7.


Windows 7 is protected from network threats by a special system service: the firewall. Sometimes it is also called a personal firewall. Microsoft does not recommend turning Network Defender off, but if you have a third-party firewall installed, you can disable the firewall in Windows 7. Sometimes you may also need to whitelist certain programs in Network Defender.

What is a firewall and why is it needed?

The main purpose of this built-in utility is to filter Internet traffic. It uses a set of predefined rules to identify suspicious activity. Potentially dangerous connections are blocked, preventing attackers from gaining access to the user's computer. Restrictions can also be applied to sending outgoing packets. This ensures the confidentiality of data stored on the hard drive.

Similar functionality is present not only in the operating system, but also on most router models. There is a fundamental difference between the built-in Windows firewall and the router's firewall. When this function is activated on the router, the network security of all home devices is ensured, and not just one PC. There are also separate programs with similar functions that are included neither in the router firmware nor in Windows 7.

Note! A firewall and an antivirus should not be confused. The second type of application has different functionality, since it analyzes not network activity, but user files and the code of running programs. In Microsoft systems there is a separate antivirus service: Windows Defender.

How to enable and configure the firewall

This system component is automatically enabled after installation. Therefore, no additional actions are required to activate the service. At the same time, you can easily check its current status. Just open Control Panel, then select Windows Firewall. There are other things you can do in this section:

  • Disable firewall in Windows 7.
  • Review the current settings.
  • Restore the recommended properties of Network Defender.
  • Change the order in which notifications about service activity are displayed.

If the service is disabled, its status is displayed in red on the main settings page. To enable protection, click the “Use recommended settings” button. For a more detailed configuration, go to the menu using the link that allows you to enable/disable the defender. This page separates the firewall parameters for home and public network connections. The second type of connection usually requires more stringent approaches to data transmission security.

Important! If blocking connections prevents the application you need from working correctly, add it to the exceptions list. This is done on a separate page, which can be enabled through the menu on the left side of the window. Next to the program name, check the boxes, then save the settings.

How to disable the firewall in Windows 7

You can disable the utility through the same control panel item in which you configure Network Defender. The system allows you to completely disable the firewall or stop it working only on private/public networks. After you turn off Defender, the OS will regularly display warnings and prompts to turn it on. To get rid of these messages, use the notification settings section.

To speed up your computer, it is also recommended to disable the corresponding service in the operating system. To do this, open the Start menu and type “msconfig”. Next, open the proposed program and go to the “Services” tab. All background processes that automatically start when the OS boots are displayed here. Find the service with the appropriate name and uncheck the box next to it. Then apply the changes using the button at the bottom of the window.

Important tip!

The System Configuration Utility can also be opened by pressing the key combination “Win+R” (Run). In the window that appears, enter the name “msconfig” and click “OK”.


Windows Firewall with Advanced Security, a Management Console (MMC) snap-in in Windows Vista™, is a stateful firewall for workstations that filters incoming and outgoing connections according to specified settings. You can now configure firewall and IPsec settings using one snap-in. This article describes how Windows Firewall with Advanced Security works, common problems, and solutions.

How Windows Firewall with Advanced Security works

Windows Firewall with Advanced Security is a stateful firewall for workstations. Unlike router firewalls, which are deployed at the gateway between your local network and the Internet, Windows Firewall is designed to run on individual computers. It tracks only the workstation's traffic: traffic incoming to the IP address of this computer, and outgoing traffic from the computer itself. Windows Firewall with Advanced Security performs the following basic operations:

The incoming packet is checked and compared with the list of allowed traffic. If the packet matches one of the list values, Windows Firewall passes the packet to TCP/IP for further processing. If the packet does not match any of the values in the list, Windows Firewall blocks the packet and, if logging is enabled, creates an entry in the log file.

    When a connection controlled by Windows Firewall with Advanced Security sends a packet, the firewall creates a value in the list to allow the return traffic to be accepted. Relevant incoming traffic will require additional permission.

    When you create an allow rule for Windows Firewall with Advanced Security, the traffic for which you created the rule will be allowed on a computer that is running Windows Firewall. This computer will accept explicitly allowed incoming traffic when operating as a server, client computer, or peer-to-peer network host.

The first step to solving problems with Windows Firewall is to check which profile is active. Windows Firewall with Advanced Security is an application that monitors your network environment. The Windows Firewall profile changes as your network environment changes. A profile is a set of settings and rules that are applied depending on the network environment and current network connections.

The firewall distinguishes between three types of network environments: domain, public and private networks. A domain is a network environment in which connections are authenticated by a domain controller. By default, all other network connection types are treated as public networks. When a new connection is detected, Windows Vista prompts the user to indicate whether the network is private or public. The public profile is intended for use in public places, such as airports or cafes. The private profile is intended for use at home or in the office, as well as on a secure network. To define a network as private, the user must have appropriate administrative privileges.

Although the computer can be connected to networks of different types simultaneously, only one profile can be active. The active profile is chosen as follows:

    If all interfaces use domain controller authentication, the domain profile is used.

    If at least one of the interfaces is connected to a private network, and all others are connected to a domain or private networks, the private profile is used.

    In all other cases, the public profile is used.

To determine the active profile, click the Monitoring node in the Windows Firewall with Advanced Security snap-in. The line above the text Firewall State indicates which profile is active. For example, if the domain profile is active, the text Domain Profile is Active is displayed at the top.

By using profiles, Windows Firewall can automatically allow incoming traffic for specific computer management tools when the computer is in a domain, and block the same traffic when the computer is connected to a public or private network. Thus, determining the type of network environment ensures the protection of your local network without compromising the security of mobile users.

Common problems when running Windows Firewall with Advanced Security

The following are the main problems that occur when Windows Firewall with Advanced Security is running:

If traffic is blocked, first check whether the firewall is enabled and which profile is active. If an application is blocked, make sure that the Windows Firewall with Advanced Security snap-in contains an active allow rule for the current profile. To verify that an allow rule exists, double-click the Monitoring node, and then select the Firewall section. If there are no active allow rules for this program, go to the corresponding rules node and create a new rule for this program. Create a rule for a program or service, or specify a rule group that applies to this feature, and make sure that all rules in that group are enabled.

To verify that an allowing rule is not overridden by a blocking rule, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, click the Monitoring node, and then select the Firewall section.

    View the list of all active local and Group Policy rules. Blocking rules override allowing rules even if the latter are more precisely defined.

Group Policy prevents local rules from applying

If Windows Firewall with Advanced Security is configured by using Group Policy, your administrator can specify whether firewall rules or connection security rules created by local administrators will be used. This makes sense if there are configured local firewall rules or connection security rules that are not in the corresponding section of the settings.

To determine why local firewall rules or connection security rules are missing from the Monitoring section, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Windows Firewall Properties link.

    Select the active profile tab.

    In the Settings section, click the Customize button.

    If local rules apply, the Rule merging section will be active.
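
The two checks above (an allow rule overridden by a blocking rule, and local rules ignored because of Group Policy) can also be run from PowerShell. This is an added example, not part of the original article; it assumes the NetSecurity cmdlets of Windows 8 / Windows Server 2012 or later (they are not available on Windows Vista), an elevated session, and a hypothetical program path.

```powershell
# Added example: read-only check for "allow rule exists, traffic still blocked".
# Assumptions: NetSecurity module (Windows 8 / Server 2012 or later), elevated session.
# $ProgramPath is a hypothetical path; pass the executable you are diagnosing.
param(
    [string]$ProgramPath = 'C:\Program Files\ExampleApp\example.exe'
)

# 1. Network category of each connected interface, mapped to firewall profile names.
$activeProfiles = @(
    foreach ($c in @(Get-NetConnectionProfile)) {
        if ("$($c.NetworkCategory)" -eq 'DomainAuthenticated') { 'Domain' }
        else { "$($c.NetworkCategory)" }
    }
) | Select-Object -Unique
"Active profile(s): $($activeProfiles -join ', ')"

# 2. Effective (merged local + Group Policy) state of each profile.
#    AllowLocalFirewallRules = False means locally created rules are not applied.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                 AllowLocalFirewallRules -AutoSize

# 3. Enabled inbound rules in the active store that name this program and
#    apply to an active profile. Rules with Program 'Any' are not listed here.
$hits = foreach ($rule in (Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound)) {
    $ruleProfiles = $rule.Profile.ToString()
    $profileMatch = $ruleProfiles -eq 'Any' -or
        ($activeProfiles | Where-Object { $ruleProfiles -match $_ })
    if (-not $profileMatch) { continue }

    $app     = $rule | Get-NetFirewallApplicationFilter
    $program = [Environment]::ExpandEnvironmentVariables("$($app.Program)")
    if ($program -ieq $ProgramPath) {
        [pscustomobject]@{
            Action  = $rule.Action.ToString()
            Name    = $rule.DisplayName
            Profile = $ruleProfiles
            Source  = $rule.PolicyStoreSourceType   # Local or GroupPolicy
        }
    }
}
$hits | Sort-Object Action | Format-Table -AutoSize

# 4. A blocking rule wins over an allow rule, however specific the allow rule is.
$blocks = @($hits | Where-Object Action -eq 'Block')
$allows = @($hits | Where-Object Action -eq 'Allow')
if ($blocks.Count -and $allows.Count) {
    Write-Warning "Allow rule(s) for $ProgramPath are overridden by: $($blocks.Name -join '; ')"
} elseif (-not $allows.Count) {
    Write-Warning "No enabled inbound allow rule for $ProgramPath in the active profile(s)."
}
```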

Rules that require secure connections may block traffic

When creating a firewall rule for incoming or outgoing traffic, one of the parameters is Allow only secure connections. If this option is selected, you must have an appropriate connection security rule or a separate IPSec policy that determines what traffic is secure. Otherwise, this traffic is blocked.

To verify that one or more application rules require secure connections, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, click the Inbound Rules section. Select the rule you want to check and click the Properties link in the console scope.

    Select the General tab and check whether the radio button Allow only secure connections is selected.

    If the rule is specified with the parameter Allow only secure connections, expand the Monitoring section in the snap-in tree and select the Connection Security Rules section. Ensure that the traffic defined in the firewall rule has appropriate connection security rules.

    Warning:

    If you have an active IPSec policy, ensure that the policy protects the necessary traffic. Do not create connection security rules to avoid conflicting IPSec policy and connection security rules.

Unable to allow outgoing connections

    In the Windows Firewall with Advanced Security snap-in tree, select the Monitoring section. Select the active profile tab and, in the Firewall State section, check that outgoing connections that do not fall under an allowing rule are allowed.

    In the Monitoring section, select the Firewall section to ensure that the required outgoing connections are not specified in blocking rules.

Mixed policies can lead to traffic blocking

You can configure firewall and IPSec settings using various Windows interfaces.

Creating policies in multiple places can lead to conflicts and traffic blocking. The following setting points are available:

    Windows Firewall with Advanced Security. This policy is configured using the appropriate snap-in locally or as part of Group Policy. This policy defines firewall and IPSec settings on computers running Windows Vista.

    Windows Firewall Administrative Template. This policy is configured using the Group Policy Object Editor in the section Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. This interface contains the Windows Firewall settings that were available before Windows Vista, and is designed to configure a GPO that controls previous versions of Windows. Although these parameters can be used for computers running Windows Vista, it is recommended to use the Windows Firewall with Advanced Security policy instead, as it provides greater flexibility and security. Please note that some of the domain profile settings are common to the Windows Firewall Administrative Template and the Windows Firewall with Advanced Security policy, so you can see here the parameters configured in the domain profile using the Windows Firewall with Advanced Security snap-in.

    IPSec Policies. This policy is configured using the local IPSec Policy Management snap-in or the Group Policy Object Editor in the Computer Configuration\Windows Settings\Security Settings\IP Security Policies section on “Local Computer”. This policy defines IPSec settings that can be used by both previous versions of Windows and Windows Vista. This policy and the connection security rules defined in the Windows Firewall with Advanced Security policy should not be used simultaneously on the same computer.

To view all of these options in the appropriate snap-ins, create your own Management Console snap-in and add the Windows Firewall with Advanced Security, Group Policy Management and IP Security Monitor snap-ins to it.

To create your own management console snap-in, follow these steps:

    Click the Start button, go to All Programs, then Accessories, and select Run.

    In the Open text box, type mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or remove a snap-in.

    In the Available snap-ins list, select the Windows Firewall with Advanced Security snap-in and click the Add button.

    Click the OK button.

    Repeat steps 1 through 6 to add the Group Policy Management and IP Security Monitor snap-ins.

To check which policies are active in an active profile, use the following procedure:

To check which policies are applied, follow these steps:

    At the command prompt, type mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or remove a snap-in.

    In the Available snap-ins list, select the Group Policy Management snap-in and click the Add button.

    Click the OK button.

    Expand a node in the tree (usually the tree of the forest in which this computer is located) and double-click the section in the console details pane.

    For Show policy settings for, select the radio button current user or another user. If you do not want to display policy settings for users, but only policy settings for the computer, select the radio button Do not display user policy (only view computer policy) and click the Next button twice.

    Click the Finish button. The Group Policy Results Wizard generates a report in the details pane of the console. The report contains the tabs Summary, Settings and Policy Events.

    To verify that there is no conflict with IP security policies, after generating the report, select the Settings tab and open Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Active Directory. If the last section is missing, then no IP security policy has been set. Otherwise, the name and description of the policy and the GPO to which it belongs will be displayed. If you use an IP security policy and a Windows Firewall with Advanced Security policy with connection security rules at the same time, these policies may conflict. It is recommended to use only one of these policies. The optimal solution is to use IP security policies together with Windows Firewall with Advanced Security rules for incoming or outgoing traffic. If parameters are configured in different places and are not consistent with each other, policy conflicts that are difficult to resolve may arise.

    There may also be conflicts between policies defined in local Group Policy Objects and scripts configured by the IT department. Check all IP security policies using the IP Security Monitor program or by entering the following command at the command prompt:

    To view the settings defined in the Windows Firewall Administrative Template, expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

    To view the latest events related to the current policy, you can go to the tab Policy Events in the same console.

    To view the policy used by Windows Firewall with Advanced Security, open the snap-in on the computer you are diagnosing and review the settings under Monitoring.

To view administrative templates, open the Group Policy snap-in and, in the Group Policy Results section, review whether there are settings inherited from Group Policy that may cause traffic to be rejected.

To view IP security policies, open the IP Security Monitor snap-in. Select the local computer in the tree. In the console scope, select the link Active Policy, Main Mode or Quick Mode. Check for competing policies that may result in traffic being blocked.

In the Monitoring section of the Windows Firewall with Advanced Security snap-in, you can view existing rules from both local and Group Policy. For additional information, refer to the section "Using the monitoring feature in the Windows Firewall with Advanced Security snap-in" of this document.

To stop the IPSec Policy Agent, follow these steps:

    Click the Start button and select Control Panel.

    Click the System and Maintenance icon and select Administrative Tools.

    Double-click the Services icon. If the User Account Control dialog box appears, enter the required user information with the appropriate permissions and click Continue.

    Find the IPSec Policy Agent service in the list.

    If the IPSec Agent service is running, right-click it and select the Stop menu item. You can also stop the IPSec Agent service from the command line using the command

Peer-to-peer policy may cause traffic to be rejected

For connections that use IPSec, both computers must have compatible IP security policies. These policies can be defined using Windows Firewall connection security rules, the IP Security snap-in, or another IP security provider.

To check IP security policy settings on a peer-to-peer network, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, select the Monitoring node and then Connection Security Rules to make sure that IP security policy is configured on both network nodes.

    If one of the computers in a peer-to-peer network is running a version of Windows earlier than Windows Vista, ensure that at least one of the main mode cipher suites and one of the quick mode cipher suites use algorithms that are supported by both hosts.

    1. Click the Main Mode section, select the connection you want to test in the console details pane, then click the Properties link in the console scope. Review the connection properties for both nodes to ensure they are compatible.

      Repeat step 2.1 for the Quick Mode section. Review the connection properties for both nodes to ensure they are compatible.

    If you are using Kerberos version 5 authentication, ensure that the host is in the same or a trusted domain.

    If you are using certificates, make sure the required boxes are checked. Certificates that use IPSec Internet Key Exchange (IKE) require a digital signature. Certificates that use Authenticated Internet Protocol (AuthIP) require client authentication (depending on the server's authentication type). For more information about AuthIP certificates, please refer to the article AuthIP in Windows Vista on the Microsoft website.

Windows Firewall with Advanced Security cannot be configured

Windows Firewall with Advanced Security settings are grayed out in the following cases:

    The computer is connected to a network with centralized management, and the network administrator uses Group Policy to configure Windows Firewall with Advanced Security settings. In this case, at the top of the Windows Firewall with Advanced Security snap-in you will see the message "Some settings are controlled by Group Policy." Your network administrator configures the policy, thereby preventing you from changing Windows Firewall settings.

    A computer running Windows Vista is not connected to a centrally managed network, but Windows Firewall settings are determined by local Group Policy.

To change Windows Firewall with Advanced Security settings using Local Group Policy, use the Local Computer Policy snap-in. To open this snap-in, enter secpol at the command prompt. If the User Account Control dialog box appears, confirm the requested action and click Continue. Go to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security to configure Windows Firewall with Advanced Security policy settings.

The computer does not respond to ping requests

The main way to test connectivity between computers is to use the Ping utility to test connectivity to a specific IP address. During a ping, an ICMP echo message (also known as an ICMP echo request) is sent and an ICMP echo response is requested in return. By default, Windows Firewall rejects incoming ICMP echo messages, so the computer cannot send an ICMP echo response.

Allowing incoming ICMP echo messages will allow other computers to ping your computer. On the other hand, this will make the computer vulnerable to attacks using ICMP echo messages. However, it is recommended to temporarily allow incoming ICMP echo messages if necessary, and then disable them.

To allow ICMP echo messages, create new inbound rules that allow ICMPv4 and ICMPv6 echo request packets.

To allow ICMPv4 and ICMPv6 echo requests, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select the Inbound Rules node and click the New Rule link in the console action area.

    Select the Custom option and click the Next button.

    Select All programs and click the Next button.

    In the Protocol type drop-down list, select ICMPv4.

    Click the Customize button for the ICMP protocol settings item.

    Set the radio button to Specific ICMP types, check the Echo Request box, click OK, and then click Next.

    At the stage of selecting the local and remote IP addresses this rule applies to, set the switches to Any IP address or Specified IP addresses. If you select Specified IP addresses, specify the required IP addresses, click the Add button, and then click Next.

    Select Allow the connection and click the Next button.

    At the profile selection stage, select one or more profiles (domain, private or public) in which you want to use this rule and click the Next button.

    In the Name field enter the name of the rule, and in the Description field an optional description. Click the Finish button.

    Repeat the above steps for the ICMPv6 protocol, selecting ICMPv6 instead of ICMPv4 in the Protocol type drop-down list.
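
The same ICMPv4 and ICMPv6 echo request rules can be created from PowerShell and removed again once testing is finished, which matches the advice to allow echo only temporarily. This is an added example, not part of the original article; it assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later) and an elevated session, and the rule names, the group label and the choice of scope (local subnet, domain and private profiles) are assumptions.

```powershell
# Added example: temporary inbound echo-request rules, scoped and easy to remove.
# Assumptions: NetSecurity module (Windows 8 / Server 2012 or later), elevated session.
# The group label and display names are hypothetical; choose your own.
param(
    [switch]$Remove      # run again with -Remove when the connectivity test is done
)

$group = 'Temp-Diag-Echo'

if ($Remove) {
    # Delete every rule that carries the temporary group label.
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    return
}

# Echo request is ICMPv4 type 8 and ICMPv6 type 128.
$echo = @(
    @{ Protocol = 'ICMPv4'; IcmpType = 8 },
    @{ Protocol = 'ICMPv6'; IcmpType = 128 }
)

foreach ($e in $echo) {
    # Scope: only hosts on the local subnet, and never on the public profile.
    New-NetFirewallRule `
        -DisplayName   "Temp: allow $($e.Protocol) echo request" `
        -Group         $group `
        -Direction     Inbound `
        -Protocol      $e.Protocol `
        -IcmpType      $e.IcmpType `
        -RemoteAddress LocalSubnet `
        -Profile       Domain, Private `
        -Action        Allow | Out-Null
}

# Show what was created, including the profiles and scope the rules apply to.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name     = $_.DisplayName
        Enabled  = $_.Enabled
        Profile  = $_.Profile
        Protocol = $port.Protocol
        IcmpType = $port.IcmpType
        Remote   = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```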

If you have active connection security rules, temporarily excluding ICMP from the IPsec requirements may help resolve problems. To do this, open the Properties dialog box in the Windows Firewall with Advanced Security snap-in, go to the IPSec Settings tab, and select Yes in the drop-down list for the Exempt ICMP from IPSec parameter.

Note

Windows Firewall settings can only be changed by administrators and network operators.

Unable to share files and printers

If you can't share files and printers on a computer with Windows Firewall active, make sure that all rules in the File and Printer Sharing group are enabled. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node, find the File and Printer Sharing group, select each disabled rule and click Enable Rule in the Actions pane.

Attention:

It is strongly recommended not to enable file and printer sharing on computers that are directly connected to the Internet, as attackers may try to access shared files and harm you by damaging your personal files.

Windows Firewall cannot be administered remotely

If you are unable to remotely administer a computer with Windows Firewall active, make sure that all rules in the Windows Firewall Remote Management group are enabled for the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node and scroll the list of rules to the Remote Management group. Make sure these rules are enabled. Select each of the disabled rules and click Enable Rule in the Actions pane. Additionally, make sure that the IPsec Policy Agent service is enabled. This service is required for remote management of Windows Firewall.

To verify that the IPSec Policy Agent is running, follow these steps:

    Click Start and select Control Panel.

    Click the System and Maintenance icon and select Administrative Tools.

    Double-click the Services icon.

    If the User Account Control dialog box appears, enter the credentials of a user with the appropriate permissions and click Continue.

    Find the IPsec Policy Agent service in the list and make sure its status is "Started".

    If the IPsec Policy Agent service is stopped, right-click it and select Start from the context menu. You can also start the service from the command line with the command net start policyagent.

Note

By default, the IPsec Policy Agent service is started. This service should be running unless it was stopped manually.

Windows Firewall troubleshooting tools

This section describes tools and techniques that can be used to solve common problems. This section consists of the following subsections:

Use monitoring features in Windows Firewall with Advanced Security

The first step in solving Windows Firewall problems is to review the current rules. The Monitoring feature lets you view the rules in effect based on local and group policies. To view the current inbound and outbound rules, select the Monitoring section in the Windows Firewall with Advanced Security snap-in tree, and then select the Firewall section. In this section you can also view the current connection security rules and security associations (Main Mode and Quick Mode).

Enable and use security auditing using the auditpol command-line tool

By default, audit options are disabled. To configure them, use the auditpol.exe command-line tool, which changes the audit policy settings on the local computer. Auditpol can be used to enable or disable different categories of events, which you can then view in the Event Viewer snap-in.

    To view a list of categories supported by auditpol, enter at the command prompt:

    To view a list of subcategories that are included in a given category (for example, the Policy Change category), enter at the command prompt:

    auditpol.exe /list /subcategory:"Policy Change"

    To enable a category or subcategory, enter at the command prompt:

    auditpol.exe /set /category:"CategoryName" /subcategory:"SubcategoryName"

For example, to set audit policies for a category and its subcategory, you would enter the following command:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

Category: Policy Change

    MPSSVC Rule-Level Policy Change

    Filtering Platform Policy Change

Category: Logon/Logoff

    IPsec Main Mode

    IPsec Quick Mode

    IPsec Extended Mode

Category: System

    IPsec Driver

    Other System Events

Category: Object Access

    Filtering Platform Packet Drop

    Filtering Platform Connection

For security audit policy changes to take effect, you must restart the local computer or force a manual policy update. To force a policy update, enter at the command prompt:

secedit /refreshpolicy <policy_name>

After diagnostics are complete, you can disable event auditing by replacing the enable parameter in the above commands with disable and running the commands again.

View security audit events in the event log

After you enable auditing, use Event Viewer to view audit events in the Security Event Log.

To open Event Viewer in the Administrative Tools folder, follow these steps:

    Click Start.

    Select Control Panel. Click the System and Maintenance icon and select Administrative Tools.

    Double-click the Event Viewer icon.

To add Event Viewer to the MMC, follow these steps:

    Click Start, go to All Programs, then Accessories, and select Run.

    In the Open text box, enter mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or remove a snap-in.

    In the Available snap-ins list, select the Event Viewer snap-in and click Add.

    Click OK.

    Before closing the snap-in, save the console for future use.

In the Event Viewer snap-in, expand the Windows Logs section and select the Security node. In the console work area, you can view security audit events. All events are displayed at the top of the console work area. Click an event at the top of the console work area to display detailed information at the bottom of the panel. The General tab contains a description of the event as plain text. On the Details tab, the following display options are available: Friendly View and XML View.

Configure the firewall log for a profile

Before you can view firewall logs, you must configure Windows Firewall with Advanced Security to generate log files.

To configure logging for a Windows Firewall with Advanced Security profile, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select Windows Firewall with Advanced Security and click Properties in the Actions pane.

    Select the tab of the profile for which you want to configure logging (domain profile, private profile, or public profile), and then click Customize in the Logging section.

    Specify the name and location of the log file.

    Specify the maximum size of the log file (from 1 to 32767 kilobytes).

    In the Log dropped packets drop-down list, select Yes.

    In the Log successful connections drop-down list, select Yes and then click OK.

View firewall log files

Open the file you specified during the previous procedure, “Configuring the Firewall Log for a Profile.” To access the firewall log, you must have local administrator rights.

You can view the log file using Notepad or any text editor.

Analyzing Firewall Log Files

The information recorded in the log is shown in the following table. Some data is specified only for certain protocols (TCP flags, ICMP type and code, etc.), and some data is specified only for dropped packets (size).

date. Displays the year, month and day on which the event was recorded. The date is written in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.

time. Displays the hour, minute and second at which the event was recorded. Time is written in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is the minute, and SS is the second.

action. Indicates the action performed by the firewall. The following actions exist: OPEN, CLOSE, DROP and INFO-EVENTS-LOST. The INFO-EVENTS-LOST action indicates that multiple events occurred but were not logged.

protocol. Displays the protocol used for the connection. This entry can also be a number for packets that do not use TCP, UDP, or ICMP.

src-ip. Displays the IP address of the sending computer.

dst-ip. Displays the IP address of the recipient computer.

src-port. Displays the source port number of the sending computer. The source port value is written as an integer from 1 to 65535. The correct source port value is displayed for TCP and UDP protocols only. For other protocols, "-" is written as the source port.

dst-port. Displays the port number of the destination computer. The destination port value is written as an integer from 1 to 65535. The correct destination port value is displayed for TCP and UDP protocols only. For other protocols, "-" is written as the destination port.

size. Displays the packet size in bytes.

tcpflags. Displays the TCP protocol control flags found in the TCP header of an IP packet.

    Ack. Acknowledgment field significant

    Fin. No more data from sender

    Psh. Push function

    Rst. Reset the connection

    Syn. Synchronize sequence numbers

    Urg. Urgent Pointer field significant

Each flag is denoted by the first capital letter of its name. For example, the Fin flag is denoted as F.

tcpsyn. Displays the TCP sequence number in the packet.

tcpack. Displays the TCP acknowledgment number in the packet.

tcpwin. Displays the TCP packet window size in bytes.

icmptype. Displays a number representing the Type field in an ICMP message.

icmpcode. Displays a number representing the Code field in an ICMP message.

info. Displays information based on the action performed. For example, for the INFO-EVENTS-LOST action, the value of this field indicates the number of events that have occurred but not been logged since the last occurrence of an event of this type.

Note

The hyphen (-) is used in fields of the current record that do not contain any information.
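
Reading the log in Notepad does not scale past a few dozen lines. The Python example below is added here and is not part of the original article: it parses a log using the "#Fields:" header line that the firewall writes at the top of the file, treats "-" as an empty field, and counts dropped packets per source, protocol and destination. The sample log is constructed and uses documentation addresses.

```python
from collections import Counter

# Constructed sample in the firewall log layout (documentation addresses).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2024-03-01 09:15:02 DROP TCP 203.0.113.7 192.0.2.10 51515 445 52 S 1846290123 0 8192 - - -
2024-03-01 09:15:03 DROP TCP 203.0.113.7 192.0.2.10 51516 445 52 S 1846290999 0 8192 - - -
2024-03-01 09:15:04 OPEN TCP 192.0.2.10 198.51.100.20 49160 443 - - - - - - - -
2024-03-01 09:15:05 DROP ICMP 203.0.113.9 192.0.2.10 - - 60 - - - - 8 0 -
2024-03-01 09:15:06 INFO-EVENTS-LOST - - - - - - - - - - - - 14
2024-03-01 09:15:07 DROP UDP 203.0.113.7 192.0.2.10 40000 137 78 - - - - - - -
"""
FLAG_NAMES = {"A": "Ack", "F": "Fin", "P": "Psh", "R": "Rst", "S": "Syn", "U": "Urg"}

def parse_log(text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            # "-" marks a field that holds no information for this record.
            yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split())}

def decode_flags(letters):
    """Expand tcpflags letters such as "SA" into flag names."""
    return [FLAG_NAMES[c] for c in (letters or "") if c in FLAG_NAMES]

def summarize(text):
    """Return (drops per (source, protocol, target), count of unlogged events)."""
    drops, lost = Counter(), 0
    for rec in parse_log(text):
        if rec["action"] == "DROP":
            # TCP/UDP records carry a destination port; ICMP records a type.
            target = rec["dst-port"] or "icmp-type %s" % rec["icmptype"]
            drops[(rec["src-ip"], rec["protocol"], target)] += 1
        elif rec["action"] == "INFO-EVENTS-LOST":
            lost += int(rec["info"] or 0)
    return drops, lost

if __name__ == "__main__":
    drops, lost = summarize(SAMPLE_LOG)
    for key, n in drops.most_common():
        print(n, *key)
    print("events not logged:", lost)
```

A non-zero count of unlogged events means the summary is incomplete for that period, so it is reported separately rather than ignored.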

Creating netstat and tasklist text files

You can create two custom log files: one to view network statistics (a list of all listening ports) and another to view the task lists of services and applications. The task list contains the process identifier (PID) for the events contained in the network statistics file. The procedure for creating these two files is described below.

To create the network statistics and task list text files, follow these steps:

    At the command prompt, enter netstat -ano > netstat.txt and press ENTER.

    At the command prompt, enter tasklist > tasklist.txt and press ENTER. If you need to create a text file with a list of services, enter tasklist /svc > tasklist.txt.

    Open the tasklist.txt and netstat.txt files.

    Find the process identifier (PID) of the process you are diagnosing in the tasklist.txt file and compare it with the value contained in the netstat.txt file. Record the protocols used.

Example of Tasklist.txt and Netstat.txt output

Netstat.txt
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:XXX 0.0.0.0:0 LISTENING 122
TCP 0.0.0.0:XXXXX 0.0.0.0:0 LISTENING 322
Tasklist.txt
Image Name PID Session Name Session# Mem Usage
==================== ======== ================ =========== ============
svchost.exe 122 Services 0 7,172 K
XzzRpc.exe 322 Services 0 5,104 K

Note

The real IP addresses are changed to "X" and the RPC service is changed to "z".
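
The manual comparison of the two files can be automated. The Python example below is added here and is not part of the original article: it joins netstat -ano output with tasklist output on the PID and lists every listening endpoint with its image name. The sample output is constructed; PIDs 122 and 322 and their image names follow the example above, while the ports, addresses and PID 4444 are made up.

```python
import re

# Constructed sample output; ports, addresses and PID 4444 are made up.
NETSTAT_TXT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       122
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       322
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4444
  TCP    192.0.2.10:49170       198.51.100.20:443      ESTABLISHED     900
  TCP    [::]:135               [::]:0                 LISTENING       122
  UDP    0.0.0.0:500            *:*                                    122
"""
TASKLIST_TXT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    122 Services                   0      7,172 K
XzzRpc.exe                     322 Services                   0      5,104 K
"""

def parse_tasklist(text):
    """Map PID -> image name; works for tasklist and tasklist /svc rows."""
    images = {}
    for line in text.splitlines():
        # Image names may contain spaces, so take everything up to the
        # first all-digit column (the PID). Header and ruler never match.
        m = re.match(r"(\S.*?)\s+(\d+)\s", line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images

def listeners(netstat_text, tasklist_text):
    """Return sorted (proto, local endpoint, pid, image) for listening ports."""
    images = parse_tasklist(tasklist_text)
    found = set()
    for line in netstat_text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column; each one is a bound endpoint.
        if tok[0] == "TCP" and tok[3] != "LISTENING":
            continue
        pid = int(tok[-1])
        found.add((tok[0], tok[1], pid, images.get(pid, "<not in tasklist>")))
    return sorted(found)

if __name__ == "__main__":
    for row in listeners(NETSTAT_TXT, TASKLIST_TXT):
        print("%-4s %-22s PID %-5d %s" % row)
```

A listener whose PID is missing from the task list usually means the two files were captured at different moments, so create both files again before drawing conclusions.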

Make sure essential services are running

The following services must be running:

    Base Filtering Engine

    Group Policy Client

    IKE and AuthIP IPsec Keying Modules

    IP Helper

    IPsec Policy Agent

    Network Location Awareness

    Network List Service

    Windows Firewall

To open the Services snap-in and verify that the required services are running, follow these steps:

    Click Start and select Control Panel.

    Click the System and Maintenance icon and select Administrative Tools.

    Double-click the Services icon.

    If the User Account Control dialog box appears, enter the credentials of a user with the appropriate permissions and click Continue.

    Make sure the services listed above are running. If one or more services are not running, right-click the service name in the list and select Start.

Additional way to solve problems

As a last resort, you can restore your Windows Firewall settings to their defaults. Restoring the defaults discards all settings made since Windows Vista was installed. This may cause some programs to stop working. Also, if you control the computer remotely, the connection to it will be lost.

Before restoring default settings, make sure that you have saved your current firewall configuration. This will allow you to restore your settings if necessary.

Below are the steps to save your firewall configuration and restore the default settings.

To save the current firewall configuration, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Export Policy link in the Actions pane.

To restore your firewall settings to default, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Restore Defaults link in the Actions pane.

    When you receive a Windows Firewall with Advanced Security prompt, click Yes to restore default values.

Conclusion

There are many ways to diagnose and resolve problems with Windows Firewall with Advanced Security. Among them:

    Using the Monitoring feature to view firewall actions, connection security rules, and security associations.

    Analyzing security audit events related to Windows Firewall.

    Creating tasklist and netstat text files for comparative analysis.
