About lockdown mode
A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.
Microsoft Forefront Threat Management Gateway provides a lockdown feature that combines the need for isolation with the need to stay connected. Whenever the Microsoft Firewall service shuts down, Forefront TMG enters lockdown mode. This occurs when:
- An event triggers an alert that is configured to shut down the Firewall service. For example, by default, the Log Failure alert is configured to shut down the Firewall service. You can also configure alert definitions to shut down the Firewall service in response to specific events. Essentially, you can specify the circumstances under which Forefront TMG enters lockdown mode.
- The Microsoft Firewall service (fwsrv) is manually shut down from a command line or in Forefront TMG Management. If you become aware of malicious attacks, you can shut down the Firewall service, while configuring the Forefront TMG computer and the network to handle the attacks.
In lockdown mode, the following functionality applies:
- The kernel-mode packet filter driver (fweng) applies the firewall policy.
- Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
- The following system policy rules continue to allow incoming traffic to the Local Host network unless they are disabled:
- Allow remote management from selected computers using MMC.
- Allow remote management from selected computers using Terminal Server.
- Allow DHCP replies from DHCP servers to Forefront TMG.
- Allow ICMP (PING) requests from selected computers to Forefront TMG.
- VPN remote access clients cannot access Forefront TMG. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
- Any changes to the network configuration that are made in lockdown mode are applied only after the Firewall service restarts and Forefront TMG exits lockdown mode.
- Forefront TMG does not issue any alerts.
Thus, Dynamic Host Configuration Protocol (DHCP) traffic is always allowed. DHCP requests on User Datagram Protocol (UDP) port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back in.
Leaving lockdown mode
When the Firewall service restarts, Forefront TMG exits lockdown mode and continues functioning, as previously. Any changes made to the Forefront TMG configuration are applied after Forefront TMG exits lockdown mode.
Lockdown mode and logging
Logging failures raise an event that triggers the built-in Log Failure alert, whose default action shuts down the Microsoft Firewall service and causes Forefront TMG to go into lockdown mode.
When an attack occurs, many events are logged. By default, if resources are depleted by an attack and Forefront TMG becomes unable to continue logging activity, Forefront TMG generates an event that triggers the Log Failure alert, whose default action shuts down the Microsoft Firewall service and causes Forefront TMG to go into lockdown mode. If you disable the action of the Log Failure alert, the Firewall service continues to run when logging failures occur. For more information about modifying this behavior, see Configuring logging to avoid lockdown.