Using Monitoring in Windows Firewall with Advanced Security

Applies To: Windows 7, Windows Server 2008 R2

The first step you typically take in troubleshooting a Windows Firewall or IPsec problem is to view which rules are currently being applied to the computer. Using the Monitoring node in Windows Firewall with Advanced Security enables you to see the rules currently being applied both locally and by Group Policy.

To open the Monitoring node in Windows Firewall with Advanced Security

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation tree, select and then expand Monitoring.

  2. In the navigation tree, select Firewall to view the currently active inbound and outbound rules. You can double-click a rule to view its details.

  3. In the navigation tree, select Connection Security Rules to view the currently active connection security rules that implement IPsec requirements on network traffic. You can double-click a rule to view its details.

  4. For either Firewall or Connection Security Rules, you can determine where a rule came from. In the Actions pane, click View, and then click Add/Remove Columns. In the Available columns list, select Rule Source, click Add, position it in the Displayed columns list by clicking Move Up or Move Down, and then click OK. It can take a few seconds for the list to appear with the new information.

  5. In the navigation tree, expand Security Associations, and then select either Main Mode or Quick Mode to view the currently active security associations that are established between the local computer and various remote computers.

Troubleshooting considerations for firewall rules

  • Only one firewall rule is used to determine whether a network packet is allowed or dropped. If the network packet matches multiple rules, the rule that is used is selected in the following order of precedence:

    • Rules that specify the action Allow if Secure and also the option Block Override

    • Rules that specify the action Block

    • Rules that specify the action Allow

  • Only currently active rules are displayed in the Monitoring node. Rules might not appear in the list if:

    • The rule is disabled.

    • The default inbound or outbound firewall behavior is configured to allow traffic that is not blocked by a rule. In that case, allow rules of the specified direction are not displayed.

  • By default, the firewall rules in the groups identified in the following list are enabled. Additional rules might be enabled when you install certain Windows Features or programs.

    • Core Networking – all profiles

    • Remote Assistance – DCOM and RA Server TCP rules for domain profile only, other rules for both domain and private profiles

    • Network Discovery – private profile only
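
The rule precedence and the Monitoring display conditions described above can be modeled in a few lines. This is an added example, not Microsoft code: the Rule class, the function names, and the sample rules are constructed for illustration, and the model assumes the caller passes in only the rules that already match the packet.

```python
from dataclasses import dataclass

# Precedence from the list above; a lower number wins.
# "secure_override" stands for Allow if Secure with the Block Override option.
TIER = {"secure_override": 0, "block": 1, "allow": 2}

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in" or "out"
    action: str           # a key of TIER
    enabled: bool = True

def deciding_rule(matching, default_action):
    """Return (verdict, rule) for one packet, given the rules that match it."""
    active = [r for r in matching if r.enabled]
    if not active:
        # No active rule matches: the profile's default behavior decides.
        return default_action, None
    winner = min(active, key=lambda r: TIER[r.action])
    verdict = "block" if winner.action == "block" else "allow"
    return verdict, winner

def shown_in_monitoring(rules, defaults):
    """Rules that would be listed under Monitoring > Firewall.

    defaults maps a direction to its default behavior ("allow" or "block").
    Assumption: "allow rules" means rules with the plain Allow action.
    """
    return [
        r for r in rules
        if r.enabled
        and not (r.action == "allow" and defaults[r.direction] == "allow")
    ]

# Constructed sample rule set (names are hypothetical).
RULES = [
    Rule("Allow RDP", "in", "allow"),
    Rule("Block RDP", "in", "block"),
    Rule("Admin bypass", "in", "secure_override"),
    Rule("Old allow", "in", "allow", enabled=False),
    Rule("Allow web out", "out", "allow"),
    Rule("Block telnet out", "out", "block"),
]
DEFAULTS = {"in": "block", "out": "allow"}

if __name__ == "__main__":
    print(deciding_rule(RULES[:2], DEFAULTS["in"]))
    print([r.name for r in shown_in_monitoring(RULES, DEFAULTS)])
```

With these sample rules, the block rule wins over the plain allow rule for the same traffic, and the outbound allow rule is absent from the Monitoring list because the outbound default already allows the traffic.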