So, you’ve verified your firewall appliance is allowing your application traffic, you’ve ensured your routers are getting the traffic where it needs to go, and your access control lists on your switches are perfect. A packet capture on your switch shows the traffic getting to your Windows server. Why isn’t it working? I’ve run into the Windows server itself blocking traffic destined to its own applications far too often, and it has taken me more time than I’d like to admit to come to that conclusion. In this blog, I’d like to show you some of the techniques I use when the only explanation left is that the Windows OS itself is dropping the traffic. I’m hoping the time I spent learning this gives you a shortcut to success!
The two Windows technologies we’ll be exploring are Windows Filtering Platform (WFP) and Windows Firewall with Advanced Security (WFAS). WFP (Microsoft’s documentation covers it in detail) is a set of APIs and system services for building network filtering software. It’s mainly used by developers who write Windows applications: antivirus products, VPN clients and endpoint agents register their own WFP filters, so something running on your machine may be filtering traffic without your knowledge. WFAS is far better known, and you may already be familiar with it; under the hood it is itself a consumer of WFP, which is why a dropped packet can come from either one. In any case, let’s step through a few scenarios.
WFAS is more common, and it has a GUI, so let’s start there. I’ll show you the CLI afterwards; it’s much faster.
I open Windows Firewall by pressing Win+R, then typing wf.msc.
If you’d prefer, you can just search for “firewall”, open Windows Defender Firewall, then click on Advanced settings.
We can log dropped packets in our firewall log by going to the firewall properties and customizing the logging settings per profile. Dropped-packet logging is off by default, so nothing shows up until you enable it. As you go through the steps, (unless it was changed) you’ll see the default log for all profiles is %systemroot%\system32\LogFiles\Firewall\pfirewall.log. Because every profile points at that same file by default, turning dropped-packet logging on for all profiles still means checking a single file for output. Two things to keep in mind: the service writes the log in batches, so give it a few seconds after a failed connection before concluding nothing was dropped, and this log only records drops made by Windows Firewall’s own rules, not by filters a third-party product registered directly with WFP. I’ll go through one example and let you decide if you need to check the other profiles (Microsoft documents the firewall profiles if you need more background).
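The same checks from PowerShell, as an added example that is not part of the original post. It shows what I would type on the server itself: confirm each profile’s default inbound action (Block out of the box, so an application with no allow rule is dropped even though no rule says “block”), enable dropped-packet logging for all profiles, list enabled inbound rules that touch the port, and parse pfirewall.log by its `#Fields:` header rather than fixed columns. The port 8443 and the sample log lines are constructed for illustration.

```powershell
# Added example (not from the original post): WFAS checks from an elevated PowerShell session.
# The port and the sample log lines below are assumptions for illustration.

$Port     = 8443          # the application port you are troubleshooting (assumed)
$Protocol = 'TCP'

# 1. Is the firewall on, and what happens to inbound traffic that matches no allow rule?
#    DefaultInboundAction is Block on every profile by default.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# 2. Turn on dropped-packet logging for all profiles (same as the GUI "Log dropped packets: Yes").
#    The default file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log, default size 4096 KB.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogMaxSizeKilobytes 16384

# 3. Which enabled inbound rules reference this port? Block rules win over allow rules.
function Test-PortMatch {
    param([string[]]$RulePorts, [int]$Port)
    foreach ($p in $RulePorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

Get-NetFirewallRule -Enabled True -Direction Inbound | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if (($pf.Protocol -eq $Protocol -or $pf.Protocol -eq 'Any') -and (Test-PortMatch $pf.LocalPort $Port)) {
        [pscustomobject]@{
            Rule = $_.DisplayName; Action = $_.Action; Profile = $_.Profile
            Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',')
        }
    }
} | Sort-Object Action | Format-Table -AutoSize

# 4. Read pfirewall.log for DROP entries to that port. The file is W3C-style: comment lines
#    start with '#', and the '#Fields:' line names the columns, so parse against that header
#    instead of hard-coding positions (newer builds append extra columns).
function Get-FirewallDrops {
    param([string[]]$Lines, [int]$Port)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['action'] -eq 'DROP' -and $row['dst-port'] -eq "$Port") {
            [pscustomobject]@{
                Time = "$($row['date']) $($row['time'])"; Proto = $row['protocol']
                Src  = "$($row['src-ip']):$($row['src-port'])"; Dst = "$($row['dst-ip']):$($row['dst-port'])"
                Path = $row['path']
            }
        }
    }
}

# Live file (written in batches, so wait a few seconds after a failed connection attempt):
# Get-FirewallDrops -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -Port $Port

# Constructed sample lines so the parser can be exercised without a live failure:
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:01 ALLOW TCP 10.1.1.20 10.1.1.50 52011 443 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:12:03 DROP TCP 10.1.1.20 10.1.1.50 52012 8443 52 S 3197215532 0 64240 - - - RECEIVE
2024-03-04 09:12:06 DROP TCP 10.1.1.20 10.1.1.50 52013 8443 52 S 3197215533 0 64240 - - - RECEIVE
2024-03-04 09:12:09 DROP UDP 10.1.1.7 10.1.1.50 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDrops -Lines $sample -Port $Port | Format-Table -AutoSize
```

Step 3 is the one that usually ends the hunt: a matching rule with Action Block, or no matching Allow rule at all while DefaultInboundAction is Block, both produce the DROP lines step 4 pulls out. If the log shows the drops but no WFAS rule explains them, that points at a filter outside WFAS, which is where WFP comes in.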
I don’t usually check WFP until I’ve verified everything else, as it’s far less common in my experience, but it’s good to know about so you don’t end up like me, pulling your hair out wondering what you missed. I’ve only worked with this from the command line, so we’ll start with an administrator command prompt again.
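Here is how I would pin a drop on a specific WFP filter, as an added example rather than the commands from the original post. The idea is to make WFP report its drops to the Security log (events 5152 and 5157, each carrying the run-time ID of the filter responsible), dump the live filter set with `netsh wfp show state`, and join the two on that ID so you get the filter’s name, provider and action. The port 8443 is assumed, and the wfpstate.xml element names (`filterId`, `displayData/name`, `providerKey`, `layerKey`, `action/type`) are what I have seen in dumps; verify them against your own file if a lookup comes back empty.

```powershell
# Added example (not from the original post): find which WFP filter is dropping traffic.
# Run in an elevated PowerShell session. Event field names and the wfpstate.xml element
# names are assumptions from dumps I have worked with; verify against your own output.

$Port = 8443   # assumed application port

# 1. Make WFP tell us about its drops. These audit subcategories are off by default; once
#    enabled, each blocked packet/connection lands in the Security log as event 5152 (packet)
#    or 5157 (connection) with the run-time ID of the filter that made the decision.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 2. Dump the current filter set. netsh writes wfpstate.xml into the current directory
#    ("netsh wfp show filters" writes a smaller filters.xml with just the filters).
Set-Location $env:TEMP
netsh wfp show state | Out-Null

# 3. Reproduce the failure, then pull the drop events for our port.
function Get-WfpDropEvents {
    param([int]$Port, [int]$Minutes = 15)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['DestPort'] -eq "$Port") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    EventId     = $_.Id
                    Direction   = $d['Direction']       # typically %%14592 = Inbound, %%14593 = Outbound
                    Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
                    Dest        = "$($d['DestAddress']):$($d['DestPort'])"
                    Application = $d['Application']
                    FilterRTID  = $d['FilterRTID']
                    LayerRTID   = $d['LayerRTID']
                }
            }
        }
}

# 4. Resolve a run-time filter ID to the filter's name, provider, layer and action in wfpstate.xml.
#    Third-party software (AV, VPN, EDR) shows up under its own providerKey, which is the clue
#    that it, and not WFAS, owns the block.
function Resolve-WfpFilter {
    param([string]$StatePath, [string[]]$FilterRTID)
    $xml = [xml](Get-Content -Raw $StatePath)
    foreach ($id in ($FilterRTID | Select-Object -Unique)) {
        foreach ($f in $xml.SelectNodes("//item[filterId='$id']")) {
            $conds = foreach ($c in $f.SelectNodes('.//item[fieldKey]')) {
                $val = ($c.conditionValue.ChildNodes | Where-Object Name -ne 'type').InnerText
                "$($c.fieldKey) $($c.matchType) $val"
            }
            [pscustomobject]@{
                FilterRTID = $id
                Name       = $f.displayData.name
                Provider   = $f.providerKey
                Layer      = $f.layerKey
                Action     = $f.action.type       # FWP_ACTION_BLOCK is the one you are hunting
                Conditions = $conds -join '; '
            }
        }
    }
}

$drops = Get-WfpDropEvents -Port $Port
$drops | Format-Table -AutoSize
if ($drops) { Resolve-WfpFilter -StatePath "$env:TEMP\wfpstate.xml" -FilterRTID $drops.FilterRTID | Format-List }

# When the audit log is too noisy: "netsh wfp capture start", reproduce, "netsh wfp capture stop"
# produces wfpdiag.cab, whose wfpdiag.xml holds the filters and events for just that window.
```

Remember to turn the two audit subcategories back off (`/success:disable /failure:disable`) when you are done; on a busy server they generate a lot of Security log volume. If the resolved filter’s provider is Microsoft’s firewall provider, you are back in WFAS territory and the rule name will match what wf.msc shows; anything else names the product you need to go configure.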
I would encourage you to explore netsh if you have some time. Try typing “netsh wfp ?” as well as “netsh advfirewall ?” to see the other commands available. I’m hoping this information is useful and saves someone a little time. Thanks for reading!
It just so happens that LookingPoint offers multiple IT services if you’re interested. Want more information? Give us a call! Please reach out to us at sales@lookingpoint.com and we’ll be happy to help!