Event ID 4956 — Firewall Configuration

Applies To: Windows Server 2008

Windows Firewall with Advanced Security supports several configuration settings that control how and when firewall and Internet Protocol security (IPsec) rules are applied. For example, changing the network location type, turning the firewall on or off, or resetting the firewall to its initial out-of-box configuration can affect which rules are applied to network traffic.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when critical configuration changes occur that can affect the firewall and IPsec processing.

Event Details

Product: Windows Operating System
ID: 4956
Source: Microsoft-Windows-Security-Auditing
Version: 6.0
Symbolic Name: SE_AUDITID_ETW_FIREWALL_PROFILE_CHANGE
Message: Windows Firewall has changed the active profile.

New Active Profile:%t%1

Resolve

Review the rules applied to the computer for the current network location type

If Windows Firewall is allowing unexpected traffic in or out of the local computer, then ensure that the firewall is enabled, and that the rules currently in place for the active profile are correct.

Confirm that the computer is using the correct policy settings

If the computer is receiving its firewall configuration from Group Policy, confirm that the latest policy is in place on the computer.

To refresh Group Policy applied to the local computer:

  1. Start an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. At the command prompt, type gpupdate /force.
  4. When the command finishes applying policy, continue with the diagnostic and troubleshooting procedures below.

Confirm that the firewall is enabled for the currently detected network location type

Windows supports multiple firewall profiles and dynamically switches them based on the network location type detected through the connected network adapters.

To determine the current network location type and firewall state of the computer:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. In the navigation pane, click the top node: Windows Firewall with Advanced Security.
  4. The currently active profile is displayed with the words "is Active" in the Overview section in the details pane.
  5. Ensure that for each profile type, the text "Windows Firewall is on" appears under each profile. If it is not, click Windows Firewall Properties, and then select the appropriate tab and change the Firewall state to On.

Confirm that the firewall is enabled for each network adapter on the computer

Windows Firewall enables you to turn it off for individual network adapters.

To view the firewall state for each network adapter:

  1. Click Start, click Control Panel, click Security, and then click Windows Firewall.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. Click Change Settings.
  4. Click the Advanced tab.
  5. Under Network Connections, ensure that the check box next to each network connection is selected.

Evaluate the firewall rules in place for the current profile

Finally, if the procedures described above did not help you resolve the issue, you must inspect the firewall rules themselves:

  1. If you still have the Windows Firewall with Advanced Security MMC snap-in open, then skip to step 4.
  2. Click Start, type mmc wf.msc in the Start Search box, and then press ENTER.
  3. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  4. In the navigation pane, click Inbound Rules or Outbound Rules as appropriate.
  5. Click the column headers to sort the rules list by the values that can help you find the rules you want to evaluate.
  6. For each rule that you want to evaluate, make sure that the following rule attributes are true or correct:
    • The rule is active.
    • The rule is configured to block or allow traffic as appropriate.
    • The rule is referencing the proper program path for the application.
    • If the application is a service, make sure that the service list is properly scoped.
    • The addresses, subnet, ports, and protocols are correct for the traffic you want to block or allow.
    • The traffic direction (inbound or outbound) is correct.
    • The profiles associated with the rule are correct.
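
The checks above (recent profile changes, firewall state per profile, and the rules in force for the active profile) can also be collected in one pass from a script. This is an added example, not part of the original Microsoft article; it assumes an elevated PowerShell 2.0 or later prompt and uses the Get-WinEvent cmdlet and the HNetCfg.FwPolicy2 COM object.

```powershell
# Added example; run elevated (reading the Security log requires administrator rights).
# Bit values of the NET_FW_PROFILE_TYPE2 enumeration used by the firewall COM API.
$profileBits = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

# 1. Recent 4956 events. Properties[0] is the %1 insert ("New Active Profile").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4956 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'NewActiveProfile'; Expression = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# 2. Firewall state for each profile, marking the profile(s) currently active.
$fw     = New-Object -ComObject HNetCfg.FwPolicy2
$active = $fw.CurrentProfileTypes          # bitmask of active profiles
1, 2, 4 | ForEach-Object {
    New-Object PSObject -Property @{
        Profile    = $profileBits[$_]
        Active     = [bool]($active -band $_)
        FirewallOn = $fw.FirewallEnabled($_)
    }
} | Select-Object Profile, Active, FirewallOn | Format-Table -AutoSize

# 3. Enabled rules that apply to the active profile, with the attributes
#    from the checklist: direction, action, program path, service, ports, addresses.
$fw.Rules |
    Where-Object { $_.Enabled -and ($_.Profiles -band $active) } |
    Sort-Object Direction, Name |
    Select-Object Name,
        @{ Name = 'Dir';    Expression = { if ($_.Direction -eq 1) { 'In' } else { 'Out' } } },
        @{ Name = 'Action'; Expression = { if ($_.Action -eq 1) { 'Allow' } else { 'Block' } } },
        ApplicationName, ServiceName, Protocol, LocalPorts, RemoteAddresses |
    Format-Table -AutoSize
```

Any profile that shows FirewallOn as False, or any unexpected Allow rule in the third table, is the starting point for the manual review described above.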

Verify

To verify that the firewall rules are properly configured for a specific type of network traffic, you must run the application that generates the traffic, and then confirm that the rule works correctly. For example, to verify that firewall rules are properly blocking or allowing inbound Telnet network traffic to a specific computer on your network, use another computer on the network and attempt to use Telnet to connect to the protected computer. You can use Network Monitor to view the traffic on the network and to confirm whether the expected traffic is blocked or allowed, as defined by the firewall rules on the computer. Network Monitor can also indicate whether the traffic is authenticated or encrypted by using Internet Protocol security (IPsec).
