Share via


Event ID 5027 — Firewall Rule Processing

Applies To: Windows Server 2008

Windows Firewall with Advanced Security receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving a new or modified policy, Windows Firewall must process each rule in the applied policies to interpret what network traffic is to be blocked, allowed, or protected by using Internet Protocol security (IPsec).

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy and in processing the rules defined in the policy.

Event Details

Product: Windows Operating System
ID: 5027
Source: Microsoft-Windows-Security-Auditing
Version: 6.0
Symbolic Name: SE_AUDITID_ETW_MPSFIREWALL_GET_POLICY_FAILURE
Message: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

Error Code:%t%1

Resolve

Free up memory resources

Windows was not able to retrieve the firewall or Internet Protocol security (IPsec) policy from the local registry, or process the policy that it found there.

This error indicates one of two situations, low memory resources or registry corruption. Both can result in similar symptoms.  Attempt the resolution in the Low memory resources section first.

Low memory resources

If excessive demands are placed on the memory resources of a computer, such as when more programs are running than the computer can adequately support, then common operating system functions can fail.

To solve this situation perform one or more of the following steps:

  • Stop unneeded programs to free up memory.
  • Restart the computer and start fewer programs so that resources are not under an excessive load.
  • If the problem persists, you might need to add more RAM to the system to support the number of programs that you want to run.

Registry corruption

If the system registry is corrupted, then the policy cannot be retrieved. The only supported solution to this condition is to reinstall the operating system. Registry corruption cannot be reliably repaired.

Verify

You can verify that your computer is successfully retrieving and processing firewall and Internet Protocol security (IPsec) settings and rules by examining the Event Viewer logs and looking for messages that indicate successful firewall policy processing. To ensure that your computer is creating the appropriate events as required, see https://go.microsoft.com/fwlink/?linkid=92666.

To verify that firewall policy is being retrieved and processed correctly:

  1. Refresh Group Policy. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At that command prompt, run the command gpupdate /force.
  2. After the policy refresh is complete, examine the Event log for the following event IDs:
    • 4945-4948. These messages indicate successful processing of locally stored firewall policy.
    • 4954-4955. This message indicates successful processing of Group Policy-provided firewall policy.
    • 5040-5049. These messages indicate successful processing of IPsec policy.

The presence of one or more of those event messages when a changed policy is received is an indication that policy is being received and processed correctly.

You can also change a rule (in locally stored policy or a Group Policy object), and then examine the rules on the computer to confirm that the changed rule was received and processed correctly. Use the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in or the netsh advfirewall command-line tool to examine the rules on the local computer. The exact branch in the snap-in or the netsh command to use depends on the rule that you want to change.

Firewall Rule Processing

Windows Firewall with Advanced Security