How Windows Firewall with Advanced Security Works
Updated: January 20, 2009
Applies To: Windows Server 2008, Windows Vista
Windows Firewall with Advanced Security is a stateful, host-based firewall. Unlike router-based firewalls deployed at the boundary of a private network and the Internet, Windows Firewall with Advanced Security is only designed to act as a firewall for host-based traffic—traffic destined to an IP address on which the computer is listening and traffic originating from the computer itself. Windows Firewall with Advanced Security is available on computers that are running Windows Vista and later versions of Windows.
The basic operation of Windows Firewall with Advanced Security is the following:
An incoming packet is inspected and compared against a list of allowed traffic. If the packet matches an entry in the list, Windows Firewall passes the packet to the TCP/IP protocol for further processing. If the packet does not match an entry in the list, Windows Firewall discards the packet and, if logging is enabled, creates an entry in the Windows Firewall logging file.
The list of allowed traffic is populated in two ways:
When the computer sends a packet on a connection on which Windows Firewall with Advanced Security is enabled, the firewall creates an entry in the list so that the response to that traffic is allowed. This response traffic is incoming solicited traffic.
When you create an allow rule in Windows Firewall with Advanced Security, the traffic to which the rule applies is passed even though the computer did not request it. This is how a computer that uses Windows Firewall accepts unsolicited incoming traffic when it acts as a server, a listener, or a peer.
The first step in troubleshooting Windows Firewall problems is to verify which profile is active. Windows Firewall with Advanced Security is a network-location-aware application: as the network locations to which the computer is connected change, the active Windows Firewall profile changes. A profile describes the Windows Firewall settings and rules that are applied for a given network location type of the active network connections.
There are three network location types: domain, public, and private. A network is classified as the domain network location type if the connection is authenticated to a domain controller for the domain of which the computer is a member. By default, all other networks are initially classified as public networks, and Windows then asks the user to identify the network as either public or private. The public profile is intended for use in public locations such as airports or coffee shops. The private network location is intended for use when connected at a home or office behind an edge device. To classify a network as private, the user must supply administrator credentials.
While a computer may be connected to multiple network locations at the same time, only one profile can be active at a time. The active profile is determined as follows:
If all interfaces are authenticated to the domain controller for the domain of which the computer is a member, the domain profile is applied.
If at least one interface is connected to a private network location and all other interfaces are either authenticated to the domain controller or are connected to private network locations, the private profile is applied.
Otherwise, the public profile is applied.
To view which profile is active, click Monitoring in Windows Firewall with Advanced Security. Above the text Firewall State will be a sentence indicating which profile is the currently active profile. For example, if the domain profile is the active profile, the text is Domain Profile is Active.
Using profiles, the Windows Firewall can automatically allow incoming traffic for a specific desktop management tool when the computer is on domain networks but block similar traffic when the computer is connected to public or private networks. In this way, network location awareness can provide flexibility on your internal network without sacrificing security when mobile users travel.
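The two mechanisms this page describes, the stateful allowed-traffic list and the three-rule profile selection, modelled together in Python. This is an added illustration, not Windows code: the names (active_profile, HostFirewall, Packet) and the RDP-only-on-domain rule set are constructed for the example, and the sample addresses are made up.

```python
from dataclasses import dataclass, field

DOMAIN, PRIVATE, PUBLIC = "domain", "private", "public"

def active_profile(interface_locations):
    """Return the one active profile from each connected interface's location
    type, applying the three rules in the order the page gives them."""
    locs = list(interface_locations)
    if locs and all(loc == DOMAIN for loc in locs):
        return DOMAIN
    if PRIVATE in locs and all(loc in (DOMAIN, PRIVATE) for loc in locs):
        return PRIVATE
    return PUBLIC  # any public interface (or none at all): most restrictive profile

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class HostFirewall:
    # Per-profile allow rules: (protocol, local port) pairs accepted unsolicited.
    rules: dict = field(default_factory=dict)
    # State table: reply tuples expected for traffic this host itself sent.
    expected: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def send(self, pkt):
        """Outbound packet: record the reversed tuple so the reply counts as solicited."""
        self.expected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt, profile):
        """Pass a solicited reply or a rule match for the active profile; else drop and log."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.expected:
            return True
        if (pkt.proto, pkt.dport) in self.rules.get(profile, set()):
            return True
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} profile={profile}")
        return False

if __name__ == "__main__":
    # Constructed sample: a management tool on TCP 3389 is allowed only in the domain profile.
    fw = HostFirewall(rules={DOMAIN: {("tcp", 3389)}})
    rdp = Packet("tcp", "10.0.0.5", 50000, "10.0.0.9", 3389)
    print(fw.inbound(rdp, active_profile([DOMAIN])))          # True
    print(fw.inbound(rdp, active_profile([DOMAIN, PUBLIC])))  # False: one public link pulls the host to the public profile
```

The second call is the case to remember when troubleshooting: a domain-joined laptop that also joins a public hotspot runs under the public profile, so the domain-only rule no longer matches and the packet lands in the log.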