Windows Firewall Is Blocking a Program

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

One of the most common problems when using a network firewall is that it sometimes blocks network traffic that you want to allow. The following sections discuss reasons that the firewall might be blocking traffic.

Verify that Windows Firewall is enabled for your network location

The first step in diagnosing dropped or blocked traffic situations is to determine if the firewall is turned on and which network location profile is active: domain, private, or public.

To verify that the firewall is enabled for the current network location profile

  • Perform either of the following:

    • At a command prompt, run the command:

      netsh advfirewall show currentprofile

      The first line of the output indicates the currently active network location profile. The second line of the output indicates if the firewall is on or off for the currently active network location profile. For example:

      C>netsh advfirewall show currentprofile

      Domain Profile Settings:

      -------------------------------------------------------

      State ON

      Firewall Policy BlockInbound,AllowOutbound

    • Click Start, click Control Panel, click Network and Internet, and then click Windows Firewall. The details pane indicates if the firewall is on or off. The entry for Network location indicates the currently active network location profile.

Most of the procedures that follow use the Windows Firewall with Advanced Security MMC snap-in, rather than the Windows Firewall Control Panel program.

To start the Windows Firewall with Advanced Security MMC snap-in

  • Do one of the following:

    • Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.

    • At a command prompt, run the command:

      wf.msc

There is no active "allow" rule for the traffic

By default, Windows Firewall with Advanced Security blocks all unsolicited inbound network traffic, and allows all outbound network traffic. For unsolicited inbound network traffic to reach your computer, you must create an allow rule to permit that type of network traffic. If a network program cannot get access, verify that in the Windows Firewall with Advanced Security snap-in there is an active allow rule for the current profile. To verify that there is an active allow rule, double-click Monitoring and then click Firewall .If there is no active allow rule for the program, go to the Inbound Rules node and create a new rule for that program. Create either a program rule, or a service rule, or search for a group that applies to the feature and make sure all the rules in the group are enabled.

To permit the traffic, you must create a rule for the program that needs to listen for that traffic. If you know the TCP or UDP port numbers required by the program, you can additionally restrict the rule to only those ports, reducing the vulnerability of opening up all ports for the program.

Note

By default on Windows Vista, when the firewall detects a new program trying to listen on a network port, the firewall displays a pop-up message asking if the user wants to permit the program to listen. If the user approves, and has either Administrator or Network Operator permissions, then the program exception rule is created automatically with no further action from the user. On Windows Server 2008, the pop-up message does not display by default, and so the administrator must manually create or enable the appropriate inbound rules for the program.

To add an inbound rule for a program by using the Windows Firewall Control Panel program

  1. Click Start, click Control Panel, and then under Security, click Allow a program through Windows Firewall.

  2. On the Exceptions tab, check the list to see if an exception for your program already exists and just needs to be enabled. If you find one, select the box next to it, and then click OK.

  3. If a rule does not already exist, click Add program.

  4. In the Add a Program dialog box, either select your program from the list, or click the Browse button to enter the path to the executable file.

  5. If the program should only be accessed from certain network addresses, click Change Scope, and enter the appropriate subnet addresses or individual IP addresses. Click OK to return to the Add a Program dialog box.

  6. Click OK to return to the Windows Firewall Settings dialog box. Your new exception is displayed in the list in alphabetical order with a check mark in the box next to it. Click OK to save your new exception rule.

  7. Test your rule by running the network program that needs to be able to receive unsolicited network traffic.

To add an inbound rule for a program by using the Windows Firewall with Advanced Security MMC snap-in

  1. Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.

  2. Click Inbound Rules and examine the list to see if an allow rule that meets your requirements already exists and just needs to be enabled. Disabled rules have a grey icon next to them, while enabled rules are red, green or yellow. The Enabled column also indicates Yes or No.

  3. If you find a rule in the list, enable it by right-clicking the rule name, and then clicking Enable rule.

  4. If a rule does not already exist, then create a new rule for your program by following these steps:

    1. In the navigation pane, select Inbound Rules.

    2. In the Actions pane, click New Rule.

    3. On the Rule Type page, select Program, and then click Next.

    4. On the Program page, select This program path, then click Browse, and navigate to the program you want to be able to receive inbound network traffic. Click Next to continue.

    5. On the Action page, select Allow the connection, and then click Next.

    6. On the Profile page, select the profiles to which this rule should apply, and then click Next.

    7. On the Name page, type a name and a description for the rule.

      The rule is created and automatically enabled.

    8. Test your rule by running the network program that needs to be able to receive unsolicited network traffic.

There is an active "block" rule for the traffic

By default, Windows Firewall with Advanced Security blocks all unsolicited inbound network traffic, and allows all outbound network traffic. For network programs on your computer to send information to the network, you typically do not need to do anything. The default configuration of the firewall permits all outbound traffic. If a block rule is active, it can prevent network packets that match its criteria from being sent. A block rule can be present in either the Inbound Rules or Outbound Rules lists.

To check if an active block rule exists, and disable it if found

  1. Click Start, click All Programs, click Administrative Tools, and then click Windows Firewall with Advanced Security.

  2. Double-click Monitoring, and then click Firewall.

    The list of currently defined and active rules is displayed.

  3. If you find a rule that you suspect is interfering with required network traffic, note the value in the Direction column, Inbound or Outbound.

  4. In the navigation pane, click Inbound Rules or Outbound Rules, depending on the value you found in step 3.

  5. Right-click the suspect rule in the list, and then click Disable rule. We recommend that you do not disable the rule until you verify that it indeed was the offending rule, and that disabling it did not adversely affect other network traffic.

Rules are evaluated in a specific order

Windows Firewall with Advanced Security evaluates its rules in a specific order. A network packet might match several rules, and the order in which the rules are evaluated determines which rule applies to the packet.

Order number Rule type Description

1

Windows Service Hardening

This type of rule restricts services from establishing connections. Service restrictions are configured out-of-the-box so that Windows Services can only communicate in specific ways (i.e., restricting allowable traffic through a specific port) but until you create a firewall rule, traffic is not allowed.

Independent software vendors can make use of public Windows Service Hardening APIs to restrict their own services.

2

Connection security rules

This type of rule defines how and in which circumstances computers authenticate using IPsec. Connection security rules are used in establishing server and domain isolation, as well as in enforcing Network Access Protection (NAP) policy.

3

Authenticated bypass rules

This type of rule allows the connection of particular computers if the traffic is protected with IPsec, regardless of other inbound rules in place. Specified computers are allowed to bypass inbound rules that block traffic: examples of this are vulnerability scanners, programs that scan other programs, computers, and networks for weaknesses.

4

Block rules

This type of rule explicitly blocks a particular type of incoming or outgoing traffic.

5

Allow rules

This type of rule explicitly allows a particular type of incoming or outgoing traffic.

6

Default rules

These rules define the action that takes place when a connection does not meet any of the parameters of a higher order rule. Out-of-the-box, the inbound default is to block connections, and the outbound default is to allow connections.

Within each rule category listed in the preceding table, rules are matched by the degree of their specificity. For example, rule 1 and rule 2 are both in the same category. If rule 1 has parameters A and B specified and rule 2 has parameters A, B, and C specified, then rule 2 will be evaluated first. The first rule that is evaluated and matches all criteria is the rule applied to the network packet.

Group Policy does not allow local rules to be applied

When configuring the Windows Firewall with Advanced Security policy through Group Policy, the administrator can specify whether or not firewall or connection security rules created by local administrators are applied. If you have created a local firewall or connection security rule and it is not appearing in the corresponding monitoring node, this may be the reason.

To verify why local firewall and connection security rules do not appear in Monitoring

  1. In the Windows Firewall with Advanced Security snap-in, click Properties.

  2. Click the tab corresponding to the active profile.

  3. Click Customize in the Settings section.

  4. The Rule Merge section will tell you if local rules are applied.

Rules that require connection security might be blocking traffic

When you create an inbound or outbound firewall rule, one of the options for action is to Allow only secure connections. When you specify this option, you need to have a connection security rule or separate IPsec policy that causes the traffic to be secured. Otherwise, the traffic is always dropped.

To verify whether the rule or rules for your program require security

  1. In the Windows Firewall with Advanced Security snap-in, click the Inbound Rules in the tree. Select the rule you wan to verify and then click Properties in the Actions pane.

  2. Click the General tab and under Action verify that Allow only secure connections is selected.

  3. If the rule has the action Allow only secure connections, click Monitoring in the tree and then Connection Security Rules. Verify whether there are appropriate connection security rules in place to secure the traffic specified by the firewall rule.

Warning

If you have an active IP Security Policies policy, ensure that policy secures the desired traffic. Do not create connection security rules because the IP Security Policies policy and the connection security rules can conflict.

An outbound connection isn't being allowed.

  1. In the Windows Firewall with Advanced Security snap-in, click Monitoring. Expand the section for the active profile and verify under Firewall State that outbound connections that do not match a rule are allowed.

  2. Under Monitoring, click Firewall to verify that the outbound connection you want to allow does not have a block rule.

Mixed policies might cause dropped traffic

There are several interfaces in Windows that allow you to configure firewall and IPsec settings. Creating policies in multiple places can lead to conflicts that block traffic. The following configuration points are available:

  • Windows Firewall with Advanced Security. This policy is configured through the Windows Firewall with Advanced Security snap-in either locally or as part of a Group Policy. This policy configures both firewall and IPsec settings for computers running Windows Vista and Windows Server 2008.

  • Windows Firewall Administrative Template. This policy is configured through the Group Policy Management Editor under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. This interface contains the Windows Firewall settings that were available prior to Windows Vista and Windows Server 2008 and should be used when configuring a Group Policy object that controls earlier versions of Windows. These settings can be applied to computers running Windows Vista or Windows Server 2008, but it is recommended that you use the Windows Firewall with Advanced Security policy instead as it offers more flexibility and security. Note that some of the domain profile settings are shared between the Windows Firewall Administrative Template and the Windows Firewall with Advanced Security policy, so you can expect to see settings here if you have configured domain profiles settings in the Windows Firewall with Advanced Security snap-in.

  • IP Security Policies. This policy is configured through the IP Security Policies snap-in either locally or through the Group Policy Management Editor under Computer Configuration\Windows Settings\Security Settings\IP Security Policies. This policy configures IPsec settings that can be understood by earlier versions of Windows as well as Windows Vista and Windows Server 2008. You should not apply this policy and connection security rules from the Windows Firewall with Advanced Security policy on the same computer.

To view all these settings in their appropriate snap-ins create a custom MMC snap-in and add the Windows Firewall with Advanced Security snap-in, Group Policy Management snap-in, and the IP Security Monitor snap-in.

To create a custom MMC snap-in console

  1. Click Start, click All Programs, click Accessories, and then click Run.

  2. In the Open text box, type mmc, and then press ENTER.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. On the File menu, click Add/Remove Snap-in.

  5. In the Available snap-ins list box, click Windows Firewall with Advanced Security, then click Add.

  6. Click OK.

  7. Repeat steps 1 through 6 to add Group Policy Management snap-in and IP Security Monitor.

  8. Before you close the snap-in, save and name the custom console for future use.

To verify which policies are active for the active profile, use the following procedure.

To verify which policies are applied

  1. At the command prompt, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Available snap-ins list box, click Group Policy Management, then click Add.

  5. Click OK.

  6. In the tree, click the subnode (usually the forest in which the local computer resides) and click double-click Group Policy Results in the Detail pane.

  7. In the Actions pane, click More Actions and click Group Policy Results Wizard.

  8. Click Next. Click This computer or Another computer (type the computer name and path or click browse to locate it). Click Next again.

  9. Click Display policy settings for either Current user or Click a specific user. If you do not want to display settings for user policy and want to display computer policy settings only, click Do not display user policy settings in the results (display computer policy settings only), click Next, and Next again.

  10. Click Finish. Group Policy Results will generate a report in the Details pane. The report tabs include: Summary, Settings, and Policy Events.

  11. To make sure there is not a conflicting IP Security Policies policy, after the reports are generated, use the Settings tab and locate Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Active Directory. If that last node is not present, then there is no policy from the IPsec Policy Agent. If the last node is present, the policy name, description, and Group Policy object (GPO) from which the policy originated is displayed. If you have both an IP Security Policies policy and a Windows Firewall with Advanced Security policy using connection security rules, then your connectivity issue could be a result of policy conflicts. We recommend using one policy or the other, but not both. It is fine to use IP Security Policies and Inbound or Outbound rules from Windows Firewall with Advanced Security. Policy conflicts can arise and troubleshooting can become more difficult if settings are configured in one place and not considered when configured in another.

    There could still be conflicting policies from local Group Policy objects or from scripts your IT department may have run. Verify all IPsec policies using IP Security Monitor or at the command prompt type the following command:

    netsh ipsec dynamic show all

  12. To see the settings applied by the Windows Firewall Administrative Template, see Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  13. In the same console, you can look at the Policy Events tab to see if there have been any recent issues applying policy.

  14. To see which policy is applied by Windows Firewall with Advanced Security, open the snap-in for the computer you are troubleshooting and review the settings in Monitoring.

To view Administrative Templates, open the Group Policy Management snap-in and under Group Policy Results, verify if any legacy settings are being applied that might be causing traffic to be blocked.

To view IP Security Policies, open the IP Security Monitor snap-in. Click the local computer in the tree. In the Detail pane, click either Active Policy, Main Mode or Quick Mode. Search for any competing policies that might be causing traffic to be blocked.

By using Monitoring in the Windows Firewall with Advanced Security snap-in, you can see rules that are currently being applied from both local and Group Policy. See "Use monitoring in the Windows Firewall with Advanced Security snap-in" later in this document for more details.

If there are no IPsec rules configured in Windows Firewall with Advanced Security, stop IPsec Policy Agent. This will allow you to see if dropped traffic results from IPsec or Windows Firewall.

To stop IPsec Policy Agent

  1. Click Start and click Control Panel.

  2. Click System and Maintenance and click Administrative Tools.

  3. Double-click Services and at the User Account Control prompt, supply the correct credentials if required. Click Continue.

  4. Locate IPsec Policy Agent in the list of services and verify in the Status column that the service is started.

  5. If the IPsec Policy Agent is started, right click IPsec Policy Agent, and then click Stop. Alternatively, you can stop the IPsec Policy Agent at the command prompt by typing net stop policy agent.

Peer computer policy might cause dropped traffic

For communications to be established using IPsec, both computers must have compatible IPsec policies. This policy can be specified through connection security rules in Windows Firewall with Advanced Security, through the IP Security Policies snap-in, or through another IPsec provider.

Peer computer may not have a complimentary policy

  1. In the Windows Firewall with Advanced Security snap-in, click Monitoring and Connection Security Rules to verify whether both peers have an IPsec policy configured.

  2. If a peer computer is running an earlier version of Windows than Windows Vista, verify that at least one Main Mode cryptographic suite and one Quick Mode cryptographic suite use algorithms that are supported on both peers.

    1. Click Main Mode, click the connection you want to check in the Details pane, then click Properties in the Actions Pane. View the connection details for both peers to verify that they are compatible.

    2. Repeat step 2a, this time substituting Quick Mode. View the connection details for both peers to verify that they are compatible.

  3. If Kerberos V5 authentication is used, verify that the peer is in the same domain or in a trusted domain.

  4. If a certificate is used, verify that it has the appropriate flags. Certificates that use Internet Key Exchange (IKE) only require digital signature as a usage type. Certificates that use AuthIP need client authentication (and depending on the scenario server authentication) as a usage type. For more details on AuthIP certificates see "AuthIP in Windows Vista" (https://go.microsoft.com/fwlink/?LinkId=76867) on the Microsoft Web site.