Event ID 4949 — Firewall Rule Processing

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Windows Firewall with Advanced Security receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving a new or modified policy, Windows Firewall must process each rule in the applied policies to interpret what network traffic is to be blocked, allowed, or protected by using Internet Protocol security (IPsec).

When appropriate auditing events are enabled (http://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy and in processing the rules defined in the policy.

Event Details

Product: Windows Operating System
ID: 4949
Source: Microsoft-Windows-Security-Auditing
Version: 6.1
Symbolic Name: SE_AUDITID_ETW_FIREWALL_RESTORE_DEFAULTS
Message: Windows Firewall settings were restored to the default values.

Resolve

Review the rules applied to the computer for the current network location type

If Windows Firewall is allowing unexpected traffic in or out of the local computer, then ensure that the firewall is enabled, and that the rules currently in place for the active profile are correct.

Confirm that the computer is using the correct policy settings

If the computer is receiving its firewall configuration from Group Policy, confirm that the latest policy is in place on the computer.

To refresh Group Policy applied to the local computer:

  1. Start an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. At the command prompt, type gpupdate /force.
  4. When the command finishes applying policy, continue with the diagnostic and troubleshooting procedures below.

Confirm that the firewall is enabled for the currently detected network location type

Windows supports multiple firewall profiles and dynamically switches them based on the network location type detected through the connected network adapters.

To determine the current network location type and firewall state of the computer:

  1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. In the navigation pane, click the top node: Windows Firewall with Advanced Security.
  4. The currently active profile is displayed with the words "is Active" in the Overview section in the details pane.
  5. Ensure that for each profile type, the text "Windows Firewall is on" appears under each profile. If it is not, click Windows Firewall Properties, and then select the appropriate tab and change the Firewall state to On.

Confirm that the firewall is enabled for each network adapter on the computer

Windows Firewall enables you to turn it off for individual network adapters.

To view the firewall state for each network adapter:

  1. Click Start, click Control Panel, click Security, and then click Windows Firewall.
  2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  3. Click Change Settings.
  4. Click the Advanced tab.
  5. Under Network Connections, ensure that the check box next to each network connection is selected.

Evaluate the firewall rules in place for the current profile

Finally, if the procedures described above did not help you resolve the issue, you must inspect the firewall rules themselves:

  1. If you still have the Windows Firewall with Advanced Security MMC snap-in open, then skip to step 4.
  2. Click Start, type mmc wf.msc in the Start Search box, and then press ENTER.
  3. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
  4. In the navigation pane, click Inbound Rules or Outbound Rules as appropriate.
  5. Click the column headers to sort the rules list by the values that can help you find the rules you want to evaluate.
  6. For each rule that you want to evaluate, make sure that the following rule attributes are correct:
    • The rule is active.
    • The rule is configured to block or allow traffic as appropriate.
    • The rule references the proper program path for the application.
    • If the application is a service, the service list is properly scoped.
    • The addresses, subnets, ports, and protocols are correct for the traffic you want to block or allow.
    • The traffic direction (inbound or outbound) is correct.
    • The profiles associated with the rule are correct.
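The three checks above (which profile is active, whether the firewall is on for every profile, and which rules are in force for the active profile) can be gathered in one pass with the netsh advfirewall tool this page refers to. The following script is an added example and is not code from the original page or from Microsoft; it assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2, and the regular expressions assume netsh's English-language output layout (field names such as "Rule Name:", "Enabled:", "Profiles:"), which is an assumption about that layout rather than a documented interface.

```powershell
# Added example (not from the original page). Wraps netsh advfirewall so the
# active profile, per-profile state, and the rules applied to the active
# profile can be reviewed together. Assumes English netsh output.

function Get-FirewallProfileState {
    # One object per profile (Domain, Private, Public) with its ON/OFF state.
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -ne $null -and $line -match '^State\s+(\w+)') {
            New-Object PSObject -Property @{ Profile = $current; State = $Matches[1] }
        }
    }
}

function Get-ActiveFirewallProfile {
    # 'show currentprofile' prints only the profile(s) that are currently active.
    $names = @()
    foreach ($line in (netsh advfirewall show currentprofile)) {
        if ($line -match '^(\w+) Profile Settings:') { $names += $Matches[1] }
    }
    return $names
}

function Get-FirewallRule {
    # Parses 'netsh advfirewall firewall show rule name=all verbose' into objects.
    # Each rule block begins with a 'Rule Name:' line followed by 'Field: value' lines
    # (Enabled, Direction, Profiles, Action, Program, Service, LocalIP, RemotePort, ...).
    $rules = @()
    $rule = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all verbose)) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($rule -ne $null) { $rules += New-Object PSObject -Property $rule }
            $rule = @{ RuleName = $Matches[1].Trim() }
        }
        elseif ($rule -ne $null -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            # Strip spaces from field names ("Edge traversal" -> "Edgetraversal")
            # so every field becomes a usable property name.
            $rule[($Matches[1] -replace ' ', '')] = $Matches[2].Trim()
        }
    }
    if ($rule -ne $null) { $rules += New-Object PSObject -Property $rule }
    return $rules
}

function Get-RulesForProfile {
    param([string]$ProfileName, [string]$Direction = 'In')
    # Enabled rules in the given direction whose profile list covers $ProfileName.
    Get-FirewallRule | Where-Object {
        $_.Enabled -eq 'Yes' -and
        $_.Direction -eq $Direction -and
        ($_.Profiles -eq 'Any' -or
         (($_.Profiles -split ',' | ForEach-Object { $_.Trim() }) -contains $ProfileName))
    }
}

# Usage: confirm every profile is ON, identify the active profile, then list the
# enabled inbound rules for it with the attributes the checklist above asks you to
# verify (action, direction, profiles, program, service, addresses, ports, protocol).
Get-FirewallProfileState | Format-Table Profile, State -AutoSize
$active = Get-ActiveFirewallProfile
"Active profile(s): $($active -join ', ')"
foreach ($p in $active) {
    Get-RulesForProfile -ProfileName $p -Direction 'In' |
        Select-Object RuleName, Action, Direction, Profiles, Program, Service,
                      LocalIP, RemoteIP, Protocol, LocalPort, RemotePort |
        Format-Table -AutoSize
}
```

Any profile reported OFF, or an enabled Allow rule whose program path, service scope, or remote address range is broader than intended, is the kind of finding the checklist above is meant to surface; sorting the same objects by Action and RemoteIP is a quick way to spot over-broad allow rules.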

Verify

You can verify that your computer is successfully retrieving and processing firewall and Internet Protocol security (IPsec) settings and rules by examining the Event Viewer logs and looking for messages that indicate successful firewall policy processing. To ensure that your computer is creating the appropriate events as required, see http://go.microsoft.com/fwlink/?linkid=92666.

To verify that firewall policy is being retrieved and processed correctly:

  1. Refresh Group Policy. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. At the command prompt, run the command gpupdate /force.
  2. After the policy refresh is complete, examine the Event log for the following event IDs:
    • 4945-4948. These messages indicate successful processing of locally stored firewall policy.
    • 4954-4955. These messages indicate successful processing of Group Policy-provided firewall policy.
    • 5040-5049. These messages indicate successful processing of IPsec policy.

The presence of one or more of those event messages when a changed policy is received is an indication that policy is being received and processed correctly.
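The verification steps above can be scripted so that the policy refresh and the event-log check run together. The following script is an added example, not code from the original page or from Microsoft. It assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2 and that the auditing events described at the link above are enabled; the event ID ranges are the ones listed on this page. It also reports event 4949 itself, since a "settings restored to defaults" event means previously configured rules were discarded and the policy now in force should be re-checked.

```powershell
# Added example (not from the original page). Refreshes Group Policy, then
# summarises the firewall/IPsec policy-processing events from the Security log.

function Get-FirewallPolicyEvents {
    param([int]$Hours = 1)
    # IDs from this page: 4945-4948 local policy, 4954-4955 Group Policy,
    # 5040-5049 IPsec policy, plus 4949 (defaults restored).
    $ids = @(4945, 4946, 4947, 4948, 4949, 4954, 4955) + @(5040..5049)
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = $ids
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop
    } catch {
        @()
    }
}

function Get-PolicyEventSummary {
    param([int]$Hours = 1)
    # Counts events per category using the ranges given on the page.
    $summary = @{ Local = 0; GroupPolicy = 0; IPsec = 0; DefaultsRestored = 0 }
    foreach ($e in (Get-FirewallPolicyEvents -Hours $Hours)) {
        $id = [int]$e.Id
        if ($id -ge 4945 -and $id -le 4948)     { $summary['Local'] += 1 }
        elseif ($id -eq 4949)                   { $summary['DefaultsRestored'] += 1 }
        elseif ($id -eq 4954 -or $id -eq 4955)  { $summary['GroupPolicy'] += 1 }
        elseif ($id -ge 5040 -and $id -le 5049) { $summary['IPsec'] += 1 }
    }
    New-Object PSObject -Property $summary
}

# Usage: refresh policy, wait for it to finish, then look back one hour.
# A non-zero Local, GroupPolicy or IPsec count after the refresh is the
# "policy is being received and processed" indication described above.
gpupdate /force | Out-Null
Get-PolicyEventSummary -Hours 1 | Format-List

# Separately list any "restored to defaults" events from the last day, with
# their timestamps, so each one can be matched to a known administrative action.
Get-FirewallPolicyEvents -Hours 24 |
    Where-Object { [int]$_.Id -eq 4949 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the summary shows zero events of every kind after a forced refresh, first confirm the audit policy is enabled (the link above) before concluding that policy is not being applied; with auditing off, a healthy system produces the same empty result.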

You can also change a rule (in locally stored policy or a Group Policy object), and then examine the rules on the computer to confirm that the changed rule was received and processed correctly. Use the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in or the netsh advfirewall command-line tool to examine the rules on the local computer. The exact branch in the snap-in or the netsh command to use depends on the rule that you want to change.

Related Management Information

Firewall Rule Processing

Windows Firewall with Advanced Security
