firewall assist

Question

  • Hi, I need to log dropped packets and troubleshoot blocked applications and services. What would be the simplest way to get a handle to an application or service after it's blocked by the Vista firewall?

    Tuesday, December 30, 2008 6:28 AM

Answers

  • In Vista, you can utilize the FWPM_LAYER_xxx_DISCARD layers. Place your filter(s) and callout(s) that do your logging and troubleshooting at these layers to retrieve the relevant information for the blocked operation.

    From a Win7+ perspective, you can add your filter(s) and callout(s) to the FWPM_SUBLAYER_INSPECTION at the FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT, FWPM_LAYER_ALE_AUTH_CONNECT, and FWPM_LAYER_ALE_AUTH_RECV_ACCEPT layers.

    Note that the discard layers are also supported in Win7; however, new layers will not implement them, and you should use the inspection sublayer method (which is supported in both Vista and Win7+).


    Tuesday, January 6, 2009 7:15 PM
    Moderator
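For the troubleshooting side of the question, here is an added example that is not code from the thread or from Microsoft. It takes the defender's route that needs no callout driver: the WFP audit subcategories that Vista introduced write Security-log events 5157 (connection blocked) and 5152 (packet dropped) each time a filter at one of the ALE or discard layers blocks traffic, and each event carries the blocked image path plus the run-time ids of the layer and filter that matched. The script assumes an elevated PowerShell prompt and the EventData field names (`Application`, `DestAddress`, `DestPort`, `Protocol`, `LayerRTID`, `FilterRTID`) used by those two events; the `-MaxEvents` bound of 2000 is an arbitrary choice.

```powershell
# Added example (not from the thread): turn on WFP block auditing and summarise
# which applications were blocked, at which WFP layer, by which filter.
# Run from an elevated PowerShell prompt (Vista and later).

# 1. Enable the two WFP audit subcategories. Failure audits are enough here;
#    every block at an ALE/discard layer then lands in the Security log.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable | Out-Null

# 2. Collect recent block events. -MaxEvents keeps the query bounded on busy hosts;
#    SilentlyContinue avoids a red error when the log holds no such events yet.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

# 3. Pull the named EventData fields out of each event's XML (field names assumed
#    as documented for 5152/5157; parsing by name is safer than by index).
$rows = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time        = $ev.TimeCreated
        EventId     = $ev.Id
        Application = $d['Application']     # device path of the blocked image
        Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
        Protocol    = $d['Protocol']
        LayerRTID   = $d['LayerRTID']       # run-time id of the WFP layer that blocked
        FilterRTID  = $d['FilterRTID']      # run-time id of the filter that matched
    }
}

# 4. One line per (application, layer, filter) with a hit count, so the filter
#    that keeps blocking a given service stands out.
$rows | Group-Object Application, LayerRTID, FilterRTID |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Application'; e = { $_.Group[0].Application } },
        @{ n = 'LayerRTID';   e = { $_.Group[0].LayerRTID } },
        @{ n = 'FilterRTID';  e = { $_.Group[0].FilterRTID } },
        @{ n = 'LastSeen';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# 5. On Win7+ the run-time ids can be resolved to the owning provider and layer:
#    netsh wfp show filters   (writes filters.xml; match the <filterId> element)
#    netsh wfp show state     (writes wfpstate.xml; lists layers with their ids)
```

The `Application` field is a device path (`\device\harddiskvolumeN\...`) rather than a drive-letter path, which is what you want when matching against the service's image. The `LayerRTID` lets you tell an outbound block at the ALE connect layer apart from an inbound block at the receive/accept layer without a callout, and the `FilterRTID` identifies the exact filter, so the inspection-sublayer callout described in the answer can be reserved for cases where you need packet-level detail the audit event does not carry.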