Firewall Rule Processing
Applies To: Windows Server 2008
Windows Firewall with Advanced Security receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving a new or modified policy, Windows Firewall must process each rule in the applied policies to interpret what network traffic is to be blocked, allowed, or protected by using Internet Protocol security (IPsec).
When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy and in processing the rules defined in the policy.
Events
| Event ID | Source | Message |
|---|---|---|
Microsoft-Windows-Security-Auditing |
A change has been made to Windows Firewall exception list. A rule was added. %t Profile Changed:%t%1 Added Rule: %tRule ID:%t%2 %tRule Name:%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to Windows Firewall exception list. A rule was modified. %t Profile Changed:%t%1 Modified Rule: %tRule ID:%t%2 %tRule Name:%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to Windows Firewall exception list. A rule was deleted. %t Profile Changed:%t%1 Deleted Rule: %tRule ID:%t%2 %tRule Name:%t%3 |
|
Microsoft-Windows-Security-Auditing |
A rule has been ignored because its major version number was not recognized by Windows Firewall. %t Profile:%t%1 Ignored Rule: %tID:%t%2 %tName:%t%3 |
|
Microsoft-Windows-Security-Auditing |
Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. %t Profile:%t%1 Partially Ignored Rule: %tID:%t%2 %tName:%t%3 |
|
Microsoft-Windows-Security-Auditing |
A rule has been ignored by Windows Firewall because it could not parse the rule. %t Profile:%t%1 Reason for Rejection:%t%2 Rule: %tID:%t%3 %tName:%t%4 |
|
Microsoft-Windows-Security-Auditing |
Windows Firewall Group Policy settings has changed. The new settings have been applied. | |
Microsoft-Windows-Security-Auditing |
Windows Firewall did not apply the following rule: Rule Information: %tID:%t%1 %tName:%t%2 Error Information: %tReason:%t%3 resolved to an empty set. |
|
Microsoft-Windows-Security-Auditing |
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: Rule Information: %tID:%t%1 %tName:%t%2 Error Information: %tError:%t%3 %tReason:%t%4 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. Error Code:%t%1 |
|
Microsoft-Windows-Security-Auditing |
The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. Error Code:%t%1 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. An Authentication Set was added. %t Profile Changed:%t%t%1 Added Authentication Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. An Authentication Set was modified. %t Profile Changed:%t%t%1 Modified Authentication Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. An Authentication Set was deleted. %t Profile Changed:%t%t%1 Deleted Authentication Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Connection Security Rule was added. %t Profile Changed:%t%t%1 Added Connection Security Rule: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Connection Security Rule was modified. %t Profile Changed:%t%1 Modified Connection Security Rule: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Connection Security Rule was deleted. %t Profile Changed:%t%1 Deleted Connection Security Rule: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Crypto Set was added. %t Profile Changed:%t%1 Added Crypto Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Crypto Set was modified. %t Profile Changed:%t%1 Modified Crypto Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
A change has been made to IPsec settings. A Crypto Set was deleted. %t Profile Changed:%t%1 Deleted Crypto Set: %tID:%t%t%t%2 %tName:%t%t%t%3 |
|
Microsoft-Windows-Security-Auditing |
An IPsec Security Association was deleted. %t Profile Changed:%t%1 Deleted SA: %tID:%t%t%t%2 %tName:%t%t%t%3 |