
I have an environment that is running Windows Server 2012 R2 and runs a variety of Java based IBM applications. There is a group policy in place that blocks local Windows Firewall rules from being created, but due to a system process the rule is added at the system level and supersedes the GPO. We have also added an explicit GPO to allow the Java JRE inbound/outbound through Windows Firewall, but the block rule is still added and impacts the applications.

I would like to know how I can determine why Windows Firewall is blocking the application.

How can I stop this from happening?

  • GPO is in place to allow Java.exe inbound and outbound.
  • GPO is in place to not allow local firewall rules.
  • GPO is in place to not allow user interaction upon blocking a program.
  • Local rule is added by a system process that is likely triggered by user action.
  • Local rule supersedes the GPO since it is added by a system authority.

Example Event Log:

    Added Rule:
    Rule ID: UDP Query User{8C6B2819-E805-459B-9483-821B8B51D772}D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe
    Rule Name: Java(TM) Platform SE binary
    Origin: Local
    Active: Yes
    Direction: Inbound
    Profiles: Domain
    Action: Block
    Application Path: D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe
    Service Name:
    Protocol: UDP
    Security Options: None
    Edge Traversal: None
    Modifying User: NT SERVICE\MpsSvc
    Modifying Application: C:\Windows\System32\svchost.exe

This rule gets added despite having a program exception for both inbound/outbound for the specific JRE path.

Grant C
  • It sounds like you may be misinterpreting your results when you say a local rule is added by a system process. What rule is that? Can you identify it? Instead have you done any network monitoring or tracing to verify which ports are being used and what are not open on the firewall? Have you used something like `netstat` to see what ports are bound to the applications? I’ve not heard of a “system” process overriding GPO. GPO is a SYSTEM applied process. GPO is more than capable of opening the required ports. – Appleoddity Jun 07 '18 at 17:51
  • @Appleoddity is correct - an applied GPO overrides *any* local system setting. – Zac67 Jun 07 '18 at 18:14
  • Is the GPO actually applying the rule? What does a GPReport tell you? – Davidw Jun 08 '18 at 03:21
  • @Appleoddity Yes, I can see the rule in both the inbound and outbound rules in WinFW. This is what occurs in the event log when I look at the Windows Firewall events: Date: 5/25/2018 11:00:16 AM Event ID: 2011 Task Category: None Level: Information Keywords: User: LOCAL SERVICE Computer: Description: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. Reason:Inbound notifications are not enabled Application Path: E:\ibm\websphere\appserver\java\8.0\bin\java.exe – Grant C Jun 08 '18 at 16:51
  • @Davidw Yes, gpresult/rsop does confirm that the rule is applied. – Grant C Jun 08 '18 at 16:54
  • Apologies, here's a better example from the event log: Added Rule: Rule ID: UDP Query User{8C6B2819-E805-459B-9483-821B8B51D772}D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe Rule Name: Java(TM) Platform SE binary Origin: Local Active: Yes Direction: Inbound Profiles: Domain Action: Block Application Path: D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe Service Name: Protocol: UDP Security Options: None Edge Traversal: None Modifying User: NT SERVICE\MpsSvc Modifying Application: C:\Windows\System32\svchost.exe – Grant C Jun 08 '18 at 17:40

1 Answer

If I wanted to prove whether the Windows Firewall is dropping a connection, I would turn on logging. Open MMC and add the snap-in on the local machine for Windows Defender Firewall. You can right-click on the line item now and set properties for it. On the first page are the logging settings, where you can cause allowed AND denied connections to be logged and choose where the log file goes. Review this.

If this doesn't get you what you want, fire up Wireshark to capture the traffic that is actually happening. If you set your firewall rules properly like you are saying so, maybe traffic isn't actually getting to the server or there is some other failure like packet loss or fragmentation.

If all above checks out, check event logs for your application for reasons why it might decide not to respond.

manbearpig
  • Agreed. The Windows Firewall log, netstat, and the packet capture program of your choice are your friends in diagnosing suspected network issues. – joeqwerty Jun 08 '18 at 02:56
  • @manbearpig Yes, we have full logging enabled for WinFW, for example what I can see is that the event log shows that port 49248 was blocked by Windows Firewall, but in the Windows Firewall log I see that traffic being allowed both inbound and outbound. – Grant C Jun 08 '18 at 16:58
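The answer's logging step and the locally created "Query User" block rule from the question, as an added PowerShell example that is not code from the question, the answer or IBM; it assumes the NetSecurity module that ships with Server 2012 R2 and uses the javaw.exe path quoted in the question as its target (event ID 2004, "rule added", is not on the page; 2011 is the event shown in the comments).

```powershell
# Added example: list every effective firewall rule bound to one JRE binary,
# showing whether each rule came from a GPO or was created locally, then pull
# the matching audit events. $JavaPath is taken from the question; adjust it.
$JavaPath = 'D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe'

# ActiveStore is the merged policy that is actually enforced (GPO + local).
# Start from the application filter so only rules for this program are read.
$rules = Get-NetFirewallApplicationFilter -PolicyStore ActiveStore -Program $JavaPath |
    Get-NetFirewallRule

$rules |
    Select-Object DisplayName, Direction, Action, Enabled, Profile,
        PolicyStoreSourceType, PolicyStoreSource |
    Sort-Object Direction, Action |
    Format-Table -AutoSize

# A rule with PolicyStoreSourceType 'Local' and Action 'Block' whose name is
# "Java(TM) Platform SE binary" is the auto-generated block rule the question
# describes; a GPO allow rule shows the GPO name in PolicyStoreSource instead.
$localBlocks = $rules | Where-Object {
    $_.PolicyStoreSourceType -eq 'Local' -and $_.Action -eq 'Block'
}
if ($localBlocks) {
    Write-Warning ('{0} locally created block rule(s) found for {1}' -f @($localBlocks).Count, $JavaPath)
}

# Answer's first step: log both allowed and dropped packets on the Domain
# profile so pfirewall.log can be compared against the event log entries.
Set-NetFirewallProfile -Profile Domain -LogAllowed True -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Rule-added (2004) and blocked-application notification (2011) events from
# the firewall operational log, limited to this binary, first line of each.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004, 2011
} -MaxEvents 200 |
    Where-Object { $_.Message -like "*$JavaPath*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected server; a Local/Block row beside a GroupPolicy/Allow row for the same path is the condition the question describes, and the 2004 event timestamps show when the local rule appeared.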