
Computer Protection: firewall log file

xwim W/ Alumni Posts: 13 Security Scout

Hello,

 

How can I identify which rule in the PSB portal/profile/firewall is responsible for the block action?

 

In the log file I have numbers like [1070.5f94]


 

Where can I find it in the PSB portal?

 


Comments

  • fedool
    fedool W/ Staff, W/ Article Coordinator Posts: 162 W/ Staff

    What is the name of a filter in Blocks.log?

    Filter names are provided by Windows Firewall and do not always have the same name as the one you define in the profile editor.

    For instance, I just created the rule "Test block skype" and got this in Blocks.log (note that the name of the filter is the same as the one I used in the portal):

    2018-09-10 14:08:00.960 [62fc.5e50]  I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: Test Block skype, . Dropped by layer: ALE Connect v4 Layer. Direction: outbound. Local port: 61537. Remote port: 5061. IPv4 local address: N.N.N.N. IPv4 remote address: N.N.N.N. Application: \device\harddiskvolume4\...\lync.exe

     

     

    If the name does not match, then to guess which rule blocked it you would need to check the other parameters, such as ports, IP addresses and Application, and try to map them to one of the rules in the currently selected firewall profile.
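The mapping described in the answer above, as an added example that is not part of the original thread or of the product: it parses Blocks.log lines in the format quoted there and lists the rules that could have produced each drop. The rule list, its field names, the IP addresses and the "Unnamed filter" line are constructed assumptions; the portal's real rule schema is not shown on this page.

```python
import re

# Field layout taken from the Blocks.log line quoted in the answer above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[(?P<ids>[0-9a-f]+\.[0-9a-f]+)\]\s+\w: "
    r"Type: (?P<type>\w+)\. Dropped by filter: (?P<filter>.*?), \. "
    r"Dropped by layer: (?P<layer>.*?)\. Direction: (?P<direction>\w+)\. "
    r"Local port: (?P<lport>\d+)\. Remote port: (?P<rport>\d+)\. "
    r"IPv4 local address: (?P<laddr>\S+)\. IPv4 remote address: (?P<raddr>\S+)\. "
    r"Application: (?P<app>.*)$"
)

# Constructed rules; field names are hypothetical, None means "any".
RULES = [
    {"name": "Test block skype", "direction": "outbound", "remote_port": 5061, "app": "lync.exe"},
    {"name": "Block telnet", "direction": "outbound", "remote_port": 23, "app": None},
    {"name": "Block SIP", "direction": "outbound", "remote_port": 5061, "app": None},
]

# Constructed sample lines (documentation IP ranges, path elided as on the page).
NAMED = (r"2018-09-10 14:08:00.960 [62fc.5e50]  I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. "
         r"Dropped by filter: Test Block skype, . Dropped by layer: ALE Connect v4 Layer. "
         r"Direction: outbound. Local port: 61537. Remote port: 5061. "
         r"IPv4 local address: 192.0.2.10. IPv4 remote address: 198.51.100.7. "
         r"Application: \device\harddiskvolume4\...\lync.exe")
UNNAMED = NAMED.replace("Test Block skype", "Unnamed filter")

def parse(line):
    """Return the fields of one drop event, or None if the line has another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["lport"], ev["rport"] = int(ev["lport"]), int(ev["rport"])
    ev["app_name"] = ev["app"].rsplit("\\", 1)[-1].lower()
    return ev

def candidates(ev, rules):
    """Prefer a case-insensitive filter-name match; otherwise match on the other fields."""
    by_name = [r for r in rules if r["name"].lower() == ev["filter"].lower()]
    if by_name:
        return by_name
    return [r for r in rules
            if r["direction"] == ev["direction"]
            and r["remote_port"] in (None, ev["rport"])
            and r["app"] in (None, ev["app_name"])]

if __name__ == "__main__":
    for line in (NAMED, UNNAMED):
        ev = parse(line)
        print(ev["filter"], "->", [r["name"] for r in candidates(ev, RULES)])
```

When the fallback returns more than one rule, the log fields alone do not identify the rule, and the remaining candidates have to be narrowed down in the profile itself.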

This discussion has been closed.