none
Firewall Drops Connections without active blocking rule

    שאלה

  • Hello,

    in my company we use GPOs to configure our Windows 7 Firewall. In the Domain Profile, inbound and outbound traffic is completely open, except some special definied ports because we limited the hole domain traffic to the internet with an external hw firewall.

    Now sometimes (i guess about every 10-30 minutes) the problem occurs, that the DFW drops connections from the application "Hummingbird Exceed" (in different versions) . These connections where running without problems before and then suddenly one of the connections get dropped with an entry in the windows event log and the firewall log. In this entry you can see, that a port got blocked, which isn't defined in the firewall to be blocked. How is it possible that a connection got dropped when theres no rule for that action and the inbound and outbound traffic is allowed?

    Extract from the logs

    Windows Firewall:

    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

    2012-02-15 12:27:46 DROP TCP %srcip% %dstip% 57095 6000 41 AP 3803115154 1212165392 8820 - - - RECEIVE
    2012-02-15 12:27:47 DROP TCP %srcip% %dstip% 55858 6000 41 AP 3495703269 2868133190 8820 - - - RECEIVE

    Windows 7 Log:

    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="x/>
      <EventID>5152</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12809</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2012-02-15T11:20:13.215441600Z" />
      <EventRecordID>1708391</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="56" />
      <Channel>Security</Channel>
      <Computer>x</Computer>
      <Security />
      </System>
    - <EventData>
      <Data Name="ProcessId">4784</Data>
      <Data Name="Application">\device\harddiskvolume3\program files (x86)\hummingbird\connectivity\13.00\exceed\exceed.exe</Data>
      <Data Name="Direction">%%14592</Data>
      <Data Name="SourceAddress">x</Data>
      <Data Name="SourcePort">59954</Data>
      <Data Name="DestAddress">x</Data>
      <Data Name="DestPort">6000</Data>
      <Data Name="Protocol">6</Data>
      <Data Name="FilterRTID">0</Data>
      <Data Name="LayerName">%%14610</Data>
      <Data Name="LayerRTID">44</Data>
      </EventData>
      </Event>

    יום רביעי 15 פברואר 2012 12:28

כל התגובות

  • Hi,
     
    I suggest you follow the steps below to check if the application has been enabled in Domain in Windows Firewall.
    1.       Click Start, click Control.
    2.       Open Windows Firewall, click Allow a program or feature through Windows Firewall.
     
    Please check if the application has been checked in Domain.
     
    If the application has been enabled in Windows Firewall, please temporarily disable Windows Firewall and check if the issue persists.
     

    I would like to share with you a useful article for your reference:

    http://blogs.technet.com/b/instan/archive/2009/01/08/the-windows-filtering-platform-has-blocked-a-bind-to-a-local-port.aspx


    Best regards,
    Della Li

    שבת 18 פברואר 2012 14:14
  • Hello Della Li,

    thank you for your answer. I did multiplie tests now and as result, one connection is still dropped after about 13 minutes, even if i allow every traffic in the wdf in and outgoing and have one additional allow rule for the specific port and no other rules (active or inactive). Curiously only one connection is been dropped even if i let the system running about 20 hours with multiple active connections.

    יום חמישי 23 פברואר 2012 08:35
  • As we discovered, the service netprofm causes the trouble or is involved. The error also only appears on laptops with Intel network cards. No Problems on Desktops or VMWare (maybe Intel Anti Theft?). It looks like the service switches the network profile from domain to public and back. All except some Exceed connections where reestablished. Also some updater processes were restartet what can be seen in the event log (e.g. Adobe Updater)

    We are not really sure, how to act now. An idea was to disable the netprofm service while exceed is startet (which prevents the appearance of the Problem) and restart the service after the exceed.exe process is killed. Other way would be the complete deactivation of this service for affected clients what on the other hand means, they can't see their network status anymore. I didn't find out any other cons of this step especially because only ~8 Clients are affected.

    Does someone has additions to these conclusions?

    יום רביעי 08 אוגוסט 2012 09:25