Windows Server 2008 R2 Firewall does not log dropped packets from a Block / Deny Rule

  • Question

  • We have a GPO which applies a simple firewall rule to a 2008 R2 server to block TCP / ICMPv4 Time Exceeded (TTL=0) packets. The default inbound rule action is to allow all other traffic. (We have an application that crashes on receipt of a TTL = 0 condition.)

    Logging is switched on using the default log location and size, and "Log dropped packets" is set to Yes.

    I have checked the security on the log file and also toggled on "Log successful connections" to prove the log file is OK (it is).

    The rule works fine in every way except that it does not log anything when we receive the ICMPv4 Time Exceeded packet. I am expecting to see a DROP log for the IP that sent the packet, but nothing appears in the log.

    I am simulating the ICMP Time Exceeded (TTL = 0) by creating a network loop and running a trace route to the loop:

    Tracing route to 192.168.10.18 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  192.168.5.190
      2    <1 ms    <1 ms    <1 ms  192.168.8.5
      3    <1 ms    <1 ms    <1 ms  192.168.8.6
      4    <1 ms    <1 ms    <1 ms  192.168.8.5
      5    <1 ms    <1 ms    <1 ms  192.168.8.6

    I can see via Wireshark the Time Exceeded packet arrive on the interface:

    Internet Protocol Version 4, Src: 192.168.8.6 (192.168.8.6), Dst: 192.168.5.131 (192.168.5.131)
    Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (Time to live exceeded in transit)
    Checksum: 0xf4ff [correct]

    Why no DROP log, I guess, is the question?

    Thanks

    Paul

    Tuesday, December 2, 2014 9:10 AM

Answers

  • Hi Paul,

    According to the command result, the packet drop category is set to No auditing.

    Please run the command in this article below to enable auditing:

    Enable IPsec and Windows Firewall Audit Events

    http://technet.microsoft.com/en-us/library/cc754714(v=WS.10).aspx

    The command should be:

    Auditpol /Set /SubCategory:"Filtering Platform Packet Drop" /success:enable [/failure:enable]

    You can use /get option to check the current status afterwards.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 10, 2014 6:06 AM
    Moderator
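As an added example (not part of the original thread), the following PowerShell does what the answer above describes and then reads the audit events that result. It assumes an elevated prompt on the 2008 R2 host, the English subcategory name exactly as auditpol /get prints it, the standard Security-log event IDs 5152 (packet dropped by the Windows Filtering Platform) and 5157 (connection blocked by WFP), and the sender address 192.168.8.6 taken from the Wireshark capture in the question.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# on the 2008 R2 host (PowerShell 2.0 compatible). Assumptions: English
# subcategory name; event IDs 5152 (WFP packet dropped) and 5157 (WFP
# connection blocked); 192.168.8.6 is the router that sent the Time Exceeded
# message in the question's capture.

# 1. Turn on the audit subcategory the accepted answer names. A dropped packet
#    is recorded as a failure audit, so enable both success and failure.
$subcat = 'Filtering Platform Packet Drop'
auditpol /set /subcategory:"$subcat" /success:enable /failure:enable | Out-Null

# 2. Confirm it took. Expect "Success and Failure" in the Setting column.
auditpol /get /subcategory:"$subcat"

# 3. Reproduce the condition (tracert to the looped address from the question),
#    then pull the WFP drop/block events written since the policy change.
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 4. Flatten each event's EventData into a hashtable and keep ICMPv4 (IP
#    protocol 1) from the router. Direction %%14592 is inbound, %%14593 outbound.
$drops = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.Protocol -eq '1' -and $data.SourceAddress -eq '192.168.8.6') {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Direction   = $data.Direction
            Source      = $data.SourceAddress
            Destination = $data.DestAddress
            Protocol    = $data.Protocol
            FilterRTID  = $data.FilterRTID   # identifies the WFP filter that dropped it
            Layer       = $data.LayerName
        }
    }
}

if ($drops) { $drops | Format-Table Time, EventId, Direction, Source, Destination, FilterRTID, Layer -AutoSize }
else        { 'No WFP drop events for ICMPv4 from 192.168.8.6 in the last 10 minutes.' }
```

The FilterRTID is the useful part: `netsh wfp show filters` writes a filters.xml to the current directory, and searching it for that filterId shows which WFP filter (the GPO block rule, or something else entirely) took the drop. Note that this audit trail lands in the Security event log, not in pfirewall.log, so it tells you what dropped the packet even when the text log stays silent.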

All replies

  • Hi Paul,

    Please run Auditpol.exe on the local machine to see how audit policy settings are configured.

    For example, we can run:

    Auditpol /get /user:username /category:*

    If the corresponding audit policy is not configured, we can use Group Policy Management or the Auditpol /set option to configure it.

    More information for you:

    Auditpol

    http://technet.microsoft.com/en-us/library/cc731451.aspx

    Step 8: Enabling Firewall Logging

    http://technet.microsoft.com/en-us/library/cc754451(v=WS.10).aspx

    Best Regards,

    Amy

    Wednesday, December 3, 2014 4:54 AM
    Moderator
  • Hi Amy, thanks for the reply here is the output from the auditpol command:

    C:\Users\testuser1>auditpol /get /user:test\testuser1 /category:*
    No audit policy is defined for the user account.

    C:\Users\testuser1>auditpol /get /category:*
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        Success and Failure
      IPsec Driver                            No Auditing
      Other System Events                     Success and Failure
      Security State Change                   Success
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  Success
      Account Lockout                         Success
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   Success and Failure
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     Success
      Authentication Policy Change            Success
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 Success
      Computer Account Management             Success
      Security Group Management               Success
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                Success
    Account Logon
      Kerberos Service Ticket Operations      Success
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         Success
      Credential Validation                   Success

    C:\Users\testuser1>

    The pfirewall log file does log okay when I enable "Log successful connections"

    2014-12-01 16:49:26 ALLOW TCP 192.168.5.131 192.168.5.1 50293 389 0 - 0 0 0 - - - SEND
    2014-12-01 16:49:26 ALLOW TCP 192.168.5.131 192.168.5.159 50294 445 0 - 0 0 0 - - - SEND
    2014-12-01 16:49:26 ALLOW UDP 192.168.5.131 192.168.5.159 62334 53 0 - - - - - - - SEND
    2014-12-01 16:49:27 ALLOW UDP 192.168.5.131 192.168.5.159 63254 53 0 - - - - - - - SEND

    I have followed the 'Enabling Firewall Logging' document (apart from the netsh diagnostics) and it all checks out okay.

    Thanks & regards

    Paul

    Wednesday, December 3, 2014 8:55 AM
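An added example (not part of the original thread) for checking the two things the "Enabling Firewall Logging" step covers: the logging settings in force for each profile, and the contents of pfirewall.log. It assumes the default log path and the standard W3C-style field layout seen in the log excerpt above. The sample lines fed to the parser are constructed here (two copied from the excerpt plus one hypothetical DROP line) to show what a logged ICMPv4 type 11 drop from 192.168.8.6 would look like; the function can be pointed at the real file instead.

```powershell
# Added example, not from the original thread. Assumes the default log path and
# the standard pfirewall.log layout (17 whitespace-separated columns, W3C style).
# The sample lines below are constructed for illustration; the DROP line is what
# an ICMPv4 type 11 (Time Exceeded) drop from 192.168.8.6 would look like.

# 1. Logging settings per profile as the firewall service sees them. With a GPO
#    in force these are the values that count, not what a local snap-in shows.
netsh advfirewall show allprofiles |
    Select-String 'Profile Settings|LogAllowedConnections|LogDroppedConnections|FileName|MaxFileSize'

# 2. Parse pfirewall.log lines into objects (PowerShell 2.0 compatible).
$fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
          'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }          # header, comment or blank line
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -ne $fields.Count) { continue }     # malformed or truncated line
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj | Add-Member NoteProperty $fields[$i] $cols[$i]
        }
        $obj
    }
}

# Constructed sample: header, two ALLOW lines from the thread, one hypothetical DROP.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-12-01 16:49:26 ALLOW TCP 192.168.5.131 192.168.5.1 50293 389 0 - 0 0 0 - - - SEND
2014-12-01 16:49:26 ALLOW UDP 192.168.5.131 192.168.5.159 62334 53 0 - - - - - - - SEND
2014-12-01 16:49:30 DROP ICMP 192.168.8.6 192.168.5.131 - - 56 - - - - 11 0 - RECEIVE
'@ -split "`r?`n"

# Swap in the real file when running on the server:
# $sample = Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 3. Keep only dropped ICMPv4 Time Exceeded messages and show where they came from.
ConvertFrom-PfirewallLog $sample |
    Where-Object { $_.action -eq 'DROP' -and $_.protocol -eq 'ICMP' -and $_.icmptype -eq '11' } |
    Format-Table date, time, 'src-ip', 'dst-ip', icmptype, icmpcode, path -AutoSize
```

Only the profile that is currently active applies, so `netsh advfirewall show currentprofile` is the block to read when the three profiles differ. If the real log yields no such line while the Security-log audit does, the packet is being dropped by a filter whose drops the text log does not record, which is what the FilterRTID in the audit event is for.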