Issue Configuring Windows Firewall Using GPO: Unable to enable logging & settings remain after removing GPO

  • Question

  • Hello,

    I am having two issues when attempting to configure firewall settings on Windows 7 clients in our domain.

    First:

    I am trying to turn on firewall logging for Windows 7 clients as part of a Group Policy Object. I am using the following resource as a reference point: http://technet.microsoft.com/en-us/library/cc742433.aspx

    I am having an unusual issue when attempting to log connections. Each time I uncheck the Not Configured box for the file save location and save the GPO, the box is checked again when I re-open the GPO.

    For example:

    After clicking on the Customize Setting for Logging I select:

    The default path for logging: %systemroot%\system32\logfiles\firewall\pfirewall.log
    Uncheck the box for Not Configured
    Leave the Size limit set to the default 4096
    Uncheck the box for Not Configured
    Set Log Dropped Packets: Yes
    Set Log Successful Connections: Yes

    When I reopen the GPO all settings remain except:

    The default path for logging: %systemroot%\system32\logfiles\firewall\pfirewall.log
    Not Configured is now checked

    I have also noticed some other unusual behavior from this GPO. The GPO applies a few specific firewall rules to clients, such as allowing FTP communication to specific servers. If I remove servers from the computer group receiving the GPO and/or unlink the GPO, the GPO's settings continue to apply to the clients. The only way I am able to remove the applied firewall settings is to remove the computers from the domain.

    Any suggestions on these issues would be appreciated.

    Thank You,

    Tuesday, March 15, 2011 4:43 PM

Answers

  • Hi,

    For the first issue, you said "Uncheck the box for Not Configured" and "Not Configured is now checked"; could you clarify? Did you enable the policy, but it changed to "Not Configured" automatically after reopening the GPO? Did you configure the GPO on a DC or a member server? Does the issue occur on only one DC or member server? Please check. What is the effect on the client side?

    For the second issue, the settings should be defined via the following node:

    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall

    The settings should be saved under the following registry key on the client:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

    This issue can be caused by the registry settings remaining although the GPO is removed or unlinked; please check it on your side. You can change or remove the registry keys on one client as a test; if that works, you can deploy the change to multiple machines via Group Policy.

    Thanks.
    Nina

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, March 18, 2011 4:47 PM
    Moderator

All replies

  • When I reopen the GPO all settings remain except:

    The default path for logging: %systemroot%\system32\logfiles\firewall\pfirewall.log
    Not Configured is now checked

    I experience exactly the same issue: when I try to enable firewall logging via Group Policy, I untick the "Not Configured" box for the log file name, and when I close the dialog and reopen it the box is checked again.

    This behaviour can be reproduced both in GPEdit (local policy) and GPMC (domain policy). As a consequence, no logs are created.

    Any help would be appreciated!

    Thank You!


    Wednesday, March 30, 2011 10:13 AM
  • I have the same issue.  I enter the log file name,  click OK, re-enter the customized logging screen and not configured is now checked and the file name I just entered is greyed out.

    The GPO is enabled and works fine for the other firewall settings.

    Ws2K3Sp2 DCs

    Installed the WS2K8 Group Policy Management app on 2 Win7 PCs. Both installations of GPM exhibit this issue when editing the firewall GPO. These GPM apps work fine for our other W7 GPOs. Have pointed one GPM to another DC and tried again. Same result. Not Configured is checked. On client Win7 PCs, I view the Windows Firewall GUI for the firewall log file name and location; they exhibit the default firewall log name and location. But that is expected, as Apply local firewall rules is asserted (for now).

    On a side note:

      - On the local PC, tried blanking out the firewall log file name, but it won't accept a blank field.

      - Where does the OS keep the firewall log file name that's actually used? Didn't find it under HKLM\Software\Policies\Microsoft\Windows Firewall\

    If there are any other tests I should run, let me know.

    Thanks for your time!

    Wednesday, April 6, 2011 8:52 PM
  • I also saw this same issue where the "not configured" box won't stay unchecked after hitting OK.  I saw it when editing both domain and local policies using Windows 7.

    I then tried to set the option directly in the local machine's advanced firewall options with no group policy applied, but the box is not there at all. It seems like the firewall logging is actually enabled when you turn on the dropped/successful logging, and this extra "not configured" check box in group policy doesn't correspond to a real local option.

    I found that logging is working with this policy applied, even though the "not configured" box is checked in the policy.  I thought I'd post my findings for others since this looks like a confusing UI bug that doesn't actually impact functionality.

    Andrew


    Friday, April 15, 2011 1:12 AM
  • Hi,

    (snip)

    the settings should be defined via the following node:

    Computer Configuration > Administrative Templates > Network > Network connections > Windows Firewall

    (snip)

    Thanks.
    Nina

    I think that what you are referring to is the "old" (Windows XP) GPO node. As you can see, there are only "Domain Profile" and "Standard Profile".

    The "new" (Vista/Win 7) GPO node is found under

    Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall With Advanced Security/(long LDAP Name)

    As you will see, there are now three profiles: Domain, Private, Public.

    I totally agree with the OP, and I would add that:

    • the behaviour of the GPO GUI is bizarre, as the settings do not "stick"
    • if you specify an alternate location, no log file is created at that location
    • it appears that the events are actually put in the Windows Event Log (security) instead, and they fill it up, pronto!
    • You need to specify in your GPO not to log in the Windows Event Log under Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Configuration/Object Access

    HTH - I wish that the alleged "Unmark as Answer" button actually existed!


    --Aargh!
    Thursday, June 2, 2011 7:30 PM
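    The reply above says the entries end up in the Security event log rather than in a text file, and that the fix is the Object Access audit policy. The following script is an added example (not from any post in this thread) for checking that on a client before touching the GPO: it queries the two Windows Filtering Platform audit subcategories with auditpol, counts the WFP audit events (5152/5157 for drops, 5156/5158 for permits) already written in the last hour, and, with the script's own -Disable switch, turns the subcategories off locally. It assumes an elevated PowerShell 2.0 prompt on Windows 7 / Server 2008 R2; the subcategory names and event IDs are the built-in ones. Note that if a domain GPO defines Advanced Audit Policy, the local auditpol change is overwritten at the next policy refresh, so the lasting fix is the GPO change the reply describes.

```powershell
# Added example, not part of the original thread.
# Check whether Windows Filtering Platform auditing (not the pfirewall.log
# text file) is what is filling the Security log, and optionally switch it off.
# Assumes an elevated prompt on Windows 7 / Server 2008 R2 (PowerShell 2.0).
# -Disable is this script's own switch, not a Windows option.
param([switch]$Disable)

# Built-in Object Access subcategories that produce the WFP audit events.
$subcategories = 'Filtering Platform Packet Drop', 'Filtering Platform Connection'

# 1. Current effective audit setting for the two subcategories.
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}

# 2. How many WFP audit events the Security log received in the last hour.
#    5152 = packet dropped, 5157 = connection blocked,
#    5156 = connection permitted, 5158 = bind permitted.
$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 5152, 5156, 5157, 5158; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        Write-Host ("Event {0}: {1} entries in the last hour" -f $_.Name, $_.Count)
    }
} else {
    Write-Host "No WFP audit events (5152/5156/5157/5158) in the last hour."
}

# 3. Local equivalent of the GPO setting under
#    Advanced Audit Policy Configuration > Object Access.
if ($Disable) {
    foreach ($sub in $subcategories) {
        auditpol /set /subcategory:"$sub" /success:disable /failure:disable
    }
    Write-Host "WFP auditing disabled locally; a domain audit GPO will re-apply at refresh."
}
```

    Run it once without the switch to see whether the subcategories are actually enabled and how fast events are arriving; if the counts are large, disabling "Filtering Platform Connection" (the permit events) usually makes the biggest difference, since 5156 fires for every allowed connection.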
  • I know this is an old dead thread, but I thought I would share my solution. I realized after importing a default policy where the logging was set, it would not let me change it under Computer Configuration/Security Settings/Windows Firewall with Advanced Protection/Windows Firewall with Advanced Protection. However, there is another policy under Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile (or Standard Profile) which overrides the "Security Settings" object. Check that "Allow Logging" under the Administrative Templates to see if there is a setting configured, because this overrides the "Security Settings" object.
    Monday, March 28, 2016 4:51 PM
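    Three posts in this thread point at the same place: Nina's answer (check and, as a test, remove leftover values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall), the question "Where does the OS keep the firewall log file name that's actually used?", and the last post's note that the Administrative Templates logging policy wins over the Security Settings node. The script below is an added example (not from any of the posts) that shows all of that on one Windows 7 client in one run: for each profile it prints the logging values written by policy next to the values the firewall service is actually running with, then shows the merged result as netsh reports it, and with the script's own -RemovePolicy switch deletes the leftover policy logging values and refreshes policy, which is the per-client test Nina suggests. It assumes an elevated PowerShell 2.0 prompt; the two registry roots are the policy location (shared by the legacy Administrative Templates node and the Windows Firewall with Advanced Security node) and the firewall service's own settings store, and the firewall service stores the private profile under the name StandardProfile, so PrivateProfile shows as not set on the local side.

```powershell
# Added example, not part of the original thread.
# Compare firewall logging settings delivered by Group Policy with the
# settings the Windows 7 firewall service is actually using, then show the
# effective result via netsh. Optionally remove leftover policy values.
# Assumes an elevated PowerShell 2.0 prompt. -RemovePolicy is this
# script's own switch.
param(
    [switch]$RemovePolicy   # delete leftover logging policy values, then gpupdate
)

# Value names used under <Profile>\Logging in both registry locations.
$logValues = 'LogFilePath', 'LogFileSize', 'LogDroppedPackets', 'LogSuccessfulConnections'

# Where Group Policy writes firewall settings. The legacy Administrative
# Templates node knows only DomainProfile and StandardProfile; the
# "Windows Firewall with Advanced Security" node also writes
# PrivateProfile and PublicProfile. Both land under this key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Where the firewall service keeps the settings it is actually running with
# (the private profile is stored here as StandardProfile).
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$profiles = 'DomainProfile', 'StandardProfile', 'PrivateProfile', 'PublicProfile'

# Read the logging values present under one registry key into a hashtable.
function Read-LoggingValues([string]$keyPath) {
    $result = @{}
    if (Test-Path $keyPath) {
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        foreach ($name in $logValues) {
            if ($props -ne $null -and $props.PSObject.Properties[$name]) {
                $result[$name] = $props.$name
            }
        }
    }
    return $result
}

# 1. Policy-delivered values next to the service's own values, per profile.
foreach ($profile in $profiles) {
    $policy = Read-LoggingValues "$policyRoot\$profile\Logging"
    $local  = Read-LoggingValues "$localRoot\$profile\Logging"
    Write-Host "== $profile =="
    foreach ($name in $logValues) {
        $p = if ($policy.ContainsKey($name)) { $policy[$name] } else { '(not set)' }
        $l = if ($local.ContainsKey($name))  { $local[$name]  } else { '(not set)' }
        Write-Host ("  {0,-25} policy: {1,-50} local: {2}" -f $name, $p, $l)
    }
}

# 2. The merged configuration the firewall is using, as netsh reports it.
Write-Host "`n== Effective logging settings (netsh advfirewall) =="
netsh advfirewall show allprofiles |
    Select-String -Pattern 'Profile Settings|LogAllowedConnections|LogDroppedConnections|FileName|MaxFileSize'

# 3. Nina's test: strip leftover policy logging values on this one client
#    and refresh policy, so the service falls back to its local settings.
if ($RemovePolicy) {
    foreach ($profile in $profiles) {
        $key = "$policyRoot\$profile\Logging"
        if (Test-Path $key) {
            Write-Host "Removing logging policy values under $key"
            Remove-ItemProperty -Path $key -Name $logValues -ErrorAction SilentlyContinue
        }
    }
    gpupdate /target:computer /force
}
```

    If the policy column shows a LogFilePath under DomainProfile or StandardProfile while the WFAS-node GPO is not configured for that profile, the value came from the Administrative Templates policy the last post describes, and that is what the Security Settings node is losing to. If the policy column is populated after the GPO has been unlinked, those are the stale values Nina refers to, and a run with -RemovePolicy followed by a fresh comparison shows whether removing them is enough.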