I don't really know nmap, but for the Windows Firewall log, you should be able 
to change the size limit in the same area where you enabled it to log dropped 
packets - I have ours set at 4096 KB.  If it's grayed out, something is overriding 
from policies.

Any chance you changed the location of the pfirewall.log file?  If so, check 
permissions to make sure it can be written by the service.

Also, any drops that are logged to the file also end up in the security event 
log, so you might be able to search there.


From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, March 17, 2011 10:10 AM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

I am not seeing dropped packets from my NMAP scans, in the Windows Firewall Log.

The default is to block incoming connections that don't have a rule written, so 
I should be seeing the drops, when I have both connections and dropped packets 
logging.  That and the 32K limit on the firewall log kinda puts a damper on 
things.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Miller Bonnie L. [mailto:[email protected]]
Sent: Thursday, March 17, 2011 12:07 PM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

Maybe I misunderstood what you're not seeing.  Are you saying that you are not 
seeing dropped packets in the nmap firewall log, scanning from your 
workstation?  But, are you seeing the dropped packets in the windows 
pfirewall.log, local to the server?

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, March 17, 2011 6:00 AM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

Yep, it is the NIC accordingly, what I am trying to ascertain is why I don't 
see the dropped packets when I do my NMAP scans which would validate that the 
Firewall Inbound and Outbound rules are working.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Miller Bonnie L. [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 3:46 PM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

Under control panel, Network & Sharing Center, can you confirm that NIC is 
actually using the domain profile and not a different one?

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 9:08 AM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

Also turned off the firewall on the domain profile, still didn't make a 
difference. Still can't see the ports open from an Nmap scan, and I can't see 
any packets dropped on the firewall logs which I should be able to see.

I have inbound connections that don't match a rule are dropped. The Default 
settings for inbound connections are block on the Firewall with Advanced 
settings. I am logging both successful and blocked connections.

Any other ideas?

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 11:45 AM
To: NT System Admin Issues
Subject: RE: Windows Firewall question WIndows 2008 R2

Even allowing ALL IP's from the  for the rule doesn't seem to help show that 
port as open.

Under scope Local IP's I selected all, and under remote IP's I selected all 
(should allow any IP to talk to this server locally and process to talk to any 
remote IP), if I am reading it right.

Z



Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 11:36 AM
To: NT System Admin Issues
Subject: Windows Firewall question WIndows 2008 R2


I am following the documentation for getting the firewall rule for an 
application (Inbound port and Outbound Server) to work and verify that packets 
from any other host are dropped.

We are utilizing the Domain Profile, and I have turned on logging for the 
Domain Profile and created the Pfirewall.log, but I am doing an 
NMAP scan from my PC and not getting any dropped packets in the firewall log.

All I have in place right now is an inbound packet rule that allows port X on 
the local host (its IP) to talk to port X on the remote host on its IP.

So for local IP I put the IP address of my Windows 2008 R2 SP1 system and for the 
remote host I put the IP address of the remote system. Do I need to add an 
equal rule to the outbound rules on the R2 host to get the 2-way communication 
to work, or is it smart enough to do stateful packet inspection and if inbound 
is allowed allow the equal and opposite to outbound?

Ideas?
Z




Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
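
Added example, not part of the original thread: one way to check whether a scan actually produced drop entries is to parse pfirewall.log by its `#Fields` header and count DROP lines from the scanning host. The sample log is constructed (documentation-range addresses), the column layout is assumed to match the header shown, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout; all addresses are placeholders.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-03-17 10:02:11 DROP TCP 192.0.2.10 192.0.2.50 51514 135 44 S 1203941 0 1024 - - - RECEIVE
2011-03-17 10:02:11 DROP TCP 192.0.2.10 192.0.2.50 51514 445 44 S 1203941 0 1024 - - - RECEIVE
2011-03-17 10:02:12 ALLOW TCP 192.0.2.10 192.0.2.50 51520 8080 0 - 0 0 0 - - - RECEIVE
2011-03-17 10:02:13 DROP UDP 192.0.2.77 192.0.2.255 137 137 78 - - - - - - - RECEIVE
2011-03-17 10:02:14 DROP TCP 192.0.2.10 192.0.2.50 51514 445 44 S 1203941 0 1024 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#"):
            continue
        elif fields:
            values = line.split()
            # Skip lines cut short when the log hit its size limit.
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def drops_from(text, scanner_ip):
    """Count DROP entries per (protocol, destination port) for one source IP."""
    counts = Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] == "DROP" and entry["src-ip"] == scanner_ip:
            # dst-port stays a string because non-TCP/UDP entries log "-".
            counts[(entry["protocol"], entry["dst-port"])] += 1
    return counts


if __name__ == "__main__":
    for (proto, port), n in sorted(drops_from(SAMPLE_LOG, "192.0.2.10").items()):
        print(f"{proto}/{port}: {n} dropped")
```

An empty result for the scanner's address while other sources do show drops points at the logging profile or the log path rather than at the rule itself.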
