Monitor Windows Firewall status

Is anyone monitoring whether the local Windows firewall has been turned off on SCOM monitored servers, and if so how? Is there a nice and easy PowerShell oneliner I could implement?

Thanks!

1 Like

Hey Peter,

I had the same idea and tried very hard. Finally I gave up. Here is why:
In our environment with use GPOs to for firewall rules

I only know that you can get some details about the firewall when running the following command:

netsh advfirewall show allprofiles

When testing I found that this command doesn’t give reliable information. - Please try it yourself and let me know if it works.

In case it works fine for you, I can help you with a PowerShell script that you can use in the PowerShell.Community.MP.

Best regards

Ruben

1 Like

Query the registry?
Something like this? (tested on win2016):

PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile).EnableFirewall

PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall

PS>(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile).EnableFirewall

Thx&Rgds - M.

2 Likes

Hi Marcus,

do these values change when you disable the firewall? - E.g. if you disable the public profile for instance, how will those registry values look like?

Ruben

1 Like

On 2016, yes (did not test other OS versions, but I’m assuming it’s probably similar, if not the same).

Enabled returns 1
Disabled returns 0

Note: the StandardProfile key is the key for the Private Profile in the GUI

Thx&Rgds - M.

1 Like

Another thing I have been trying to get an alert for regarding firewall status. Is what profile that is active. We had a problem when some machines entered public-network instead of domain. And then the firewall rules was all wrong for that computer.

Thanks Marcus, used this and the Community PowerShell management pack to create a 2 state monitor.

Hi All, I’ve updated my Windows Domain firewall monitor, it’s a bit crude but it seems to work:

param([string]$Arguments)

$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

#get Windows Domain FW state from Registry
$FWState=(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall
$PropertyBag.AddValue("FWState",$fwstate)

$fwoff = Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.Id -eq 2003 -and $_.Message -clike "*Enable*" -and $_.Message -clike "*No*"}
$SID = $fwoff.properties.value.value
$objSID = New-Object System.Security.Principal.SecurityIdentifier($SID)
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$PropertyBag.AddValue("username: ", $objUser.Value)
             
# Send output to SCOM
$PropertyBag

Unhealthy Expression is:
Property[@Name=‘FWState’] Equals 0
Healthy Expression is:
Property[@Name=‘FWState’] Equals 1

Alert description is:
'The Windows Firewall (Domain) has been disabled by $Data/Context/Property[@Name='username: ']$

This is calculated by a customer monitor using a PowerShell Script that queries the registry every 15 minutes for the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall.’

looks like:

1 Like