more formatting

Daniel Simpson 2020-08-12 17:03:33 -07:00
parent 847ebd5a2f
commit 8771fdd2ae


@ -122,8 +122,8 @@ The following shows the allow netEvent of the app connecting to the target IP.
The netEvent contains information about the packet including its local address, The netEvent contains information about the packet including its local address,
remote address, capabilities, etc. remote address, capabilities, etc.
```**Classify Allow netEvent, Wfpdiag-Case-1.xml** **Classify Allow netEvent, Wfpdiag-Case-1.xml**
```xml
\<netEvent\> \<netEvent\>
\<header\> \<header\>
> \<timeStamp\>2020-05-21T17:25:59.070Z\</timeStamp\> > \<timeStamp\>2020-05-21T17:25:59.070Z\</timeStamp\>
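Review bot: with the block now fenced as ```xml the markdown escapes survive verbatim, so the reader will see `\<netEvent\>` and `\<header\>` with their backslashes, and the `> ` at the start of the `<timeStamp>` line will print as a literal prompt character rather than a quote; inside a fenced block write `<netEvent>`, `<header>`, `<timeStamp>2020-05-21T17:25:59.070Z</timeStamp>` unescaped and without the leading `>`. The same escaping is present in every XML block this commit touches, so it is worth fixing across the file in one pass. Moving the `**Classify Allow netEvent, Wfpdiag-Case-1.xml**` caption out of the fence is right; before this change the stray ``` in front of it opened the code block on the caption line itself.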
@ -194,7 +194,7 @@ address according to the terminatingFiltersInfo in the netEvent. This packet was
allowed by Filter \#125918 which is from the InternetClient Default Rule. allowed by Filter \#125918 which is from the InternetClient Default Rule.
**InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml** **InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml**
``` ```xml
\<item\> \<item\>
> \<filterKey\>{3389708e-f7ae-4ebc-a61a-f659065ab24e}\</filterKey\> > \<filterKey\>{3389708e-f7ae-4ebc-a61a-f659065ab24e}\</filterKey\>
> \<displayData\> > \<displayData\>
@ -279,7 +279,7 @@ allowed by Filter \#125918 which is from the InternetClient Default Rule.
One condition is One condition is
**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** **Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**
``` ```xml
\<item\> \<item\>
> \<fieldKey\>FWPM_CONDITION_ALE_USER_ID\</fieldKey\> > \<fieldKey\>FWPM_CONDITION_ALE_USER_ID\</fieldKey\>
> \<matchType\>FWP_MATCH_EQUAL\</matchType\> > \<matchType\>FWP_MATCH_EQUAL\</matchType\>
@ -297,7 +297,7 @@ for INTERNET_CLIENT privileges.
From the netEvents capabilities section, From the netEvents capabilities section,
Capabilities from netEvent, Wfpdiag-Case-1.xml Capabilities from netEvent, Wfpdiag-Case-1.xml
``` ```xml
\<capabilities numItems="3"\> \<capabilities numItems="3"\>
> **\<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\</item\>** \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\</item\> > **\<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\</item\>** \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\</item\>
\<item\>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\</item\> \<item\>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\</item\>
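Review bot: the caption `Capabilities from netEvent, Wfpdiag-Case-1.xml` is the only one in this hunk set not wrapped in `**...**`, so it renders as plain text while the neighbouring captions render bold; conversely the `**` around the `FWP_CAPABILITIES_FLAG_INTERNET_CLIENT` item sits inside the fence and will show up as literal asterisks. Bold the caption, drop the asterisks inside the block, and call out the INTERNET_CLIENT flag in the sentence that follows the block instead. The same in-fence bold appears on the `<filterId>68893</filterId>` line of the Case 2 classifyDrop block further down.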
@ -321,7 +321,7 @@ The following is a drop netEvent that was captured in the traces during this
repro. repro.
**Classify Drop netEvent, Wfpdiag-Case-2.xml** **Classify Drop netEvent, Wfpdiag-Case-2.xml**
``` ```xml
\<netEvent\> \<netEvent\>
\<header\> \<header\>
\<timeStamp\>2020-03-30T23:53:09.720Z\</timeStamp\> \<timeStamp\>2020-03-30T23:53:09.720Z\</timeStamp\>
@ -395,7 +395,7 @@ UWP app was not configured with any capability tokens to allow it to connect to
a network. a network.
**Internal Fields from netEvent, Wfpdiag-Case-2.xml** **Internal Fields from netEvent, Wfpdiag-Case-2.xml**
``` ```xml
\<internalFields\> \<internalFields\>
\<internalFlags/\> \<internalFlags/\>
\<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\> \<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\>
@ -420,7 +420,7 @@ The netEvent also gives us information about the filter that explicitly dropped
this packet, like the FilterId, listed under classify drop this packet, like the FilterId, listed under classify drop
**Classify Drop from netEvent, Wfpdiag-Case-2.xml** **Classify Drop from netEvent, Wfpdiag-Case-2.xml**
``` ```xml
\<classifyDrop\> \<classifyDrop\>
**\<filterId\>68893\</filterId\>** **\<filterId\>68893\</filterId\>**
\<layerId\>50\</layerId\> \<layerId\>50\</layerId\>
@ -439,7 +439,7 @@ the packet was dropped by a Block Outbound Default Rule filter.
**Block Outbound Default Rule Filter \#68893, Wfpdiag-Case-2.xml** **Block Outbound Default Rule Filter \#68893, Wfpdiag-Case-2.xml**
``` ```xml
\<item\> \<item\>
> \<filterKey\>{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}\</filterKey\> > \<filterKey\>{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}\</filterKey\>
> \<displayData\> > \<displayData\>
@ -499,7 +499,7 @@ Server). The app is trying to connect to an Internet resource (bing.com), but
only has a private network token. Therefore, the packet will be dropped. only has a private network token. Therefore, the packet will be dropped.
**Classify Drop netEvent, Wfpdiag-Case-3.xml** **Classify Drop netEvent, Wfpdiag-Case-3.xml**
``` ```xml
\<netEvent\> \<netEvent\>
\<header\> \<header\>
\<timeStamp\>2020-03-31T16:57:18.570Z\</timeStamp\> \<timeStamp\>2020-03-31T16:57:18.570Z\</timeStamp\>
@ -576,7 +576,7 @@ In this example, the UWP app is unable to reach the Intranet target address,
10.50.50.50, because it does not have a Private Network capability. 10.50.50.50, because it does not have a Private Network capability.
**Classify Drop netEvent, Wfpdiag-Case-4.xml** **Classify Drop netEvent, Wfpdiag-Case-4.xml**
``` ```xml
\<netEvent\> \<netEvent\>
\<header\> \<header\>
> \<timeStamp\>2020-05-22T21:29:28.601Z\</timeStamp\> > \<timeStamp\>2020-05-22T21:29:28.601Z\</timeStamp\>
@ -653,7 +653,7 @@ In this example, the UWP app is unable to reach the Intranet target address,
10.1.1.1, even though it has a Private Network capability token. 10.1.1.1, even though it has a Private Network capability token.
**Classify Drop netEvent, Wfpdiag-Case-5.xml** **Classify Drop netEvent, Wfpdiag-Case-5.xml**
``` ```xml
\<netEvent\> \<netEvent\>
> \<header\> > \<header\>
> \<timeStamp\>2020-05-22T20:54:53.499Z\</timeStamp\> > \<timeStamp\>2020-05-22T20:54:53.499Z\</timeStamp\>
@ -727,7 +727,7 @@ The following shows the filter that blocked the event:
**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** **Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml**
``` ```xml
\<item\> \<item\>
> \<filterKey\>{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\</filterKey\> > \<filterKey\>{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\</filterKey\>
> \<displayData\> > \<displayData\>
@ -776,7 +776,7 @@ The following PrivateNetwork Outbound Default Rule filters have conditions for m
on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach. on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach.
**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** **PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml**
``` ```xml
\<item\> \<item\>
> \<filterKey\>{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\</filterKey\> > \<filterKey\>{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\</filterKey\>
> \<displayData\> > \<displayData\>
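Review bot: the context line above this hunk has `targetaddress` run together and `(MDM, GP, etc)` without its closing period; since the commit already touches this paragraph's fence, fix the wording to `the private target address you wanted to reach` and `(MDM, GP, etc.)` in the same change.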
@ -1021,11 +1021,11 @@ If you **do not** have a live repro or traces already collected, you can still
collect traces after the UWP network connectivity issue has happened by running collect traces after the UWP network connectivity issue has happened by running
these commands in an Admin command prompt these commands in an Admin command prompt
```xml
> \<Run UWP app\> > \<Run UWP app\>
> Netsh wfp show netevents > Netsh wfp show netevents
> Netsh wfp show state > Netsh wfp show state
```
“Netsh wfp show netevents” will generate netevents.xml, which contains the past “Netsh wfp show netevents” will generate netevents.xml, which contains the past
net events. “Netsh wfp show state” will generate wfpstate.xml, which contains net events. “Netsh wfp show state” will generate wfpstate.xml, which contains
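Review bot: `xml` is the wrong language tag for this block: the three lines are an Admin command prompt session (`Netsh wfp show netevents`, `Netsh wfp show state`), not XML, so tag the fence as a console/cmd block or leave it untagged. The `\<Run UWP app\>` placeholder will also render with its backslashes inside a fence; write it as `<Run UWP app>` or as a comment line. The curly quotes around the two commands in the sentence that follows should be straight quotes or backticks so the command text can be copied as typed.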
@ -1057,136 +1057,74 @@ In this example, the UWP app is unable to connect to bing.com.
Classify Drop Net Event, NetEvents-Case-7.xml Classify Drop Net Event, NetEvents-Case-7.xml
```xml
\<item\> \<item\>
\<header\> \<header\>
\<timeStamp\>2020-05-04T22:04:07.039Z\</timeStamp\> \<timeStamp\>2020-05-04T22:04:07.039Z\</timeStamp\>
\<flags numItems="9"\> \<flags numItems="9"\>
\<item\>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_APP_ID_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_APP_ID_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_USER_ID_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_USER_ID_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_IP_VERSION_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_IP_VERSION_SET\</item\>
\<item\>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\</item\> \<item\>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\</item\>
\</flags\> \</flags\>
\<ipVersion\>FWP_IP_VERSION_V4\</ipVersion\> \<ipVersion\>FWP_IP_VERSION_V4\</ipVersion\>
\<ipProtocol\>6\</ipProtocol\> \<ipProtocol\>6\</ipProtocol\>
\<localAddrV4\>10.195.36.30\</localAddrV4\> \<localAddrV4\>10.195.36.30\</localAddrV4\>
\<remoteAddrV4\>204.79.197.200\</remoteAddrV4\> \<remoteAddrV4\>204.79.197.200\</remoteAddrV4\>
\<localPort\>57062\</localPort\> \<localPort\>57062\</localPort\>
\<remotePort\>443\</remotePort\> \<remotePort\>443\</remotePort\>
\<scopeId\>0\</scopeId\> \<scopeId\>0\</scopeId\>
\<appId\> \<appId\>
\<data\>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\</data\> \<data\>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\</data\>
\<asString\>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. \<asString\>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\</asString\> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\</asString\>
\</appId\> \</appId\>
\<userId\>S-1-5-21-1578316205-4060061518-881547182-1000\</userId\> \<userId\>S-1-5-21-1578316205-4060061518-881547182-1000\</userId\>
\<addressFamily\>FWP_AF_INET\</addressFamily\> \<addressFamily\>FWP_AF_INET\</addressFamily\>
\<packageSid\>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\</packageSid\> \<packageSid\>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\</packageSid\>
\<enterpriseId/\> \<enterpriseId/\>
\<policyFlags\>0\</policyFlags\> \<policyFlags\>0\</policyFlags\>
\<effectiveName/\> \<effectiveName/\>
\</header\> \</header\>
\<type\>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\</type\> \<type\>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\</type\>
\<classifyDrop\> \<classifyDrop\>
\<filterId\>206064\</filterId\> \<filterId\>206064\</filterId\>
\<layerId\>48\</layerId\> \<layerId\>48\</layerId\>
\<reauthReason\>0\</reauthReason\> \<reauthReason\>0\</reauthReason\>
\<originalProfile\>1\</originalProfile\> \<originalProfile\>1\</originalProfile\>
\<currentProfile\>1\</currentProfile\> \<currentProfile\>1\</currentProfile\>
\<msFwpDirection\>MS_FWP_DIRECTION_OUT\</msFwpDirection\> \<msFwpDirection\>MS_FWP_DIRECTION_OUT\</msFwpDirection\>
\<isLoopback\>false\</isLoopback\> \<isLoopback\>false\</isLoopback\>
\<vSwitchId/\> \<vSwitchId/\>
\<vSwitchSourcePort\>0\</vSwitchSourcePort\> \<vSwitchSourcePort\>0\</vSwitchSourcePort\>
\<vSwitchDestinationPort\>0\</vSwitchDestinationPort\> \<vSwitchDestinationPort\>0\</vSwitchDestinationPort\>
\</classifyDrop\> \</classifyDrop\>
\<internalFields\> \<internalFields\>
\<internalFlags/\> \<internalFlags/\>
\<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\> \<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\>
\<capabilities/\> \<capabilities/\>
\<fqbnVersion\>0\</fqbnVersion\> \<fqbnVersion\>0\</fqbnVersion\>
\<fqbnName/\> \<fqbnName/\>
\<terminatingFiltersInfo numItems="2"\> \<terminatingFiltersInfo numItems="2"\>
\<item\> \<item\>
\<filterId\>206064\</filterId\> \<filterId\>206064\</filterId\>
\<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\</subLayer\> \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\</subLayer\>
\<actionType\>FWP_ACTION_BLOCK\</actionType\> \<actionType\>FWP_ACTION_BLOCK\</actionType\>
\</item\> \</item\>
\<item\> \<item\>
\<filterId\>206049\</filterId\> \<filterId\>206049\</filterId\>
\<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\</subLayer\> \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\</subLayer\>
\<actionType\>FWP_ACTION_PERMIT\</actionType\> \<actionType\>FWP_ACTION_PERMIT\</actionType\>
\</item\> \</item\>
\</terminatingFiltersInfo\> \</terminatingFiltersInfo\>
\</internalFields\> \</internalFields\>
\</item\> \</item\>
```
The Internal fields lists no active capabilities, and the packet is dropped at The Internal fields lists no active capabilities, and the packet is dropped at
filter 206064. filter 206064.
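Review bot: the sentence after this block should say why the result is a drop even though `terminatingFiltersInfo` also lists a permit: filter 206064 blocks in `FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH` while 206049 permits in `FWPP_SUBLAYER_INTERNAL_FIREWALL_WF`, and WFP arbitration across sublayers lets a block override a soft permit from another sublayer, which is why the `classifyDrop` element names 206064. Two smaller points: the caption `Classify Drop Net Event, NetEvents-Case-7.xml` is not bold like the others, and `The Internal fields lists no active capabilities` should read `The internalFields section lists no capabilities` since the element in the event is the empty `<capabilities/>`.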
@ -1198,385 +1136,207 @@ Security Descriptor doesnt match.
**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** **Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml**
```xml
\<item\> \<item\>
\<filterKey\>{f138d1ad-9293-478f-8519-c3368e796711}\</filterKey\> \<filterKey\>{f138d1ad-9293-478f-8519-c3368e796711}\</filterKey\>
\<displayData\> \<displayData\>
\<name\>Block Outbound Default Rule\</name\> \<name\>Block Outbound Default Rule\</name\>
\<description\>Block Outbound Default Rule\</description\> \<description\>Block Outbound Default Rule\</description\>
\</displayData\> \</displayData\>
\<flags/\> \<flags/\>
\<providerKey\>FWPM_PROVIDER_MPSSVC_WSH\</providerKey\> \<providerKey\>FWPM_PROVIDER_MPSSVC_WSH\</providerKey\>
\<providerData\> \<providerData\>
\<data\>2e65000000000000\</data\> \<data\>2e65000000000000\</data\>
\<asString\>.e......\</asString\> \<asString\>.e......\</asString\>
\</providerData\> \</providerData\>
\<layerKey\>FWPM_LAYER_ALE_AUTH_CONNECT_V4\</layerKey\> \<layerKey\>FWPM_LAYER_ALE_AUTH_CONNECT_V4\</layerKey\>
\<subLayerKey\>FWPM_SUBLAYER_MPSSVC_WSH\</subLayerKey\> \<subLayerKey\>FWPM_SUBLAYER_MPSSVC_WSH\</subLayerKey\>
\<weight\> \<weight\>
\<type\>FWP_EMPTY\</type\> \<type\>FWP_EMPTY\</type\>
\</weight\> \</weight\>
\<filterCondition numItems="1"\> \<filterCondition numItems="1"\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_ALE_PACKAGE_ID\</fieldKey\> \<fieldKey\>FWPM_CONDITION_ALE_PACKAGE_ID\</fieldKey\>
\<matchType\>FWP_MATCH_NOT_EQUAL\</matchType\> \<matchType\>FWP_MATCH_NOT_EQUAL\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_SID\</type\> \<type\>FWP_SID\</type\>
\<sid\>S-1-0-0\</sid\> \<sid\>S-1-0-0\</sid\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\</filterCondition\> \</filterCondition\>
\<action\> \<action\>
\<type\>FWP_ACTION_BLOCK\</type\> \<type\>FWP_ACTION_BLOCK\</type\>
\<filterType/\> \<filterType/\>
\</action\> \</action\>
\<rawContext\>0\</rawContext\> \<rawContext\>0\</rawContext\>
\<reserved/\> \<reserved/\>
\<filterId\>206064\</filterId\> \<filterId\>206064\</filterId\>
\<effectiveWeight\> \<effectiveWeight\>
\<type\>FWP_UINT64\</type\> \<type\>FWP_UINT64\</type\>
\<uint64\>274877906944\</uint64\> \<uint64\>274877906944\</uint64\>
\</effectiveWeight\> \</effectiveWeight\>
\</item\> \</item\>
```
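Review bot: the prose introducing this filter (the hunk context reads `Security Descriptor doesnt match`, which needs an apostrophe) should spell out what the block actually is: its single condition is `FWPM_CONDITION_ALE_PACKAGE_ID` `FWP_MATCH_NOT_EQUAL` `S-1-0-0`, i.e. any app container package SID other than the NULL SID, with no capability or address condition, and the action is `FWP_ACTION_BLOCK` in `FWPM_SUBLAYER_MPSSVC_WSH`. It is the catch-all that drops every app-container connection that no higher-weight capability permit filter in the same sublayer claimed, which is why a missing capability token surfaces as this filter ID rather than as a capability-specific deny.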
## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities ## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities
In this example, the UWP app successfully connects to bing.com [204.79.197.200]. In this example, the UWP app successfully connects to bing.com [204.79.197.200].
**Classify Allow Net Event, NetEvents-Case-8.xml** **Classify Allow Net Event, NetEvents-Case-8.xml**
```xml
\<item\> \<item\>
> \<header\> > \<header\>
> \<timeStamp\>2020-05-04T18:49:55.101Z\</timeStamp\> > \<timeStamp\>2020-05-04T18:49:55.101Z\</timeStamp\>
> \<flags numItems="9"\> > \<flags numItems="9"\>
> \<item\>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_APP_ID_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_APP_ID_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_USER_ID_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_USER_ID_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_IP_VERSION_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_IP_VERSION_SET\</item\>
> \<item\>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\</item\> > \<item\>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\</item\>
> \</flags\> > \</flags\>
> \<ipVersion\>FWP_IP_VERSION_V4\</ipVersion\> > \<ipVersion\>FWP_IP_VERSION_V4\</ipVersion\>
> \<ipProtocol\>6\</ipProtocol\> > \<ipProtocol\>6\</ipProtocol\>
> \<localAddrV4\>10.195.36.30\</localAddrV4\> > \<localAddrV4\>10.195.36.30\</localAddrV4\>
> \<remoteAddrV4\>204.79.197.200\</remoteAddrV4\> > \<remoteAddrV4\>204.79.197.200\</remoteAddrV4\>
> \<localPort\>61673\</localPort\> > \<localPort\>61673\</localPort\>
> \<remotePort\>443\</remotePort\> > \<remotePort\>443\</remotePort\>
> \<scopeId\>0\</scopeId\> > \<scopeId\>0\</scopeId\>
> \<appId\> > \<appId\>
> \<data\>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\</data\> > \<data\>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\</data\>
> \<asString\>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. > \<asString\>\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\</asString\> > .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\</asString\>
> \</appId\> > \</appId\>
> \<userId\>S-1-5-21-1578316205-4060061518-881547182-1000\</userId\> > \<userId\>S-1-5-21-1578316205-4060061518-881547182-1000\</userId\>
> \<addressFamily\>FWP_AF_INET\</addressFamily\> > \<addressFamily\>FWP_AF_INET\</addressFamily\>
> \<packageSid\>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\</packageSid\> > \<packageSid\>S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\</packageSid\>
> \<enterpriseId/\> > \<enterpriseId/\>
> \<policyFlags\>0\</policyFlags\> > \<policyFlags\>0\</policyFlags\>
> \<effectiveName/\> > \<effectiveName/\>
> \</header\> > \</header\>
> \<type\>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\</type\> > \<type\>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\</type\>
> \<classifyAllow\> > \<classifyAllow\>
> \<filterId\>208757\</filterId\> > \<filterId\>208757\</filterId\>
> \<layerId\>48\</layerId\> > \<layerId\>48\</layerId\>
> \<reauthReason\>0\</reauthReason\> > \<reauthReason\>0\</reauthReason\>
> \<originalProfile\>1\</originalProfile\> > \<originalProfile\>1\</originalProfile\>
> \<currentProfile\>1\</currentProfile\> > \<currentProfile\>1\</currentProfile\>
> \</classifyAllow\> > \</classifyAllow\>
> \<internalFields\> > \<internalFields\>
> \<internalFlags/\> > \<internalFlags/\>
> \<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\> > \<remoteAddrBitmap\>0000000000000000\</remoteAddrBitmap\>
> \<capabilities numItems="3"\> > \<capabilities numItems="3"\>
> \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\</item\> > \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\</item\>
> \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\</item\> > \<item\>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\</item\>
> \<item\>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\</item\> > \<item\>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\</item\>
> \</capabilities\> > \</capabilities\>
> \<fqbnVersion\>0\</fqbnVersion\> > \<fqbnVersion\>0\</fqbnVersion\>
> \<fqbnName/\> > \<fqbnName/\>
> \<terminatingFiltersInfo numItems="2"\> > \<terminatingFiltersInfo numItems="2"\>
> \<item\> > \<item\>
> \<filterId\>208757\</filterId\> > \<filterId\>208757\</filterId\>
> \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\</subLayer\> > \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\</subLayer\>
> \<actionType\>FWP_ACTION_PERMIT\</actionType\> > \<actionType\>FWP_ACTION_PERMIT\</actionType\>
> \</item\> > \</item\>
> \<item\> > \<item\>
> \<filterId\>206049\</filterId\> > \<filterId\>206049\</filterId\>
> \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\</subLayer\> > \<subLayer\>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\</subLayer\>
> \<actionType\>FWP_ACTION_PERMIT\</actionType\> > \<actionType\>FWP_ACTION_PERMIT\</actionType\>
> \</item\> > \</item\>
> \</terminatingFiltersInfo\> > \</terminatingFiltersInfo\>
> \</internalFields\> > \</internalFields\>
\</item\> \</item\>
```
Important things to note: all capabilities are enabled and the resulting filter Important things to note: all capabilities are enabled and the resulting filter
determining the flow of the packet is 208757. determining the flow of the packet is 208757.
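Review bot: every line between `<item>` and `</item>` in this block carries a leading `> `, which inside a fence renders as a literal `>` on each line; the outer `<item>`/`</item>` lines do not have it, so this is pasted blockquote residue rather than intended content, and the prefixes should be stripped. In the sentence after the block, `all capabilities are enabled` would be more precise as `all three capability flags (INTERNET_CLIENT, INTERNET_CLIENT_SERVER, PRIVATE_NETWORK) are present under internalFields`, since that is exactly what distinguishes this event from the Case 7 drop for the same app and the same target.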
The filter stated above with action permit: The filter stated above with action permit:
**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** **InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml**
```xml
\<item\> \<item\>
\<filterKey\>{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\</filterKey\>
\<filterKey\>{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\</filterKey\> \<displayData\>
\<name\>InternetClient Default Rule\</name\>
\<displayData\> \<description\>InternetClient Default Rule\</description\>
\<name\>InternetClient Default Rule\</name\>
\<description\>InternetClient Default Rule\</description\>
\</displayData\> \</displayData\>
\<flags/\> \<flags/\>
\<providerKey\>FWPM_PROVIDER_MPSSVC_WSH\</providerKey\> \<providerKey\>FWPM_PROVIDER_MPSSVC_WSH\</providerKey\>
\<providerData\> \<providerData\>
\<data\>e167000000000000\</data\> \<data\>e167000000000000\</data\>
\<asString\>.g......\</asString\> \<asString\>.g......\</asString\>
\</providerData\> \</providerData\>
\<layerKey\>FWPM_LAYER_ALE_AUTH_CONNECT_V4\</layerKey\> \<layerKey\>FWPM_LAYER_ALE_AUTH_CONNECT_V4\</layerKey\>
\<subLayerKey\>FWPM_SUBLAYER_MPSSVC_WSH\</subLayerKey\> \<subLayerKey\>FWPM_SUBLAYER_MPSSVC_WSH\</subLayerKey\>
\<weight\> \<weight\>
\<type\>FWP_EMPTY\</type\> \<type\>FWP_EMPTY\</type\>
\</weight\> \</weight\>
\<filterCondition numItems="5"\> \<filterCondition numItems="5"\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_ALE_PACKAGE_ID\</fieldKey\> \<fieldKey\>FWPM_CONDITION_ALE_PACKAGE_ID\</fieldKey\>
\<matchType\>FWP_MATCH_NOT_EQUAL\</matchType\> \<matchType\>FWP_MATCH_NOT_EQUAL\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_SID\</type\> \<type\>FWP_SID\</type\>
\<sid\>S-1-0-0\</sid\> \<sid\>S-1-0-0\</sid\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_IP_REMOTE_ADDRESS\</fieldKey\> \<fieldKey\>FWPM_CONDITION_IP_REMOTE_ADDRESS\</fieldKey\>
\<matchType\>FWP_MATCH_RANGE\</matchType\> \<matchType\>FWP_MATCH_RANGE\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_RANGE_TYPE\</type\> \<type\>FWP_RANGE_TYPE\</type\>
\<rangeValue\> \<rangeValue\>
\<valueLow\> \<valueLow\>
\<type\>FWP_UINT32\</type\> \<type\>FWP_UINT32\</type\>
\<uint32\>0.0.0.0\</uint32\> \<uint32\>0.0.0.0\</uint32\>
\</valueLow\> \</valueLow\>
\<valueHigh\> \<valueHigh\>
\<type\>FWP_UINT32\</type\> \<type\>FWP_UINT32\</type\>
\<uint32\>255.255.255.255\</uint32\> \<uint32\>255.255.255.255\</uint32\>
\</valueHigh\> \</valueHigh\>
\</rangeValue\> \</rangeValue\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_ORIGINAL_PROFILE_ID\</fieldKey\> \<fieldKey\>FWPM_CONDITION_ORIGINAL_PROFILE_ID\</fieldKey\>
\<matchType\>FWP_MATCH_EQUAL\</matchType\> \<matchType\>FWP_MATCH_EQUAL\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_UINT32\</type\> \<type\>FWP_UINT32\</type\>
\<uint32\>1\</uint32\> \<uint32\>1\</uint32\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_CURRENT_PROFILE_ID\</fieldKey\> \<fieldKey\>FWPM_CONDITION_CURRENT_PROFILE_ID\</fieldKey\>
\<matchType\>FWP_MATCH_EQUAL\</matchType\> \<matchType\>FWP_MATCH_EQUAL\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_UINT32\</type\> \<type\>FWP_UINT32\</type\>
\<uint32\>1\</uint32\> \<uint32\>1\</uint32\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\<item\> \<item\>
\<fieldKey\>FWPM_CONDITION_ALE_USER_ID\</fieldKey\> \<fieldKey\>FWPM_CONDITION_ALE_USER_ID\</fieldKey\>
\<matchType\>FWP_MATCH_EQUAL\</matchType\> \<matchType\>FWP_MATCH_EQUAL\</matchType\>
\<conditionValue\> \<conditionValue\>
\<type\>FWP_SECURITY_DESCRIPTOR_TYPE\</type\> \<type\>FWP_SECURITY_DESCRIPTOR_TYPE\</type\>
\<sd\>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\</sd\> \<sd\>O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\</sd\>
\</conditionValue\> \</conditionValue\>
\</item\> \</item\>
\</filterCondition\> \</filterCondition\>
\<action\> \<action\>
\<type\>FWP_ACTION_PERMIT\</type\> \<type\>FWP_ACTION_PERMIT\</type\>
\<filterType/\> \<filterType/\>
\</action\> \</action\>
\<rawContext\>0\</rawContext\> \<rawContext\>0\</rawContext\>
\<reserved/\> \<reserved/\>
\<filterId\>208757\</filterId\> \<filterId\>208757\</filterId\>
\<effectiveWeight\> \<effectiveWeight\>
\<type\>FWP_UINT64\</type\> \<type\>FWP_UINT64\</type\>
\<uint64\>412316868544\</uint64\> \<uint64\>412316868544\</uint64\>
\</effectiveWeight\> \</effectiveWeight\>
\</item\> \</item\>
```
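Review bot: two facts in this filter deserve a sentence in the prose because they answer the question the case poses. First, its `effectiveWeight` of 412316868544 is higher than the 274877906944 of Block Outbound Default Rule #206064 in the same sublayer `FWPM_SUBLAYER_MPSSVC_WSH`, so within that sublayer this permit is evaluated first and wins. Second, the `FWPM_CONDITION_ALE_USER_ID` condition carries the security descriptor `O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)`, where S-1-15-3-1 is the internetClient capability SID; the match is an access check of the connecting token against that descriptor, which is how the InternetClient Default Rule is tied to the capability token. The `FWPM_CONDITION_IP_REMOTE_ADDRESS` range 0.0.0.0 to 255.255.255.255 places no restriction on the destination. The misaligned `<filterKey>`/`<displayData>` rows at the top of this hunk show blank lines being removed inside the block, which is fine.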
\*The capabilities field in a netEvent was added to the traces in the Windows 10 The capabilities field in a netEvent was added to the traces in the Windows 10
May 2019 Update May 2019 Update
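Review bot: dropping the leading `*` from `The capabilities field in a netEvent was added...` removes what reads as a footnote marker; if a `*` on one of the capabilities captions still points at it, that reference is now orphaned, so either keep the marker in both places or reword this as a plain note line. The sentence also needs a terminating period, and naming the release as `Windows 10, version 1903 (May 2019 Update)` makes it easier to check against a build number.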