From 69428242703c27f768b02fcd5b8845563324f56a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 12 Aug 2020 14:26:33 -0700 Subject: [PATCH 1/6] adding topic, started formatting --- .../troubleshooting-uwp-firewall.md | 2074 +++++++++++++++++ 1 file changed, 2074 insertions(+) create mode 100644 windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md new file mode 100644 index 0000000000..dbc2f8af22 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
@@ -0,0 +1,2074 @@ +--- +title: Troubleshooting UWP App Connectivity Issues in Windows Firewall +description: Troubleshooting UWP App Connectivity Issues in Windows Firewall + +ms.reviewer: +ms.author: dansimp +ms.prod: w10 +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshooting UWP App Connectivity Issues + +This document is intended to help network admins, support engineers, and developers to +investigate UWP app network connectivity issues. + +# Introduction + +This document guides you through steps to debug different Universal Windows Platform (UWP) app network connectivity issues by providing practical case examples. + +UWP app network connectivity issues typically stem from one of the following causes: + +1. The UWP app was not permitted to receive loopback traffic (this must be configured as, by default, a UWP app is not allowed to receive loopback traffic). +2. The UWP app is missing the proper capability tokens. +3. The private range is configured incorrectly (i.e. set incorrectly through GP/MDM policies, etc.) + +To understand these causes more thoroughly, there are several concepts that should be reviewed. + +The traffic of network packets (e.g. what's permitted and what’s not) on Windows is ultimately determined by the Windows Filtering Platform (WFP). When a UWP app +or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. + +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match the filter conditions of any filters, leading the packet to be dropped by a default block filter. 
The presence of the default block +filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach, ensuring the application’s granular access to each resource type and preventing the application from “escaping” its environment. + +For more information on the filter arbitration algorithm and network isolation, +please read [Filter +Arbitration](https://docs.microsoft.com/en-us/windows/win32/fwp/filter-arbitration) +and +[Isolation](https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). + +The next sections will cover debugging case examples for loopback and +non-loopback UWP app network connectivity issues. + +> [!NOTE] +> As improvements to debugging and diagnostics around the Windows Filtering Platform are made, the trace examples in this document may not exactly match the +traces collected on an older Windows build. + +# Debugging UWP App Loopback scenarios + +If you have a scenario where you are establishing a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. + +To enable loopback for client outbound connections, run the following in a command prompt: + +`CheckNetIsolation.exe LoopbackExempt -a -n=\` + +To enable loopback for server inbound connections, please run the following in a +command prompt: + +`CheckNetIsolation.exe LoopbackExempt -is -n=\` + +You can ensure loopback is enabled by checking the appx manifests of both the +sender and receiver. + +For more information about loopback scenarios, please read [Communicating with +localhost +(loopback)](https://docs.microsoft.com/en-us/windows/iot-core/develop-your-app/loopback) + +# Debugging Live Drops + +If the issue happened recently, but you find you are not able to reproduce the +issue, go to Debugging Past Drops for the appropriate trace commands. 
+ +If you can consistently reproduce the issue, then you can run the following in +an admin command prompt to gather a fresh trace: + +``` +Netsh wfp capture start keywords=19 +\ +Netsh wfp capture stop +``` + +The above commands will generate a wfpdiag.cab. Inside the .cab exists a +wfpdiag.xml, which contains any allow or drop netEvents and filters that existed +during that repro. Without “keywords=19”, the trace will only collect drop +netEvents. + +Inside the wfpdiag.xml, search for netEvents which have +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant +drop events, search for the drop events with matching destination IP address, +package SID, or application ID name. The characters in the application ID name +will be separated by periods: +``` +(ex) + +\ + +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... + +\ +``` +The netEvent will have more information about the packet that was dropped +including information about its capabilities, the filter that dropped the +packet, and much more. + +## Case 1: UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com +[2620:1ec:c11::200]. + +A packet from a UWP app needs the correct networking capability token for the +resource it is trying to reach. + +In this scenario, the app could successfully send a packet to the Internet +target because it had an Internet capability token. + +The following shows the allow netEvent of the app connecting to the target IP. +The netEvent contains information about the packet including its local address, +remote address, capabilities, etc. 
+ +```**Classify Allow netEvent, Wfpdiag-Case-1.xml** + +\ +\ +> \2020-05-21T17:25:59.070Z\ +> \ +> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ +> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ +> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ +> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ +> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ +> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ +> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ +> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ +> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ +> \ +> \FWP_IP_VERSION_V6\ +> \6\ +> \2001:4898:30:3:256c:e5ba:12f3:beb1\ \2620:1ec:c11::200\ +\52127\ +\443\ +\0\ +\ +> \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\ +> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ +\ +\S-1-5-21-2993214446-1947230185-131795049-1000\ +\FWP_AF_INET6\ +\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ +\ +\0\ +\ +\ +\FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ +\ +> \125918\ +> \50\ +> \0\ +> \1\ +> \1\ +\ +\ +\ +\0000000000000000\ +\ +> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ +> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ +\ +\0\ +\ +\ +> \ + \125918\ +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + \FWP_ACTION_PERMIT\ +> \ +> \ + \121167\ + \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + \FWP_ACTION_PERMIT\ + \ +\ +\ +\ +``` + +The following is the filter that permitted the packet to be sent to the target +address according to the terminatingFiltersInfo in the netEvent. This packet was +allowed by Filter \#125918 which is from the InternetClient Default Rule. 
+ +**InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml** +``` +\ + +> \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\ + +> \ + +> \InternetClient Default Rule\ + +> \InternetClient Default Rule\ + +> \ + +> \ + +> \FWPM_PROVIDER_MPSSVC_WSH\ + +> \ + +> \ad2b000000000000\ + +> \.+......\ + +> \ + +> \FWPM_LAYER_ALE_AUTH_CONNECT_V6\ + +> \FWPM_SUBLAYER_MPSSVC_WSH\ + +> \ + +> \FWP_EMPTY\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_PACKAGE_ID\ + +> \FWP_MATCH_NOT_EQUAL\ + +> \ + +> \FWP_SID\ + +> \S-1-0-0\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ + +> \FWP_MATCH_RANGE\ + +> \ + +> \FWP_RANGE_TYPE\ + +> \ + +> \ + +> \FWP_BYTE_ARRAY16_TYPE\ + +> \::\ + +> \ + +> \ + +> \FWP_BYTE_ARRAY16_TYPE\ + +> \ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\ + +> \ + +> \ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_CURRENT_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_USER_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_SECURITY_DESCRIPTOR_TYPE\ + +> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ + +> \ + +> \ + +> \ + +> \ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \0\ + +> \ + +> \125918\ + +> \ + +> \FWP_UINT64\ + +> \103079219136\ + +> \ + +\ +``` +One condition is + +**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** +``` +\ + +> \FWPM_CONDITION_ALE_USER_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_SECURITY_DESCRIPTOR_TYPE\ + +> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ + +> \ + +\ +``` +which is the condition for checking capabilities in this filter. + +The important part of this condition is S-1-15-3-1, which is the capability SID +for INTERNET_CLIENT privileges. 
+ +From the netEvent’s capabilities section, +``` +Capabilities from netEvent, Wfpdiag-Case-1.xml + +\ + +> **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\** \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ + +\FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ + +\ +``` +it shows the packet came from an app with an Internet client token +(FWP_CAPABILITIES_FLAG_INTERNET_CLIENT) which matches the capability SID in the +filter. All the other conditions are also met for the filter, so the packet is +allowed. + +Something to note is that the only capability token required for the packet to +reach bing.com was the Internet client token, even though this example showed +the packet having all capabilities. + +## Case 2: UWP APP cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com +[2620:1ec:c11::200]. + +The following is a drop netEvent that was captured in the traces during this +repro. + +**Classify Drop netEvent, Wfpdiag-Case-2.xml** +``` +\ +\ +\2020-03-30T23:53:09.720Z\ +\ +\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ +\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ +\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ +\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ +\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ +\FWPM_NET_EVENT_FLAG_APP_ID_SET\ +\FWPM_NET_EVENT_FLAG_USER_ID_SET\ +\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ +\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ +\ +\FWP_IP_VERSION_V6\ +\6\ +\2001:4898:1a:1045:8469:3351:e6e2:543\ +\2620:1ec:c11::200\ +\63187\ +\443\ +\0\ +\ +\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\ +\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
+.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ +\ +\S-1-5-21-2788718703-1626973220-3690764900-1000\ +\FWP_AF_INET6\ +\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ +\ +\0\ +\ +\ +\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ +\ +\68893\ +\50\ +\0\ +\1\ +\1\ +\MS_FWP_DIRECTION_OUT\ +\false\ +\ +\0\ +\0\ +\ +\ +\ +\0000000000000000\ +\ +\0\ +\ +\ +\ +\68893\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ +\FWP_ACTION_BLOCK\ +\ +\ +\68879\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ +\FWP_ACTION_PERMIT\ +\ +\ +\ +\ +``` +The first thing that should be checked in the netEvent is the capabilities +field\*. In this example, the capabilities field is empty, indicating that the +UWP app was not configured with any capability tokens to allow it to connect to +a network. + +**Internal Fields from netEvent, Wfpdiag-Case-2.xml** +``` +\ +\ +\0000000000000000\ +**\** +\0\ +\ +\ +\ +\68893\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ +\FWP_ACTION_BLOCK\ +\ +\ +\68879\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ +\FWP_ACTION_PERMIT\ +\ +\ +\ +``` +The netEvent also gives us information about the filter that explicitly dropped +this packet, like the FilterId, listed under classify drop + +**Classify Drop from netEvent, Wfpdiag-Case-2.xml** +``` +\ +**\68893\** +\50\ +\0\ +\1\ +\1\ +\MS_FWP_DIRECTION_OUT\ +\false\ +\ +\0\ +\0\ +\ +``` +If we search for that filter, \#68893, in Wfpdiag-Case2.xml, we will see that +the packet was dropped by a Block Outbound Default Rule filter. 
+ +**Block Outbound Default Rule Filter \#68893, Wfpdiag-Case-2.xml** + +``` +\ +> \{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}\ +> \ +> \**Block Outbound Default Rule**\ +> \Block Outbound Default Rule\ +> \ +> \ +> \{4b153735-1049-4480-aab4-d1b9bdc03710}\ +> \ +> \b001000000000000\ +> \........\ +> \ +> \FWPM_LAYER_ALE_AUTH_CONNECT_V6\ +> \{b3cdd441-af90-41ba-a745-7c6008ff2300}\ +> \ +> \FWP_EMPTY\ +> \ +> \ +> \ +> \FWPM_CONDITION_ALE_PACKAGE_ID\ +> \FWP_MATCH_NOT_EQUAL\ +> \ +> \FWP_SID\ +> \S-1-0-0\ +> \ +> \ +> \ +> \ +> \FWP_ACTION_BLOCK\ +> \ +> \ +> \0\ +> \ +> \68893\ +> \ +> \FWP_UINT64\ +> \68719476736\ +> \ +\ +``` + +A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and thus not allowed by the other filters in +the same sublayer. + +If the packet had the correct capability token, +FWP_CAPABILITIES_FLAG_INTERNET_CLIENT, it would have matched a condition for a +non-default block filter and would have been permitted to reach bing.com. +Without the correct capability tokens, the packet will be explicitly dropped by +a default block outbound filter. + +## Case 3: UWP app cannot reach Internet target address without Internet Client capability + +In this example, the app is unable to connect to bing.com [2620:1ec:c11::200]. + +The app in this scenario only has private network capabilities (Client and +Server). The app is trying to connect to an Internet resource (bing.com), but +only has a private network token. Therefore, the packet will be dropped. 
+ +**Classify Drop netEvent, Wfpdiag-Case-3.xml** +``` +\ +\ +\2020-03-31T16:57:18.570Z\ +\ +\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ +\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ +\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ +\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ +\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ +\FWPM_NET_EVENT_FLAG_APP_ID_SET\ +\FWPM_NET_EVENT_FLAG_USER_ID_SET\ +\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ +\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ +\ +\FWP_IP_VERSION_V6\ +\6\ +\2001:4898:1a:1045:9c65:7805:dd4a:cc4b\ +\2620:1ec:c11::200\ +\64086\ +\443\ +\0\ +\ +\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\ +\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ +\ +\S-1-5-21-2788718703-1626973220-3690764900-1000\ +\FWP_AF_INET6\ +\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ +\ +\0\ +\ +\ +\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ +\ +\68893\ +\50\ +\0\ +\1\ +\1\ +\MS_FWP_DIRECTION_OUT\ +\false\ +\ +\0\ +\0\ +\ +\ +\ +\0000000000000000\ +**\** +**\FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\** +**\** +\0\ +\ +\ +\ +\68893\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ +\FWP_ACTION_BLOCK\ +\ +\ +\68879\ +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ +\FWP_ACTION_PERMIT\ +\ +\ +\ +\ +``` + +## Case 4: UWP app cannot reach Intranet target address without Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.50.50.50, because it does not have a Private Network capability. 
+ +**Classify Drop netEvent, Wfpdiag-Case-4.xml** + +\ + +\ + +> \2020-05-22T21:29:28.601Z\ + +> \ + +> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ + +> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ + +> \ + +> \FWP_IP_VERSION_V4\ + +> \6\ + +> \10.216.117.17\ + +> \10.50.50.50\ + +> \52998\ + +> \53\ + +> \0\ + +> \ + +> \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\ + +> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ + +> \ + +> \S-1-5-21-2993214446-1947230185-131795049-1000\ + +> \FWP_AF_INET\ + +> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ + +> \ + +> \0\ + +> \ + +\ + +> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ + +> \ + +> \121180\ + +> \48\ + +> \0\ + +> \1\ + +> \1\ + +> \MS_FWP_DIRECTION_OUT\ + +> \false\ + +> \ + +> \0\ + +> \0\ + +\ + +\ + +> \ + +> \0000000000000000\ + +> \ + +> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ + +> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ + +> \ + +> \0\ + +> \ + +> \ + +> \ + +> \121180\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + +> \FWP_ACTION_BLOCK\ + +> \ + +> \ + +> \121165\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +\ + +\ + +## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.1.1.1, even though it has a Private Network capability token. 
+ +**Classify Drop netEvent, Wfpdiag-Case-5.xml** + +\ + +> \ + +> \2020-05-22T20:54:53.499Z\ + +> \ + +> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ + +> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ + +> \ + +> \FWP_IP_VERSION_V4\ + +> \6\ + +> \10.216.117.17\ + +> \10.1.1.1\ + +> \52956\ + +> \53\ + +> \0\ + +> \ + +> \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\ + +> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ + +> \ + +> \S-1-5-21-2993214446-1947230185-131795049-1000\ + +> \FWP_AF_INET\ + +> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ + +> \ + +> \0\ + +> \ + +\ + +> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ + +> \ + +> \121180\ + +> \48\ + +> \0\ + +> \1\ + +> \1\ + +> \MS_FWP_DIRECTION_OUT\ + +> \false\ + +> \ + +> \0\ + +> \0\ + +> \ + +> \ + +> \ + +> \0000000000000000\ + +> \ + +> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ + +> \ + +> \0\ + +> \ + +> \ + +> \ + +> \121180\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + +> \FWP_ACTION_BLOCK\ + +> \ + +> \ + +> \121165\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \ + +\ + +The following shows the filter that blocked the event: + +**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** + +\ + +> \{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\ + +> \ + +> \Block Outbound Default Rule\ + +> \Block Outbound Default Rule\ + +> \ + +> \ + +> \FWPM_PROVIDER_MPSSVC_WSH\ + +> \ + +> \c029000000000000\ + +> \.)......\ + +> \ + 
+> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + +> \FWPM_SUBLAYER_MPSSVC_WSH\ + +> \ + +> \FWP_EMPTY\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_PACKAGE_ID\ + +> \FWP_MATCH_NOT_EQUAL\ + +> \ + +> \FWP_SID\ + +> \S-1-0-0\ + +> \ + +> \ + +> \ + +> \ + +> \FWP_ACTION_BLOCK\ + +> \ + +> \ + +> \0\ + +> \ + +> \121180\ + +> \ + +> \FWP_UINT64\ + +> \274877906944\ + +> \ + +\ + +If the target was in the private range, then it should have been allowed by a +PrivateNetwork Outbound Default Rule filter. + +The following PrivateNetwork Outbound Default Rule filters have conditions for +matching Intranet IP addresses. Since the expected Intranet target address, +10.1.1.1, is not included in these filters it becomes clear that the address is +not in the private range. Check the policies which configure the private range +on the machine (MDM, GP, etc) and make sure it includes the private target +address you wanted to reach. + +**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** + +\ + +> \{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\ + +> \ + +> \PrivateNetwork Outbound Default Rule\ + +> \PrivateNetwork Outbound Default Rule\ + +> \ + +> \ + +> \FWPM_PROVIDER_MPSSVC_WSH\ + +> \ + +> \f22d000000000000\ + +> \.-......\ + +> \ + +> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + +> \FWPM_SUBLAYER_MPSSVC_WSH\ + +> \ + +> \FWP_EMPTY\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_PACKAGE_ID\ + +> \FWP_MATCH_NOT_EQUAL\ + +> \ + +> \FWP_SID\ + +> \S-1-0-0\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1.1.1.1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_CURRENT_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_USER_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_SECURITY_DESCRIPTOR_TYPE\ + +> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ + 
+> \ + +> \ + +> \ + +> \ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \0\ + +> \ + +> \129656\ + +> \ + +> \FWP_UINT64\ + +> \144115600392724416\ + +> \ + +> \ + +> \ + +> \{b11b4f8a-222e-49d6-8d69-02728681d8bc}\ + +> \ + +> \PrivateNetwork Outbound Default Rule\ + +> \PrivateNetwork Outbound Default Rule\ + +> \ + +> \ + +> \FWPM_PROVIDER_MPSSVC_WSH\ + +> \ + +> \f22d000000000000\ + +> \.-......\ + +> \ + +> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + +> \FWPM_SUBLAYER_MPSSVC_WSH\ + +> \ + +> \FWP_EMPTY\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_PACKAGE_ID\ + +> \FWP_MATCH_NOT_EQUAL\ + +> \ + +> \FWP_SID\ + +> \S-1-0-0\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ + +> \FWP_MATCH_RANGE\ + +> \ + +> \FWP_RANGE_TYPE\ + +> \ + +> \ + +> \FWP_UINT32\ + +> \172.16.0.0\ + +> \ + +> \ + +> \FWP_UINT32\ + +> \172.31.255.255\ + +> \ + +> \ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_CURRENT_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_USER_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_SECURITY_DESCRIPTOR_TYPE\ + +> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ + +> \ + +> \ + +> \ + +> \ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \0\ + +> \ + +> \129657\ + +> \ + +> \FWP_UINT64\ + +> \36029209335832512\ + +> \ + +\ + +\ + +> \{21cd82bc-6077-4069-94bf-750e5a43ca23}\ + +> \ + +> \PrivateNetwork Outbound Default Rule\ + +> \PrivateNetwork Outbound Default Rule\ + +> \ + +> \ + +> \FWPM_PROVIDER_MPSSVC_WSH\ + +> \ + +> \f22d000000000000\ + +> \.-......\ + +> \ + +> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + +> \FWPM_SUBLAYER_MPSSVC_WSH\ + +> \ + +> \FWP_EMPTY\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_PACKAGE_ID\ + +> \FWP_MATCH_NOT_EQUAL\ + +> \ + +> \FWP_SID\ + +> \S-1-0-0\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ + +> \FWP_MATCH_RANGE\ + +> \ + +> 
\FWP_RANGE_TYPE\ + +> \ + +> \ + +> \FWP_UINT32\ + +> \192.168.0.0\ + +> \ + +> \ + +> \FWP_UINT32\ + +> \192.168.255.255\ + +> \ + +> \ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_CURRENT_PROFILE_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_UINT32\ + +> \1\ + +> \ + +> \ + +> \ + +> \FWPM_CONDITION_ALE_USER_ID\ + +> \FWP_MATCH_EQUAL\ + +> \ + +> \FWP_SECURITY_DESCRIPTOR_TYPE\ + +> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ + +> \ + +> \ + +> \ + +> \ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \0\ + +> \ + +> \129658\ + +> \ + +> \FWP_UINT64\ + +> \36029209335832512\ + +> \ + +\ + +# Debugging Past Drops + +If you are debugging a network drop from the past or from a remote machine, you +may have traces already collected from Feedback Hub, such as nettrace.etl and +wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the +netEvents of the reproduced event, and wfpstate.xml will contain the filters +that were present on the machine at the time. + +If you **do not** have a live repro or traces already collected, you can still +collect traces after the UWP network connectivity issue has happened by running +these commands in an Admin command prompt + +> \ + +> Netsh wfp show netevents + +> Netsh wfp show state + +“Netsh wfp show netevents” will generate netevents.xml, which contains the past +net events. “Netsh wfp show state” will generate wfpstate.xml, which contains +the current filters present on the machine. + +Unfortunately, collecting traces after the UWP network connectivity issue is not +always reliable. + +NetEvents on the machine are stored in a buffer. Once that buffer has reached +max capacity, the buffer will overwrite older net events. 
Due to the buffer +overwrite, it is possible that the collected netevents.xml will not contain the +net event associated with the UWP network connectivity issue if it was +overwritten. Additionally, filters on the machine can get deleted and re-added +with different filterIds due to miscellaneous events on the machine. Because of +this, a filterId from “netsh wfp show netevents” may not necessarily match any +filter in “netsh wfp show state” because that filterId may be outdated. + +If you can reproduce the UWP network connectivity issue consistently, we would +recommend using the commands from Debugging Live Drops instead. + +Additionally, you can still follow the examples from Debugging Live Drops +section using the trace commands in this section, even if you do not have a live +repro. The netEvents and filters are stored in one file in Debugging Live Drops +as opposed to two separate files in the following Debugging Past Drops examples. + +## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com. + +Classify Drop Net Event, NetEvents-Case-7.xml + +\ + +\ + +\2020-05-04T22:04:07.039Z\ + +\ + +\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ + +\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ + +\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ + +\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ + +\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ + +\FWPM_NET_EVENT_FLAG_APP_ID_SET\ + +\FWPM_NET_EVENT_FLAG_USER_ID_SET\ + +\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ + +\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ + +\ + +\FWP_IP_VERSION_V4\ + +\6\ + +\10.195.36.30\ + +\204.79.197.200\ + +\57062\ + +\443\ + +\0\ + +\ + +\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\ + +\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
+.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ + +\ + +\S-1-5-21-1578316205-4060061518-881547182-1000\ + +\FWP_AF_INET\ + +\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ + +\ + +\0\ + +\ + +\ + +\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ + +\ + +\206064\ + +\48\ + +\0\ + +\1\ + +\1\ + +\MS_FWP_DIRECTION_OUT\ + +\false\ + +\ + +\0\ + +\0\ + +\ + +\ + +\ + +\0000000000000000\ + +\ + +\0\ + +\ + +\ + +\ + +\206064\ + +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + +\FWP_ACTION_BLOCK\ + +\ + +\ + +\206049\ + +\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + +\FWP_ACTION_PERMIT\ + +\ + +\ + +\ + +\ + +The Internal fields lists no active capabilities, and the packet is dropped at +filter 206064. + +This is a default block rule filter, meaning the packet passed through every +filter that could have allowed it, but because conditions didn’t match for any +those filters, the packet fell to the filter which blocks any packet that the +Security Descriptor doesn’t match. + +**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** + +\ + +\{f138d1ad-9293-478f-8519-c3368e796711}\ + +\ + +\Block Outbound Default Rule\ + +\Block Outbound Default Rule\ + +\ + +\ + +\FWPM_PROVIDER_MPSSVC_WSH\ + +\ + +\2e65000000000000\ + +\.e......\ + +\ + +\FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + +\FWPM_SUBLAYER_MPSSVC_WSH\ + +\ + +\FWP_EMPTY\ + +\ + +\ + +\ + +\FWPM_CONDITION_ALE_PACKAGE_ID\ + +\FWP_MATCH_NOT_EQUAL\ + +\ + +\FWP_SID\ + +\S-1-0-0\ + +\ + +\ + +\ + +\ + +\FWP_ACTION_BLOCK\ + +\ + +\ + +\0\ + +\ + +\206064\ + +\ + +\FWP_UINT64\ + +\274877906944\ + +\ + +\ + +## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com [204.79.197.200]. 
+ +**Classify Allow Net Event, NetEvents-Case-8.xml** + +\ + +> \ + +> \2020-05-04T18:49:55.101Z\ + +> \ + +> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ + +> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ + +> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ + +> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ + +> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ + +> \ + +> \FWP_IP_VERSION_V4\ + +> \6\ + +> \10.195.36.30\ + +> \204.79.197.200\ + +> \61673\ + +> \443\ + +> \0\ + +> \ + +> \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\ + +> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
+> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ + +> \ + +> \S-1-5-21-1578316205-4060061518-881547182-1000\ + +> \FWP_AF_INET\ + +> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ + +> \ + +> \0\ + +> \ + +> \ + +> \FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ + +> \ + +> \208757\ + +> \48\ + +> \0\ + +> \1\ + +> \1\ + +> \ + +> \ + +> \ + +> \0000000000000000\ + +> \ + +> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ + +> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ + +> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ + +> \ + +> \0\ + +> \ + +> \ + +> \ + +> \208757\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \206049\ + +> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + +> \FWP_ACTION_PERMIT\ + +> \ + +> \ + +> \ + +\ + +Important things to note: all capabilities are enabled and the resulting filter +determining the flow of the packet is 208757. 
+ +The filter stated above with action permit: + +**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** + + \ + + \{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\ + + \ + + \InternetClient Default Rule\ + + \InternetClient Default Rule\ + + \ + + \ + + \FWPM_PROVIDER_MPSSVC_WSH\ + + \ + + \e167000000000000\ + + \.g......\ + + \ + + \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ + + \FWPM_SUBLAYER_MPSSVC_WSH\ + + \ + + \FWP_EMPTY\ + + \ + + \ + + \ + + \FWPM_CONDITION_ALE_PACKAGE_ID\ + + \FWP_MATCH_NOT_EQUAL\ + + \ + + \FWP_SID\ + + \S-1-0-0\ + + \ + + \ + + \ + + \FWPM_CONDITION_IP_REMOTE_ADDRESS\ + + \FWP_MATCH_RANGE\ + + \ + + \FWP_RANGE_TYPE\ + + \ + + \ + + \FWP_UINT32\ + + \0.0.0.0\ + + \ + + \ + + \FWP_UINT32\ + + \255.255.255.255\ + + \ + + \ + + \ + + \ + + \ + + \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ + + \FWP_MATCH_EQUAL\ + + \ + + \FWP_UINT32\ + + \1\ + + \ + + \ + + \ + + \FWPM_CONDITION_CURRENT_PROFILE_ID\ + + \FWP_MATCH_EQUAL\ + + \ + + \FWP_UINT32\ + + \1\ + + \ + + \ + + \ + + \FWPM_CONDITION_ALE_USER_ID\ + + \FWP_MATCH_EQUAL\ + + \ + + \FWP_SECURITY_DESCRIPTOR_TYPE\ + + \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ + + \ + + \ + + \ + + \ + + \FWP_ACTION_PERMIT\ + + \ + + \ + + \0\ + + \ + + \208757\ + + \ + + \FWP_UINT64\ + + \412316868544\ + + \ + + \ + +\*The capabilities field in a netEvent was added to the traces in the Windows 10 +May 2019 Update From 847ebd5a2f280aa41bb1bfaac54ff7f143879238 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 12 Aug 2020 16:25:33 -0700 Subject: [PATCH 2/6] checking in formatting --- .../troubleshooting-uwp-firewall.md | 518 +----------------- 1 file changed, 13 insertions(+), 505 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index dbc2f8af22..4874e16c5e 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
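Review bot: In the new-file hunk of PATCH 1/6, the listings under `**Classify Allow Net Event, NetEvents-Case-8.xml**` and `**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml**` are pasted as `> \...` blockquote lines separated by blank spacer lines instead of being fenced, so Markdown will render the XML as quoted prose and the `>` markers will show as quote bars; put each listing in a ```xml fence with the `>` prefixes and the blank lines removed. The closing line `\*The capabilities field in a netEvent was added to the traces in the Windows 10 May 2019 Update` carries an escaped asterisk that nothing in the text refers back to and has no terminating period; since it qualifies every capabilities section in the document rather than Case 8 alone, express it as a `> [!NOTE]` callout (the callout style this file already uses) ending with a period.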
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -196,163 +196,84 @@ allowed by Filter \#125918 which is from the InternetClient Default Rule. **InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml** ``` \ - > \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\ - > \ - > \InternetClient Default Rule\ - > \InternetClient Default Rule\ - > \ - > \ - > \FWPM_PROVIDER_MPSSVC_WSH\ - > \ - > \ad2b000000000000\ - > \.+......\ - > \ - > \FWPM_LAYER_ALE_AUTH_CONNECT_V6\ - > \FWPM_SUBLAYER_MPSSVC_WSH\ - > \ - > \FWP_EMPTY\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_PACKAGE_ID\ - > \FWP_MATCH_NOT_EQUAL\ - > \ - > \FWP_SID\ - > \S-1-0-0\ - > \ - > \ - > \ - > \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - > \FWP_MATCH_RANGE\ - > \ - > \FWP_RANGE_TYPE\ - > \ - > \ - > \FWP_BYTE_ARRAY16_TYPE\ - > \::\ - > \ - > \ - > \FWP_BYTE_ARRAY16_TYPE\ - > \ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\ - > \ - > \ - > \ - > \ - > \ - > \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_CURRENT_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_USER_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_SECURITY_DESCRIPTOR_TYPE\ - > \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ - > \ - > \ - > \ - > \ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \0\ - > \ - > \125918\ - > \ - > \FWP_UINT64\ - > \103079219136\ - > \ - \ ``` One condition is @@ -360,19 +281,12 @@ One condition is **Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** ``` \ - > \FWPM_CONDITION_ALE_USER_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_SECURITY_DESCRIPTOR_TYPE\ - > \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ - > \ - \ ``` which is the condition for checking capabilities in this filter. 
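Review bot: In the `@@ -196,163 +196,84 @@` hunk of PATCH 2/6, fencing the filter listing fixes the rendering, but every retained line still carries the `> ` blockquote prefix (for example `> \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\`), and inside a fenced block that prefix becomes literal text rather than a quote marker; strip the `> ` prefixes along with the blank spacer lines so the block shows the XML as captured. The same applies to the condition listing in the `@@ -360,19 +281,12 @@` hunk.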
@@ -381,15 +295,12 @@ The important part of this condition is S-1-15-3-1, which is the capability SID for INTERNET_CLIENT privileges. From the netEvent’s capabilities section, -``` + Capabilities from netEvent, Wfpdiag-Case-1.xml - +``` \ - > **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\** \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ - \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ - \ ``` it shows the packet came from an app with an Internet client token 
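Review bot: In the `@@ -381,15 +295,12 @@` hunk of PATCH 2/6, moving the opening fence below the caption is right, but `Capabilities from netEvent, Wfpdiag-Case-1.xml` is now the only listing title on the page that is not bold; make it `**Capabilities from netEvent, Wfpdiag-Case-1.xml**` to match `**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**` just above. The retained line `> **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\**` also keeps Markdown bold markers and a `>` prefix inside the fenced block, where both render literally; if the INTERNET_CLIENT flag is meant to be highlighted, name it in the sentence after the block instead.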
@@ -665,842 +576,439 @@ In this example, the UWP app is unable to reach the Intranet target address, 10.50.50.50, because it does not have a Private Network capability. **Classify Drop netEvent, Wfpdiag-Case-4.xml** - +``` \ - \ - > \2020-05-22T21:29:28.601Z\ - > \ - > \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_APP_ID_SET\ - > \FWPM_NET_EVENT_FLAG_USER_ID_SET\ - > \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ - > \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ - > \ - > \FWP_IP_VERSION_V4\ - > \6\ - > \10.216.117.17\ - > \10.50.50.50\ - > \52998\ - > \53\ - > \0\ - > \ - > \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\ - > \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ - > \ - > \S-1-5-21-2993214446-1947230185-131795049-1000\ - > \FWP_AF_INET\ - > \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ - > \ - > \0\ - > \ - \ - > \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ - > \ - > \121180\ - > \48\ - > \0\ - > \1\ - > \1\ - > \MS_FWP_DIRECTION_OUT\ - > \false\ - > \ - > \0\ - > \0\ - \ - \ - > \ - > \0000000000000000\ - > \ - > \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ - > \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ - > \ - > \0\ - > \ - > \ - > \ - > \121180\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - > \FWP_ACTION_BLOCK\ - > \ - > \ - > \121165\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - > \FWP_ACTION_PERMIT\ - > \ - > \ - \ - \ - +``` ## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token. 
**Classify Drop netEvent, Wfpdiag-Case-5.xml** - +``` \ - > \ - > \2020-05-22T20:54:53.499Z\ - > \ - > \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_APP_ID_SET\ - > \FWPM_NET_EVENT_FLAG_USER_ID_SET\ - > \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ - > \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ - > \ - > \FWP_IP_VERSION_V4\ - > \6\ - > \10.216.117.17\ - > \10.1.1.1\ - > \52956\ - > \53\ - > \0\ - > \ - > \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\ - > \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ - > \ - > \S-1-5-21-2993214446-1947230185-131795049-1000\ - > \FWP_AF_INET\ - > \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ - > \ - > \0\ - > \ - \ - > \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ - > \ - > \121180\ - > \48\ - > \0\ - > \1\ - > \1\ - > \MS_FWP_DIRECTION_OUT\ - > \false\ - > \ - > \0\ - > \0\ - > \ - > \ - > \ - > \0000000000000000\ - > \ - > \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ - > \ - > \0\ - > \ - > \ - > \ - > \121180\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - > \FWP_ACTION_BLOCK\ - > \ - > \ - > \121165\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \ - \ - +``` The following shows the filter that blocked the event: **Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** +``` \ - > \{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\ - > \ - > \Block Outbound Default Rule\ - > \Block Outbound Default Rule\ - > \ - > \ - > \FWPM_PROVIDER_MPSSVC_WSH\ - > \ - > \c029000000000000\ - > \.)......\ - > \ - > \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - > \FWPM_SUBLAYER_MPSSVC_WSH\ - > \ - > \FWP_EMPTY\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_PACKAGE_ID\ - > \FWP_MATCH_NOT_EQUAL\ - > \ - > \FWP_SID\ - > \S-1-0-0\ - > \ - > \ - > \ - > \ - > \FWP_ACTION_BLOCK\ - > \ - > \ - > \0\ - > \ - > \121180\ - > \ - > \FWP_UINT64\ - > \274877906944\ - > \ - \ - +``` If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter. -The following PrivateNetwork Outbound Default Rule filters have conditions for -matching Intranet IP addresses. Since the expected Intranet target address, -10.1.1.1, is not included in these filters it becomes clear that the address is -not in the private range. 
Check the policies which configure the private range -on the machine (MDM, GP, etc) and make sure it includes the private target -address you wanted to reach. +The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, +10.1.1.1, is not included in these filters it becomes clear that the address isnot in the private range. Check the policies which configure the private range +on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach. **PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** - +``` \ - > \{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\ - > \ - > \PrivateNetwork Outbound Default Rule\ - > \PrivateNetwork Outbound Default Rule\ - > \ - > \ - > \FWPM_PROVIDER_MPSSVC_WSH\ - > \ - > \f22d000000000000\ - > \.-......\ - > \ - > \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - > \FWPM_SUBLAYER_MPSSVC_WSH\ - > \ - > \FWP_EMPTY\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_PACKAGE_ID\ - > \FWP_MATCH_NOT_EQUAL\ - > \ - > \FWP_SID\ - > \S-1-0-0\ - > \ - > \ - > \ - > \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1.1.1.1\ - > \ - > \ - > \ - > \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_CURRENT_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_USER_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_SECURITY_DESCRIPTOR_TYPE\ - > \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ - > \ - > \ - > \ - > \ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \0\ - > \ - > \129656\ - > \ - > \FWP_UINT64\ - > \144115600392724416\ - > \ - > \ - > \ - > \{b11b4f8a-222e-49d6-8d69-02728681d8bc}\ - > \ - > \PrivateNetwork Outbound Default Rule\ - > \PrivateNetwork Outbound Default Rule\ - > \ - > \ - > \FWPM_PROVIDER_MPSSVC_WSH\ - > \ - > \f22d000000000000\ - > \.-......\ - > \ - > 
\FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - > \FWPM_SUBLAYER_MPSSVC_WSH\ - > \ - > \FWP_EMPTY\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_PACKAGE_ID\ - > \FWP_MATCH_NOT_EQUAL\ - > \ - > \FWP_SID\ - > \S-1-0-0\ - > \ - > \ - > \ - > \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - > \FWP_MATCH_RANGE\ - > \ - > \FWP_RANGE_TYPE\ - > \ - > \ - > \FWP_UINT32\ - > \172.16.0.0\ - > \ - > \ - > \FWP_UINT32\ - > \172.31.255.255\ - > \ - > \ - > \ - > \ - > \ - > \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_CURRENT_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_USER_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_SECURITY_DESCRIPTOR_TYPE\ - > \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ - > \ - > \ - > \ - > \ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \0\ - > \ - > \129657\ - > \ - > \FWP_UINT64\ - > \36029209335832512\ - > \ - \ - \ - > \{21cd82bc-6077-4069-94bf-750e5a43ca23}\ - > \ - > \PrivateNetwork Outbound Default Rule\ - > \PrivateNetwork Outbound Default Rule\ - > \ - > \ - > \FWPM_PROVIDER_MPSSVC_WSH\ - > \ - > \f22d000000000000\ - > \.-......\ - > \ - > \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - > \FWPM_SUBLAYER_MPSSVC_WSH\ - > \ - > \FWP_EMPTY\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_PACKAGE_ID\ - > \FWP_MATCH_NOT_EQUAL\ - > \ - > \FWP_SID\ - > \S-1-0-0\ - > \ - > \ - > \ - > \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - > \FWP_MATCH_RANGE\ - > \ - > \FWP_RANGE_TYPE\ - > \ - > \ - > \FWP_UINT32\ - > \192.168.0.0\ - > \ - > \ - > \FWP_UINT32\ - > \192.168.255.255\ - > \ - > \ - > \ - > \ - > \ - > \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_CURRENT_PROFILE_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_UINT32\ - > \1\ - > \ - > \ - > \ - > \FWPM_CONDITION_ALE_USER_ID\ - > \FWP_MATCH_EQUAL\ - > \ - > \FWP_SECURITY_DESCRIPTOR_TYPE\ - > \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ 
- > \ - > \ - > \ - > \ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \0\ - > \ - > \129658\ - > \ - > \FWP_UINT64\ - > \36029209335832512\ - > \ - \ - +``` # Debugging Past Drops If you are debugging a network drop from the past or from a remote machine, you From 8771fdd2ae4e44ffc834f3afca8252328b3a5f9b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 12 Aug 2020 17:03:33 -0700 Subject: [PATCH 3/6] more formatting --- .../troubleshooting-uwp-firewall.md | 300 ++---------------- 1 file changed, 30 insertions(+), 270 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 4874e16c5e..fc7c29c60d 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -122,8 +122,8 @@ The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, remote address, capabilities, etc. -```**Classify Allow netEvent, Wfpdiag-Case-1.xml** - +**Classify Allow netEvent, Wfpdiag-Case-1.xml** +```xml \ \ > \2020-05-21T17:25:59.070Z\ @@ -194,7 +194,7 @@ address according to the terminatingFiltersInfo in the netEvent. This packet was allowed by Filter \#125918 which is from the InternetClient Default Rule. **InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml** -``` +```xml \ > \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\ > \ @@ -279,7 +279,7 @@ allowed by Filter \#125918 which is from the InternetClient Default Rule. One condition is **Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** -``` +```xml \ > \FWPM_CONDITION_ALE_USER_ID\ > \FWP_MATCH_EQUAL\ 
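Review bot: In the `@@ -665,842 +576,439 @@` hunk of PATCH 2/6, the rewrapped Case 5 paragraph lost two spaces: `the address isnot in the private range` should read `is not`, and `the private targetaddress you wanted to reach` should read `target address`; a comma is also needed after `is not included in these filters` before `it becomes clear`. The `> ` blockquote prefixes remain on the lines inside the new fences for the Case 4 and Case 5 netEvent and filter listings, where they render as literal characters; strip them together with the blank spacer lines.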
@@ -297,7 +297,7 @@ for INTERNET_CLIENT privileges. From the netEvent’s capabilities section, Capabilities from netEvent, Wfpdiag-Case-1.xml -``` +```xml \ > **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\** \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ @@ -321,7 +321,7 @@ The following is a drop netEvent that was captured in the traces during this repro. **Classify Drop netEvent, Wfpdiag-Case-2.xml** -``` +```xml \ \ \2020-03-30T23:53:09.720Z\ @@ -395,7 +395,7 @@ UWP app was not configured with any capability tokens to allow it to connect to a network. **Internal Fields from netEvent, Wfpdiag-Case-2.xml** -``` +```xml \ \ \0000000000000000\ @@ -420,7 +420,7 @@ The netEvent also gives us information about the filter that explicitly dropped this packet, like the FilterId, listed under classify drop **Classify Drop from netEvent, Wfpdiag-Case-2.xml** -``` +```xml \ **\68893\** \50\ @@ -439,7 +439,7 @@ the packet was dropped by a Block Outbound Default Rule filter. **Block Outbound Default Rule Filter \#68893, Wfpdiag-Case-2.xml** -``` +```xml \ > \{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}\ > \ @@ -499,7 +499,7 @@ Server). The app is trying to connect to an Internet resource (bing.com), but only has a private network token. Therefore, the packet will be dropped. **Classify Drop netEvent, Wfpdiag-Case-3.xml** -``` +```xml \ \ \2020-03-31T16:57:18.570Z\ @@ -576,7 +576,7 @@ In this example, the UWP app is unable to reach the Intranet target address, 10.50.50.50, because it does not have a Private Network capability. **Classify Drop netEvent, Wfpdiag-Case-4.xml** -``` +```xml \ \ > \2020-05-22T21:29:28.601Z\ @@ -653,7 +653,7 @@ In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token. **Classify Drop netEvent, Wfpdiag-Case-5.xml** -``` +```xml \ > \ > \2020-05-22T20:54:53.499Z\ 
@@ -727,7 +727,7 @@ The following shows the filter that blocked the event: **Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** -``` +```xml \ > \{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\ > \ @@ -776,7 +776,7 @@ The following PrivateNetwork Outbound Default Rule filters have conditions for m on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach. **PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** -``` +```xml \ > \{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\ > \ @@ -1021,11 +1021,11 @@ If you **do not** have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running these commands in an Admin command prompt +```xml > \ - > Netsh wfp show netevents - > Netsh wfp show state +``` “Netsh wfp show netevents” will generate netevents.xml, which contains the past net events. “Netsh wfp show state” will generate wfpstate.xml, which contains 
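Review bot: In the `@@ -1021,11 +1021,11 @@` hunk of PATCH 3/6, the two `netsh wfp show` commands are fenced as ```xml, but they are command-prompt input, not XML; tag the fence as a console/DOS block (the tag PATCH 4/6 later applies to the `CheckNetIsolation.exe` and `Netsh wfp capture` commands) so the highlighter does not treat `>` as markup. The `> ` prefixes on `> Netsh wfp show netevents` and `> Netsh wfp show state` should also go, since inside a fence they read as quoted text rather than a prompt, and the capture commands elsewhere on the page are written without one.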
@@ -1057,136 +1057,74 @@ In this example, the UWP app is unable to connect to bing.com. Classify Drop Net Event, NetEvents-Case-7.xml +```xml \ - \ - \2020-05-04T22:04:07.039Z\ - \ - \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ - \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ - \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ - \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ - \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ - \FWPM_NET_EVENT_FLAG_APP_ID_SET\ - \FWPM_NET_EVENT_FLAG_USER_ID_SET\ - \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ - \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ - \ - \FWP_IP_VERSION_V4\ - \6\ - \10.195.36.30\ - \204.79.197.200\ - \57062\ - \443\ - \0\ - \ - \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\ - \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ - \ - \S-1-5-21-1578316205-4060061518-881547182-1000\ - \FWP_AF_INET\ - \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ - \ - \0\ - \ - \ - \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ - \ - \206064\ - \48\ - \0\ - \1\ - \1\ - \MS_FWP_DIRECTION_OUT\ - \false\ - \ - \0\ - \0\ - \ - \ - \ - \0000000000000000\ - \ - \0\ - \ - \ - \ - \206064\ - \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - \FWP_ACTION_BLOCK\ - \ - \ - \206049\ - \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - \FWP_ACTION_PERMIT\ - \ - \ - \ - \ +``` The Internal fields lists no active capabilities, and the packet is dropped at filter 206064. 
@@ -1198,385 +1136,207 @@ Security Descriptor doesn’t match. **Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** +```xml \ - \{f138d1ad-9293-478f-8519-c3368e796711}\ - \ - \Block Outbound Default Rule\ - \Block Outbound Default Rule\ - \ - \ - \FWPM_PROVIDER_MPSSVC_WSH\ - \ - \2e65000000000000\ - \.e......\ - \ - \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - \FWPM_SUBLAYER_MPSSVC_WSH\ - \ - \FWP_EMPTY\ - \ - \ - \ - \FWPM_CONDITION_ALE_PACKAGE_ID\ - \FWP_MATCH_NOT_EQUAL\ - \ - \FWP_SID\ - \S-1-0-0\ - \ - \ - \ - \ - \FWP_ACTION_BLOCK\ - \ - \ - \0\ - \ - \206064\ - \ - \FWP_UINT64\ - \274877906944\ - \ - \ - +``` ## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities In this example, the UWP app successfully connects to bing.com [204.79.197.200]. **Classify Allow Net Event, NetEvents-Case-8.xml** +```xml \ - > \ - > \2020-05-04T18:49:55.101Z\ - > \ - > \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ - > \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ - > \FWPM_NET_EVENT_FLAG_APP_ID_SET\ - > \FWPM_NET_EVENT_FLAG_USER_ID_SET\ - > \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ - > \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ - > \ - > \FWP_IP_VERSION_V4\ - > \6\ - > \10.195.36.30\ - > \204.79.197.200\ - > \61673\ - > \443\ - > \0\ - > \ - > \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\ - > \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ - > \ - > \S-1-5-21-1578316205-4060061518-881547182-1000\ - > \FWP_AF_INET\ - > \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ - > \ - > \0\ - > \ - > \ - > \FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ - > \ - > \208757\ - > \48\ - > \0\ - > \1\ - > \1\ - > \ - > \ - > \ - > \0000000000000000\ - > \ - > \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ - > \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ - > \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ - > \ - > \0\ - > \ - > \ - > \ - > \208757\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \206049\ - > \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - > \FWP_ACTION_PERMIT\ - > \ - > \ - > \ - \ - +``` Important things to note: all capabilities are enabled and the resulting filter determining the flow of the packet is 208757. 
The filter stated above with action permit: **InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** - - \ - - \{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\ - - \ - - \InternetClient Default Rule\ - - \InternetClient Default Rule\ - +```xml +\ + \{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\ + \ + \InternetClient Default Rule\ + \InternetClient Default Rule\ \ - \ - \FWPM_PROVIDER_MPSSVC_WSH\ - \ - \e167000000000000\ - \.g......\ - \ - \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - \FWPM_SUBLAYER_MPSSVC_WSH\ - \ - \FWP_EMPTY\ - \ - \ - \ - \FWPM_CONDITION_ALE_PACKAGE_ID\ - \FWP_MATCH_NOT_EQUAL\ - \ - \FWP_SID\ - \S-1-0-0\ - \ - \ - \ - \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - \FWP_MATCH_RANGE\ - \ - \FWP_RANGE_TYPE\ - \ - \ - \FWP_UINT32\ - \0.0.0.0\ - \ - \ - \FWP_UINT32\ - \255.255.255.255\ - \ - \ - \ - \ - \ - \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_UINT32\ - \1\ - \ - \ - \ - \FWPM_CONDITION_CURRENT_PROFILE_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_UINT32\ - \1\ - \ - \ - \ - \FWPM_CONDITION_ALE_USER_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_SECURITY_DESCRIPTOR_TYPE\ - \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ - \ - \ - \ - \ - \FWP_ACTION_PERMIT\ - \ - \ - \0\ - \ - \208757\ - \ - \FWP_UINT64\ - \412316868544\ - \ - \ - -\*The capabilities field in a netEvent was added to the traces in the Windows 10 +``` +The capabilities field in a netEvent was added to the traces in the Windows 10 May 2019 Update From cef561ea53b63153a87c18d7bb65c9810df0cc74 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 13 Aug 2020 16:23:35 -0700 Subject: [PATCH 4/6] more fixin --- .../troubleshooting-uwp-firewall.md | 210 +++++++++--------- 1 file changed, 100 insertions(+), 110 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index fc7c29c60d..bc17fd0a75 100644 
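Review bot: In the `@@ -1198,385 +1136,207 @@` hunk of PATCH 3/6, dropping the `\*` leaves `The capabilities field in a netEvent was added to the traces in the Windows 10 May 2019 Update` reading as an unpunctuated body paragraph immediately after the filter listing; turn it into a `> [!NOTE]` callout ending with a period, since it qualifies every capabilities section above rather than Case 8 alone. The Case 8 netEvent listing also still carries `> ` prefixes on every line inside its new ```xml fence, unlike the re-indented `InternetClient Default Rule Filter \#208757` listing that follows it; strip them so the two blocks are formatted the same way.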
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
@@ -19,174 +19,164 @@ ms.topic: troubleshooting This document is intended to help network admins, support engineers, and developers to investigate UWP app network connectivity issues. -# Introduction +This document guides you through steps to debug Universal Windows Platform (UWP) app network connectivity issues by providing practical examples. -This document guides you through steps to debug different Universal Windows Platform (UWP) app network connectivity issues by providing practical case examples. +## Typical causes of connectivity issues -UWP app network connectivity issues typically stem from one of the following causes: +UWP app network connectivity issues are typically caused by: -1. The UWP app was not permitted to receive loopback traffic (this must be configured as, by default, a UWP app is not allowed to receive loopback traffic). +1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic. 2. The UWP app is missing the proper capability tokens. -3. The private range is configured incorrectly (i.e. set incorrectly through GP/MDM policies, etc.) +3. The private range is configured incorrectly. For example, the private ranges is set incorrectly through GP/MDM policies, etc. -To understand these causes more thoroughly, there are several concepts that should be reviewed. +To understand these causes more thoroughly, there are several concepts to review. -The traffic of network packets (e.g. what's permitted and what’s not) on Windows is ultimately determined by the Windows Filtering Platform (WFP). When a UWP app +The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. 
-When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match the filter conditions of any filters, leading the packet to be dropped by a default block filter. The presence of the default block -filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach, ensuring the application’s granular access to each resource type and preventing the application from “escaping” its environment. +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block +filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment. For more information on the filter arbitration algorithm and network isolation, -please read [Filter +see [Filter Arbitration](https://docs.microsoft.com/en-us/windows/win32/fwp/filter-arbitration) and [Isolation](https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). -The next sections will cover debugging case examples for loopback and -non-loopback UWP app network connectivity issues. +The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues. 
> [!NOTE] -> As improvements to debugging and diagnostics around the Windows Filtering Platform are made, the trace examples in this document may not exactly match the -traces collected on an older Windows build. +> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the +traces collected on previous releases of Windows. # Debugging UWP App Loopback scenarios -If you have a scenario where you are establishing a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. +If you need to establis a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. -To enable loopback for client outbound connections, run the following in a command prompt: +To enable loopback for client outbound connections, run the following at a command prompt: -`CheckNetIsolation.exe LoopbackExempt -a -n=\` +```dos +CheckNetIsolation.exe LoopbackExempt -a -n=\ +``` -To enable loopback for server inbound connections, please run the following in a +To enable loopback for server inbound connections, run the following at a command prompt: +```dos +CheckNetIsolation.exe LoopbackExempt -is -n=\ +``` +You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. -`CheckNetIsolation.exe LoopbackExempt -is -n=\` - -You can ensure loopback is enabled by checking the appx manifests of both the -sender and receiver. - -For more information about loopback scenarios, please read [Communicating with +For more information about loopback scenarios, see [Communicating with localhost (loopback)](https://docs.microsoft.com/en-us/windows/iot-core/develop-your-app/loopback) # Debugging Live Drops -If the issue happened recently, but you find you are not able to reproduce the -issue, go to Debugging Past Drops for the appropriate trace commands. 
+If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. -If you can consistently reproduce the issue, then you can run the following in -an admin command prompt to gather a fresh trace: +If you can consistently reproduce the issue, then you can run the following in an admin command prompt to gather a fresh trace: -``` +```DOS Netsh wfp capture start keywords=19 \ Netsh wfp capture stop ``` -The above commands will generate a wfpdiag.cab. Inside the .cab exists a -wfpdiag.xml, which contains any allow or drop netEvents and filters that existed -during that repro. Without “keywords=19”, the trace will only collect drop -netEvents. +These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents. Inside the wfpdiag.xml, search for netEvents which have -FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant -drop events, search for the drop events with matching destination IP address, +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name. The characters in the application ID name will be separated by periods: -``` + +```XML (ex) -\ - + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... \ ``` -The netEvent will have more information about the packet that was dropped -including information about its capabilities, the filter that dropped the -packet, and much more. + +The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. 
## Case 1: UWP app connects to Internet target address with all capabilities In this example, the UWP app successfully connects to bing.com [2620:1ec:c11::200]. -A packet from a UWP app needs the correct networking capability token for the -resource it is trying to reach. +A packet from a UWP app needs the correct networking capability token for the resource it is trying to reach. -In this scenario, the app could successfully send a packet to the Internet -target because it had an Internet capability token. +In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token. -The following shows the allow netEvent of the app connecting to the target IP. -The netEvent contains information about the packet including its local address, +The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, remote address, capabilities, etc. **Classify Allow netEvent, Wfpdiag-Case-1.xml** ```xml -\ -\ -> \2020-05-21T17:25:59.070Z\ -> \ -> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ -> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ -> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -> \ -> \FWP_IP_VERSION_V6\ -> \6\ -> \2001:4898:30:3:256c:e5ba:12f3:beb1\ \2620:1ec:c11::200\ -\52127\ -\443\ -\0\ -\ -> \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\ -> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
-> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -\ -\S-1-5-21-2993214446-1947230185-131795049-1000\ -\FWP_AF_INET6\ -\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -\ -\0\ -\ -\ -\FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ -\ -> \125918\ -> \50\ -> \0\ -> \1\ -> \1\ -\ -\ -\ -\0000000000000000\ -\ -> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ -> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ -\ -\0\ -\ -\ -> \ - \125918\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - \FWP_ACTION_PERMIT\ -> \ -> \ - \121167\ - \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - \FWP_ACTION_PERMIT\ - \ -\ -\ -\ + + + 2020-05-21T17:25:59.070Z\ + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ + FWPM_NET_EVENT_FLAG_APP_ID_SET\ + FWPM_NET_EVENT_FLAG_USER_ID_SET\ + FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ + + FWP_IP_VERSION_V6\ + 6\ + 2001:4898:30:3:256c:e5ba:12f3:beb1\ \2620:1ec:c11::200\ +52127\ +443\ +0\ + + 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\ + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ + +S-1-5-21-2993214446-1947230185-131795049-1000\ +FWP_AF_INET6\ +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ + +0\ + + +FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ + + 125918\ + 50\ + 0\ + 1\ + 1\ + + + +0000000000000000\ + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ + +0\ + + + + 125918\ + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ + FWP_ACTION_PERMIT\ + + + 121167\ + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ + FWP_ACTION_PERMIT\ + + + + ``` The following is the filter that permitted the packet to be sent to the target From 9aba80f3de8d2ec83e443b30afe63184a793c404 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 13 Aug 2020 18:09:28 -0700 Subject: [PATCH 5/6] so many --- .../troubleshooting-uwp-firewall.md | 2124 ++++++++--------- 1 file changed, 1060 insertions(+), 1064 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index bc17fd0a75..fd79a67511 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
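Review bot: The commands in this hunk have lost their placeholders: `CheckNetIsolation.exe LoopbackExempt -a -n=\` and `CheckNetIsolation.exe LoopbackExempt -is -n=\` end in a stray backslash where the `-n=` argument (the app's package family name) belongs, and the lone `\` between `Netsh wfp capture start keywords=19` and `Netsh wfp capture stop` stands where the "reproduce the issue" step should be. Replace each with an explicit placeholder, for example `-n=<PackageFamilyName>` and a `REM reproduce the connectivity issue here` line inside the `dos` block, so a reader does not run start and stop back to back. The same loss hits the XML samples under **Classify Allow netEvent, Wfpdiag-Case-1.xml** and the filter block after it: the element names are gone and every value ends in a stray `\`, so the fenced `xml` blocks are not valid XML and should be re-wrapped in their wfpdiag.xml elements before merge. Also fix the typo "establis" in "If you need to establis a TCP/IP connection".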
@@ -56,13 +56,13 @@ If you need to establis a TCP/IP connection between two processes on the same ho To enable loopback for client outbound connections, run the following at a command prompt: ```dos -CheckNetIsolation.exe LoopbackExempt -a -n=\ +CheckNetIsolation.exe LoopbackExempt -a -n= ``` To enable loopback for server inbound connections, run the following at a command prompt: ```dos -CheckNetIsolation.exe LoopbackExempt -is -n=\ +CheckNetIsolation.exe LoopbackExempt -is -n= ``` You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. @@ -78,7 +78,7 @@ If you can consistently reproduce the issue, then you can run the following in a ```DOS Netsh wfp capture start keywords=19 -\ + Netsh wfp capture stop ``` @@ -92,10 +92,10 @@ will be separated by periods: ```XML (ex) - + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... -\ + ``` The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. 
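Review bot: In the `@@ -56,13` hunk, dropping the trailing backslash leaves `CheckNetIsolation.exe LoopbackExempt -a -n=` and `CheckNetIsolation.exe LoopbackExempt -is -n=` with no argument, so the commands as shown are not runnable; `-n=` takes the app's package family name, so use an explicit placeholder such as `-n=<PackageFamilyName>` in both blocks. The unchanged context line above still carries the typo "establis" for "establish".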
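Review bot: In the `@@ -78,7` hunk, removing the `\` between `Netsh wfp capture start keywords=19` and `Netsh wfp capture stop` leaves only an empty line where the repro step belongs, so a reader following the block verbatim would stop the capture immediately and collect nothing. Add a placeholder line such as `REM reproduce the connectivity issue here` (the block is fenced as `DOS`), or state the step in the sentence before the block.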
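Review bot: In the `@@ -92,10` hunk, the `(ex)` label sits inside the fenced `XML` block, so it renders as code rather than as a lead-in; move it into the preceding sentence ("... will be separated by periods, for example:") and keep only the element in the fence. The sample itself still has no element name around the `\\.d.e.v.i.c.e.\\...s.v.c.h.o.s.t...e.x.e...` value, so it does not show the reader which wfpdiag.xml element to search for.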
@@ -114,187 +114,186 @@ remote address, capabilities, etc. **Classify Allow netEvent, Wfpdiag-Case-1.xml** ```xml - - - 2020-05-21T17:25:59.070Z\ - - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ - FWPM_NET_EVENT_FLAG_APP_ID_SET\ - FWPM_NET_EVENT_FLAG_USER_ID_SET\ - FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ - - FWP_IP_VERSION_V6\ - 6\ - 2001:4898:30:3:256c:e5ba:12f3:beb1\ \2620:1ec:c11::200\ -52127\ -443\ -0\ - - 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\ - \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. - .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ - -S-1-5-21-2993214446-1947230185-131795049-1000\ -FWP_AF_INET6\ -S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ - -0\ - - -FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ - - 125918\ - 50\ - 0\ - 1\ - 1\ - - - -0000000000000000\ - - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ - -0\ - - - - 125918\ - FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ - FWP_ACTION_PERMIT\ - - - 121167\ - FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ - FWP_ACTION_PERMIT\ - - - - + +
+ 2020-05-21T17:25:59.070Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V6 + 6 + 2001:4898:30:3:256c:e5ba:12f3:beb1 + 2620:1ec:c11::200 +52127 +443 +0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2993214446-1947230185-131795049-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
+FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 125918 + 50 + 0 + 1 + 1 + + + +0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + +0 + + + + 125918 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 121167 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
``` The following is the filter that permitted the packet to be sent to the target -address according to the terminatingFiltersInfo in the netEvent. This packet was -allowed by Filter \#125918 which is from the InternetClient Default Rule. +address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was +allowed by Filter #125918, from the InternetClient Default Rule. -**InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml** +**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml** ```xml -\ -> \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\ -> \ -> \InternetClient Default Rule\ -> \InternetClient Default Rule\ -> \ -> \ -> \FWPM_PROVIDER_MPSSVC_WSH\ -> \ -> \ad2b000000000000\ -> \.+......\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V6\ -> \FWPM_SUBLAYER_MPSSVC_WSH\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ -> \FWP_MATCH_RANGE\ -> \ -> \FWP_RANGE_TYPE\ -> \ -> \ -> \FWP_BYTE_ARRAY16_TYPE\ -> \::\ -> \ -> \ -> \FWP_BYTE_ARRAY16_TYPE\ -> \ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\ -> \ -> \ -> \ -> \ -> \ -> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_CURRENT_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_USER_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_SECURITY_DESCRIPTOR_TYPE\ -> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \0\ -> \ -> \125918\ -> \ -> \FWP_UINT64\ -> \103079219136\ -> \ -\ + + {3389708e-f7ae-4ebc-a61a-f659065ab24e} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + ad2b000000000000 + .+...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + FWPM_SUBLAYER_MPSSVC_WSH + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_BYTE_ARRAY16_TYPE + :: + + + FWP_BYTE_ARRAY16_TYPE + ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 125918 + + FWP_UINT64 + 103079219136 + + ``` -One condition is **Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** ```xml -\ -> \FWPM_CONDITION_ALE_USER_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_SECURITY_DESCRIPTOR_TYPE\ -> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ -> \ -\ + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + ``` -which is the condition for checking capabilities in this filter. +This is the condition for checking capabilities in this filter. -The important part of this condition is S-1-15-3-1, which is the capability SID -for INTERNET_CLIENT privileges. +The important part of this condition is **S-1-15-3-1**, which is the capability SID +for **INTERNET_CLIENT** privileges. -From the netEvent’s capabilities section, - -Capabilities from netEvent, Wfpdiag-Case-1.xml +From the **netEvent** capabilities section, +capabilities from netEvent, Wfpdiag-Case-1.xml. 
```xml -\ -> **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\** \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ -\FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ -\ + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + ``` -it shows the packet came from an app with an Internet client token -(FWP_CAPABILITIES_FLAG_INTERNET_CLIENT) which matches the capability SID in the +This shows the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the filter. All the other conditions are also met for the filter, so the packet is allowed. 
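Review bot: The line `-One condition is **Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**` is removed without a replacement, so the capability-condition `xml` block that follows now has no caption; restore it as a bold caption, `**Capabilities Condition in Filter #125918, Wfpdiag-Case-1.xml**`, to match the other samples. The added pair `+From the **netEvent** capabilities section,` / `+capabilities from netEvent, Wfpdiag-Case-1.xml.` leaves a dangling fragment followed by a lowercase caption with a trailing period; suggest "The following is the capabilities section from the netEvent:" and a bold `**Capabilities from netEvent, Wfpdiag-Case-1.xml**`. In that snippet `FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER` is still on one line while the full netEvent above lists each flag on its own line; split it for consistency.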
@@ -307,175 +306,173 @@ the packet having all capabilities. In this example, the UWP app is unable to connect to bing.com [2620:1ec:c11::200]. -The following is a drop netEvent that was captured in the traces during this -repro. +The following is a drop netEvent that was captured in the trace. **Classify Drop netEvent, Wfpdiag-Case-2.xml** ```xml -\ -\ -\2020-03-30T23:53:09.720Z\ -\ -\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -\FWPM_NET_EVENT_FLAG_APP_ID_SET\ -\FWPM_NET_EVENT_FLAG_USER_ID_SET\ -\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -\ -\FWP_IP_VERSION_V6\ -\6\ -\2001:4898:1a:1045:8469:3351:e6e2:543\ -\2620:1ec:c11::200\ -\63187\ -\443\ -\0\ -\ -\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\ -\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. -.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -\ -\S-1-5-21-2788718703-1626973220-3690764900-1000\ -\FWP_AF_INET6\ -\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -\ -\0\ -\ -\ -\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ -\ -\68893\ -\50\ -\0\ -\1\ -\1\ -\MS_FWP_DIRECTION_OUT\ -\false\ -\ -\0\ -\0\ -\ -\ -\ -\0000000000000000\ -\ -\0\ -\ -\ -\ -\68893\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -\FWP_ACTION_BLOCK\ -\ -\ -\68879\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -\FWP_ACTION_PERMIT\ -\ -\ -\ -\ + +
+2020-03-30T23:53:09.720Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:8469:3351:e6e2:543 +2620:1ec:c11::200 +63187 +443 +0 + +5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0034002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
``` -The first thing that should be checked in the netEvent is the capabilities -field\*. In this example, the capabilities field is empty, indicating that the +The first thing that you should check in the **netEvent** is the capabilities +field. In this example, the capabilities field is empty, indicating that the UWP app was not configured with any capability tokens to allow it to connect to a network. **Internal Fields from netEvent, Wfpdiag-Case-2.xml** ```xml -\ -\ -\0000000000000000\ -**\** -\0\ -\ -\ -\ -\68893\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -\FWP_ACTION_BLOCK\ -\ -\ -\68879\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -\FWP_ACTION_PERMIT\ -\ -\ -\ + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + ``` -The netEvent also gives us information about the filter that explicitly dropped -this packet, like the FilterId, listed under classify drop +The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop. **Classify Drop from netEvent, Wfpdiag-Case-2.xml** ```xml -\ -**\68893\** -\50\ -\0\ -\1\ -\1\ -\MS_FWP_DIRECTION_OUT\ -\false\ -\ -\0\ -\0\ -\ + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + ``` -If we search for that filter, \#68893, in Wfpdiag-Case2.xml, we will see that +If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that the packet was dropped by a Block Outbound Default Rule filter. 
-**Block Outbound Default Rule Filter \#68893, Wfpdiag-Case-2.xml** +**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml** ```xml -\ -> \{6d51582f-bcf8-42c4-afc9-e2ce7155c11b}\ -> \ -> \**Block Outbound Default Rule**\ -> \Block Outbound Default Rule\ -> \ -> \ -> \{4b153735-1049-4480-aab4-d1b9bdc03710}\ -> \ -> \b001000000000000\ -> \........\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V6\ -> \{b3cdd441-af90-41ba-a745-7c6008ff2300}\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_BLOCK\ -> \ -> \ -> \0\ -> \ -> \68893\ -> \ -> \FWP_UINT64\ -> \68719476736\ -> \ -\ + + {6d51582f-bcf8-42c4-afc9-e2ce7155c11b} +/t + **Block Outbound Default Rule** + Block Outbound Default Rule + + + {4b153735-1049-4480-aab4-d1b9bdc03710} + + b001000000000000 + ........ + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + {b3cdd441-af90-41ba-a745-7c6008ff2300} + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 68893 + + FWP_UINT64 + 68719476736 + + ``` -A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and thus not allowed by the other filters in +A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in the same sublayer. If the packet had the correct capability token, -FWP_CAPABILITIES_FLAG_INTERNET_CLIENT, it would have matched a condition for a +**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a non-default block filter and would have been permitted to reach bing.com. Without the correct capability tokens, the packet will be explicitly dropped by a default block outbound filter. 
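Review bot: The added `+/t` line in the **Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml** block is a stray literal (apparently an intended tab) and the `+ **Block Outbound Default Rule**` markers inside the `xml` fence render as literal asterisks, since markdown emphasis does not apply inside a code block; remove `/t` and the `**`, and call out the rule name in the prose instead. The file name in `+If you search for the filter #68893 in Wfpdiag-Case2.xml` does not match the caption's `Wfpdiag-Case-2.xml`. The rewritten sentence "if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters" reads better as "and was therefore not allowed by the other filters".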
@@ -490,74 +487,74 @@ only has a private network token. Therefore, the packet will be dropped. **Classify Drop netEvent, Wfpdiag-Case-3.xml** ```xml -\ -\ -\2020-03-31T16:57:18.570Z\ -\ -\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -\FWPM_NET_EVENT_FLAG_APP_ID_SET\ -\FWPM_NET_EVENT_FLAG_USER_ID_SET\ -\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -\ -\FWP_IP_VERSION_V6\ -\6\ -\2001:4898:1a:1045:9c65:7805:dd4a:cc4b\ -\2620:1ec:c11::200\ -\64086\ -\443\ -\0\ -\ -\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\ -\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. -.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -\ -\S-1-5-21-2788718703-1626973220-3690764900-1000\ -\FWP_AF_INET6\ -\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -\ -\0\ -\ -\ -\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ -\ -\68893\ -\50\ -\0\ -\1\ -\1\ -\MS_FWP_DIRECTION_OUT\ -\false\ -\ -\0\ -\0\ -\ -\ -\ -\0000000000000000\ -**\** -**\FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\** -**\** -\0\ -\ -\ -\ -\68893\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -\FWP_ACTION_BLOCK\ -\ -\ -\68879\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -\FWP_ACTION_PERMIT\ -\ -\ -\ -\ + +
+2020-03-31T16:57:18.570Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:9c65:7805:dd4a:cc4b +2620:1ec:c11::200 +64086 +443 +0 + +5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0035002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 +**** +**FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK** +**** +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
``` ## Case 4: UWP app cannot reach Intranet target address without Private Network capability @@ -567,75 +564,75 @@ In this example, the UWP app is unable to reach the Intranet target address, **Classify Drop netEvent, Wfpdiag-Case-4.xml** ```xml -\ -\ -> \2020-05-22T21:29:28.601Z\ -> \ -> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ -> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ -> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -> \ -> \FWP_IP_VERSION_V4\ -> \6\ -> \10.216.117.17\ -> \10.50.50.50\ -> \52998\ -> \53\ -> \0\ -> \ -> \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\ -> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. -> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -> \ -> \S-1-5-21-2993214446-1947230185-131795049-1000\ -> \FWP_AF_INET\ -> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -> \ -> \0\ -> \ -\ -> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ -> \ -> \121180\ -> \48\ -> \0\ -> \1\ -> \1\ -> \MS_FWP_DIRECTION_OUT\ -> \false\ -> \ -> \0\ -> \0\ -\ -\ -> \ -> \0000000000000000\ -> \ -> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ -> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ -> \ -> \0\ -> \ -> \ -> \ -> \121180\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -> \FWP_ACTION_BLOCK\ -> \ -> \ -> \121165\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -> \FWP_ACTION_PERMIT\ -> \ -> \ -\ -\ + +
+ 2020-05-22T21:29:28.601Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.50.50.50 + 52998 + 53 + 0 + + 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
``` ## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability 
@@ -644,360 +641,360 @@ In this example, the UWP app is unable to reach the Intranet target address, **Classify Drop netEvent, Wfpdiag-Case-5.xml** ```xml -\ -> \ -> \2020-05-22T20:54:53.499Z\ -> \ -> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ -> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ -> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -> \ -> \FWP_IP_VERSION_V4\ -> \6\ -> \10.216.117.17\ -> \10.1.1.1\ -> \52956\ -> \53\ -> \0\ -> \ -> \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\ -> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
-> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -> \ -> \S-1-5-21-2993214446-1947230185-131795049-1000\ -> \FWP_AF_INET\ -> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -> \ -> \0\ -> \ -\ -> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ -> \ -> \121180\ -> \48\ -> \0\ -> \1\ -> \1\ -> \MS_FWP_DIRECTION_OUT\ -> \false\ -> \ -> \0\ -> \0\ -> \ -> \ -> \ -> \0000000000000000\ -> \ -> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ -> \ -> \0\ -> \ -> \ -> \ -> \121180\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -> \FWP_ACTION_BLOCK\ -> \ -> \ -> \121165\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \ -\ + +
+ 2020-05-22T20:54:53.499Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.1.1.1 + 52956 + 53 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
``` The following shows the filter that blocked the event: **Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** ```xml -\ -> \{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\ -> \ -> \Block Outbound Default Rule\ -> \Block Outbound Default Rule\ -> \ -> \ -> \FWPM_PROVIDER_MPSSVC_WSH\ -> \ -> \c029000000000000\ -> \.)......\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ -> \FWPM_SUBLAYER_MPSSVC_WSH\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_BLOCK\ -> \ -> \ -> \0\ -> \ -> \121180\ -> \ -> \FWP_UINT64\ -> \274877906944\ -> \ -\ + + {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6} + + Block Outbound Default Rule + Block Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + c029000000000000 + .)...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 121180 + + FWP_UINT64 + 274877906944 + + ``` If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter. The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, -10.1.1.1, is not included in these filters it becomes clear that the address isnot in the private range. Check the policies which configure the private range -on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach. +10.1.1.1, is not included in these filters it becomes clear that the address is not in the private range. Check the policies that configure the private range +on the device (MDM, Group Policy, etc) and make sure it includes the private targetaddress you wanted to reach. 
**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** ```xml -\ -> \{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\ -> \ -> \PrivateNetwork Outbound Default Rule\ -> \PrivateNetwork Outbound Default Rule\ -> \ -> \ -> \FWPM_PROVIDER_MPSSVC_WSH\ -> \ -> \f22d000000000000\ -> \.-......\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ -> \FWPM_SUBLAYER_MPSSVC_WSH\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1.1.1.1\ -> \ -> \ -> \ -> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_CURRENT_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_USER_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_SECURITY_DESCRIPTOR_TYPE\ -> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \0\ -> \ -> \129656\ -> \ -> \FWP_UINT64\ -> \144115600392724416\ -> \ -> \ -> \ -> \{b11b4f8a-222e-49d6-8d69-02728681d8bc}\ -> \ -> \PrivateNetwork Outbound Default Rule\ -> \PrivateNetwork Outbound Default Rule\ -> \ -> \ -> \FWPM_PROVIDER_MPSSVC_WSH\ -> \ -> \f22d000000000000\ -> \.-......\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ -> \FWPM_SUBLAYER_MPSSVC_WSH\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ -> \FWP_MATCH_RANGE\ -> \ -> \FWP_RANGE_TYPE\ -> \ -> \ -> \FWP_UINT32\ -> \172.16.0.0\ -> \ -> \ -> \FWP_UINT32\ -> \172.31.255.255\ -> \ -> \ -> \ -> \ -> \ -> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_CURRENT_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_USER_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> 
\FWP_SECURITY_DESCRIPTOR_TYPE\ -> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \0\ -> \ -> \129657\ -> \ -> \FWP_UINT64\ -> \36029209335832512\ -> \ -\ -\ -> \{21cd82bc-6077-4069-94bf-750e5a43ca23}\ -> \ -> \PrivateNetwork Outbound Default Rule\ -> \PrivateNetwork Outbound Default Rule\ -> \ -> \ -> \FWPM_PROVIDER_MPSSVC_WSH\ -> \ -> \f22d000000000000\ -> \.-......\ -> \ -> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ -> \FWPM_SUBLAYER_MPSSVC_WSH\ -> \ -> \FWP_EMPTY\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_PACKAGE_ID\ -> \FWP_MATCH_NOT_EQUAL\ -> \ -> \FWP_SID\ -> \S-1-0-0\ -> \ -> \ -> \ -> \FWPM_CONDITION_IP_REMOTE_ADDRESS\ -> \FWP_MATCH_RANGE\ -> \ -> \FWP_RANGE_TYPE\ -> \ -> \ -> \FWP_UINT32\ -> \192.168.0.0\ -> \ -> \ -> \FWP_UINT32\ -> \192.168.255.255\ -> \ -> \ -> \ -> \ -> \ -> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_CURRENT_PROFILE_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_UINT32\ -> \1\ -> \ -> \ -> \ -> \FWPM_CONDITION_ALE_USER_ID\ -> \FWP_MATCH_EQUAL\ -> \ -> \FWP_SECURITY_DESCRIPTOR_TYPE\ -> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\ -> \ -> \ -> \ -> \ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \0\ -> \ -> \129658\ -> \ -> \FWP_UINT64\ -> \36029209335832512\ -> \ -\ + + {fd65507b-e356-4e2f-966f-0c9f9c1c6e78} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_EQUAL + + FWP_UINT32 + 1.1.1.1 + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129656 + + FWP_UINT64 + 144115600392724416 + + + + {b11b4f8a-222e-49d6-8d69-02728681d8bc} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 172.16.0.0 + + + FWP_UINT32 + 172.31.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129657 + + FWP_UINT64 + 36029209335832512 + + + + {21cd82bc-6077-4069-94bf-750e5a43ca23} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 192.168.0.0 + + + FWP_UINT32 + 192.168.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129658 + + FWP_UINT64 + 36029209335832512 + + ``` # Debugging Past Drops 
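Review bot: The rewritten closing sentence of this hunk fixes "isnot" but leaves "targetaddress" joined in the + line ("make sure it includes the private targetaddress you wanted to reach"); it should read "private target address", and "etc)" wants its period ("etc.)"). It would also help to say which condition on the three PrivateNetwork Outbound Default Rule filters the reader is meant to compare: the text says 10.1.1.1 "is not included in these filters", and the visible FWPM_CONDITION_IP_REMOTE_ADDRESS values are a single address (1.1.1.1) and the ranges 172.16.0.0 to 172.31.255.255 and 192.168.0.0 to 192.168.255.255, so one sentence pointing at that condition would let the reader verify the conclusion without scanning the whole XML listing.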
@@ -1007,38 +1004,38 @@ wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the netEvents of the reproduced event, and wfpstate.xml will contain the filters that were present on the machine at the time. -If you **do not** have a live repro or traces already collected, you can still +If you do not have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running -these commands in an Admin command prompt +these commands in an admin command prompt ```xml -> \ -> Netsh wfp show netevents -> Netsh wfp show state + + Netsh wfp show netevents + Netsh wfp show state ``` -“Netsh wfp show netevents” will generate netevents.xml, which contains the past -net events. “Netsh wfp show state” will generate wfpstate.xml, which contains +**Netsh wfp show netevents** creates netevents.xml, which contains the past +net events. **Netsh wfp show state** creates wfpstate.xml, which contains the current filters present on the machine. Unfortunately, collecting traces after the UWP network connectivity issue is not always reliable. -NetEvents on the machine are stored in a buffer. Once that buffer has reached -max capacity, the buffer will overwrite older net events. Due to the buffer +NetEvents on the device are stored in a buffer. Once that buffer has reached +maximum capacity, the buffer will overwrite older net events. Due to the buffer overwrite, it is possible that the collected netevents.xml will not contain the -net event associated with the UWP network connectivity issue if it was -overwritten. Additionally, filters on the machine can get deleted and re-added -with different filterIds due to miscellaneous events on the machine. Because of -this, a filterId from “netsh wfp show netevents” may not necessarily match any -filter in “netsh wfp show state” because that filterId may be outdated. +net event associated with the UWP network connectivity issue. It could have been ov +overwritten. 
Additionally, filters on the device can get deleted and re-added +with different filterIds due to miscellaneous events on the device. Because of +this, a **filterId** from **netsh wfp show netevents** may not necessarily match any +filter in **netsh wfp show state** because that **filterId** may be outdated. -If you can reproduce the UWP network connectivity issue consistently, we would +If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging Live Drops instead. Additionally, you can still follow the examples from Debugging Live Drops section using the trace commands in this section, even if you do not have a live -repro. The netEvents and filters are stored in one file in Debugging Live Drops +repro. The **netEvents** and filters are stored in one file in Debugging Live Drops as opposed to two separate files in the following Debugging Past Drops examples. ## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities 
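Review bot: The edited + line ending "It could have been ov" followed by "overwritten." leaves a stray "ov" fragment, so the rendered paragraph reads "It could have been ov overwritten."; drop the "ov". Two smaller points in the same hunk (@@ -1007,38): the fence around the two netsh commands is tagged ```xml although its content is command-prompt input rather than XML (a console or cmd tag would be accurate), and the hunk changes "on the machine" to "on the device" in two places but leaves "the current filters present on the machine" untouched and "an admin command prompt" without its terminating period.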
@@ -1048,72 +1045,72 @@ In this example, the UWP app is unable to connect to bing.com. Classify Drop Net Event, NetEvents-Case-7.xml ```xml -\ -\ -\2020-05-04T22:04:07.039Z\ -\ -\FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -\FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -\FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -\FWPM_NET_EVENT_FLAG_APP_ID_SET\ -\FWPM_NET_EVENT_FLAG_USER_ID_SET\ -\FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -\FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -\ -\FWP_IP_VERSION_V4\ -\6\ -\10.195.36.30\ -\204.79.197.200\ -\57062\ -\443\ -\0\ -\ -\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\ -\\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. -.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -\ -\S-1-5-21-1578316205-4060061518-881547182-1000\ -\FWP_AF_INET\ -\S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -\ -\0\ -\ -\ -\FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\ -\ -\206064\ -\48\ -\0\ -\1\ -\1\ -\MS_FWP_DIRECTION_OUT\ -\false\ -\ -\0\ -\0\ -\ -\ -\ -\0000000000000000\ -\ -\0\ -\ -\ -\ -\206064\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -\FWP_ACTION_BLOCK\ -\ -\ -\206049\ -\FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -\FWP_ACTION_PERMIT\ -\ -\ -\ -\ + +
+2020-05-04T22:04:07.039Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V4 +6 +10.195.36.30 +204.79.197.200 +57062 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-1578316205-4060061518-881547182-1000 +FWP_AF_INET +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
+FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +206064 +48 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +206064 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +206049 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
``` The Internal fields lists no active capabilities, and the packet is dropped at @@ -1127,45 +1124,45 @@ Security Descriptor doesn’t match. **Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** ```xml -\ -\{f138d1ad-9293-478f-8519-c3368e796711}\ -\ -\Block Outbound Default Rule\ -\Block Outbound Default Rule\ -\ -\ -\FWPM_PROVIDER_MPSSVC_WSH\ -\ -\2e65000000000000\ -\.e......\ -\ -\FWPM_LAYER_ALE_AUTH_CONNECT_V4\ -\FWPM_SUBLAYER_MPSSVC_WSH\ -\ -\FWP_EMPTY\ -\ -\ -\ -\FWPM_CONDITION_ALE_PACKAGE_ID\ -\FWP_MATCH_NOT_EQUAL\ -\ -\FWP_SID\ -\S-1-0-0\ -\ -\ -\ -\ -\FWP_ACTION_BLOCK\ -\ -\ -\0\ -\ -\206064\ -\ -\FWP_UINT64\ -\274877906944\ -\ -\ + +{f138d1ad-9293-478f-8519-c3368e796711} + +Block Outbound Default Rule +Block Outbound Default Rule + + +FWPM_PROVIDER_MPSSVC_WSH + +2e65000000000000 +.e...... + +FWPM_LAYER_ALE_AUTH_CONNECT_V4 +FWPM_SUBLAYER_MPSSVC_WSH + +FWP_EMPTY + + + +FWPM_CONDITION_ALE_PACKAGE_ID +FWP_MATCH_NOT_EQUAL + +FWP_SID +S-1-0-0 + + + + +FWP_ACTION_BLOCK + + +0 + +206064 + +FWP_UINT64 +274877906944 + + ``` ## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities 
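Review bot: The + lines of the Case 7 net event (@@ -1048,72) carry no indentation while the Case 8 event (@@ -1174,159) indents the same elements with a leading space; one layout for the two XML listings would be better. The unchanged context line that closes the hunk, "The Internal fields lists no active capabilities", has a number disagreement ("fields lists") that is worth fixing while the surrounding text is being edited. The appId in this event is shown only as the dotted string \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\... with no explanation; a short note that it reads as the path \device\harddiskvolume1\program files\windowsapps\...\uwpsocketclient.exe would help readers match the event to their own app.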
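Review bot: In the Case 7 filter hunk (@@ -1127,45) the context line reads "Security Descriptor doesn't match", but the Block Outbound Default Rule filter #206064 shown directly below it contains a single condition, FWPM_CONDITION_ALE_PACKAGE_ID FWP_MATCH_NOT_EQUAL S-1-0-0, and no security descriptor at all. The reader is left to infer that the mismatch refers to the permit filters the packet failed to match before reaching this block filter; one sentence saying so, before the XML, would stop readers searching this listing for a descriptor that is not there.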
@@ -1174,159 +1171,158 @@ In this example, the UWP app successfully connects to bing.com [204.79.197.200]. **Classify Allow Net Event, NetEvents-Case-8.xml** ```xml -\ -> \ -> \2020-05-04T18:49:55.101Z\ -> \ -> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\ -> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\ -> \FWPM_NET_EVENT_FLAG_APP_ID_SET\ -> \FWPM_NET_EVENT_FLAG_USER_ID_SET\ -> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\ -> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\ -> \ -> \FWP_IP_VERSION_V4\ -> \6\ -> \10.195.36.30\ -> \204.79.197.200\ -> \61673\ -> \443\ -> \0\ -> \ -> \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\ -> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. -> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\ -> \ -> \S-1-5-21-1578316205-4060061518-881547182-1000\ -> \FWP_AF_INET\ -> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\ -> \ -> \0\ -> \ -> \ -> \FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW\ -> \ -> \208757\ -> \48\ -> \0\ -> \1\ -> \1\ -> \ -> \ -> \ -> \0000000000000000\ -> \ -> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\ -> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\ -> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\ -> \ -> \0\ -> \ -> \ -> \ -> \208757\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \206049\ -> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\ -> \FWP_ACTION_PERMIT\ -> \ -> \ -> \ -\ + +
+ 2020-05-04T18:49:55.101Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.195.36.30 + 204.79.197.200 + 61673 + 443 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-1578316205-4060061518-881547182-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
+ FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 208757 + 48 + 0 + 1 + 1 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 208757 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 206049 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
``` -Important things to note: all capabilities are enabled and the resulting filter -determining the flow of the packet is 208757. +All capabilities are enabled and the resulting filter determining the flow of the packet is 208757. The filter stated above with action permit: **InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** ```xml -\ - \{e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}\ - \ - \InternetClient Default Rule\ - \InternetClient Default Rule\ - \ - \ - \FWPM_PROVIDER_MPSSVC_WSH\ - \ - \e167000000000000\ - \.g......\ - \ - \FWPM_LAYER_ALE_AUTH_CONNECT_V4\ - \FWPM_SUBLAYER_MPSSVC_WSH\ - \ - \FWP_EMPTY\ - \ - \ - \ - \FWPM_CONDITION_ALE_PACKAGE_ID\ - \FWP_MATCH_NOT_EQUAL\ - \ - \FWP_SID\ - \S-1-0-0\ - \ - \ - \ - \FWPM_CONDITION_IP_REMOTE_ADDRESS\ - \FWP_MATCH_RANGE\ - \ - \FWP_RANGE_TYPE\ - \ - \ - \FWP_UINT32\ - \0.0.0.0\ - \ - \ - \FWP_UINT32\ - \255.255.255.255\ - \ - \ - \ - \ - \ - \FWPM_CONDITION_ORIGINAL_PROFILE_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_UINT32\ - \1\ - \ - \ - \ - \FWPM_CONDITION_CURRENT_PROFILE_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_UINT32\ - \1\ - \ - \ - \ - \FWPM_CONDITION_ALE_USER_ID\ - \FWP_MATCH_EQUAL\ - \ - \FWP_SECURITY_DESCRIPTOR_TYPE\ - \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\ - \ - \ - \ - \ - \FWP_ACTION_PERMIT\ - \ - \ - \0\ - \ - \208757\ - \ - \FWP_UINT64\ - \412316868544\ - \ - \ + + {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + e167000000000000 + .g...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 0.0.0.0 + + + FWP_UINT32 + 255.255.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 208757 + + FWP_UINT64 + 412316868544 + + ``` The capabilities field in a netEvent was added to the traces in the Windows 10 -May 2019 Update +May 2019 Update. From 4fc5bf0a7578056c563da078292ac7791fe903f8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 13 Aug 2020 18:19:38 -0700 Subject: [PATCH 6/6] fixing H1s --- .../windows-firewall/troubleshooting-uwp-firewall.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index fd79a67511..1ea6cce448 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
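Review bot: In the Case 8 hunk (@@ -1174,159 of PATCH 1/6) the new sentence "All capabilities are enabled and the resulting filter determining the flow of the packet is 208757." still does not say what "all capabilities" means in the trace; the three FWP_CAPABILITIES_FLAG_* entries visible in the event (INTERNET_CLIENT, INTERNET_CLIENT_SERVER, PRIVATE_NETWORK) could be named to make the contrast with Case 7, which lists none, explicit. The unchanged context line "The filter stated above with action permit:" reads oddly because the filter follows it; "The filter referenced above, with action permit:" would be clearer. Finally, the InternetClient Default Rule's FWPM_CONDITION_ALE_USER_ID descriptor is O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) while the PrivateNetwork filters in the earlier hunk carry S-1-15-3-3; since the document's diagnoses turn on whether a packet's capabilities satisfy such a descriptor, a sentence noting that the S-1-15-3-x SID in the descriptor is the capability the filter is checking for would tie the filter XML to the capability flags in the event.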
@@ -39,9 +39,9 @@ filters ensures network isolation for UWP applications. Specifically, it guarant For more information on the filter arbitration algorithm and network isolation, see [Filter -Arbitration](https://docs.microsoft.com/en-us/windows/win32/fwp/filter-arbitration) +Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration) and -[Isolation](https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). +[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation). The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues. @@ -49,7 +49,7 @@ The following sections cover debugging case examples for loopback and non-loopba > As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the traces collected on previous releases of Windows. -# Debugging UWP App Loopback scenarios +## Debugging UWP App Loopback scenarios If you need to establis a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. @@ -68,9 +68,9 @@ You can ensure loopback is enabled by checking the appx manifests of both the se For more information about loopback scenarios, see [Communicating with localhost -(loopback)](https://docs.microsoft.com/en-us/windows/iot-core/develop-your-app/loopback) +(loopback)](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback) -# Debugging Live Drops +## Debugging Live Drops If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. 
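Review bot: The @@ -49,7 hunk demotes the heading to "## Debugging UWP App Loopback scenarios" but the context line immediately below it, "If you need to establis a TCP/IP connection", still carries the typo "establis"; fix it to "establish" in this pass. The heading's capitalization ("Loopback scenarios") is also inconsistent with the other headings touched in this commit ("Debugging Live Drops", "Debugging Past Drops").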
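Review bot: In the @@ -68,9 hunk the sentence "go to Debugging Past Drops for the appropriate trace commands" refers to the section by bare name; now that the sections are H2 headings, an in-page link to that heading would be more useful than plain text. The preceding sentence, "For more information about loopback scenarios, see [Communicating with localhost (loopback)](...)", has no terminating period.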
@@ -996,7 +996,7 @@ on the device (MDM, Group Policy, etc) and make sure it includes the private tar ``` -# Debugging Past Drops +## Debugging Past Drops If you are debugging a network drop from the past or from a remote machine, you may have traces already collected from Feedback Hub, such as nettrace.etl and
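Review bot: The heading demotion to "## Debugging Past Drops" is consistent with the other H1 to H2 changes in this commit, but the context line "If you are debugging a network drop from the past or from a remote machine" keeps "machine" where PATCH 1/6 changed the same word to "device" throughout the Debugging Past Drops text; change it here as well so the section uses one term.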