Where are my Firewall rules stored?

I have a machine in a corporate network which has over 17 000 outbound and inbound firewall filters set. I can view them with the netsh command

netsh wfp show filters dir=OUT file=OutBoundFilters.xml

I have thousands of such filter rules for "InternetClientServer Outbound Default Rule"

<item>
  <filterKey>{3c45917d-eff9-4895-b36f-bec4efccbf95}</filterKey>
  <displayData>
    <name>InternetClientServer Outbound Default Rule</name>
    <description>InternetClientServer Outbound Default Rule</description>
  </displayData>
  <flags/>
  <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
  <providerData>
    <data>3303000000000000</data>
    <asString>3.......</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
  <weight>
    <type>FWP_EMPTY</type>
  </weight>
  <filterCondition numItems="5">
    <item>
      <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
      <matchType>FWP_MATCH_NOT_EQUAL</matchType>
      <conditionValue>
        <type>FWP_SID</type>
        <sid>S-1-0-0</sid>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
      <matchType>FWP_MATCH_RANGE</matchType>
      <conditionValue>
        <type>FWP_RANGE_TYPE</type>
        <rangeValue>
          <valueLow>
            <type>FWP_UINT32</type>
            <uint32>10.10.55.127</uint32>
          </valueLow>
          <valueHigh>
            <type>FWP_UINT32</type>
            <uint32>10.10.56.0</uint32>
          </valueHigh>
        </rangeValue>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>3</uint32>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>3</uint32>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
        <sd>O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>391334</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>225180806002261888</uint64>
  </effectiveWeight>
</item>

These rules are for the Base Filtering Engine, which is part of the Windows Firewall. There are not many firewall rules present in the MMC UI, so I am a bit lost as to where the thousands of filters are coming from and which rule is responsible for them.

Now I want to get rid of some of the rules or at least find out where they are coming from. I have found the registry key

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BFE\Parameters\Policy\Persistent\Filter

where some GUIDs are present, but I am not able to correlate my filter rules with any specific registry key. Where are the rules finally stored? Registry, a file, or are they pushed via group policies into the registry? I have found the issue by checking out CPU consumption in the kernel, where a large amount of CPU time is spent in

[screenshot of the kernel CPU profile]

The high amount of CPU comes from these many firewall rules. How can I track things further? I have tried to do boot-time logging of the firewall service when it consumes much more memory, but I have found no indication of who feeds the data into the firewall service. The actual data seems to be stored in a compact format which does not show up in CPU profiling, which is an annoying issue.

[screenshot]

2 Answers

In the Registry.

Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key. Each value under the key is a firewall rule -

3
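The values under that key are strings in a fixed format: a version tag, then pipe-separated key=value fields, for example v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=...|Name=...|. The same format is used for locally created rules under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules. The script below is an added example, not part of this answer: it parses those strings, keeping repeated keys such as Profile= or RA4= as lists, and lets you search the rules by name and direction. The SAMPLE_VALUES dictionary stands in for what the registry would return and is entirely constructed (value names and rule contents are made up); read_rules_from_registry reads a real key with winreg and therefore only works on Windows.

```python
"""Parse the rule strings Windows Firewall stores as registry values under a FirewallRules key."""
import sys

# Constructed sample standing in for {value name: rule string} as read from the key.
SAMPLE_VALUES = {
    "{0a1b2c3d-1111-4aaa-8bbb-000000000001}":
        "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=C:\\Program Files\\Contoso\\agent.exe"
        "|Profile=Domain|Profile=Private|Name=Contoso Agent|Desc=Allow agent updates|EmbedCtxt=Contoso|",
    "{0a1b2c3d-1111-4aaa-8bbb-000000000002}":
        "v2.30|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=5353|RA4=10.10.55.127-10.10.56.0"
        "|Name=@FirewallAPI.dll,-28502|Desc=Block mDNS from that range|",
    "{0a1b2c3d-1111-4aaa-8bbb-000000000003}":
        "v2.30|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|App=C:\\Tools\\old.exe|Name=Old tool|",
}

PROTOCOLS = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}


def parse_rule(value):
    """'v2.30|K=V|K=V|' -> {'_version': 'v2.30', 'K': [V, ...]}; keys may repeat, so every key maps to a list."""
    fields = value.split("|")
    rule = {"_version": fields[0]}
    for field in fields[1:]:
        if not field:                      # trailing separator leaves an empty field
            continue
        key, _, val = field.partition("=")  # split on the first '=' only; paths and names may contain '='
        rule.setdefault(key, []).append(val)
    return rule


def first(rule, key, default=None):
    """First value of a possibly repeated key."""
    return rule.get(key, [default])[0]


def summarize(vname, rule):
    """One-line summary of a parsed rule."""
    proto = first(rule, "Protocol", "any")
    return "{} {} {} {} app={} name={} active={}".format(
        vname, first(rule, "Dir"), first(rule, "Action"), PROTOCOLS.get(proto, proto),
        first(rule, "App", "-"), first(rule, "Name"), first(rule, "Active"))


def find_rules(values, name_contains=None, direction=None, active_only=True):
    """Return [(value_name, parsed_rule)] matching the filters; the name match is case-insensitive."""
    hits = []
    for vname, raw in values.items():
        rule = parse_rule(raw)
        if active_only and first(rule, "Active") != "TRUE":
            continue
        if direction and first(rule, "Dir") != direction:
            continue
        if name_contains and name_contains.lower() not in (first(rule, "Name") or "").lower():
            continue
        hits.append((vname, rule))
    return hits


def read_rules_from_registry(subkey):
    """Windows only: read every value under HKLM\\<subkey> into {value_name: rule_string}."""
    import winreg
    rules = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        index = 0
        while True:
            try:
                vname, data, _ = winreg.EnumValue(key, index)
            except OSError:                # index past the last value
                break
            rules[vname] = data
            index += 1
    return rules


if __name__ == "__main__":
    # Usage on Windows: python fwrules.py "SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules"
    if sys.platform == "win32" and len(sys.argv) > 1:
        values = read_rules_from_registry(sys.argv[1])
    else:
        values = SAMPLE_VALUES
    for vname, rule in find_rules(values, active_only=False):
        print(summarize(vname, rule))
```

Names of the form @FirewallAPI.dll,-28502 are resource references to localized strings, which is why a plain text search on Name does not always find the rule the MMC shows; search Desc or the value name as well when that happens.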

I believe you can find the (many) firewall rules here:

HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter
1
