"firewall enabled of <firewall profile>" doesn't appear to work

Hello!

I’m currently experiencing an issue where I have machines with their Windows Firewall disabled with Group Policy (and the firewall is thus disabled), yet BigFix is reporting the firewall to be enabled for that particular network profile.

This has been reported before but not really followed up on: Windows firewall inspector library question

The inspector appears to correctly report if an end user disables the firewall, but if the firewall is disabled using Group Policy the inspector doesn’t seem to notice and reports the state the firewall would have IF Group Policy were not being applied.

Here is my test machine:

My currently impacted relevance is:

(type of it, firewall enabled of it) of profiles of local policy of firewall

Luckily there are only three firewall profiles, so I am currently using the following instead as a temporary workaround:

("Domain", firewall enabled of domain profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" of native registry as string | "-1") whose (it = "0"));
("Public", firewall enabled of public profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" of native registry as string | "-1") whose (it = "0"));
("Private", firewall enabled of private profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" of native registry as string | "-1") whose (it = "0"))

Any thoughts?

Bill


Is there a specific version of the platform involved or is this across multiple versions?

@AlanM I’m currently seeing it in 9.2.7 and 9.5 – I don’t have any clients older than 9.2.7 unfortunately

I hope this is a valid test but this is from QnA 8.1

There were other inspectors added since 8.1 but firewall logic is our own little hell

Did you base your relevance off BES Support Fixlet 288?

And here it is in QnA v6 (my new favorite version of QnA):

Relevance part 7 from Fixlet 288 looks to properly capture what my workaround does.

Seems like this could work to check all of the GPO options:

not exists values "EnableFirewall" whose(it = "0") of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of (x64 registries; x32 registries)

Seems like this would handle the normal case:

not exists firewalls enabled whose(FALSE=it) of profiles of local policies of firewalls

I have a tendency to use “current profile of local policy of firewall” to look at only the currently-active profile.

Current Firewall Profile: (“Domain”, “Public”, “Private”, “Standard”)
type of current profile of local policy of firewall as string

Firewall Enabled - Local Policy (True/False)
exists firewall whose (firewall enabled of current profile of local policy of firewall)

Firewall Enabled - Group Policy (True/False)
exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry

Firewall Configuration - Group Policy (returns “Enabled”, “Disabled”, or “Not Configured”)
(if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then "Enabled" else "Disabled" else "Not Configured") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry

Firewall Enabled - Active Configuration (True/False) - A couple of different ways of getting at it. I’m still playing with these.
(if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then True else False else firewall enabled of current profile of local policy of firewall) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry

exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry OR ( firewall enabled of current profile of local policy of firewall AND not exists (value "EnableFirewall" of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry as string | "-1") whose (it = "0") )

It looks like current profile doesn’t work either when you have multiple active profiles:

Active Profiles:

Q: profile types of firewall
A: Domain
A: Public

First

Q: type of current profile of local policy of firewall as string
E: Singular expression refers to nonexistent object.

Second

Q: exists firewall whose (firewall enabled of current profile of local policy of firewall)
A: False
T: 83.131 ms

Third

Q: exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
E: Singular expression refers to nonexistent object.

Fourth

Q: (if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then "Enabled" else "Disabled" else "Not Configured") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry 
E: Singular expression refers to nonexistent object.

Fifth

Q: (if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then True else False else firewall enabled of current profile of local policy of firewall) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry 
E: Singular expression refers to nonexistent object.

Last

Q: exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry OR  ( firewall enabled of current profile of local policy of firewall AND not exists (value "EnableFirewall" of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry as string | "-1") whose (it = "0") )
E: Singular expression refers to nonexistent object.

The use case for this is when you have multiple active adapters with different security levels.

For example:

  • Domain Joined machine with a local network connection (Domain Network) with an active VPN Connection (Public Network)
  • Domain Joined FileServer with a local network connection (Domain Network) private SAN network (Private Network)
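The check the thread is circling around (Group Policy value wins when it is configured, local setting otherwise, and every active profile must be evaluated rather than a single "current" one) can be reproduced outside BigFix and used to validate what the inspectors return. The PowerShell below is an added example, not code from any post above or from BigFix. It assumes the Group Policy keys live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall with the subkey names DomainProfile, StandardProfile (Private) and PublicProfile, that the locally configured state lives under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy with the same subkey names, and that the NetSecurity and NetConnection modules (Windows 8 / Server 2012 and later) are available:

```powershell
# Added example: effective Windows Firewall state per profile, honouring Group Policy.
# Not taken from the forum thread; the registry paths and subkey names below are
# assumptions stated in the lead-in.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Group Policy still calls the Private profile "StandardProfile".
$ProfileKey = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

function Get-EnableFirewallValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns 1, 0, or $null when the key or the value is absent (= "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableFirewall
}

function Get-ActiveFirewallProfiles {
    # One entry per connected network, so several profiles can be active at once
    # (e.g. Domain on the LAN adapter and Public on a VPN adapter).
    Get-NetConnectionProfile -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty NetworkCategory -Unique |
        ForEach-Object { if ("$_" -eq 'DomainAuthenticated') { 'Domain' } else { "$_" } }
}

function Get-EffectiveFirewallState {
    $active = @(Get-ActiveFirewallProfiles)

    foreach ($name in 'Domain', 'Private', 'Public') {
        $sub   = $ProfileKey[$name]
        $gpo   = Get-EnableFirewallValue -Path "$PolicyRoot\$sub"
        $local = Get-EnableFirewallValue -Path "$LocalRoot\$sub"

        # Policy wins when configured; otherwise the local setting applies.
        # With neither present the Windows default is "on".
        if ($null -ne $gpo)        { $enabled = ($gpo -eq 1);   $source = 'GroupPolicy' }
        elseif ($null -ne $local)  { $enabled = ($local -eq 1); $source = 'Local' }
        else                       { $enabled = $true;          $source = 'Default' }

        [pscustomobject]@{
            Profile     = $name
            Active      = ($active -contains $name)
            GpoSetting  = if ($null -eq $gpo) { 'Not Configured' } elseif ($gpo -eq 1) { 'Enabled' } else { 'Disabled' }
            LocalValue  = $local
            Enabled     = $enabled
            Source      = $source
            # What the firewall service reports from the local (persistent) store, which is
            # what "local policy of firewall" mirrors, versus the merged active store.
            LocalStore  = (Get-NetFirewallProfile -Name $name -PolicyStore PersistentStore).Enabled
            ActiveStore = (Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore).Enabled
        }
    }
}

Get-EffectiveFirewallState | Format-Table -AutoSize
```

On a machine where Group Policy disables the firewall, the rows show `GpoSetting = Disabled`, `Enabled = False` and `ActiveStore = False` while `LocalStore` can still read `True`; that difference is exactly the gap between what the `firewall enabled of <profile>` inspector returns and what the machine is actually doing. Filtering on `Active -eq $true` gives the per-profile answer for every connected network instead of the single "current profile" that fails when two profiles are active.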

So…I guess the “current profile” inspector is no good. Awesome.

I see in your earlier relevance where you’re checking the three profiles - have you figured out how to check which one(s) are active?

This will tell you which profile types are active

Q: profile types of firewall
A: Domain
A: Public

Hmmm… back to a personal aggravation of mine, that all the Registry creation classes require “of registry”. So I can’t do something like
exists profile types whose (exists values "EnableFirewall" of key ("HKLM\Software\Policies\Microsoft\WindowsFirewall\" & it & "Profile") of native registry) of firewall

I haven’t found a construct where “it” can refer to the profile type, rather than the native registry. This is a case that would be simpler with
exists profile types whose (exists values "EnableFirewall" of native registry key ("HKLM\Software\Policies\Microsoft\WindowsFirewall\" & it & "Profile") ) of firewall

Sigh, if only there were a “native registry key” creation class (hint hint @AlanM)