Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 for advanced users
Article ID: 875357
To continue receiving security updates for Windows, make sure you're running Windows XP with Service Pack 3 (SP3).
For more information, refer to this Microsoft web page: Support is ending for some versions of Windows
|Date||Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.||2001-01-27|
|Time||Displays the hour, minute, and seconds when the recorded transaction occurred. Times are recorded in the format: HH:MM:SS, where HH is the hour in 24-hour format, MM is the number of minutes, and SS is the number of seconds.||21:36:59|
|Action||Indicates the operation that was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but that were not recorded in the log.||OPEN|
|Protocol||Displays the protocol that was used for the communication. A protocol entry can also be a number for packets that are not using TCP, UDP, or ICMP.||TCP|
|src-ip||Displays the source IP address, or the IP address of the computer, that is trying to establish communications.||192.168.0.1|
|dst-ip||Displays the destination IP address of a communication attempt.||192.168.0.1|
|src-port||Displays the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.||4039|
|dst-port||Displays the port number of the destination computer. A dst-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.||53|
|size||Displays the packet size in bytes.||60|
|tcpflags||Displays the TCP control flags that are found in the TCP header of an IP packet:|
|tcpsyn||Displays the TCP sequence number in the packet.||1315819770|
|tcpack||Displays the TCP acknowledgement number in the packet.||0|
|tcpwin||Displays the TCP window size in bytes in the packet.||64240|
|icmptype||Displays a number that represents the Type field of the ICMP message.||8|
|icmpcode||Displays a number that represents the Code field of the ICMP message.||0|
|info||Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action creates an entry for the number of events that occurred but were not recorded in the log from the time of the last occurrence of this event type.||23|
Note: The hyphen (-) is used for fields where no information is available for an entry.
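The field table above maps directly onto a parser. The following Python sketch is an added example, not part of the original article: it assumes the log columns are space-separated in the order the table lists them and that header lines begin with `#`, and it runs over constructed sample lines to count DROP entries per protocol and destination port and to total the events reported by INFO-EVENTS-LOST.

```python
from collections import Counter

# Column order taken from the field table above; space-separated columns are an assumption.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()
NUMERIC = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
           "icmptype", "icmpcode"}

# Constructed sample lines (not from a real system).
SAMPLE_LOG = """\
2001-01-27 21:36:59 OPEN TCP 192.168.0.1 192.168.0.2 4039 53 - - - - - - - -
2001-01-27 21:37:00 DROP TCP 192.168.0.7 192.168.0.1 4040 445 48 S 1315819770 0 64240 - - -
2001-01-27 21:37:01 DROP TCP 192.168.0.7 192.168.0.1 4041 445 48 S 1315819999 0 64240 - - -
2001-01-27 21:37:02 DROP ICMP 192.168.0.7 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:05 INFO-EVENTS-LOST - - - - - - - - - - - - 23
"""

def parse_line(line):
    """Return a dict for one log entry, or None for blank and '#' header lines."""
    line = line.strip()
    if not line or line.startswith("#"):  # '#' header lines are an assumption
        return None
    # maxsplit keeps any spaces inside the trailing info field intact
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    # A hyphen means "no information"; port, size and ICMP columns become integers.
    return {name: None if raw == "-" else int(raw) if name in NUMERIC else raw
            for name, raw in zip(FIELDS, parts)}

def summarize(text):
    """Count DROP entries per (protocol, dst-port) and total the lost events."""
    dropped, lost = Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DROP":
            dropped[(rec["protocol"], rec["dst-port"])] += 1
        elif rec["action"] == "INFO-EVENTS-LOST":
            lost += int(rec["info"])  # info carries the number of unrecorded events
    return dropped, lost

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero lost-event total means the DROP counts are a lower bound, because entries were discarded before they reached the log.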
Using command-line support
Windows Firewall Netsh Helper was added to Windows XP in the Microsoft Advanced Networking Pack. This command-line helper previously applied to IPv6 Windows Firewall. With Windows XP Service Pack 2, the helper now includes support for configuring IPv4.
With Netsh Helper, you can now:
- Configure the default state of Windows Firewall. (Options include Off, On, and On with no exceptions.)
- Configure the ports that must be open.
- Configure the ports to enable global access or to restrict access to the local subnet.
- Set ports to be open on all interfaces or only on a specific interface.
- Configure the logging options.
- Configure the Internet Control Message Protocol (ICMP) handling options.
- Add or remove programs from the exceptions list.
Gathering diagnostic data
Windows Firewall configuration and status information can be retrieved at the command line by using the Netsh.exe tool. This tool adds IPv4 firewall support to the following Netsh context:
netsh firewall
To use this context, type netsh firewall at a command prompt, and then use additional Netsh commands as needed. The following commands are useful for gathering firewall status and configuration information:
- Netsh firewall show state
- Netsh firewall show config
Compare the output from these commands with the output from the netstat -ano command to identify the programs that may have listening ports open and that do not have corresponding exceptions in the firewall configuration. Supported data gathering and configuration commands are listed in the following tables.
Note: Settings can be modified only by an administrator.
|show allowedprogram||Displays the allowed programs.|
|show config||Displays the detailed local configuration information.|
|show currentprofile||Displays the current profile.|
|show icmpsetting||Displays the ICMP settings.|
|show logging||Displays the logging settings.|
|show opmode||Displays the operational mode.|
|show portopening||Displays the excepted ports.|
|show service||Displays the services.|
|show state||Displays the current state information.|
|show notifications||Displays the current settings for notifications.|
|add allowedprogram||Used to add excepted traffic by specifying the program's file name.|
|set allowedprogram||Used to modify the settings of an existing allowed program.|
|delete allowedprogram||Used to delete an existing allowed program.|
|set icmpsetting||Used to specify allowed ICMP traffic.|
|set logging||Used to specify logging options for Windows Firewall either globally or for a specific connection (interface).|
|set opmode||Used to specify the operating mode of Windows Firewall either globally or for a specific connection (interface).|
|add portopening||Used to add excepted traffic by specifying a TCP or UDP port.|
|set portopening||Used to modify the settings of an existing open TCP or UDP port.|
|delete portopening||Used to delete an existing open TCP or UDP port.|
|set service||Used to enable or drop RPC and DCOM traffic, file and printer sharing, and UPnP traffic.|
|set notifications||Used to specify whether notifications to the user when programs try to open ports are enabled.|
|reset||Resets firewall configuration to default. This provides the same functionality as the Restore Defaults button in the Windows Firewall interface.|
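The netstat -ano comparison described under "Gathering diagnostic data" can be scripted once both outputs are saved. The following Python sketch is an added example, not part of the original article: the netstat text is constructed sample output, and EXCEPTED is a hypothetical set of port exceptions that the analyst copies by hand from the netsh firewall show config output.

```python
# Constructed sample of "netstat -ano" output (not from a real system).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1548
  TCP    192.168.0.5:1045       192.168.0.9:80         ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    700
  UDP    127.0.0.1:123          *:*                                    1100
"""

# Hypothetical exception list, entered by hand from "netsh firewall show config".
EXCEPTED = {("TCP", 3389)}

def listeners(netstat_text):
    """Return (protocol, port, pid) for sockets reachable from the network."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, pid = cols[0], cols[1], cols[-1]
        # TCP rows carry a State column; UDP rows do not and always count as open.
        if proto == "TCP" and cols[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not exposed through the firewall
        found.append((proto, int(port), int(pid)))
    return found

def unexcepted(netstat_text, excepted):
    """Listening ports that have no matching firewall exception."""
    return [(proto, port, pid) for proto, port, pid in listeners(netstat_text)
            if (proto, port) not in excepted]

if __name__ == "__main__":
    for proto, port, pid in unexcepted(SAMPLE_NETSTAT, EXCEPTED):
        print("%s port %d (PID %d) has no firewall exception" % (proto, port, pid))
```

Each PID in the result identifies the program whose inbound traffic the firewall will drop unless an exception is added or the listener is intentional and local-only.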
Troubleshooting the firewall
Along with program compatibility issues, the Windows Firewall may experience other problems. Follow these steps to diagnose problems:
- To verify that TCP/IP is functioning correctly, use the ping command to test the loopback address (127.0.0.1) and the assigned IP address.
- Verify the configuration in the user interface to determine whether the firewall has been unintentionally set to Off or On with No Exceptions.
- Use the netsh commands for Status and Configuration information to look for unintended settings that could be interfering with expected behavior.
- Determine the status of the Windows Firewall/Internet Connection Sharing service by typing the following at a command prompt: sc query sharedaccess (The short name of this service is SharedAccess.) Troubleshoot service startup based on the Win32 exit code if this service does not start.
- Determine the status of the Ipnat.sys firewall driver by typing the following at a command prompt: sc query ipnat This command also returns the Win32 exit code from the last start attempt. If the driver is not starting, use troubleshooting steps that would apply to any other driver.
- If the driver and service are both running, and no related errors exist in the event logs, use the Restore Defaults option on the Advanced tab of Windows Firewall properties to eliminate any potential problem configuration.
- If the issue is still not resolved, look for policy settings that might produce the unexpected behavior. To do this, type GPResult /v > gpresult.txt at the command prompt, and then examine the resulting text file for configured policies that are related to the firewall.
Configuring Windows Firewall Group Policy
Contact your network administrator to determine if a Group Policy setting prevents programs and scenarios from running in a corporate environment.
Windows Firewall Group Policy settings are located in the following Group Policy Object Editor snap-in paths:
- Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall
- Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile
- Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Standard Profile
From these locations, you can configure the following Group Policy settings:
- Windows Firewall: Allow authenticated Internet Protocol security (IPsec) bypass
- Windows Firewall: Protect all network connections
- Windows Firewall: Do not allow exceptions
- Windows Firewall: Define program exceptions
- Windows Firewall: Allow local program exceptions
- Windows Firewall: Allow remote administration exception
- Windows Firewall: Allow file and print sharing exception
- Windows Firewall: Allow ICMP exceptions
- Windows Firewall: Allow Remote Desktop exception
- Windows Firewall: Allow Universal Plug and Play (UPnP) framework exception
- Windows Firewall: Prohibit notifications
- Windows Firewall: Allow logging
- Windows Firewall: Prohibit unicast response to multicast or broadcast requests
- Windows Firewall: Define port exceptions
- Windows Firewall: Allow local port exceptions
For more information about Windows Firewall Group Policy settings, download the following white paper:
Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
- (http://support.microsoft.com/kb/843090/) Description of the Windows Firewall feature in Windows XP Service Pack 2
- (http://support.microsoft.com/kb/892199/) Certain Administrative Templates from the Windows XP Security Guide may prevent you from starting the Windows Firewall service in Windows XP Service Pack 2
- (http://support.microsoft.com/kb/920074/) You cannot start the Windows Firewall service in Windows XP SP2
- (http://support.microsoft.com/kb/886257/) How Windows Firewall affects the UPnP framework in Windows XP Service Pack 2
If these articles do not help you resolve the problem or if you experience symptoms that differ from those that are described in this article, search the Microsoft Knowledge Base for more information. To search the Microsoft Knowledge Base, visit the following Microsoft Web site:
http://support.microsoft.com
Then, type the text of the error message that you receive, or type a description of the problem in the Search Support (KB) field.