I'm trying to set up a computer to accept all incoming traffic but only allow outgoing traffic to a specific IP. I have set an allow all rule for Incoming and an Allow rule that specifies an IP address as the only acceptable Outgoing address. I have also set up a deny all Outgoing rule, assuming that the other rule will take precedence.
The problem I am having is that all traffic is being blocked, even the traffic going to the IP that I specified as being allowed.
I am looking for a way to trace traffic through the firewall and see exactly what rule is blocking the traffic. The log generated by the firewall monitoring tells me that traffic was dropped but not which rule blocked it.
Best Answer
(Note: this method has been working at least on Windows 7, 10 Pro, Server 2012 R2)
Following steps will lead you to the rule blocking your connection:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
netsh wfp show state
(this creates a XML file in the current folder)eventvwr.msc
This will give you a good start to find the blocking rule.
When you're done, don't forget to turn off the audit:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
Note: depending on your Windows language setting, the auditing service might use different non-English names. To find the subcategory names, run command:
auditpol /get /category:*
and find subcategories which correspond to "Filtering Platform Packet Drop" and "Filtering Platform Connection" in the system language.