Event Id | 4956 |
Source | Microsoft-Windows-Security-Auditing |
Description | Windows Firewall has changed the active profile. New Active Profile:%t%1 |
Event Information | According to Microsoft:

Cause: This event is logged when Windows Firewall has changed the active profile.

Resolution:

Review the rules applied to the computer for the current network location type

If Windows Firewall is allowing unexpected traffic in or out of the local computer, then ensure that the firewall is enabled, and that the rules currently in place for the active profile are correct.

Confirm that the computer is using the correct policy settings

If the computer is receiving its firewall configuration from Group Policy, confirm that the latest policy is in place on the computer. To refresh Group Policy applied to the local computer:

1. Start an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
3. At the command prompt, type gpupdate /force.
4. When the command finishes applying policy, continue with the diagnostic and troubleshooting procedures below.

Confirm that the firewall is enabled for the currently detected network location type

Windows supports multiple firewall profiles and dynamically switches them based on the network location type detected through the connected network adapters. To determine the current network location type and firewall state of the computer:

1. Click Start, type wf.msc in the Start Search box, and then press ENTER.
2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
3. In the navigation pane, click the top node: Windows Firewall with Advanced Security.
4. The currently active profile is displayed with the words "is Active" in the Overview section in the details pane.
5. Ensure that for each profile type, the text "Windows Firewall is on" appears under each profile. If it is not, click Windows Firewall Properties, and then select the appropriate tab and change the Firewall state to On.

Confirm that the firewall is enabled for each network adapter on the computer

Windows Firewall enables you to turn it off for individual network adapters. To view the firewall state for each network adapter:

1. Click Start, click Control Panel, click Security, and then click Windows Firewall.
2. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
3. Click Change Settings.
4. Click the Advanced tab.
5. Under Network Connections, ensure that the check box next to each network connection is selected.

Evaluate the firewall rules in place for the current profile

Finally, if the procedures described above did not help you resolve the issue, you must inspect the firewall rules themselves:

1. If you still have the Windows Firewall with Advanced Security MMC snap-in open, then skip to step 4.
2. Click Start, type mmc wf.msc in the Start Search box, and then press ENTER.
3. If the User Account Control dialog box appears, ensure that it is for an action that you requested, and then click Continue.
4. In the navigation pane, click Inbound Rules or Outbound Rules as appropriate.
5. Click the column headers to sort the rules list by the values that can help you find the rules you want to evaluate.
6. For each rule that you want to evaluate, make sure that the following rule attributes are true or correct:
   a) The rule is active.
   b) The rule is configured to block or allow traffic as appropriate.
   c) The rule is referencing the proper program path for the application.
   d) If the application is a service, make sure that the service list is properly scoped.
   e) That the addresses, subnet, ports and protocols are correct for the traffic you want to block or allow.
   f) That the traffic direction (inbound or outbound) is correct.
   g) The profiles associated with the rule are correct.

Verify: To verify that the firewall rules are properly configured for a specific type of network traffic, you must run the application that generates the traffic, and then confirm that the rule works correctly. For example, to verify that firewall rules are properly blocking or allowing inbound Telnet network traffic to a specific computer on your network, use another computer on the network and attempt to use Telnet to connect to the protected computer. You can use Network Monitor to view the traffic on the network and to confirm whether the expected traffic is permitted or allowed, as defined by the firewall rules on the computer. Network Monitor can also indicate whether the traffic is authenticated or encrypted by using Internet Protocol security (IPsec). |
Reference Links | Event ID 4956 from Microsoft-Windows-Security-Auditing |
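
The checks in the Resolution steps above can also be scripted. The following PowerShell is an added example, not part of the original page or of Microsoft's guidance. It assumes the NetSecurity and NetConnection modules (Windows 8 / Server 2012 or later), an elevated prompt, and that the first event property holds the `%1` value from the event description.

```powershell
# Added example: correlate Event ID 4956 with the effective firewall state.
# Run elevated; reading the Security log requires administrative rights.

# 1. Recent profile changes. Assumption: Properties[0] is the %1 insertion
#    string from the event description (the new active profile).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4956 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'NewActiveProfile'; Expression = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# 2. Network location type currently detected on each connected adapter.
$connections = Get-NetConnectionProfile
$connections | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# 3. Effective state (local settings merged with Group Policy) of every profile,
#    including adapters on which the firewall has been switched off.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, DisabledInterfaceAliases |
    Format-Table -AutoSize

foreach ($p in $profiles) {
    if ($p.Enabled -ne 'True') {
        Write-Warning "Firewall is OFF for the $($p.Name) profile"
    }
}

# 4. Enabled inbound allow rules that apply to the profile(s) in use now.
#    NetworkCategory 'DomainAuthenticated' corresponds to the 'Domain' profile.
$active = $connections.NetworkCategory |
    ForEach-Object { "$_" -replace 'Authenticated$', '' } |
    Select-Object -Unique
$pattern = 'Any|' + ($active -join '|')

Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile.ToString() -match $pattern } |
    Select-Object DisplayName, Profile,
        @{ Name = 'Program';   Expression = { ($_ | Get-NetFirewallApplicationFilter).Program } },
        @{ Name = 'LocalPort'; Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort } } |
    Sort-Object Profile, DisplayName |
    Format-Table -AutoSize
```

A 4956 event that moves a machine to a less restrictive profile than expected, followed by a warning from step 3 or an unfamiliar allow rule in step 4, is the combination worth investigating first.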