Jetzt Ausprobieren
Pro Tips

Windows Firewall Monitoring

3 min. read
11/02/2022
By Esben Dochy
Pro Tips with Esben 15 Windows Firewall Monitoring

Pro Tips with Esben #15

The Windows Firewall is a basic component for protecting Windows devices, ensuring it is always on it therefore pretty important to say the least. Today I’ll be covering a couple of methods to help you stay on top of the firewall status in your environment.

Windows Firewall

Windows firewall, first introduced with Windows XP and Windows Server 2003 back in 2001 as the “Internet Connection Firewall“. The Windows firewall is designed to keep unauthorized users and applications from accessing files and resources on your computer. Therefore, you want to make sure it is always enabled on computers and servers in your environment.

Getting the Service Status

Lansweeper easily scans the status of all Windows services, this obviously includes the Windows Firewall Service as well. One way to keep an eye on the firewall status is to obviously to use the report below.

However, using the alert report dashboard widget, you can more easily quickly check it every time you open Lansweeper. With the button in the bottom-right corner, you can head to the settings and adjust which reports are shown in the widget.

Either create a new page for the widget or adjust an existing one (the page called “Dashboard” is used by default).

Alert report Firewall widget

Auditing Status Events

Another way is using Windows events, I already covered some Windows firewall events in Pro Tips #8, but now I’ve made a report for event ID 5025 indicating that the Windows Firewall Service has been stopped. To scan this event, you will have to turn on “Scan Success audit events” in the Server Options of your Lansweeper installation.

Similar to the service status report above, you can embed this one in your alert report widget to quickly take a glance every morning just to make sure nothing out of the ordinary is going on.

Windows Firewall Alerts

If you’re in the market for something quicker than just taking a look every morning, alerts are the way to go. Both a report alert and eventlog alert can be used in this example. Just make sure you have a mailbox ready Lansweeper can use to send alerts and that you create an email group for the alerts to be sent to.

Lets start with the easy one, the eventlog alert. Simply create a new alert with the event ID 5025 and a corresponding description. Once the event is scanned by Lansweeper, you’ll immediately get an email notification.

Don’t forget, there are eventlog only scanning targets if you want assets to be scanned more frequently for eventlog changes. An alert can only be as fast as the data is scanned.

Event log alert

For the report alert it bears repeating that they will only be sent if the report has data. As long as there are no services turned off or no 5025 events scanned, the report alerts will not be sent. However, you might want to adjust the reports depending on how frequently your alerts are sent so you don’t get alerts with the same data as yesterday.

Adjusting the “Getdate() -7” in the report queries with the number of previous days data you want in the report will do the trick.