08-19-2024 04:53 PM
Is there a report that will show if Windows Defender Firewall is Enabled or Disabled?
08-27-2024 10:17 PM
Probably. These reports scan the Microsoft Event Security logs looking for Eventcode = 5025 for the past 7 days. I believe it was written looking at the Microsoft firewall. If your firewall posts events there, and they're 5025, then it should find them.
Chances are that you'll have to find where your firewall writes events out, find the code and adjust the report to scour those logs for the firewall status.
Good luck.
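To compare what the event-based reports can see with the firewall's live state on one machine, the following added example (not part of the thread and not Lansweeper's own code) collects the per-profile setting, the firewall service state, and any event 5025 from the past 7 days. It assumes Windows 8 / Server 2012 or later for `Get-NetFirewallProfile`, an elevated session for Security log access, and the service name `MpsSvc`.

```powershell
# Added example: live firewall state vs. the event 5025 signal on one host.
# Assumption: run elevated; Get-NetFirewallProfile needs Windows 8 / 2012+.
$days = 7   # same look-back window the reports use

# 1. Per-profile setting (Domain, Private, Public)
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
$disabledProfiles = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })

# 2. Firewall service (MpsSvc): running state and start mode
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"

# 3. Security log event 5025 inside the window.
#    Get-WinEvent raises an error when nothing matches, so suppress it
#    and force an array so .Count is always valid.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5025
        StartTime = (Get-Date).AddDays(-$days)
    } -ErrorAction SilentlyContinue)

# One row per host; an empty DisabledProfiles with Event5025Count = 0 and
# a running service is the "nothing to report" case.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DisabledProfiles = ($disabledProfiles.Name -join ', ')
    ServiceState     = $svc.State
    ServiceStartMode = $svc.StartMode
    Event5025Count   = $events.Count
    LastEvent5025    = ($events | Select-Object -First 1).TimeCreated
}
```

A host that lists disabled profiles but shows `Event5025Count` of 0 has no matching event in the window, so a query that filters only on event 5025 returns no row for it.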
08-27-2024 08:21 PM
Nothing in the reports is a good thing. It means that the services are enabled and running.
If something shows, it's either disabled or stopped.
08-27-2024 08:46 PM
That's what has me confused. We have the firewall disabled on our network but nothing is showing in the report.
08-27-2024 09:52 PM
Just to confirm the report is accurate I tested it on a Windows 7 VM with the Firewall disabled on all network models (Domain to Public) and also disabled in the services. Both reports reflected the disabled and off states properly.
See when the last scan took place and whether or not there were errors scanning the asset.
08-27-2024 09:57 PM
I performed a scan last Tuesday and the scan will run tonight. We do have a 3rd party firewall, will that make a difference?
08-27-2024 07:03 PM
I think I got these from Lansweeper somewhere.
Windows Firewall Service Disabled Query
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  -- Show a scanning error only when one is actually recorded
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != ''
    Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent scanning error per asset
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
-- Event 5025 logged within the past 7 days, assets with State = 1 only
Where tblNtlog.Eventcode = 5025
  And tblNtlog.TimeGenerated > GetDate() - 7
  And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
Windows Firewall Service Stopped Event Query
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  -- Show a scanning error only when one is actually recorded
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != ''
    Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent scanning error per asset
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
-- Event 5025 logged within the past 7 days, assets with State = 1 only
Where tblNtlog.Eventcode = 5025
  And tblNtlog.TimeGenerated > GetDate() - 7
  And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
08-27-2024 07:13 PM
Thank you for your response. If nothing shows on the report does that mean Firewall is Disabled?