windows firewall
3 Topics

How to identify the firewall filter based on ID
Hi, we started to have a strange problem, and it looks like Windows Firewall has started blocking traffic even though there are rules for the traffic. When I ran the command netsh wfp show netevents, I found in the XML file that this generates the following drop related to my traffic:

    <item>
      <filterId>1910059</filterId>
      <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
      <actionType>FWP_ACTION_BLOCK</actionType>
    </item>

Does anybody know how to identify what this filter is?

672 Views, 0 likes, 0 Comments

Internet Traffic blocked in Edge Sandbox Mode (Windows Defender Application Guard)
I have successfully activated Windows Defender Application Guard, but it seems surfing in Edge Sandbox Mode has been impossible. All required GPOs and additional requirements, as described here:

https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard
https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard

have been configured accordingly. I had a tip from Microsoft support that my firewall could be blocking traffic (NAT) coming from the Host Computer, so I should allow all IP subnets in the range of 172.x.x.x or 192.x.x.x. I have tested that by allowing this traffic in Trellix, including Remote Ports 49700–65535, as described in the Trellix documentation here: https://kcm.trellix.com/corporate/index?page=content&id=KB88788 but to no avail.

Could there be any other underlying root causes in a typical Enterprise environment where systems have been hardened using Security policies defined by CIS? What rules can be exempted here in order to allow this kind of traffic? Does anybody have experience with this kind of environment or issue? Some tips will be welcomed.

734 Views, 0 likes, 0 Comments