This article describes how to check if Windows Firewall is enabled on all the LAN Connections on a server. I am going to make this post as short as possible but with all the required details…
I want to check if Windows Firewall is enabled on all of my LAN Connections. For this, I need to get a list of all the LAN Connections on my machine. After I get the list of all the connections on my machine, for each connection in the list, I need to go and check for the Windows Firewall status. So here, we will need to use nested data sources. I will show you how to!
Create the first WMI data source as follows:
WMI Class Name: HNet_Connection
Create a Setting under the first data source as follows:
The above defined Data source / Setting pair will get you all the LAN Connections on your machine! If you see, there is a new property we populated in the Setting called Substitution. Substitution behaves like a place holder. In our scenario, I get a list of all the connections on my PC. After that, for each connection, I need to query another WMI class. While querying the second WMI class, I need to specify the Where Clause. Because I want to check if firewall is enabled for that particular connection. While specifying the Where Clause, I need an ID so that I can identify the connection. That id is the __RELPATH. By using Substitution variable, I am storing the value of the __RELPATH property for each connection in the Substitution variable. As simple as that!
Now, lets create a Nested data source within the previous data source. Why do we need to create a nested data source? Because, this is not an individual query. From the first data source / setting, I got a list of connections. Now for each connection, I need to get its properties from a different WMI Class. Here are the details of the second WMI Data source:
WMI Class Name: HNet_ConnectionProperties
Where Clause of WQL: Connection = '%ConnectionPath%'
Note: While creating the Where Clause, type Connection=’ and then click Append Substitution button. A popup would come up and show you the ConnectionPath substitution variable that we saved earlier. Select the variable and click Add. It would get appended. Type a single quote again to mark the ending.Let me explain you with an example:
Let’s say I have 2 connections on my server. Because of the first data source / setting pair, I have got a hold to both the connections.
Lets say, the details are:
Connection1’s __ RELPATH: 1111 and Connection2’s __RELPATH: 2222
Now when I create the second nested WMI data source, the Where clause will automatically get converted to: Connection = '1111' for the first connection and Connection = '2222’ for the second connection! This happens automatically because of the substitution variable that we used. Basically the Substitution variable gets substituted!
Now create a Setting element under the second data source as follows:
Now create a rule under this Setting checking for the Firewall status as follows:
Rule Query: $. != 'True'
Event Description: Firewall is not enabled!
Event ID: 123
Let me know if you have any questions! Thanks.
Once u have created the complete manifest, it would like similar to the diagram below.