# Firewall Rules

## Overview

**Evidence:** Firewall Rules\
**Description:** Enumerate Firewall Rules\
**Category:** Network\
**Platform:** windows\
**Short Name:** frwl\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Windows Defender Firewall (the host firewall formerly named Windows Firewall) is a stateful packet filter that decides whether inbound and outbound traffic is permitted based on a configurable rule set. Attackers modify these rules to permit inbound connections to a backdoor or to tooling they have dropped, to allow outbound command-and-control or exfiltration that a block rule would otherwise stop, or to neutralize the control altogether by disabling rules or whole profiles.

Rules are scoped per profile (Domain, Private, Public) and per direction, and allow or block traffic matched by application or service, protocol, local and remote port, and local and remote address. Interface type and edge traversal (whether an inbound rule also applies to unsolicited traffic arriving through a NAT device) narrow a rule further.

## Data Collected

This collector gathers structured data about firewall rules.

### Firewall Rules Data

| Field             | Description                   | Example                        |
| ----------------- | ----------------------------- | ------------------------------ |
| `Name`            | Rule name                     | Block Outbound Telnet          |
| `Description`     | Rule description              | Blocks outbound telnet traffic |
| `ApplicationName` | Application path              | C:\Windows\System32\telnet.exe |
| `ServiceName`     | Service name                  | RemoteAccess                   |
| `Protocol`        | IP protocol                   | TCP                            |
| `LocalPort`       | Local port(s)                 | 80,443                         |
| `RemotePort`      | Remote port(s)                | Any                            |
| `ICMPType`        | ICMP type and code            | 8:\*                           |
| `Local`           | Local addresses               | Any                            |
| `Remote`          | Remote addresses              | Any                            |
| `Direction`       | Traffic direction             | In/Out                         |
| `Action`          | Rule action                   | Allow/Block                    |
| `RuleEnabled`     | Whether rule is active        | TRUE                           |
| `FirewallProfile` | Profile(s) where rule applies | Domain Private Public          |
| `Interface`       | Network interfaces            |                                |
| `InterfaceType`   | Interface type filter         | All                            |
| `Grouping`        | Rule group                    | Remote Desktop                 |
| `EdgeTraversal`   | Edge traversal setting        | FALSE                          |

## Collection Method

This collector uses the Windows Firewall COM API to:

* Create an `INetFwPolicy2` instance
* Retrieve the rule collection (`INetFwRules`) via `get_Rules`
* Enumerate each `INetFwRule` and extract its configuration details; enumerated values such as protocol, direction, action and the profile bitmask are recorded as the names shown in the table above
* Parse application paths and file information for the executable each rule references

## Forensic Value

Firewall rules are primary evidence of unauthorized network access paths, backdoors, and tampering with a host security control. The collected fields let an investigator:

* Identify suspicious allow rules for malware: enabled `Allow` rules whose `ApplicationName` points outside the `Windows` and `Program Files` trees (user profiles, `ProgramData`, temp directories), or whose executable no longer exists on disk.
* Detect disabled security controls: block rules, or the built-in protective rules, switched to `RuleEnabled` = FALSE, or removed from the expected set.
* Track unauthorized remote access: enabled rules in the Remote Desktop, Remote Administration or Windows Remote Management groups on hosts where those services are not expected, and rules added for third-party remote-access tools.
* Identify data exfiltration paths and lateral movement enablers: broad outbound allows for scripting hosts or unusual applications, and inbound allows for SMB, WinRM or RDP with `Remote` = Any.
* Correlate firewall changes with other evidence from the same host and timeframe.

Two caveats apply. `Name` and `Description` are free text and attackers reuse built-in naming (for example "Core Networking"), so judge a rule by its attributes rather than its label. The rule list alone also does not prove traffic was allowed: the relevant profile may be turned off, or domain Group Policy may override local rules.
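The following PowerShell is an added example serving both the collection method and the forensic-value discussion above; it is not the collector's own code and is not part of the original page. It reads rules through the same COM interface the collector uses (`INetFwPolicy2`, reached by the documented ProgID `HNetCfg.FwPolicy2`), maps the raw values to the field names in the table, then applies a few first-pass triage heuristics. `Get-FwProfileState` goes slightly beyond the rule list by reading per-profile on/off state. The heuristics in `Find-SuspiciousFwRule`, the extra `ResolvedPath` and `FileExists` fields, and the CSV output path are this example's own choices, not the collector's.

```powershell
# Added example, not the collector's own code: enumerate Windows Defender Firewall rules via
# INetFwPolicy2 (ProgID HNetCfg.FwPolicy2), render them with the field names used in the
# table above, and run simple triage. Numeric constants are the NET_FW_* values from netfw.h.

$Protocols = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6'; 256 = 'Any' }

function Convert-FwProfile([int]$Mask) {
    # NET_FW_PROFILE2_DOMAIN = 1, _PRIVATE = 2, _PUBLIC = 4, _ALL = 0x7FFFFFFF
    if ($Mask -eq 0x7FFFFFFF) { return 'Domain Private Public' }
    $names = foreach ($p in @(@(1, 'Domain'), @(2, 'Private'), @(4, 'Public'))) {
        if ($Mask -band $p[0]) { $p[1] }
    }
    return ($names -join ' ')
}

function Convert-Any([string]$Value) {
    # The COM API reports "any" as "*" (or an empty string); show it as Any, as the table does.
    if ([string]::IsNullOrEmpty($Value) -or $Value -eq '*') { 'Any' } else { $Value }
}

function Get-FwRuleRecord {
    # One object per rule. ResolvedPath and FileExists are additions of this example that show
    # the application-path handling; the raw rule string stays in ApplicationName.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2            # INetFwPolicy2
    foreach ($r in $policy.Rules) {                               # get_Rules -> INetFwRules
        $app = $r.ApplicationName
        # Built-in rules use the literal "System" for the kernel; it is not a file path.
        $resolved = if ($app -and $app -ne 'System') { [Environment]::ExpandEnvironmentVariables($app) } else { $null }
        [pscustomobject]@{
            Name            = $r.Name
            Description     = $r.Description
            ApplicationName = $app
            ResolvedPath    = $resolved
            FileExists      = if ($resolved) { Test-Path -LiteralPath $resolved -PathType Leaf } else { $null }
            ServiceName     = $r.ServiceName
            Protocol        = if ($Protocols.ContainsKey([int]$r.Protocol)) { $Protocols[[int]$r.Protocol] } else { $r.Protocol }
            LocalPort       = Convert-Any $r.LocalPorts
            RemotePort      = Convert-Any $r.RemotePorts
            ICMPType        = Convert-Any $r.IcmpTypesAndCodes
            Local           = Convert-Any $r.LocalAddresses
            Remote          = Convert-Any $r.RemoteAddresses
            Direction       = if ($r.Direction -eq 1) { 'In' } else { 'Out' }    # NET_FW_RULE_DIR_IN = 1
            Action          = if ($r.Action -eq 1) { 'Allow' } else { 'Block' }  # NET_FW_ACTION_ALLOW = 1
            RuleEnabled     = [bool]$r.Enabled
            FirewallProfile = Convert-FwProfile $r.Profiles
            Interface       = (@($r.Interfaces) -join ',')
            InterfaceType   = $r.InterfaceTypes
            Grouping        = $r.Grouping
            EdgeTraversal   = [bool]$r.EdgeTraversal
        }
    }
}

function Find-SuspiciousFwRule {
    # First-pass heuristics; every hit still needs review against the host's expected software.
    # Names and descriptions are free text and easily spoofed, so only attributes are judged.
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        if (-not $Rule.RuleEnabled -or $Rule.Action -ne 'Allow') { return }
        $reasons = @()
        $path = $Rule.ResolvedPath
        if ($path -and $path -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
            $reasons += 'program outside Windows/Program Files (user-writable location?)'
        }
        if ($path -and -not $Rule.FileExists) { $reasons += 'program path no longer exists' }
        if (-not $Rule.ApplicationName -and -not $Rule.ServiceName -and $Rule.Direction -eq 'In' -and
            $Rule.Remote -eq 'Any' -and $Rule.Protocol -in 'TCP', 'UDP', 'Any') {
            $reasons += 'inbound allow for any program from any remote address'
        }
        if ($Rule.EdgeTraversal) { $reasons += 'edge traversal enabled (reachable across NAT)' }
        if ($reasons) {
            $Rule | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function Get-FwProfileState {
    # Beyond the rule list: per-profile on/off state, which an attacker may flip instead of
    # touching rules. The index is the NET_FW_PROFILE_TYPE2 value.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($p in @(@(1, 'Domain'), @(2, 'Private'), @(4, 'Public'))) {
        [pscustomobject]@{ Profile = $p[1]; FirewallEnabled = [bool]$policy.FirewallEnabled($p[0]) }
    }
}

# Usage (reading rules does not need an elevated shell). The output path is an assumption.
$rules = Get-FwRuleRecord
$rules | Export-Csv -NoTypeInformation -Path .\firewall_rules.csv
$rules | Find-SuspiciousFwRule | Format-Table Name, Direction, Protocol, LocalPort, ResolvedPath, Reason -AutoSize
Get-FwProfileState
```

The `Get-NetFirewallRule` cmdlets expose the same policy through the NetSecurity module, but the COM view above lines up one-to-one with the fields the collector records, which makes it easier to compare a live host against collected evidence. The path heuristic treats everything under `Windows` as trusted, so `Windows\Temp` and similar writable subdirectories still deserve a manual look.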
