Windows Firewall Discovery
xAssets can discover Windows Firewall configuration data from target computers during network discovery. This information supports cybersecurity audits, compliance reporting, and security posture assessments by giving IT teams visibility into which firewall rules are active across their estate.
Why Collect Firewall Data
Windows Firewall is a critical security control on every Windows computer. Knowing the firewall configuration across your estate helps you:
- Audit compliance -- verify that all computers have Windows Firewall enabled and configured according to your security policy
- Identify risk -- find computers with the firewall disabled, or with overly permissive inbound rules that expose services to the network
- Investigate incidents -- during a security incident, quickly determine which ports and services were accessible on an affected machine
- Track changes -- compare firewall configurations over time to detect unauthorised changes
What Data Is Collected
When Windows Firewall discovery is enabled, xAssets collects the following information from each discovered Windows computer:
| Data Item | Description |
|---|---|
| Firewall status | Whether Windows Firewall is enabled or disabled for each profile (Domain, Private, Public) |
| Inbound rules | Active inbound firewall rules, including rule name, port number, protocol, and action (Allow/Block) |
| Outbound rules | Active outbound firewall rules with the same detail |
| Rule scope | Whether rules apply to specific IP addresses, subnets, or all addresses |
| Profile assignment | Which firewall profile (Domain, Private, Public) each rule is associated with |
This data is stored against the asset record and can be viewed in the asset's specification data tabs or queried across the estate.
Prerequisites
- Target computers must be running Windows with Windows Firewall (Windows Vista/Server 2008 or later)
- The discovery method must have administrative access to the target computer (WMI credentials or the Discovery Agent)
- The discovery script must include the firewall data collection module
Enabling Firewall Discovery
For Agentless (WMI) Discovery
Firewall data collection is included in the standard WMI discovery scripts. If your discovery scripts are based on the default templates, firewall data may already be collected. To verify or enable it:
- Navigate to Admin > Discovery Scripts (or the equivalent menu path in your configuration)
- Open the discovery script used for Windows computers
- Verify that the firewall data collection section is enabled
- Save the script if you made changes -- it will be recompiled automatically
For Agent-Based Discovery
The Discovery Agent collects firewall data automatically as part of its standard scan. No additional configuration is required when using the agent.
Viewing Firewall Data
Once discovery has run with firewall collection enabled, you can view the data in several ways:
Per-Asset View
- Open an asset record by clicking its description link
- Navigate to the specification data tab that contains firewall information
- The firewall status and rules are displayed for that individual computer
Estate-Wide Queries
Use the pre-built queries or create custom queries to analyse firewall data across your estate:
- Computers with firewall disabled -- identify computers that are not protected
- Computers with specific ports open -- find machines with particular services exposed (e.g., port 3389 for RDP, port 445 for SMB)
- Firewall configuration changes -- compare current data with previous discovery data to detect changes
Security Audit Use Cases
| Audit Question | How to Answer |
|---|---|
| Are all computers running Windows Firewall? | Query for computers where firewall status is "Disabled" |
| Which computers have RDP (port 3389) open? | Query for inbound rules allowing port 3389 |
| Are there any computers with the firewall disabled on the Public profile? | Query for Public profile status = Disabled |
| Have any firewall rules changed since the last audit? | Compare discovery data between two time periods |
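The audit questions in the table above can also be answered outside the product once the data is exported. The following is an added example, not xAssets code: the record layout is an assumption modelled on the "What Data Is Collected" table, and the two snapshots are constructed sample data for one computer.

```python
# Added example: the record layout is an assumption modelled on the page's
# data table, not the xAssets export format. All sample data is constructed.
WATCHED_PORTS = {3389: "RDP", 445: "SMB"}

PREVIOUS = {
    "profiles": {"Domain": True, "Private": True, "Public": True},
    "rules": [
        {"name": "File Sharing", "direction": "In", "port": 445, "protocol": "TCP",
         "action": "Allow", "scope": "10.0.0.0/8", "profile": "Domain"},
    ],
}
CURRENT = {
    "profiles": {"Domain": True, "Private": True, "Public": False},
    "rules": [
        {"name": "File Sharing", "direction": "In", "port": 445, "protocol": "TCP",
         "action": "Allow", "scope": "Any", "profile": "Domain"},
        {"name": "Remote Desktop", "direction": "In", "port": 3389, "protocol": "TCP",
         "action": "Allow", "scope": "Any", "profile": "Public"},
    ],
}

def audit(snapshot):
    """Flag disabled profiles and watched ports allowed inbound from any address."""
    findings = [f"{p} profile disabled"
                for p, enabled in sorted(snapshot["profiles"].items()) if not enabled]
    for r in snapshot["rules"]:
        if (r["direction"] == "In" and r["action"] == "Allow"
                and r["port"] in WATCHED_PORTS and r["scope"] == "Any"):
            findings.append(f"{WATCHED_PORTS[r['port']]} ({r['port']}/{r['protocol']}) "
                            f"allowed from any address on {r['profile']} profile")
    return findings

def diff(previous, current):
    """Compare two discovery runs; rules are keyed by name, direction and profile."""
    key = lambda r: (r["name"], r["direction"], r["profile"])
    old, new = ({key(r): r for r in s["rules"]} for s in (previous, current))
    changes = [f"profile {p}: enabled {previous['profiles'].get(p)} -> {e}" for p, e in
               sorted(current["profiles"].items()) if previous["profiles"].get(p) != e]
    changes += [f"rule added: {k[0]}" for k in sorted(new.keys() - old.keys())]
    changes += [f"rule removed: {k[0]}" for k in sorted(old.keys() - new.keys())]
    for k in sorted(new.keys() & old.keys()):
        fields = sorted(f for f in new[k] if new[k][f] != old[k].get(f))
        if fields:
            changes.append(f"rule changed: {k[0]} ({', '.join(fields)})")
    return changes

if __name__ == "__main__":
    print("\n".join(audit(CURRENT) + diff(PREVIOUS, CURRENT)))
```

A rule whose scope widens from a subnet to all addresses shows up as a change to an existing rule rather than as a new rule, which is why the comparison checks individual fields and not only rule names.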
Tips
Tip: Schedule firewall discovery to run at least weekly so that changes are detected promptly. For high-security environments, the always-on Discovery Agent provides near-real-time visibility.
Tip: Combine firewall data with other discovery data (installed software, running services, open ports) for a comprehensive security posture assessment. A computer with RDP enabled, firewall port 3389 open, and no recent patches is a higher-risk asset than one with only one of those characteristics.
Tip: Export firewall data to Excel for inclusion in formal compliance reports. Use the View and Export function from any query result.
Warning: Firewall discovery reports the configuration as seen by the discovery method. If a third-party firewall product is in use and Windows Firewall is disabled, the discovery will report "Disabled" even though the machine may be protected by the alternative product.
Related Articles
- Discovering a Network -- overview of network discovery
- Running Discovery -- executing a discovery scan
- Credential Packs -- setting up credentials for remote access
- Discovery Agent -- always-on agent for continuous monitoring
- Analysing Discovered Data -- working with discovery results