btan
Staff & Editor
April 6, 2026

Technical Tip: Understanding 'Windows Firewall is enabled' ZTNA tag rule

Description
This article describes how to verify the Windows Firewall status for the 'Windows Firewall is enabled' ZTNA tag rule.
Scope
FortiClient v7.0, v7.2, and v7.4 onwards.
Solution

In FortiClient EMS, there is a ZTNA tag rule for the condition 'Windows Firewall is enabled'.

 


For an endpoint to be tagged properly, the following criteria must be met:

  1. There must be no other third-party firewall security software taking precedence over Windows Firewall:
    Go to Start -> Windows Security -> Firewall & Network protection and, on the right side, select Manage Providers.
    The firewall provider must be 'Windows Firewall'.
  2. Open a command prompt and run the command: netsh advfirewall show currentprofile.
    The current network profile firewall status (State) must be ON.

In rare cases, the firewall shows as 'enabled' in the GUI while the command output shows State = OFF.
In such cases, go to Start -> Registry Editor and check the registry values below:


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Check that the registry value 'EnableFirewall' = 1.


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Check that the registry value 'EnableFirewall' = 1.


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile

Check that the registry value 'EnableFirewall' = 1.


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc

Check that the registry value 'Start' = 2.

If these values are found to have changed after a period of time, run the command: gpresult /h c:\temp\gpo.html. In the gpo.html output, identify whether an unexpected Group Policy changed the firewall setting.
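
The netsh and registry checks described above can be collected into one read-only PowerShell script. This is an added example, not part of the original article or of FortiClient; the variable names are illustrative, and it assumes English-language netsh output.

```powershell
# Added example: read-only check of the values listed in this article.
# Assumes English-language netsh output (the 'State' label is localized).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$fw  = "$svc\SharedAccess\Parameters\FirewallPolicy"
$checks = @(
    @{ Path = "$fw\DomainProfile";   Name = 'EnableFirewall'; Expected = 1 }
    @{ Path = "$fw\StandardProfile"; Name = 'EnableFirewall'; Expected = 1 }
    @{ Path = "$fw\PublicProfile";   Name = 'EnableFirewall'; Expected = 1 }
    @{ Path = "$svc\mpssvc";         Name = 'Start';          Expected = 2 }
)

$results = @(foreach ($c in $checks) {
    $actual = $null
    try {
        $actual = Get-ItemPropertyValue -Path $c.Path -Name $c.Name -ErrorAction Stop
    } catch {
        # Key or value is absent: report it as a failed check instead of stopping.
    }
    [pscustomobject]@{
        Check    = "$($c.Path)\$($c.Name)"
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Pass     = ($actual -eq $c.Expected)
    }
})

# Effective state of the active profile, as reported by the command from step 2.
$stateLine = netsh advfirewall show currentprofile |
    Where-Object { $_ -match '^\s*State\s+\S+' } | Select-Object -First 1
$state = if ($stateLine -match '^\s*State\s+(\S+)') { $Matches[1] } else { '<not found>' }
$results += [pscustomobject]@{
    Check = 'netsh advfirewall show currentprofile: State'
    Expected = 'ON'; Actual = $state; Pass = ($state -eq 'ON')
}

$results | Format-Table -AutoSize -Wrap

# Warn when any check fails, including the case in the article where State is OFF.
if ($results.Pass -contains $false) {
    Write-Warning 'One or more firewall checks differ from the expected values.'
}
```

Running it again after the values have been corrected gives a quick before/after comparison to set beside the gpresult report.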