Technical Tip: Validating FortiEDR collector host firewall enforcement and logging
| Description | This article describes how the FortiEDR collector host firewall works and how to validate that the enforcement is functioning correctly, including how to verify logging in both FortiEDR and Windows. |
| Scope | FortiEDR collector 6.1+. |
| Solution | Host firewall is a feature introduced in Collector 6.1+ that lets FortiEDR enforce network traffic control at the endpoint. FortiEDR does not implement its own firewall engine; it uses the native Windows Filtering Platform (WFP) to instruct Windows to allow or block specific network connections. FortiEDR manages the policy, and Windows performs the actual enforcement in the kernel.
Windows Filtering Platform (WFP) is the built-in Windows kernel framework responsible for network traffic filtering and firewall enforcement. WFP has been available since Windows Server 2008, so the host firewall does not work on older Windows versions.
How to validate that the host firewall is working:
Before testing host firewall functionality, verify that:
The following example uses a public IP address (for example, a reachable Google IP, 142.250.73.110).
If the block rule is enforced successfully, the output will show `TCP connection failed`.
Logging and visibility:
Example of a blocked event:
Because enforcement is performed by Windows Filtering Platform (WFP), Windows can also log the block event once Filtering Platform auditing is enabled. After auditing is enabled, block events appear in the Security log in Windows Event Viewer. The following common Event IDs can be used for filtering:
Example of a blocked event in Windows Event Viewer:
|
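The connection test and the Windows-side audit check described above, combined into one script. This is an added example, not code from the article or from Fortinet; it assumes the block rule covers outbound TCP to the article's test IP 142.250.73.110 on port 443, uses Test-NetConnection for the connect attempt, and relies on the standard WFP audit Event IDs 5152 (packet dropped) and 5157 (connection blocked), which are not listed on this page.

```powershell
# Added example (not from the article): confirm a FortiEDR host firewall block
# rule is enforced and surface the matching WFP audit events in the Security log.
# Assumptions: the rule blocks outbound TCP to 142.250.73.110 (the article's test
# IP) on port 443; Event IDs 5152/5157 are the standard WFP block events and are
# not taken from this page. Run in an elevated PowerShell session.

$Target = '142.250.73.110'
$Port   = 443

# 1. Enable failure auditing for WFP so Windows records its block decisions.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable | Out-Null

# 2. Attempt the connection; a working block rule yields TcpTestSucceeded = False.
$since  = Get-Date
$result = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
if ($result.TcpTestSucceeded) {
    Write-Warning "TCP connect to ${Target}:${Port} SUCCEEDED - block rule is not enforced"
} else {
    Write-Host "TCP connect to ${Target}:${Port} failed - block rule appears enforced"
}

# 3. Pull WFP block events written since the test and show which destination they hit.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Read the EventData fields by name rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['DestAddress'] -eq $Target) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Application = $data['Application']
            DestAddress = $data['DestAddress']
            DestPort    = $data['DestPort']
            FilterRTID  = $data['FilterRTID']   # runtime ID of the WFP filter that blocked it
        }
    }
}
```

The FilterRTID value can be looked up in the output of `netsh wfp show filters` to identify the specific WFP filter that produced the block.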