
I have a machine in a corporate network which has over 17 000 outbound and inbound firewall filters set. I can view them with the netsh command

netsh wfp show filters dir=OUT file=OutBoundFilters.xml

I have thousands of such filter rules for "InternetClientServer Outbound Default Rule"

<item>
    <filterKey>{3c45917d-eff9-4895-b36f-bec4efccbf95}</filterKey>
    <displayData>
        <name>InternetClientServer Outbound Default Rule</name>
        <description>InternetClientServer Outbound Default Rule</description>
    </displayData>
    <flags/>
    <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
    <providerData>
        <data>3303000000000000</data>
        <asString>3.......</asString>
    </providerData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
    <weight>
        <type>FWP_EMPTY</type>
    </weight>
    <filterCondition numItems="5">
        <item>
            <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
            <matchType>FWP_MATCH_NOT_EQUAL</matchType>
            <conditionValue>
                <type>FWP_SID</type>
                <sid>S-1-0-0</sid>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
            <matchType>FWP_MATCH_RANGE</matchType>
            <conditionValue>
                <type>FWP_RANGE_TYPE</type>
                <rangeValue>
                    <valueLow>
                        <type>FWP_UINT32</type>
                        <uint32>10.10.55.127</uint32>
                    </valueLow>
                    <valueHigh>
                        <type>FWP_UINT32</type>
                        <uint32>10.10.56.0</uint32>
                    </valueHigh>
                </rangeValue>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_UINT32</type>
                <uint32>3</uint32>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_UINT32</type>
                <uint32>3</uint32>
            </conditionValue>
        </item>
        <item>
            <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
            <matchType>FWP_MATCH_EQUAL</matchType>
            <conditionValue>
                <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
                <sd>O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
            </conditionValue>
        </item>
    </filterCondition>
    <action>
        <type>FWP_ACTION_PERMIT</type>
        <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>391334</filterId>
    <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>225180806002261888</uint64>
    </effectiveWeight>
</item>

These rules are for the Base Filtering Engine which is part of the Windows Firewall. There are not many firewall rules present in the MMC UI so I am a bit lost where the thousands of filters are coming from and which rule is responsible for them.

Now I want to get rid of some of the rules or at least find out where they are coming from. I have found the registry key

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BFE\Parameters\Policy\Persistent\Filter

where some GUIDs are present but I am not able to correlate my filter rules with some specific registry key. Where are the rules finally stored? Registry, a file, or are they pushed via group policies into the registry? I have found the issue by checking out CPU consumption in the kernel, where a large amount of CPU time is spent in

[image not available] https://docs.microsoft.com/en-us/windows/win32/fwp/ale-re-authorization

The high amount of CPU comes from these many firewall rules. How can I track things further? I have tried to do boot time logging into the firewall service when it consumes much more memory, but I have found no indication who feeds the data into the firewall service. The actual data seems to be stored in a compact format which does not show up in CPU profiling, which is an annoying issue.

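One way to find out which display name, layer and provider account for the bulk of a 17 000-filter dump is to parse the XML that `netsh wfp show filters` writes and count filters by those fields. The script below is an added example, not code from the question or from either answer. It assumes the element layout shown in the question (a `<filterKey>` per filter `<item>`, `<displayData><name>`, `<providerKey>`, `<layerKey>`, `<action><type>` and a `<filterCondition>` whose nested `<item>`s may contain an `FWPM_CONDITION_IP_REMOTE_ADDRESS` range); the `<wfpdiag><filters>` wrapper, the function names and the sample dump are constructed for the example, and only `FWP_MATCH_RANGE` address conditions are extracted.

```python
"""Group a `netsh wfp show filters` XML dump by rule name, layer and provider.

Added example, not code from the question or the answers. It assumes the
element layout shown in the question; the <wfpdiag><filters> wrapper and
the sample dump below are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

RULE_NAME = "InternetClientServer Outbound Default Rule"   # name from the question
PROVIDER = "{4b153735-1049-4480-aab4-d1b9bdc03710}"        # providerKey from the question

# Constructed filter skeleton mirroring the question's dump, condensed to one condition.
ITEM_TEMPLATE = """<item>
  <filterKey>{key}</filterKey>
  <displayData><name>{name}</name></displayData>
  <providerKey>{provider}</providerKey>
  <layerKey>{layer}</layerKey>
  <filterCondition numItems="1"><item>
    <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
    <matchType>FWP_MATCH_RANGE</matchType>
    <conditionValue><type>FWP_RANGE_TYPE</type><rangeValue>
      <valueLow><type>FWP_UINT32</type><uint32>{low}</uint32></valueLow>
      <valueHigh><type>FWP_UINT32</type><uint32>{high}</uint32></valueHigh>
    </rangeValue></conditionValue>
  </item></filterCondition>
  <action><type>{action}</type></action>
  <filterId>{fid}</filterId>
</item>"""


def build_sample() -> str:
    """Constructed dump: four filters sharing the question's rule name, each
    permitting a different /24, plus one unrelated block filter on another layer."""
    items = [
        ITEM_TEMPLATE.format(
            key=f"{{00000000-0000-0000-0000-00000000000{i}}}", name=RULE_NAME,
            provider=PROVIDER, layer="FWPM_LAYER_ALE_AUTH_CONNECT_V4",
            low=f"10.10.{i}.0", high=f"10.10.{i}.255",
            action="FWP_ACTION_PERMIT", fid=391334 + i)
        for i in range(4)
    ]
    items.append(ITEM_TEMPLATE.format(
        key="{00000000-0000-0000-0000-0000000000ff}", name="Constructed Block Rule",
        provider="{00000000-0000-0000-0000-0000000000aa}",
        layer="FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4",
        low="192.0.2.0", high="192.0.2.255", action="FWP_ACTION_BLOCK", fid=400000))
    return '<wfpdiag><filters numItems="5">' + "\n".join(items) + "</filters></wfpdiag>"


def parse_filters(xml_data) -> list:
    """Return one dict per filter. Accepts str or bytes; pass the raw file bytes
    so the dump's declared encoding is honored."""
    root = ET.fromstring(xml_data)
    filters = []
    for it in root.iter("item"):
        # Filter <item>s carry a <filterKey>; condition <item>s nested inside them do not.
        if it.find("filterKey") is None:
            continue
        ranges = []
        for cond in it.iter("item"):
            if cond.findtext("fieldKey") == "FWPM_CONDITION_IP_REMOTE_ADDRESS":
                low = cond.findtext("conditionValue/rangeValue/valueLow/uint32")
                high = cond.findtext("conditionValue/rangeValue/valueHigh/uint32")
                if low and high:
                    ranges.append((low, high))
        filters.append({
            "key": it.findtext("filterKey"),
            "name": it.findtext("displayData/name", default=""),
            "provider": it.findtext("providerKey", default=""),
            "layer": it.findtext("layerKey", default=""),
            "action": it.findtext("action/type", default=""),
            "id": it.findtext("filterId"),
            "remote_ranges": ranges,
        })
    return filters


def count_by_name_and_layer(filters) -> Counter:
    return Counter((f["name"], f["layer"]) for f in filters)


def count_by_provider(filters) -> Counter:
    return Counter(f["provider"] for f in filters)


def remote_ranges_for(filters, name) -> list:
    """All remote-address ranges attached to filters with the given display name."""
    return sorted(r for f in filters if f["name"] == name for r in f["remote_ranges"])


if __name__ == "__main__":
    # Usage: python wfp_summary.py OutBoundFilters.xml   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    fl = parse_filters(data)
    print(f"{len(fl)} filters")
    for (name, layer), n in count_by_name_and_layer(fl).most_common(10):
        print(f"{n:6d}  {layer:40s} {name}")
    for provider, n in count_by_provider(fl).most_common(5):
        print(f"{n:6d}  provider {provider}")
```

Run it against the real `OutBoundFilters.xml` produced by the `netsh` command above. A single name/layer pair that dominates the count, where each filter under it carries a distinct remote-address range, is the signature of one high-level rule being expanded into one BFE filter per address range; the provider GUID in that group is the next thing to look up when tracing which component (firewall policy, group policy, or another WFP provider) installed them.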

2 Answers

1

In the Registry.

Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key. Each value under the key is a firewall rule - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2efe0b76-7b4a-41ff-9050-1023f8196d16

3
  • That looks like it but the number of firewall rules is by far not 17 000. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules contain longer lists but the IP addresses do not show up in the rules listed there. Is there somewhere a translation happening to split some rule up into many filter rules? Also where does the name "InternetClientServer Outbound Default Rule" come from? I do not find that anywhere. Commented May 30, 2020 at 5:10
  • 1
    Then suggest you ask Microsoft. I did, and posted what they told me above.
    – K7AAY
    Commented May 30, 2020 at 5:27
  • Thanks! I will open a call then. Commented Jun 1, 2020 at 5:11
0

I believe you can find the (many) firewall rules here:

HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter
1
  • Actually it was Active Directory Replication Domains. If you are in a big Active Directory forest the firewall will create an inbound rule for every AD subdomain automatically. If you have many thousand AD subdomains you end up with a huge number of firewall rules which make network speed .... interesting. See github.com/Siemens-Healthineers/ETWAnalyzer how you can measure this. Commented Apr 5, 2022 at 14:31
