Windows服务器自带防火墙查看启停记录信息

<section id="nice" data-tool="mdnice编辑器" data-website="https://www.mdnice.com" style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; background-attachment: scroll; background-clip: border-box; background-color: rgba(0, 0, 0, 0); background-image: none; background-origin: padding-box; background-position-x: 0%; background-position-y: 0%; background-repeat: no-repeat; background-size: auto; width: auto; font-family: Optima-Regular, Optima, PingFangSC-regular, PingFangTC-regular, 'PingFang SC', Cambria, Cochin, Georgia, Times, 'Times New Roman', serif; font-size: 14px; color: rgb(0, 0, 0); line-height: 1.5em; word-spacing: 0em; letter-spacing: 0em; word-break: break-all; overflow-wrap: break-word; text-align: left; padding-top: 12px; padding-right: 12px; padding-bottom: 12px; padding-left: 12px;"><p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">最近遇到一个案例：一套Windows故障转移群集（WSFC）中一个节点的防火墙（Windows系统自带的防火墙）关闭了，但是不清楚什么时间，什么原因被关闭了，那么是否可以通过日志查看Windows的日志查看防火墙的关闭时间吗？答案是可以，我们可以打开Windows系统的"事件查看器"，您可以通过按下Win + R打开运行对话框，输入eventvwr.msc，然后按回车键来打开"事件查看器",也可以通过控制面板进去找到“事件查看器”，下面在测试环境演示一下。</p>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">英文系统：</p>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">在"Event Viewer"——&gt; "Applications and Services Logs"——&gt; "Microsoft" ——&gt; "Windows" ——&gt; "Windows Firewall With Advanced Security"下选择Firewall文件，然后过滤事件ID为2003的记录。当Windows防火墙的配置被修改时，会生成事件ID 2003的日志记录。这可能包括对防火墙规则、例外设置、安全策略等方面的更改，当然关闭或启动防火墙也会记录ID为2003的日志记录。</p>
<figure data-tool="mdnice编辑器" style="margin-top: 10px; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; padding-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://files.mdnice.com/user/234/282aecfa-7c9a-4240-9aef-2000be692e5f.jpg" alt style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 0px; margin-left: auto; max-width: 100%; border-top-style: none; border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-width: 3px; border-bottom-width: 3px; border-left-width: 3px; border-right-width: 3px; border-top-color: rgba(0, 0, 0, 0.4); border-bottom-color: rgba(0, 0, 0, 0.4); border-left-color: rgba(0, 0, 0, 0.4); border-right-color: rgba(0, 0, 0, 0.4); border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; object-fit: fill; box-shadow: rgba(0, 0, 0, 0) 0px 0px 0px 0px;"></figure>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">中文系统：</p>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">打开"事件查看器"，在导航窗格中，依次展开“应用程序和服务日志”——&gt; Microsoft——&gt; Windows ——&gt; “高级安全 Windows 防火墙（windows Firewall With Advanced Security）”。然后过滤事件ID为2003的记录就能找到什么时候启用或停用Windows服务器防火墙的停止日志。</p>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">如下所示，这里会看到2025-01-10 8:41：48有三条记录，分别表示私有网络设置，局域网设置、公共网络设置，Value变为No，表示禁用防火墙。</p>
<pre class="custom" data-tool="mdnice编辑器" style="border-radius: 5px; box-shadow: rgba(0, 0, 0, 0.55) 0px 2px 10px; text-align: left; margin-top: 10px; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; padding-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px;"><span style="display: block; background: url(https://files.mdnice.com/user/3441/876cad08-0422-409d-bb5a-08afec5da8ee.svg); height: 30px; width: 100%; background-size: 40px; background-repeat: no-repeat; background-color: #282c34; margin-bottom: -7px; border-radius: 5px; background-position: 10px 10px;"></span><code class="hljs" style="overflow-x: auto; padding: 16px; color: #abb2bf; padding-top: 15px; background: #282c34; border-radius: 5px; display: -webkit-box; font-family: Consolas, Monaco, Menlo, monospace; font-size: 12px;">A&nbsp;Windows&nbsp;Defender&nbsp;Firewall&nbsp;setting&nbsp;<span class="hljs-keyword" style="color: #c678dd; line-height: 26px;">in</span>&nbsp;the&nbsp;Public&nbsp;profile&nbsp;has&nbsp;changed.<br>New&nbsp;Setting:<br>&nbsp;Type:&nbsp;Enable&nbsp;Windows&nbsp;Defender&nbsp;Firewall<br>&nbsp;Value:&nbsp;No<br>&nbsp;Modifying&nbsp;User:&nbsp;***\***duat<br>&nbsp;Modifying&nbsp;Application:&nbsp;C:\Windows\System32\dllhost.exe<br></code></pre>
<figure data-tool="mdnice编辑器" style="margin-top: 10px; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; padding-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://files.mdnice.com/user/234/1710c1ae-8f27-4f46-93d8-3c42f4dda2ee.png" alt style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 0px; margin-left: auto; max-width: 100%; border-top-style: none; border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-width: 3px; border-bottom-width: 3px; border-left-width: 3px; border-right-width: 3px; border-top-color: rgba(0, 0, 0, 0.4); border-bottom-color: rgba(0, 0, 0, 0.4); border-left-color: rgba(0, 0, 0, 0.4); border-right-color: rgba(0, 0, 0, 0.4); border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; object-fit: fill; box-shadow: rgba(0, 0, 0, 0) 0px 0px 0px 0px;"></figure>
<p data-tool="mdnice编辑器" style="color: rgb(0, 0, 0); font-size: 16px; line-height: 1.8em; letter-spacing: 0em; text-align: left; text-indent: 0em; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; padding-top: 8px; padding-bottom: 8px; padding-left: 0px; padding-right: 0px;">虽然这里能看到防火墙被关闭的记录信息，但是仅仅从日志还无法判断防火墙处于什么原因被关闭。因为有时候安装系统补丁或人为操作都有可能。此时就必须接合其他日志（例如，跳板机日志记录）或手段才能进一步分析原因。</p>
</section>