RV320 Firewall rules, VLAN, and IP Aliasing

Similar Messages

• SA520W - IPv4 Firewall Rule not visible

  Hello,
  We have a cisco SA520W Security Appliance Model with several IPv4 firewall rules configured and we would like to remove one of the rules.
  The fact is as that this rule is not visible from the Security Appliance Configuration Utility, although it can be seen on the configuration backup file, it cannot be deleted…
  Any idea how to delete this rule avoiding to revert to factory default setting will be appreciated.
  Best regards,
  Nicolas MASSOT

  Is it one of the built in default rules or is it a rule that was created then deleted from the GUI? Can you paste the section of the config file with the ACL?
  Cisco Small Business Support Center
  Randy Manthey
  CCNA, CCNA - Security

• Vlan and firewall rules

  If I have 3 different vlans, are there any problems having different firewall rules between each vlan and the WAN link? I saw an earlier post about some issues with filtering between vlan's but this should'n be the same.
  /Andy

  Yes, this sounds different than the earlier post.
  Firewall rules can be applied for WAN to LAN or vice versa flows.
  As vlans are logically associated with LAN, firewall rules should be applicable for WAN to vlan traffic.
  Using source or destination IP address in the firewall rules should let one to control which rules to be applied for which vlan traffic.
  Regards,
  Richard

• VLAN to VLAN firewall rules support missing on RV180

  How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to  implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See https://supportforums.cisco.com/message/3614106#3614106) and that was supposedly added to a beta release of the RV220W firmware (See  https://supportforums.cisco.com/message/3614106#3614106)?

  Hi Kelly, the RV220W does support LAN to LAN access rules on the 1.0.4.17 and it is released.
  To make a feature request, it is pretty simple. Call the SBSC, have a case created for you. Tell the engineer you'd like to make a feature request. It usually gets escalated in 3 days or less.
  -Tom
  Please mark answered for helpful posts

• Firewall Rules for Printing and Scanning through Windows Firewall

  Hello,
  I am having trouble determining the Ports, Programs, and Services required for printing and scanning with my AIO.
  I am using Windows Firewall in Windows 7, and am only allowing certain rules in and out.
  I know the firewall is the problem, for when I disable it, everything works fine.
  Which rules are required for printing and scanning through the firewall?

  4th Bump,
  Is there anyone who can help me with this?
  As I said before, other printer manufacturers such as Lexmark and Brother provide this exact information.
  Why doesn't hp have a document for this? Does everyone just disable their firewall or open every port?

• Home Hub 5 firewall rules and TP Link routers

  I am not yet a BT customer but am looking to sign up for Infinity and I understand I will get a Home Hub 5 unit ... however I would prefer to use my TP-Link AC1750 which has proven to be excellent with it's WIFI signal. My TP-Link is a cable version, not the ADSL version.
  I understand the HomeHub 5 now contains the VDSL modem built in (rather than separate) so I suspect I'll need to hang my TP-Link off one of the HomeHub 5 Gbe ports and disable Wireless on the Home Hub. Has anyone tried this? Do you know if the firewall rules can be set to put my TP Link in a "DMZ" , i.e. no firewall protection, because I'd prefer to do that as my TP Link is a router/firewall combined and it will make it easier for getting my VPN ports working etc.
  Alternatively do you know if the cable you would normally plug into the HomeHub5 "Broadband WAN" plug is just straightforward Gbe, i.e so I can put it straight into my TP Link and not use the HomeHub 5 at all?
  Thanks
  Solved!
  Go to Solution.

  Keith,
  Thanks very much for your reply. So I can't use the HomeHub 5 as a cable modem, but do you know what kind of broadband/WAN connection BT OpenReach provide that goes into the HomeHub? Is that straight-forward Gbe that I could probably plug into my TP Link, as it's designed to take a Gbe connection? (Currently it is connected into one of the LAN ports of my ADSL router/modem/firewall device as I'm still on ADSL but was planning my upgrade to Infinity)
  Alternatively, I could connect my TP Link into one of the Home Hub 5 LAN ports, so long as I can designate that port as a DMZ port (i.e. no firewall protection) so that my TP Link will be the only one controlling the firewall rules. Is it possible to make one port, or one device a DMZ device on the Home Hub 5?
  Thanks

• SA 540 INBOUND FIREWALL RULES NOT WORKING

  Hi all,
  I am having trouble configuring the firewall for the SA 540.
  client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
  client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and visa versa. The output from the logs are as follows:
  Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
  Component: KERNEL
  Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and firewall treats the traffice differently.
  I assumed that creating an all encompassing rule to allow all trafiic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no securtiy set on the 887 W or the switch.
  Also is anybody could explain what 'SELF' means in the conttext IN=SELF or OUT=SELF it would be much appreciated. Firmware is latest.
  Thank you.
  Regards
  Marc

  On closer analysis and with some help from Experts Exchange it did seem non sensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1- changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preferece when forwarding the packets.
  Now the SA540 firewall rules work as I would expect and I can route between all zones. To summise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the innability to configure any workaround in the interface of the SA54O firewall rules.
  It really makes you appreciate the power of the command line and the full scope of CIsco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
  Regards
  Marc

• SA540 Firewall Rules Fail when Optional Port Configured to Failover

  Today, I configured a client's SA540 for failover.  The primary WAN port is FIOS with a static IP address.  The optional port is Road Runner cable with a static IP address.  The failover tested successfully.  However, now the SA540 cannot be accessed on its internal IP address (https://192.168.1.1) and none of the firewall rules work any longer.  There are several rules but to name two; remote desktop port forwarding to an internal server, and HTTPS to another internal server.  Both rules use IP addresses different than the SA540's WAN IP address.  Additional external IP addresses were configured previously and assigned and they worked up to the point were the failover was configured.
  Now here is the strange part.  If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems.  I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.
  As you might imagine the client is upset about this.  Anyone have any ideas? 
  The firmware is 2.1.18.
  Tony
  PS.  About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server.  Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration.  Any help on this would be much appreciated.  The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port.   Again, this worked until failover with another ISP was configured.

  This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn’t work. Contact with Verizon technical support is no help. They are oblivious to the problem and don’t want to be bothered.
  Tony Lombardi

• RV120w DMZ Firewall Rules

  Hello,
  I am trying to set up a DMZ server.  I have an internal LAN IP address (192.168.1.10) that I would like to make a DMZ server. 
  In the GUI, I set this IP address to be the DMZ server.
  For firewall rules, I want to permit only one port from the WAN to the DMZ and none from the DMZ to the LAN.
  In my firewall rules, I don't see any options for DMZ options.  I only see WAN to LAN and LAN to WAN.
  I presume the DMZ setting doesn't do anything per se execept allow the firewall rules to have a target.  Is this correct?
  I am running the latest firmware.
  How do I get the DMZ firewall rules to show up?
  Thanks,
  John

  Hello,
  I have to say that this DMZ definition is not what I would excect Cisco to use.
  Basically, my DMZ host is fully exposed to the internet and if someone penetrates it, they are fully on my LAN.
  The manual says:
  Configuring a DMZ Host
  The Cisco RV120W supports DMZ options. A DMZ is a sub-network that is open to
  the public but behind the firewall. DMZ allows you to redirect packets going to
  your WAN port IP address to a particular IP address in your LAN. It is
  recommended that hosts that must be exposed to the WAN (such as web or e-mail
  servers) be placed in the DMZ network. Firewall rules can be allowed to permit
  access to specific services and ports to the DMZ from both the LAN or WAN. In
  the event of an attack on any of the DMZ nodes, the LAN is not necessarily
  vulnerable as well.
  You must configure a fixed (static) IP address for the endpoint that will be
  designated as the DMZ host. The DMZ host should be given an IP address in the
  same subnet as the router's LAN IP address but it cannot be identical to the IP
  address given to the LAN interface of this gateway.
  The bold section indicates that the LAN is not vulnerable if the DMZ host falls.  This is different from what you were talking about.  Can you double check this?
  I would like to know if there is a plan to add DMZ firewall rules.  Or, can I get into the box and use IPtables to create my own (knowing that I would be in an unsupported mode)?
  Or, make port access control lists on the inter VLAN routing option?
  Thanks for fully explaining this.  The manually is woefully inadequate in discussing what exactly the DMZ does.
  Can you please forward these concerns to product management.  Basically the DMZ is a security hole that I can't mitigate.  It provides no value to me beyond not having to port forward manually. 
  If I am mistaken, please provide the correct information.
  Thanks,
  John

• Need help configuring multiple VLANs and SSIDs

  Hi,
  We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
  We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
  We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
  We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
  Here are some specifics on how the traffic needs to route:
  1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
  2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
  3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
  4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
  Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
  The SGE2000P has the following IP addresses assigned to the VLANS:
  10.7.3.252 - VLAN 100
  10.7.40.254 - VLAN 1000
  192.168.254.254 - VLAN 1100
  Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
  Thank you!
  Gary Smith

  Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
  With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 100
  This results in the same configuration as:
  interface FastEthernet0/1
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport trunk allowed vlan 100
  With the exception of CDP packets being sent advertising the Voice VLAN.
  With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
  Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
  I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
  HTH
  Andy

• How to reload firewall rules from command line on firewall ?

  Hi all,
  I am trying to create script that controls firewall on server. OS version is OS X Server 10.5.6.
  Part of firewall rules is created using firewall admin tools, part of Server Admin Tools. My first question is where are those rules stored permanently ? As far as I understood it should be set of ipfw rules but they are not stored in /etc/ipfilter/ipfw.conf.
  Idea of script is this:
  I have set of rules that should be controlled by Server Admin Tools.
  Also, I have some dynamic rules.
  Whenever some change occurs, I created script that does following:
  /sbin/ipfw -f flush - to flush all existing rules
  /sbin/serveradmin stop ipfilter - to stop existing firewall
  /sbin/serveradmin start ipfilter - to restart firewall and reload permanent rules
  Add my set of rules...
  After flushing all rules and issuing stop and start ipfilter none of rules set through Server Admin Tools are not reloaded. So how should I reload them ? How to save them permanently in the first place ?
  Please note that I do not have access to server (for security reasons). I am developing script on my Mac, sending to client and he tests it. So I cannot do a lot of testing.
  Thank you in advance.
  Best regards,
  Dusan

  Unix and Terminal queries are best posted to the Unix forum under OS X Technologies where those mavens frolic.

• Can't add a new Firewall Rule

  I have a very curious issue: I cannot add any new firewall rules at all! Clicking on the New Button does nothing and on the console I get
  System Preferences[487] * -[NSCFString objectForKey:]: selector not recognized [self = 0x3f11b0]
  I have flushed the firewall with ipfw, deleted the plist file, repaired permissions but the problem ist still there. Any suggestions? (apart from reinstallation)
  Adding Firewall Rules through ipfw works...

  Whenever I use ipfw I lose the ability to use System Preferences. At first I thought that it compared kernel memory with the plist file and if it found a difference, assumed another firewall was running and disabled itself. But I also deleted the plist file (assuming it would build one from kmem) but that didn't work. Right now I assume there's another file somewhere. It wouldn't make any sense to keep another table in kmem. The weird part is that rules can be the same, but different sequence numbers will cause this problem. There weren't sequence numbers in the plist file, so there's probably another file somewhere.
  I think your error is from the missing plist file. A reboot should clear it up.

• Appending Firewall Rules to vShield Edge with PowerCLI Script

  Hi,
  I have a script which enables us to upload 4k worth of firewall rules, but every time it executes, all existing rules are over written.
  Is this something to do with the API or just a scripting issue - if so, can anyone suggest how to append on to the existing set?
  Update:
  So obviously the following line seems to create a new instance of the firewall:
  $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
  Because the next 3 lines after are setting the main firewall parameters again - something you wouldn't need to do if we were just adding new rules to the existing firewall.
  $fwService.DefaultAction = "drop"
  $fwService.LogDefaultAction = $false
  $fwService.IsEnabled = $true
  Is there a way to use a PowerShell command such as add-member rather than new-object?
  param (
  [parameter(Mandatory = $true, HelpMessage="vCD Server")][alias("-server","s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
  [parameter(Mandatory = $true, HelpMessage="Org")][alias("-vOrg","o")][ValidateNotNullOrEmpty()][string[]]$orgName,
  [parameter(Mandatory = $true, HelpMessage="OrgNet")][alias("-orgNet","n")][ValidateNotNullOrEmpty()][string[]]$orgNet,
  [parameter(Mandatory = $true, HelpMessage="CSV Path")][alias("-file","f")][ValidateNotNullOrEmpty()][string[]]$csvFile
  # Add in the VI Toolkit
  if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
  Add-PSsnapin VMware.VimAutomation.Core
  if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
  Add-PSsnapin VMware.VimAutomation.Cloud
  try {
  Connect-CIServer -Server $CIServer 2>&1 | out-null
  } catch {
  Exit
  #Search EdgeGW
  try {
    $myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet
    $edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
    $edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | where {$_.href -eq $edgeHREF}
  } catch {
  [System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName ,"Error.",0,[System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
  #Item to Configure Services
  $edgeView.Configuration.EdgeGatewayServiceConfiguration
  $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
  $fwService.DefaultAction = "drop"
  $fwService.LogDefaultAction = $false
  $fwService.IsEnabled = $true
  $fwService.FirewallRule = @()
  Ipcsv -path $csvFile |
  foreach-object
  $fwService.FirewallRule += New-Object vmware.vimautomation.cloud.views.firewallrule
  $rowNum = $_.Num -as [int]
  $fwService.FirewallRule[$rowNum].description = $_.Descr
  $fwService.FirewallRule[$rowNum].protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
  switch ($_.Proto)
  "tcp" { $fwService.FirewallRule[$rowNum].protocols.tcp = $true }
  "udp" { $fwService.FirewallRule[$rowNum].protocols.udp = $true }
  "any" { $fwService.FirewallRule[$rowNum].protocols.any = $true }
  default { $fwService.FirewallRule[$rowNum].protocols.any = $true }
  $fwService.FirewallRule[$rowNum].sourceip = $_.SrcIP
  if ($_.SrcPort -eq "any" ) { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
  $fwService.FirewallRule[$rowNum].sourceport = $srcPort
  $fwService.FirewallRule[$rowNum].destinationip = $_.DstIP
  $fwService.FirewallRule[$rowNum].destinationportrange = $_.DstPortRange
  $fwService.FirewallRule[$rowNum].policy = $_.Policy
  #$fwService.FirewallRule[$rowNum].direction = $_.Direction
  #$fwService.FirewallRule[$rowNum].MatchOnTranslate = [System.Convert]::ToBoolean($_.MatchOnTranslate)
  $fwService.FirewallRule[$rowNum].isenabled = [System.Convert]::ToBoolean($_.isEnabled)
  $fwService.FirewallRule[$rowNum].enablelogging = [System.Convert]::ToBoolean($_.EnableLogging)
  #configure Edge
  $edgeView.ConfigureServices($fwService)
  Thanks,
  Scott.

  Hi,
  Agree with Ed, you can publish CAS array VIP to internet, and use it to configure Federated Delegation.
  Thanks.
  Niko Cheng
  TechNet Community Support

• ISE 1.1.1 firewall rules distributed deployment

  My question is in reference to the following link:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
  Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell
  My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?
  I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

  Try this for size.
  In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
  You might be able to cut this list down, and you might have to add to it for any specific requirements.
  From PSN to AD (potentially all AD nodes):
  TCP 389, 3268, 445, 88, 464
  UDP 389, 3268
  From PSN to Monitoring nodes:
  TCP 443
  UDP 20514
  PSN to Admin Nodes (2Way):
  TCP 443, 1521
  ICMP echo and reply (heartbeat)
  WLC to PSN:
  TCP 443, 8443, 80, 8080
  UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
  PSN to other PSN’s (2 way)
  UDP 30514, 45588, 45990
  Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
  TCP 8443, 8905
  UDP 8905
  Admin/Sponsor to all ISE nodes:
  TCP 22, 80, 443, 8080, 8443
  UDP 161
  PSN access to DNS servers:
  TCP/UDP 53
  PSN access to NTP servers:
  UDP 123

• [Solved] Windows Firewall rule that allows Windows Update

  Can anyone kindly give me a Windows Firewall rule that allows Windows Update? Assume I'm running MMC's "Windows Firewall with Advanced Security" snap-in as Administrator. Note that a "solution" that takes down the outbound firewall is
  not acceptable.
  Thank You.
  ===== Solution =====
  Suppose that, as the default, you've set the outbound firewall to block (see
  To close the outbound firewall, below). In order for Windows Update to check whether an update is available and then to download the update files, you first need an outbound firewall
  allow-rule that allows the Windows Update service to pass through the outbound firewall.
  Prerequisite: Knowledge of the Microsoft Management Console (MMC) and its "Windows Firewall with Advanced Security" plug-in.
  What you will do: You will use the "Windows Firewall with Advanced Security" MMC plug-in to create an outbound firewall rule that
  allows '%SystemRoot%\System32\svchost.exe' (the generic service driver) to pass through the outbound firewall on behalf of 'wuauserv' (the name of the specific service that performs the update).
  Warning: If you don't know what I'm writing about, get help.
  Name: Allow Windows Update (...or any name you prefer - it doesn't matter)
  Group:
  Profile: Public
  Enabled: Yes
  Action: Allow
  Program: %SystemRoot%\System32\svchost.exe
  Local Address: Any
  Remote Address: Any
  Protocol: Any
  Local Port: Any
  Remote Port: Any
  Allowed Computers: Any
  Status: OK
  Service: wuauserv
  Rule Source: Local Setting
  Interface Type: All interface types
  Excepted Computers: None
  Description:
  To open the outbound firewall:
  More accurate wording would be
  Outbound connections are allowed unless explicitly blocked by a rule.
  If you look at the standard rules you will find no block-rules. That means that nothing is blocked, everything is allowed, and the outbound firewall is wide open.
  To close the outbound firewall:
  More accurate wording would be
  Outbound connections are blocked unless explicitly allowed by a rule.
  If you look at the standard rules you will find only allow-rules that have been crafted to allow the vital Windows connections to pass through the outbound firewall. To an informed observer it's obvious that the firewall engineers crafted these
  allow-rules so that users who closed the outbound firewall wouldn't have to write them. But the firewall engineers left out Windows Update.

  Hi mark,
  Thanks for sharing, it will help other users who have similar issue.
  Regards