4956 Windows Firewall has changed the active profile
Logged when the Windows Firewall changes its active profile. It records that the applied rule set switched because the connected network changed.
Overview
The subcategory is Audit MPSSVC Rule-Level Policy Change. The event is generated when, because of a change in the network environment, the firewall switches the profile it applies (Domain, Private or Public). Each profile has its own set of active rules and its own default behavior.
How it is triggered
- A profile switch following a change in network connection (corporate LAN to public Wi-Fi, VPN connection, and so on).
Security review points
- When the profile changes, the applied rule set changes with it. For example, a switch from Domain to Public stops the internal allow rules from taking effect, which changes the defensive baseline.
- It is unlikely that an attacker tricks the network-type detection into applying a looser profile, but an unexpected profile switch (Public when the device should be on the corporate network) is still grounds for checking the connection environment.
Notes for log review
- It occurs normally and frequently on portable devices. Pay attention to unexpected profile changes in fixed environments such as servers.
- Understand the post-switch profile and the rules active in it.
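The two review points above (a Domain-to-Public switch changing the defensive baseline, and a profile change on a fixed host such as a server) can be turned into a simple triage pass over exported 4956 events. The script below is an added example and not part of the original page; the sample events, host names and the list of fixed hosts are constructed for illustration, and the "New Active Profile:" text is taken from the event's message wording.

```python
import re

# Constructed sample 4956 records (not real logs): (host, ISO timestamp, message text).
# The message text mirrors the event's wording; host names are made up for this example.
SAMPLE_EVENTS = [
    ("LAPTOP-01", "2024-01-10T08:02:11",
     "Windows Firewall has changed the active profile.\r\n\tNew Active Profile:\tDomain"),
    ("LAPTOP-01", "2024-01-10T18:45:02",
     "Windows Firewall has changed the active profile.\r\n\tNew Active Profile:\tPublic"),
    ("SRV-FILE-01", "2024-01-10T19:10:27",
     "Windows Firewall has changed the active profile.\r\n\tNew Active Profile:\tPublic"),
    ("SRV-FILE-01", "2024-01-11T03:00:00",
     "Windows Firewall has changed the active profile.\r\n\tNew Active Profile:\tDomain"),
]

# Hosts treated as fixed environments (assumed list; in practice taken from inventory).
FIXED_HOSTS = {"SRV-FILE-01"}

# Extracts the profile name from the "New Active Profile:" line of the message.
PROFILE_RE = re.compile(r"New Active Profile:\s*(\w+)", re.IGNORECASE)


def parse_profile(message):
    """Return the new active profile named in a 4956 message, or None if absent."""
    m = PROFILE_RE.search(message)
    return m.group(1).capitalize() if m else None


def review_profile_changes(events, fixed_hosts):
    """Apply the review points to a list of 4956 events in time order.

    Flags a change when the host is a fixed environment, or when the host
    moved from Domain to Public (internal allow rules stop applying).
    Returns a list of finding dicts in chronological order.
    """
    findings = []
    last_profile = {}  # host -> most recent profile seen
    for host, ts, msg in sorted(events, key=lambda e: e[1]):
        new = parse_profile(msg)
        if new is None:
            continue  # not a profile-change message; skip
        prev = last_profile.get(host)
        reasons = []
        if host in fixed_hosts:
            reasons.append("profile change on fixed host")
        if prev == "Domain" and new == "Public":
            reasons.append("Domain->Public: internal allow rules no longer apply")
        if reasons:
            findings.append({
                "host": host,
                "time": ts,
                "previous_profile": prev,
                "new_profile": new,
                "reasons": reasons,
            })
        last_profile[host] = new
    return findings


if __name__ == "__main__":
    for f in review_profile_changes(SAMPLE_EVENTS, FIXED_HOSTS):
        print(f"{f['time']} {f['host']}: {f['previous_profile']} -> {f['new_profile']} "
              f"({'; '.join(f['reasons'])})")
```

The first LAPTOP-01 event is not flagged because a portable device picking up the Domain profile is routine; the second is flagged for the Domain-to-Public transition, and both server events are flagged simply because a fixed host changed profile at all. A real deployment would feed exported Security-log records into `review_profile_changes` and maintain the fixed-host list from inventory rather than a literal.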
Key fields
| Field | Meaning |
|---|---|
| New active profile | The profile after the switch |