Firewall configuration Monitor

  • ID:  Microsoft.Windows.FileServices.Service.iSCSITarget.6.2.FirewallSettings
  • Description:  Monitors if the iSCSI target port has a firewall exclusion rule set
  • Target:  iSCSI Target Service (Windows Server 2012)
  • Enabled:  Yes

Operational States

Name State Description
Firewall configured Success  
Firewall not configured Error  

Overridable Parameters

Parameter Name Default Value Description Override
Frequency (seconds) 7200  
Sync Time    
Script timeout (seconds) 300  
TCP port to check 3260  

Alert Details

Monitor State Message Priority Severity Auto Resolution
Firewall not configured (Error) iSCSI target firewall configuration invalid Medium Match Monitor Health Yes

Run As Profiles

Name
File Services Role Monitoring Account

Monitor Knowledgebase

Summary

This monitor checks the configuration of inbound firewall rules for the iSCSI Target Service and generates an alert if the iSCSI port is blocked. The monitor checks for TCP port 3260 by default although this can be changed by an override on the monitor if required.

If the inbound port is not enabled, no remote iSCSI initiators will be able to connect to the server and iSCSI disks will not be available for use.

If the health state is unknown, monitoring has either not begun or the monitor may have been disabled for this object.

Causes

This monitor can be unhealthy for the following reasons:

  • Windows Firewall is not running.

  • An inbound TCP firewall rule for the iSCSI target is not set.

  • The default iSCSI target port (3260) was changed and the monitor has not been updated to probe the new port.

Resolutions

Determine if Windows Firewall is enabled

To determine if Windows Firewall is enabled, use the following procedure on the affected server:

  • At an elevated command prompt on the affected server, type: sc query mpssvc and press ENTER.

  • If Windows Firewall is not running, type the following command: net start mpssvc.

Determine if firewall rules are enabled

To determine if the firewall rules for the ports are enabled, use the following procedure on the affected server:

  • Open Control Panel on the affected server, click System and Security, and then click Windows Firewall.

  • In the left pane, click Advanced Settings and then click Inbound Rules.

  • Verify that the Microsoft iSCSI Software Target Service (TCP-In) rule is enabled and that Action is set to Allow.

  • Verify that the correct TCP port (3260 by default) is specified in the rule.

  • If firewall rules are not enabled, click the applicable rule, and on the Action menu, click Enable Rule.

This monitor automatically resets to a Healthy state after you resolve the issue although there may be a long delay as the monitor does not perform this check frequently. To force the monitor to reset and check the state again, select the monitor from Health Explorer and click Reset Health.

Update the monitor configuration

If the iSCSI Target has been configured to use a non-default port, follow the configuration steps in the management pack guide to update the monitor configuration with the new port number.

External References
This monitor does not contain any external references.

See Also for Windows Server File & iSCSI Services Management Pack


Downloads for Windows Server File & iSCSI Services Management Pack

AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED