Windows Filtering Platform (WFP) Drivers Tests

The Hardware Certification tests consist of three test suites; two for validating WFP specific operations and one for validating interoperability with Transition Technologies (currently targeted at Teredo). The suites consist of multiple parts.

In this section:

Each test maps directly to a requirement and is named identically to that requirement. An overall test encompasses the tests. You can use this overall test to run one job and wait for the others start, or to run each job individually. 

The following table describes the requirements that are related to these tests.

RequirementDescription

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.AppContainers.SupportModernApplications

Windows® Filtering Platform (WFP)–based products must not block App Container applications that are operating within their declared network intentions by default, and should do so only when they are following specific user/administrator intention or attempting to protect the system against a specific threat.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.CleanUninstall

This is to ensure that host firewalls do not leave unused objects after uninstallation, thereby potentially causing diagnostic issues if another separate host firewall is installed on the same computer. The following WFP objects must be cleaned up: Provider, providerContext, Filter, subLayer, or callout. In addition, additional installation requirements for applications (via the Software Certification Program) must be met.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.ConnectionProxying.NoDeadlocks

WFP-based products that redirect or proxy at redirect layers (connect redirect) must use the new proxying API so that other WFP-based products can determine that the connection has been proxied.

Filter.Driver.WindowsFilteringPlatform.Architectura.Design.FwpmFilters.MaintainOneTerminating

A terminating filter is one that returns a permit/block decision. It may exist as a static filter or within a callout. The intent behind this requirement is to ensure that premium host firewalls perform at least one permit or block decision and not simply maintain filters only for inspection purposes.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.AssociateWithObjects

WFP-based products must associate all of their provider contexts, filters, sublayers, and callouts with their corresponding identifying provider object.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.MaintainIdentifying

WFP-based products must create and maintain at least one identifying FWPM_PROVIDER provider object.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmSublayers.UseOwnOrBuiltIn

WFP-based products must use only their own sublayer or one of the built-in sublayers.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NetworkDiagnosticsFramework.MaintainHelperClass

WFP-based products must include a Network Diagnostics Framework (NDF) helper class that extends the Filtering Platform Helper Class (FPHC).

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoAccessViolations

WFP-based products must not cause any access violation under high load or during driver load/unload (while under network load or not).

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoTamperingWith3rdPartyObjects

WFP-based products must not attempt to remove or alter another WFP-based product's WFP objects and built-in objects. This ensures interoperability between multiple host firewalls' WFP objects within the operating system.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.PacketInjection.NoDeadlocks

WFP-based products must not continually modify network packets that have already been modified and re-injected, because this can create potential deadlocks.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.StreamInjection.NoStreamStarvation

To "not starve" means that stream-layer callout indications should not be pended to queue more than 8 megabytes (MB) of data. This requirement ensures that the host firewall drivers do not cause starvation of resources on the computer.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates

WFP-based products must ensure network connectivity upon recovering from power managed states. This ensures that host firewalls do not break network connectivity on the computer upon resuming from various power management states.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.WFPObjectsACLs

WFP-based products must ACL all their objects in a way that any other WFP-based product can at least enumerate those objects by using the corresponding WFP enumeration APIs. This ensures that all WFP objects on the system can be enumerated by any host firewall or application for diagnostic purposes.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.Winsock

Kernel-mode filter drivers are designed to maximize the reliability and functionality of Windows Sockets, and to interact accurately with the core components of the operating system.

Filter.Driver.WindowsFilteringPlatform.Firewall.DisableWindowsFirewallProperly

Host firewalls must disable Windows Firewall by using only the supported method.

Filter.Driver.WindowsFilteringPlatform.Firewall.NotOnlyPermitAllFilters

Host firewalls must not circumvent the intent of the Windows Filtering Platform API tests by simply maintaining all permit_all filters for all kinds of network traffic, which is not meaningful filtering of network traffic. This applies to bot, static, and callout filters.

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions

All host-based firewalls must be able to block or allow by 5-tuple parts, including port (Internet Control Message Protocol [ICMP] type and code, User Datagram Protocol [UDP], and Transmission Control Protocol [TCP]), IP address, and protocol.

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportApplicationExceptions

WFP-based products must support exceptions from corresponding applications.

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportMACAddressExceptions

All host-based firewalls that have filters in L2 (native/media access control [MAC]) layers must be able to block or allow by MAC address.

Filter.Driver.WindowsFilteringPlatform.Firewall.UseWindowsFilteringPlatform

Firewalls must comply with WFP-based APIs for filtering network traffic on home user solutions.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportARP

WFP-based products must support allowing for successful Address Resolution Protocol (ARP) exchanges. ARP is a fundamental protocol that allows only a specific computer in a subnet to receive packets. The host firewall should not break this capability.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportDynamicAddressing

WFP-based products must support allowing for successful Dynamic Host Configuration Protocol (DHCP) exchanges over both IPv4 and IPv6. DHCP is a fundamental networking protocol. The computer should always be capable of being connected, and the host firewall should not break this experience.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv4

WFP-based products must support IPv4 traffic. This ensures that consumer host firewalls or other filtering components do not cause loss of basic IPv4 connectivity on the computer.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv6

Windows has IPv6 enabled by default. Host firewalls should not break native IPv6 connectivity (and therefore, Windows scenarios that are based on IPv6) for customers.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportNameResolution

WFP-based products must support allowing for successful Domain Name System (DNS) client queries. DNS is a fundamental networking protocol that allows computers to have discoverable display names. Host firewalls should not break this experience.

Filter.Driver.WindowsFilteringPlatform.Scenario.Support6to4

WFP-based products must support 6to4.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportAutomaticUpdates

WFP-based products must support Automatic Updates in Windows. This is related to Automatic Updates and Windows Update, which is a key scenario through which important updates are installed on the computer.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportBasicWebsiteBrowsing

This is to ensure that basic Internet browsing experiences are supported upon installation of a host firewall on a Windows-based computer.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportFileAndPrinterSharing

This is to ensure that home users can share content to and from other computers inside their home networks, in addition to printing content on shared printers.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportICMPErrorMessages

This is to ensure that host firewalls support ICMP error messages (in compliance with RFC 4890 and RFC 2979 from the Internet Engineering Task Force [IETF]), as a core networking fundamental.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportInternetStreaming

WFP-based products must support Internet streaming and media sharing for media player network-sharing services. This is related to Automatic Updates and Windows Update, which is a key scenario through which important updates are installed on the computer.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMediaExtenderStreaming

WFP-based products must support media-streaming scenarios based on extender technologies.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMobileBroadBand

WFP-based products must allow mobile broadband devices that are compliant with the Windows mobile broadband driver model to function correctly. This is to ensure that host firewall functionality does not block the mobile broadband connectivity and that the firewall functionality works with mobile broadband devices.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportPeerNameResolution

Host firewalls support the Peer Name Resolution Protocol (PNRP) and the Peer-to-Peer Grouping Protocol, which some peer-to-Peer applications require. The PNRP provides security-enhanced, serverless name resolution, and the Peer-to-Peer Grouping Protocol provides security-enhanced, reliable multiparty communication.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteAssistance

WFP-based products must support Remote Assistance scenarios. The Remote Assistance scenario is used for a helper to connect to a computer and to show the user a solution to the problem.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteDesktop

WFP-based products must support Remote Desktop. Remote Desktop is a technology that enables a user to connect to a remote computer in a different location. Remote Desktop is a key Windows scenario that is relevant for consumers who have multiple computers at home and are trying to use one computer to access content that exists on another computer.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportTeredo

WFP-based products must support Teredo. As an IPv6 transition technology over IPv4 networks, Teredo may be used as a connectivity mechanism in certain Windows consumer scenarios, including Remote Assistance and Windows Live® Messenger. Host firewalls must correctly support Teredo to allow connectivity for these scenarios.

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportVirtualPrivateNetworking

WFP-based products must support virtual private network (VPN) scenarios in Windows. This makes sure that firewalls support Internet Protocol security (IPsec) scenarios, such as IPsec VPN, which are used on client computers to establish security-enhanced connections over the Internet.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.InteropWithOtherExtensions

WFP must not block traffic from another vSwitch extension (WFP or lightweight filter [LWF]) by default, and should do so only when it is following specific user/administrator intention or protecting the system against a specific threat.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.NoEgressModification

WFP-based products that operate in the vmSwitch must not modify packets on the egress path of the vmSwitch.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportLiveMigration

WFP-based products that operate in the vmSwitch must present a minimal Microsoft® Operations Framework (MOF) for live migration. In the MOF, it must declare itself logo compliant for live migration and allow itself to be migrated or not block migration by default. The total time for migrations for live migration cannot be longer than 2 seconds.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportRemoval

WFP-based products that operate in the vmSwitch must be allowed to be removed when the administrator has disabled WFP for the vmSwitch instance.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportReordering

WFP-based products that operate in the vSwitch must respond to WFP vmSwitch reorder events.

 

Test Details

The first part of running the Windows Filtering Platform (WFP) Tests is copying the required binaries. This is accomplished by running the “Basic Firewall - Copy Binaries” library job.

Second, the Sparta Miniports must be installed and configured successfully. This is accomplished by running the “Install Sparta Miniport Interfaces (x4)” library job. You can verify the install succeeded by opening a command prompt and typing “IPConfig.exe /all”.

You should see four new Sparta interfaces named “Sparta Miniport Primary”, “Sparta Miniport Secondary”, “Sparta Miniport Tertiary”, and “Sparta Miniport Quaternary”.

Now the tests are capable of being run. The test suite will launch running each of the “REQ –“ library jobs. An initial dialog box, “WFPLogo Information Gathering”, requesting the form WFPTest.Info to be filled out will be displayed. Fill out the form accurately as the information provided is used to tailor the tests to meet the software’s behavior as well as for validation.

The form has been pre-populated with values for the built-in Microsoft Windows Firewall.

The form consists of the following:

Value’s NameDescription / UseDefault Value

CompanyName

Populate this value with the name of your company. This information is used to help validate the WFP Provider.

“”Microsoft Corporation”

ProductName

Populate this value with the name of the Product. This information is used to help validate the WFP Provider.

“Windows Firewall”

UseAnswerFile

Populate this value with 1 if you are supplying an answer file to automate the filter additions / deletions during the logo test’s run, else set to 0.

0

CalloutDriver

Populate this value with 1 if your software contains a callout driver, else set to 0.

1

IsAFirewall

Populate this value with 1 if your software is considered a firewall, else set to 0.

LayeredOnMicrosoftWindowsFirewall

Populate this value with 1 if your software adds filters and rules to Windows Firewall, else set to 0.

0

DoesMACFiltering

0

DoesVSwitchFiltering

0

DoesPacketInjection

0

DoesStreamInjection

0

DoesConnectionProxying

0

 

The rest of the file contains attestations for all of the requirements. If the requirement is mandatory, the value must be set to 1, to indicate you have read the requirement, and believe your driver to meet it. For requirements that are marked if implemented, the value is ignored.

Finally, at the bottom of the for, replace the “YOUR NAME HERE” with the name or company name to attest that all of the information included is true to the best of your knowledge, and save the file.

After saving this form, and selecting OK in the dialog box, the WFP HCK tests will execute. You will be prompted to configure the software in various specific configurations prior to many of the tests execution, as well as removing the configuration after the test has executed. All required information to make the test succeed is provided in the dialog box.

Each of the following tests will request the software to be configured for the provided information:

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates

  • Variation: Permit Outbound IPv4

    • Source / Local Address= Pseudo Random i.e. 1.0.0.1

    • Destination / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Remote Port= Random i.e. 43990

    • Destination / Local Port= Random i.e. 45521

  • Variation: Block Outbound IPv4

    • Source / Local Address= Pseudo Random i.e. 1.0.0.1

    • Destination / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 43990

    • Destination / Local Port= Random i.e. 45521

  • Variation: Permit Inbound IPv4

    • Source / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Destination / Local Address= Pseudo Random i.e. 1.0.0.1

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 43990

    • Destination / Local Port= Random i.e. 45521

  • Variation: Block Inbound IPv4

    • Source / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Destination / Local Address= Pseudo Random i.e. 1.0.0.1

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Remote Port= Random i.e. 45521

    • Destination / Local Port= Random i.e. 43990

  • Variation: Permit Outbound IPv6

    • Source / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Destination / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 45521

    • Destination / Local Port= Random i.e. 43990

  • Variation: Block Outbound IPv6

    • Source / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Destination / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Remote Port= Random i.e. 45521

    • Destination / Local Port= Random i.e. 43990

  • Variation: Permit Inbound IPv6

    • Source / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Destination / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 45521

    • Destination / Local Port= Random i.e. 43990

  • Variation: Block Inbound IPv6

    • Source / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Destination / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Remote Port= Random i.e. 45521

    • Destination / Local Port= Random i.e. 43990

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.StreamInjection.NoStreamStarvation

  • Variation: IPv4

    • Protocol= TCP (6)

    • Source / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Destination / Local Address= Pseudo Random i.e. 1.0.0.1

    • Source / Remote Port= Random i.e. 43919

    • Destination / Local Port= Random i.e. 49037

  • Variation: IPv6

    • Protocol= TCP (6)

    • Source / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Destination / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Source / Remote Port= Random i.e. 43900

    • Destination / Local Port= Random i.e. 49005

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions (by IP Address)

  • Variation: Permit Outbound IPv4

    • Source / Local Address= Pseudo Random i.e. 1.0.0.1

    • Destination / Remote Address= Pseudo Random i.e. 1.0.0.254

  • Variation: Block Outbound IPv4

    • Source / Local Address= Pseudo Random i.e. 1.0.0.1

    • Destination / Remote Address= Pseudo Random i.e. 1.0.0.254

  • Variation: Permit Inbound IPv4

    • Source / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Destination / Local Address= Pseudo Random i.e. 1.0.0.1

  • Variation: Block Inbound IPv4

    • Source / Remote Address= Pseudo Random i.e. 1.0.0.254

    • Destination / Local Address= Pseudo Random i.e. 1.0.0.1

  • Variation: Permit Outbound IPv6

    • Source / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Destination / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

  • Variation: Block Outbound IPv6

    • Source / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

    • Destination / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

  • Variation: Permit Inbound IPv6

    • Source / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Destination / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

  • Variation: Block Inbound IPv6

    • Source / Remote Address= Pseudo Random i.e. FE80::1:0:0:FE

    • Destination / Local Address= Pseudo Random i.e. FE80::8D8C:ECCB:1589:F169

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions (By IP Address)

  • Variation: Permit Outbound IPv4

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Local Port= Random i.e. 42930

    • Destination / Remote Port= Random i.e. 47702

  • Variation: Block Outbound IPv4

    • Protocol= Pseudo Random i.e. Raw UDP (17)

    • Source / Local Port= Random i.e. 41468

    • Destination / Remote Port= Random i.e. 46747

  • Variation: Permit Inbound IPv4

    • Protocol= Pseudo Random i.e. Raw UDP (17)

    • Source / Remote Port= Random i.e. 44033

    • Destination / Local Port= Random i.e. 46859

  • Variation: Block Inbound IPv4

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 41388

    • Destination / Local Port= Random i.e. 48370

  • Variation: Permit Outbound IPv6

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Local Port= Random i.e. 41975

    • Destination / Remote Port= Random i.e. 47275

  • Variation: Block Outbound IPv6

    • Protocol= Pseudo Random i.e. Raw UDP (17)

    • Source / Local Port= Random i.e. 44754

    • Destination / Remote Port= Random i.e. 445305

  • Variation: Permit Inbound IPv6

    • Protocol= Pseudo Random i.e. TCP (6)

    • Source / Remote Port= Random i.e. 41008

    • Destination / Local Port= Random i.e. 46382

  • Variation: Block Inbound IPv6

    • Protocol= Pseudo Random i.e. UDP (17)

    • Source / Remote Port= Random i.e. 43990

    • Destination / Local Port= Random i.e. 45521

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions (By Ports)

  • Variation: Permit Outbound IPv4

    • Protocol= Pseudo Random i.e. Raw UDP (17)

  • Variation: Block Outbound IPv4

    • Protocol= Pseudo Random i.e. UDP (17)

  • Variation: Permit Inbound IPv4

    • Protocol= Pseudo Random i.e. IP Raw (255)

  • Variation: Block Inbound IPv4

    • Protocol= Pseudo Random i.e. TCP (6)

  • Variation: Permit Outbound IPv6

    • Protocol= Pseudo Random i.e. IP Raw (255)

  • Variation: Block Outbound IPv6

    • Protocol= Pseudo Random i.e. IPv6 ICMP (58)

  • Variation: Permit Inbound IPv6

    • Protocol= Pseudo Random i.e. IPv6 ICMP (58)

  • Variation: Block Inbound IPv6

    • Protocol= Pseudo Random i.e. IPv6 ICMP (58)

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions (By ICMP Type and Code)

  • Variation: Permit Outbound IPv4

    • Protocol= IPv4 ICMP (1)

    • Type= Pseudo Random i.e. 8

    • Code= Pseudo Random i.e. 0

  • Variation: Block Outbound IPv4

    • Protocol= IPv4 ICMP (1)

    • Type= Pseudo Random i.e. 8

    • Code= Pseudo Random i.e. 0

  • Variation: Permit Inbound IPv4

    • Protocol= IPv4 ICMP (1)

    • Type= Pseudo Random i.e. 8

    • Code= Pseudo Random i.e. 0

  • Variation: Block Inbound IPv4

    • Protocol= IPv4 ICMP (1)

    • Type= Pseudo Random i.e. 8

    • Code= Pseudo Random i.e. 0

  • Variation: Permit Outbound IPv6

    • Protocol= IPv6 ICMP (58)

    • Type= Pseudo Random i.e. 128

    • Code= Pseudo Random i.e. 0

  • Variation: Block Outbound IPv6

    • Protocol= IPv6 ICMP (58)

    • Type= Pseudo Random i.e. 128

    • Code= Pseudo Random i.e. 0

  • Variation: Permit Inbound IPv6

    • Protocol= IPv6 ICMP (58)

    • Type= Pseudo Random i.e. 128

    • Code= Pseudo Random i.e. 0

  • Variation: Block Inbound IPv6

    • Protocol= IPv6 ICMP (58)

    • Type= Pseudo Random i.e. 128

    • Code= Pseudo Random i.e. 0

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportApplicationExceptions: Similar to the preceding exceptions.

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportMACAddressExceptions: Similar to the preceding exceptions.

Filter.Driver.WindowsFilteringPlatform.Firewall.DisableWindowsFirewallProperly: Validates that categories are taken rather than Windows Firewall being turned off.

Note that one can automate the addition / deletion of filters by modifying the WFPLogo.Answer file. This answer file is parsed by the logo tests to execute the command line specified for the applicable test. It is filled out by default to use the NetSh.exe command line tool to configure Windows Firewall for the tests. Using this method will allow for a more repeatable and faster test pass. The answer file will replace the following variables with the proper value being used during the test:

ParameterUseExample

%APPLICATION%

Replaced during Run-Time with the Application’s Name being used.

%WinDir%\System32\WFPLogo.Exe

%LOCAL_IP%

Replaced during Run-Time with the Local IP Address being used.

IPv4

1.0.0.1

IPv6

FE80::1:0:0:1

%REMOTE_IP%

Replaced during Run-Time with the Remote IP Address being used.

IPv4

1.0.0.254

IPv6

FE80::1:0:0:254

%PROTOCOL%

Replaced during Run-Time with the IP Protocol being used.

17

%LOCAL_PORT%

Replaced during Run-Time with the Local Port being used.

40960

%REMOTE_PORT%

Replaced during Run-Time with the Remote Port being used.

45056

%ICMP_TYPE%

Replaced during Run-Time with the ICMP Type being used.

8

%ICMP_CODE%

Replaced during Run-Time with the ICMP Code being used.

0

%IS_RAW%

Replaced during Run-Time with the Boolean value for if the socket is raw or not.

Raw Socket

1

Native Socket

0

%LOCAL_MAC%

Replaced during Run-Time with the Local MAC Address being used.

01:02:03:04:05:06

%REMOTE_MAC%

Replaced during Run-Time with the Remote MAC Address being used.

01:02:03:04:05:06

%FRAME_TYPE%

Replaced during Run-Time with the MAC Frame Type being used.

0x806

 

After running the tests successfully, the “Basic Firewall - Uninstall Sparta Miniport Interfaces (x4)” library job will remove the Sparta Miniport interfaces.

Finally run the “Basic Firewall - Remove Binaries” library job will delete the copied files.

Note  

Running the "Basic Firewall - Remove Binaries" library job deletes the copied files.

 

SoftwareDevice.FilterDriver.WindowsFilteringPlatform.TransitionTechnologies_Tests

Test Details

The first part of running the SoftwareDevice.FilterDriver.WindowsFilteringPlatform.TransitionTechnologies_Tests is to copy the required binary files. You do this by running the "Transition Technologies - Copy Binaries" library job.

Next, the Sparta Miniport drivers must be installed and configured correctly. You do this by running the "Transition Technologies - Install Sparta Miniport (x1)" library job. To confirm that the drivers were installed correctly, open a command prompt and type IPConfig.exe /all. You should see one Sparta interface.

Now you can run the tests. The test suite starts the "REQ - WFP-based products must support Teredo" library job. The following variations are run:

  • S1 - Check DNS query for Teredo server succeeds.

  • S2 - Teredo qualifies as if behind a port preserving symmetric NAT.

  • S3 - Sequential symmetric NAT. Send and receive traffic on peer ports.

To succeed, these tests must meet the following requirements.

S1 - Check DNS query for Teredo server succeeds

This test verifies that the system can send a DNS query for the Teredo server address and receive the DNS response. If the test is successful, the Teredo client will be in the dormant state.

For the test to finish successfully, make sure that the firewall does not block any DNS traffic. Most firewalls allow DNS requests and responses by default. The test uses the following configuration:

  • (Spoofed) Teredo Server : 5.5.1.21

  • (Spoofed) DNS Server : 5.5.1.21 (port 53)

  • DNS query sent : teredo.ipv6.microsoft.com

S2 - Teredo qualifies as if behind a port preserving symmetric NAT

The test verifies that the system can send and receive multiple Router Solicitation (RS) and Router Advertisement (RA) messages. In this case, the Teredo client acts as if it is behind a port, preserving symmetric NAT.

For the test to be successful, it must receive inbound Teredo packets (over UDP) on the local port 7000. Before the test starts, you are prompted to create a firewall exception to allow inbound UDP packets on the local port 7000. Create a firewall exception according to the prompts, and then click OK to resume the test.

Warning  

Do not click OK on the prompt before you add the firewall exception. Doing so causes the test to resume and might cause the test to fail. The following is the configuration for the firewall exception:

  • Protocol: UDP

  • Local Port: 7000

  • Direction of traffic: Inbound

  • Action: ALLOW

 

S3 - Sequential symmetric NAT. Send and receive traffic on peer ports

The test verifies that the system can send and receive multiple RS and RA messages. In this case, the Teredo client acts as if it is behind a sequential symmetric NAT, and the system can send and receive Teredo traffic by using random ports.

For the test to be successful, it must receive inbound Teredo packets (over UDP) on the local port 7000 and send outbound Teredo packets (over UDP) on any random local port (in the range 5001–65535). Before the test starts, you are prompted to create firewall exceptions to allow inbound UDP packets on port 7000 and outbound UDP packets on all the local ports (5001-65535). Create the firewall exceptions accordingly, and then click OK to complete the test.

Warning  

Do not click OK on the prompt before you add the firewall exceptions. Doing so causes the test to resume and might cause the test to fail. The following is the configuration for the firewall exception:

  • Protocol: UDP

  • Local Port: 7000

  • Direction of traffic: Inbound

  • Action: ALLOW

  • Protocol: UDP

  • Local Port: ANY or in the range 5001–65535

  • Direction of traffic: Outbound

  • Action: ALLOW

 

After the tests run successfully, the "Transition Technologies - Uninstall Sparta Miniport Interface (x1)" library job removes the Sparta Miniport interface.

Finally, the "Transition Technologies - Remove Binaries" library job deletes the copied files.

SoftwareDevice.FilterDriver.WindowsFilteringPlatform.AppContainers_Tests

Test Details

The first part of running the SoftwareDevice.FilterDriver.WindowsFilteringPlatform.AppContainers_Tests is to copy the required binary files. You do this by running the "AppContainers - Copy Binaries" library job.

Next, the Sparta Miniport drivers must be installed and configured correctly. You do this by running the "AppContainers - Install Sparta Miniport (x1)" library job. To confirm that the drivers were installed correctly, open a command prompt and type IPConfig.exe /all. You should see one Sparta interface.

Now you can run the tests. The test suite starts the " REQ - WFP-based products must not block App Container apps operating within their declared network intentions by default" library job. The following variations are run:

Test: Public profile IPv4 AppContainer traffic

The following parameters are fixed for this test:

  • Sparta interface NLM network category= Public

  • IP Version= IPv4

  • Destination / Remote address= 1.0.0.2

  • Port= Random

  • Direction=Outbound

  • Destination / Remote address is a proxy server= False

The following parameters are varied:

  • IP Protocol= { TCP, UDP }

  • AppContainer capability= { PrivateNetworkClientServer, InternetClient, InternetClientServer, No capability }

Expectation: Traffic is only permitted for AppContainer’s which have either the InternetClient or InternetClientServer capabilities.

Test: Public profile IPv6 AppContainer traffic

The following parameters are fixed for this test:

  • Sparta interface NLM network category= Public

  • IP Version= IPv6

  • Destination / Remote address= fe80::1:0:0:FE

  • Port= Random

  • Direction=Outbound

  • Destination / Remote address is a proxy server= False

The following parameters are varied:

  • IP Protocol= { TCP, UDP }

  • AppContainer capability= { PrivateNetworkClientServer, InternetClient, InternetClientServer, No capability }

Expectation: Traffic is only permitted for AppContainer’s which have either the InternetClient or InternetClientServer capabilities.

Test: Private profile IPv4 AppContainer traffic

The following parameters are fixed for this test:

  • Sparta interface NLM network category= Private

  • IP Version= IPv4

  • Destination / Remote address= 1.0.0.2

  • Port= Random

  • Direction=Outbound

  • Destination / Remote address is a proxy server= False

The following parameters are varied:

  • IP Protocol= { TCP, UDP }

  • AppContainer capability= { PrivateNetworkClientServer, InternetClient, InternetClientServer, No capability }

Expectation: Traffic is only permitted for AppContainer’s which have the PrivateNetworkClientServer capability.

Test: Private profile IPv6 AppContainer traffic

The following parameters are fixed for this test:

  • Sparta interface NLM network category= Private

  • IP Version= IPv6

  • Destination / Remote address= fe80::1:0:0:FE

  • Port= Random

  • Direction=Outbound

  • Destination / Remote address is a proxy server= False

The following parameters are varied:

  • IP Protocol= { TCP, UDP }

  • AppContainer capability= { PrivateNetworkClientServer, InternetClient, InternetClientServer, No capability }

Expectation: Traffic is only permitted for AppContainer’s which have the PrivateNetworkClientServer capability.

Test: Private profile IPv4 AppContainer traffic to a proxy server

The following parameters are fixed for this test:

  • Sparta interface NLM network category= Private

  • IP Version= IPv4

  • IP Protocol= TCP

  • Destination / Remote address= 1.0.0.100

  • Port= Random

  • Direction=Outbound

  • Destination / Remote address is a proxy server= True

The following parameters are varied:

  • AppContainer capability= { PrivateNetworkClientServer, InternetClient, InternetClientServer, No capability }

Expectation: Traffic is only permitted for AppContainer’s which have either the InternetClient or InternetClientServer capabilities.

For the tests to be successful, your product must not block AppContainer applications that are operating within their declared network intentions.After the tests run successfully, the "AppContainers - Uninstall Sparta Miniport Interface (x1)" library job removes the Sparta Miniport interface.Finally, the "AppContainers - Remove Binaries" library job deletes the copied files.

More Information

For information about test prerequisites and file lists, see Windows Filtering Platform (WFP) Drivers Testing Prerequisites.

For troubleshooting information, see Troubleshooting Windows Filtering Platform (WFP) Driver Testing.

Related topics

Windows Filtering Platform (WFP) Drivers Testing

 

 

Send comments about this topic to Microsoft

Show: