Quick Links

In the process of filtering Internet traffic, all firewalls have some type of logging feature that documents how the firewall handled various types of traffic. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols. You can also use the Windows Firewall log file to monitor TCP and UDP connections and packets that are blocked by the firewall.

Why and When Firewall Logging is Useful

  1. To verify if newly added firewall rules work properly or to debug them if they do not work as expected.
  2. To determine if Windows Firewall is the cause of application failures — With the Firewall logging feature you can check for disabled port openings, dynamic port openings, analyze dropped packets with push and urgent flags and analyze dropped packets on the send path.
  3. To help and identify malicious activity — With the Firewall logging feature you can check if any malicious activity is occurring within your network or not, although you must remember it does not provide the information needed to track down the source of the activity.
  4. If you notice repeated unsuccessful attempts to access your firewall and/or other high profile systems from one IP address (or group of IP addresses), then you might want to write a rule to drop all connections from that IP space (making sure that the IP address isn’t being spoofed).
  5. Outgoing connections coming from internal servers such as Web servers could be an indication that someone is using your system to launch attacks against computers located on other networks.

How to Generate the Log File

By default, the log file is disabled, which means that no information is written to the log file. To create a log file press “Win key + R” to open the Run box. Type “wf.msc” and press Enter. The “Windows Firewall with Advanced Security” screen appears. On the right side of the screen, click “Properties.”

A new dialog box appears. Now click the “Private Profile” tab and select “Customize” in the “Logging Section.”

A new window opens and from that screen choose your maximum log size, location, and whether to log only dropped packets, successful connection or both. A dropped packet is a packet that Windows Firewall has blocked. A successful connection refers both to incoming connections as well as any connection you have made over the Internet, but it doesn’t always mean that an intruder has successfully connected to your computer.

By default, Windows Firewall writes log entries to

        %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log
    

and stores only the last 4 MB of data. In most production environments, this log will constantly write to your hard disk, and if you change the size limit of the log file (to log activity over a long period of time) then it may cause a performance impact. For this reason, you should enable logging only when actively troubleshooting a problem and then immediately disable logging when you’re finished.

Next, click the “Public Profile” tab and repeat the same steps you did for “Private Profile” tab. You’ve now turned on the log for both private and public network connections. The log file will be created in a W3C extended log format (.log) that you can examine with a text editor of your choice or import them into a spreadsheet. A single log file can contain thousands of text entries, so if you are reading them through Notepad then disable word wrapping to preserve the column formatting. If you are viewing the log file in a spreadsheet then all the fields will be logically displayed in columns for easier analysis.

On the main “Windows Firewall with Advanced Security” screen, scroll down until you see the “Monitoring” link. In the Details pane, under “Logging Settings”, click the file path next to “File Name.” The log opens in Notepad.

Interpreting the Windows Firewall log

The Windows Firewall security log contains two sections. The header provides static, descriptive information about the version of the log, and the fields available. The body of the log is the compiled data that is entered as a result of traffic that tries to cross the firewall. It is a dynamic list, and new entries keep appearing at the bottom of the log. The fields are written from left to right across the page. The (-) is used when there is no entry available for the field.

According to the Microsoft Technet documentation the header of the log file contains:

Version — Displays which version of the Windows Firewall security log is installed.

Software — Displays the name of the software creating the log.

Time — Indicates that all the timestamp information in the log are in local time.

Fields — Displays a list of fields that are available for security log entries, if data is available.

While the body of the log file contains:

date — The date field identifies the date in the format YYYY-MM-DD.

time — The local time is displayed in the log file using the format HH:MM:SS. The hours are referenced in 24-hour format.

action — As the firewall processes traffic, certain actions are recorded. The logged actions are DROP for dropping a connection, OPEN for opening a connection, CLOSE for closing a connection, OPEN-INBOUND for an inbound session opened to the local computer, and INFO-EVENTS-LOST for events processed by the Windows Firewall, but were not recorded in the security log.

protocol — The protocol used such as TCP, UDP, or ICMP.

src-ip — Displays the source IP address (the IP address of the computer attempting to establish communication).

dst-ip — Displays the destination IP address of a connection attempt.

src-port — The port number on the sending computer from which the connection was attempted.

dst-port — The port to which the sending computer was trying to make a connection.

size — Displays the packet size in bytes.

tcpflags — Information about TCP control flags in TCP headers.

tcpsyn — Displays the TCP sequence number in the packet.

tcpack — Displays the TCP acknowledgement number in the packet.

tcpwin — Displays the TCP window size, in bytes, in the packet.

icmptype — Information about the ICMP messages.

icmpcode — Information about the ICMP messages.

info — Displays an entry that depends on the type of action that occurred.

path — Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN.

As you notice, the log entry is indeed big and may have up to 17 pieces of information associated with each event. However, only the first eight pieces of information are important for general analysis. With the details in your hand now you can analyze the information for malicious activity or debug application failures.

If you suspect any malicious activity, then open the log file in Notepad and filter all the log entries with DROP in the action field and note whether the destination IP address ends with a number other than 255. If you find many such entries, then take a note of the destination IP addresses of the packets. Once you have finished troubleshooting the problem, you can disable the firewall logging.

Troubleshooting network problems can be quite daunting at times and a recommended good practice when troubleshooting Windows Firewall is to enable the native logs. Although the Windows Firewall log file is not useful for analyzing the overall security of your network, it still remains a good practice if you want to monitor what is happening behind the scenes.