Windows Firewall Logging

Table of Contents

Needed files
Introduction
Turning on logging for all network locations
Following logs with Tail for Win32
Conclusion

Needed files  

Introduction  

This howto describes how to enable logging for all network locations in the Windows Firewall on Windows Vista and later.

Usually the log file created by the Windows Firewall is located at

%systemroot%\system32\logfiles\firewall\pfirewall.log

which in most cases translates to:

C:\Windows\system32\logfiles\firewall\pfirewall.log

To view log files, you could open them with Notepad, but there is a better solution called Tail for Win32 for following rapidly updated text files. Although the name Tail for Win32 might suggest it would not run on current Windows versions, it also works on 64-bit systems. Its setup is described later.

The intention behind logging firewall activity is to be able to verify that newly added rules work properly, or to debug them if they do not work as expected. Because a log file also contains a lot of information you probably do not want to see, coloring the output is a way to visually separate important entries from the rest. Tail for Win32 lets you specify colors to highlight user-defined keywords.

When analyzing the behaviour of the Windows Firewall, the following pieces of information are important and can be used as keywords:

  • The system's local private IP address
  • The system's public IP address when connected to a VPN service
  • Certain protocols used, e.g. UDP or TCP
  • The state of a packet, e.g. ALLOW or DROP

Turning on logging for all network locations 

If you have not already opened the Windows Firewall Management Console, start it by opening the Start menu, entering wf.msc in the search field and selecting wf.msc from the Programs list.

On the left pane, select Windows Firewall with Advanced Security on Local Computer. Then click Properties on the right pane.

wfmsc_01.png

A properties dialog appears. Make sure you are on the Domain Profile tab. Select Customize in the Logging section.

wflog_02.png

Set both Log dropped packets and Log successful connections to Yes. Note the default path of the log file, as stated in the introduction. Click OK.

wflog_03.png

Switch to the Private Profile tab. Select Customize in the Logging context.

wflog_04.png

Set both Log dropped packets and Log successful connections to Yes again and click OK.

wflog_05.png

Finally switch to the Public Profile tab. Select Customize in the Logging context.

wflog_06.png

Also set both Log dropped packets and Log successful connections to Yes again and click OK.

wflog_07.png

Following logs with Tail for Win32  

Download Tail for Win32 and install it. A program icon should have been created on your Desktop.

The Windows Firewall writes its log file with administrator privileges, so to open it you need to run Tail for Win32 as administrator as well. Right-click its Desktop icon and select Run as administrator.

From the File menu select Open.

tail_win_01.png

A dialog box appears. If you did not change the path of the Windows Firewall log file, navigate to C:\Windows\system32\logfiles\firewall and select pfirewall.log. Click Open.

tail_win_02.png

You now see the contents of pfirewall.log organized into different columns, showing details about logged packets, e.g. time stamp, state (dropped/passed), source and destination IP addresses.

To ease the observation of the log file, you can highlight the output depending on keywords. Open the Settings menu and select Keywords.

tail_win_03.png

Another dialog appears letting you define which keywords should be highlighted with a certain color.

In this example the keyword 10.211.55.3, the local IP address of the system used here, was added to mark all appearances of this address in red.

tail_win_04.png

After having defined your keywords, click OK to close this dialog.

tail_win_05.png

New lines added to the log now get colored:

tail_win_06.png
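The wf.msc steps above (enabling logging for all three profiles) and the keyword highlighting done in Tail for Win32 can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original howto; it uses the NetSecurity module cmdlets available on Windows 8 / Server 2012 and later, the log path from the introduction, and the sample address 10.211.55.3 from the screenshots (replace it with your own local address).

```powershell
# Added example: configure Windows Firewall logging for every profile and
# follow the log with keyword colouring. Run from an elevated PowerShell.

# Log path from the introduction; Windows expands %systemroot% itself.
$LogFile = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Log dropped packets and successful connections for Domain, Private and
#    Public at once. LogMaxSizeKilobytes is the size limit the conclusion
#    talks about; 32767 KB is the largest value the firewall accepts.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogAllowed True -LogBlocked True `
    -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# 2. Verify that every profile now logs both kinds of events.
Get-NetFirewallProfile |
    Select-Object Name, LogAllowed, LogBlocked, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# 3. Follow the log the way Tail for Win32 does, colouring each line by the
#    first keyword that matches. The list is ordered so that DROP wins over a
#    mere address match; 10.211.55.3 is the sample local address from above.
$Keywords = [ordered]@{
    'DROP'        = 'Red'
    'ALLOW'       = 'Green'
    '10.211.55.3' = 'Yellow'
}

$ResolvedLog = [Environment]::ExpandEnvironmentVariables($LogFile)
Get-Content -Path $ResolvedLog -Wait -Tail 20 | ForEach-Object {
    $line  = $_
    $color = 'Gray'
    foreach ($kw in $Keywords.Keys) {
        if ($line -match [regex]::Escape($kw)) { $color = $Keywords[$kw]; break }
    }
    Write-Host $line -ForegroundColor $color
}

# When the debugging session is over, switch logging off again for all
# profiles (the conclusion explains why):
# Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed False -LogBlocked False
```

The #Fields header line at the top of pfirewall.log names the columns (date, time, action, protocol, source and destination IP and port, and so on), which is the same information the Tail for Win32 view shows.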

Conclusion  

You should now be able to debug your Windows Firewall settings by viewing its log file and to color those entries in the log file that are of importance for your current debugging task.

If you receive a lot of output in the log file and important entries get overwritten before you can save them, you can increase the size of the log file. To change this limit, go back into the Windows Firewall Management Console and customize the setting for every connection profile.

Remember to turn off firewall logging when it is no longer needed, because logging decreases the firewall's performance and thus can result in slower connections on busy/fast lines. From a privacy point of view, you do not want to keep these logs anyway ;)