Enable logging for Windows Firewall (2008R2)

When troubleshooting problems with the built-in Windows firewall it helps to know exactly what traffic is being blocked. One can of course just turn the firewall off to see whether things start working, and then look for documentation on the failing application or service. Sadly, that leaves the server unprotected while you test, and documentation is often incomplete about which ports an application actually depends on. The firewall log makes it easier to troubleshoot without having to disable the firewall at all.

Configuration

Start by bringing up the firewall properties from the Windows Firewall with Advanced Security MMC snap-in (wf.msc):

image

You can configure logging separately for each of the profiles (domain, private and public). By default they all log to the same file, %windir%\System32\LogFiles\Firewall\pfirewall.log. The log lines do not record which profile dropped a packet, so it is smart to use a different log file per profile if you have connections on more than one profile, e.g. one LAN and one WAN adapter. Logging dropped packets only is recommended, as logging successful connections will fill up the log quickly on a busy server.

image

I would recommend turning logging off again when troubleshooting is finished, and leaving the log size limit at the default 4 096 KiB. If you specify a different folder than the default one you must make sure that the Windows Firewall service account (NT SERVICE\MpsSvc) has write permission to it, or nothing will be logged. Unlike the W3SVC (IIS) log, the firewall log is limited to two files: the current pfirewall.log and the previous one, renamed pfirewall.log.old when the size limit is reached. This ensures that the disk is not filled with firewall log files, and translates to a maximum disk space allocation of two times the size limit per log file you configure.
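The same settings can be applied from a script instead of clicking through the dialog. The following is an added example, not from the original post: it uses netsh advfirewall, which is present on Server 2008 R2, to give each profile its own log file, keep the 4096 KB limit, and log dropped packets only. The folder C:\FirewallLogs and the per-profile file names are assumptions for illustration.

```powershell
# Added example, not part of the original post.
# Assumed: logs go to C:\FirewallLogs with one file per profile.
$logDir = 'C:\FirewallLogs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# A non-default folder must be writable by the firewall service account (MpsSvc);
# grant its service SID Modify on the folder and on everything created inside it.
icacls $logDir /grant 'NT SERVICE\MpsSvc:(OI)(CI)M'

foreach ($fwProfile in 'domain', 'private', 'public') {
    $logFile = Join-Path $logDir "pfirewall-$fwProfile.log"
    # Separate file per profile, 4096 KB limit, dropped packets only.
    netsh advfirewall set "${fwProfile}profile" logging filename "$logFile"
    netsh advfirewall set "${fwProfile}profile" logging maxfilesize 4096
    netsh advfirewall set "${fwProfile}profile" logging droppedconnections enable
    netsh advfirewall set "${fwProfile}profile" logging allowedconnections disable
}

# Verify: the Logging section of each profile shows the file name and what is logged.
netsh advfirewall show allprofiles

# When troubleshooting is finished, stop logging again but keep the other settings:
# netsh advfirewall set allprofiles logging droppedconnections disable
```

The icacls step is what the permission warning above boils down to in practice: without it the firewall service silently fails to create the file in the new folder and you end up with an empty or missing log while believing logging is on.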

Analysis

The log files use the W3C extended log format: a few comment lines starting with # (including a #Fields: line that names the columns), followed by one space-delimited line per packet. They can be imported into a spreadsheet for analysis, but it is easier to use a specialized log analyzer such as Sawmill (large professional tool) or ZedLan Firewall Log Analyser (freeware).
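For a quick look without a separate analyzer, the log is simple enough to parse directly. The following is an added example, not from the original post or either tool mentioned: it reads the #Fields: header to get the column names, turns the space-delimited rows into objects, and summarises the dropped inbound packets by protocol and destination port, which is usually exactly the list of ports a failing application needs opened. The log path is an assumption, and the embedded sample log is constructed for illustration (it follows the real layout, but the entries are made up). It sticks to PowerShell 2.0 syntax so it runs on 2008 R2 as shipped.

```powershell
# Added example, not part of the original post. Assumed log path below.
param([string]$LogPath = "$env:windir\System32\LogFiles\Firewall\pfirewall.log")

function Import-FirewallLog {
    param([string[]]$Lines)
    # The '#Fields:' header line names the columns; data rows are space-delimited.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found; is this a Windows Firewall log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ' '
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $header
}

function Get-DroppedInboundSummary {
    param($Entries)
    # path = RECEIVE means inbound. Group by protocol and destination port,
    # and list the distinct source addresses that hit each one.
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Proto/Port'; Expression = { $_.Name -replace ', ', '/' } },
            @{ Name = 'Sources'; Expression = {
                ($_.Group | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique) -join ', ' } }
}

# Constructed sample log (same layout as a real pfirewall.log), used when the real file is absent.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-03-01 10:00:01 DROP TCP 10.0.0.5 10.0.0.10 49152 445 52 S 123456 0 8192 - - - RECEIVE
2011-03-01 10:00:02 DROP TCP 10.0.0.5 10.0.0.10 49153 445 52 S 123457 0 8192 - - - RECEIVE
2011-03-01 10:00:03 DROP UDP 10.0.0.7 10.0.0.10 137 137 78 - - - - - - - RECEIVE
2011-03-01 10:00:04 DROP TCP 10.0.0.10 10.0.0.20 50000 1433 52 S 123458 0 8192 - - - SEND
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Get-DroppedInboundSummary -Entries (Import-FirewallLog -Lines $lines) | Format-Table -AutoSize
```

On the constructed sample this gives two rows, TCP/445 (two drops from 10.0.0.5) and UDP/137 (one from 10.0.0.7); the SEND line is an outbound drop and is left out, since outbound blocks point at a different rule set. Dropping the `-eq 'RECEIVE'` filter shows both directions. Because the header is read from the file rather than hard-coded, the same parser copes if a later Windows version adds or reorders columns.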