How to access and view Windows Firewall logs

Windows Firewall logging records blocked and allowed connection attempts so troubleshooting and incident reviews have concrete evidence instead of assumptions. The log quickly answers which host was blocked, which port was targeted, and which action was applied.

Logging options in Windows Defender Firewall with Advanced Security write traffic events to pfirewall.log using a W3C-style format with a Fields header that defines the column order. Settings are configured per firewall profile (Domain, Private, Public), so each profile can record dropped packets, successful connections, or neither.

Enabling successful-connection logging can generate large amounts of data and expose internal addressing and service usage patterns. Adjust the maximum log size to prevent rapid rollover, keep the log on a volume with sufficient free space, and note that the log file may not appear until matching traffic is processed and written.

1. Press Windows Key + R to open Run.
2. Run wf.msc to open Windows Defender Firewall with Advanced Security.
3. Open Windows Defender Firewall with Advanced Security on Local Computer → Properties.
4. Select the target profile tab (Domain Profile, Private Profile, or Public Profile).

   Logging is configured per profile; repeat for other profiles when traffic can move between network types.

5. Click Customize in the Logging section.
6. Set Log dropped packets to Yes.
7. Set Log successful connections to Yes.

   Log successful connections can grow pfirewall.log quickly and record sensitive metadata (internal IPs, ports, destinations); enable only when required and size the log accordingly.

8. Confirm the log path and maximum size in Customize Logging Settings.

   The default path is usually C:\Windows\System32\LogFiles\Firewall\pfirewall.log (also shown as \%systemroot\%\system32\logfiles\firewall\pfirewall.log) with a default maximum size often set to 4096 KB; increase the limit on busy hosts to reduce rollover.

9. Click OK to save Customize Logging Settings.
10. Click OK to apply the profile changes in Firewall Properties.
11. Open C:\Windows\System32\LogFiles\Firewall\pfirewall.log in Notepad.

    If “Access is denied” appears, start Notepad using Run as administrator and reopen the file.

12. Inspect the Fields header in pfirewall.log to determine the column order.

    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port ##### snipped #####
    2025-12-22 14:35:22 ALLOW TCP 192.168.1.10 192.168.1.1 3249 80 ##### snipped #####
    2025-12-22 14:35:25 DROP UDP 10.0.0.5 8.8.8.8 50222 53 ##### snipped #####

    

    Match src-ip and src-port to the initiating endpoint, and dst-ip and dst-port to the target service; the action column indicates ALLOW or DROP.

13. Verify logging by reading the newest entries from PowerShell.

    PS C:\> Get-Content -Path 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' -Tail 5
    2025-12-22 14:35:25 DROP UDP 10.0.0.5 8.8.8.8 50222 53 ##### snipped #####

    

    Add -Wait to follow appended log lines in real time.