Windows Firewall filters inbound and outbound traffic to protect systems from unauthorized access and network attacks. It applies rules that allow or block connections based on protocols and ports to maintain a secure environment. Monitoring log data generated by these rules provides essential visibility into connection attempts, enabling administrators to assess security posture in real time.

Firewall logs capture details such as source IP, destination IP, protocol (e.g., TCP, UDP), and network port usage. Reviewing this data helps identify suspicious patterns or repeated block events that may indicate malware activity or misconfigurations. Observing both allowed and blocked connections can uncover unauthorized attempts and pinpoint vulnerabilities or unusual traffic flows.

Access to these logs is critical for auditing, diagnostics, and ensuring alignment with security policies. By default, logged events are written to the pfirewall.log file, where they can be examined in full. Verifying dropped or permitted traffic on each firewall profile guides administrators in refining configuration, addressing threats, and maintaining overall network security.
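The review described above, in PowerShell, as an added example that is not part of the original article. The log sample is constructed, and it uses the layout Windows actually writes to pfirewall.log: a "#Fields:" header naming each column, followed by one space-separated record per line. The parser takes the column names from that header rather than hard-coding positions, so it also copes with a file whose column order differs from the shortened lines shown later in this article. The function name ConvertFrom-FirewallLog is this example's own choice.

```powershell
# Added example: parse Windows Firewall log text and summarize repeated DROP
# events per source IP. The sample below is constructed for this example and
# mirrors the header-plus-records layout Windows writes to pfirewall.log.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-10-19 14:35:22 ALLOW TCP 192.168.1.10 192.168.1.1 3249 80 0 - 0 0 0 - - - SEND
2024-10-19 14:35:25 DROP UDP 10.0.0.5 8.8.8.8 50222 53 0 - - - - - - - RECEIVE
2024-10-19 14:35:26 DROP TCP 203.0.113.7 192.168.1.10 41000 445 0 S 0 0 0 - - - RECEIVE
2024-10-19 14:35:27 DROP TCP 203.0.113.7 192.168.1.10 41001 445 0 S 0 0 0 - - - RECEIVE
2024-10-19 14:35:28 DROP TCP 203.0.113.7 192.168.1.10 41002 3389 0 S 0 0 0 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Turns raw log lines into objects whose property names come from the
    # "#Fields:" header, so the column order of the file does not matter.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1] -split '\s+'
            continue
        }
        # Skip blank lines, other comment lines, and anything before the header.
        if ($line -match '^\s*$' -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$record
    }
}

$entries = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")

# Several blocked packets from one source, especially across more than one
# destination port, are the "repeated block events" worth a closer look.
$entries | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip' |
    Where-Object Count -ge 2 |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP  = $_.Name
            Drops     = $_.Count
            DstPorts  = ($_.Group.'dst-port' | Sort-Object -Unique) -join ','
            Direction = ($_.Group.path | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize

# Against the real file instead of the constructed sample:
# $entries = ConvertFrom-FirewallLog -Lines (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log')
```

On the constructed sample this reports one source (203.0.113.7) with three drops against ports 445 and 3389, while the single DROP from 10.0.0.5 falls under the two-event threshold. The threshold and the grouping key are the obvious knobs to adjust; grouping by dst-port instead shows which services are being hit most often.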

Steps to enable and view firewall logs on Windows:

  1. Open Windows Defender Firewall.

    Press Windows Key + S and search for “Windows Defender Firewall” to locate the tool.

  2. Select Advanced Settings.

    In the left pane, click on Advanced Settings for detailed traffic control and rule configuration.

  3. Open Firewall Properties.

    Right-click Windows Defender Firewall with Advanced Security on Local Computer and choose Properties to open the settings for each firewall profile.

  4. Enable logging for a specific profile.

    Select the tab for the profile you want to log (Domain Profile, Private Profile, or Public Profile) and click Customize in the Logging section.

  5. Enable logging options.

    Check both Log dropped packets and Log successful connections.

    This will log both allowed and blocked network connections for easier troubleshooting.

  6. Define log file location and size.

    C:\Windows\System32\LogFiles\Firewall\pfirewall.log

    The default log file location is used unless specified otherwise. Adjust log size based on expected network traffic volume.

  7. Access the firewall log.

    Navigate to C:\Windows\System32\LogFiles\Firewall\ and open the pfirewall.log file.

  8. Review the log contents.

    2024-10-19 14:35:22 ALLOW TCP 192.168.1.10 3249 192.168.1.1 80
    2024-10-19 14:35:25 DROP UDP 10.0.0.5 50222 8.8.8.8 53

    Each entry includes the date and time, the action taken (ALLOW or DROP), the protocol, the source IP and port, and the destination IP and port.
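The same procedure from an elevated PowerShell session, as an added example that is not part of the original article. It uses the built-in Set-NetFirewallProfile and Get-NetFirewallProfile cmdlets to turn on logging of both dropped packets and successful connections for all three profiles, confirms what each profile is actually configured to do, and then reads the newest entries. The log path is the article's default; the 32767 KB size limit is a value chosen for this example and should be set to suit expected traffic volume.

```powershell
# Added example: enable, verify, and read Windows Firewall logging from PowerShell.
# Run from an elevated session; the log directory is not readable by standard users.
$logPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'   # article's default path

# Steps 4 to 6 for every profile at once: log dropped packets and successful
# connections to the default file, with a size limit chosen for this example.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True `
    -LogBlocked True `
    -LogFileName $logPath `
    -LogMaxSizeKilobytes 32767

# Verify per profile; a profile left at NotConfigured or False will log nothing.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogAllowed, LogBlocked, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Steps 7 and 8: the file is created once traffic matches a logged action,
# so check for it before reading the most recent entries.
if (Test-Path -Path $logPath) {
    Get-Content -Path $logPath -Tail 20
} else {
    Write-Warning "No log file at $logPath yet; it appears after the first logged connection."
}
```

Setting the options through the cmdlet writes the same configuration the Customize dialog does, so the GUI will show the change afterwards. When a profile is managed by Group Policy, the policy value wins over anything set locally, which is why checking Get-NetFirewallProfile after the change is worth the extra line.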
