
February 17, 2025

How to Configure Windows Firewall Logging and Analyze Logs

If you suspect that the built-in Windows Defender firewall is blocking network connections (from a specific program or service), it is a bad idea to disable it completely. Instead, you can log all network traffic that passes through the Windows Defender Firewall, identify the filtered/dropped packets, find ports and source/destination IP addresses, and then create appropriate allow rules.

In this article, we’ll show how to enable network connection logging in Windows Firewall and how to analyze the logs.

Contents:
  • Enable Logging in Windows Firewall
  • Parsing Windows Firewall Logs with PowerShell
  • View Windows Firewall Logs in Event Viewer

Enable Logging in Windows Firewall

Windows Defender Firewall can log both successful and blocked network connections. Logging can be enabled separately for each network profile (Domain, Private, or Public). By default, traffic logging is disabled in the Windows Firewall. To enable it:

  1. Open the Windows Defender Firewall with Advanced Security MMC snap-in (wf.msc).
  2. Right-click the root of the console and select Properties.
  3. Go to the tab of the network profile for which you want to enable logging (Domain Profile, Private Profile, or Public Profile).
     To check which network profile is assigned to the active network interface, run:
     Get-NetConnectionProfile
  4. On the profile tab, click the Customize button in the Logging section.
  5. Configure the following settings:
     Name: the log file path, by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log
     Size limit: increase the maximum log size from 4 MB to 20 MB (20480 KB)
     Log dropped packets: whether to log connections whose packets were dropped by the firewall
     Log successful connections: logging all successful connections can produce a very large log file quickly

To effectively monitor and understand which network profile (Domain, Private, or Public) is blocking or allowing specific network connections, you can configure Windows Firewall to log the activity of each profile in a separate log file. For example:

  • %windir%\system32\logfiles\firewall\pfirewall_domain.log
  • %windir%\system32\logfiles\firewall\pfirewall_private.log
  • %windir%\system32\logfiles\firewall\pfirewall_public.log

Windows Firewall logging options can also be configured through PowerShell:

Set-NetFireWallProfile -Profile Public -LogBlocked True -LogMaxSize 20480 -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" -Verbose

List the current firewall logging settings for all profiles:

Get-NetFirewallProfile | Select-Object Name, Enabled, Log* | Format-Table


Logging options can also be enabled in Windows Firewall via GPO.
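The per-profile layout described above can be applied in one pass from PowerShell. The following script is an added example and not the article's own code; it assumes the default log directory under %SystemRoot% and the file names suggested earlier, and it must be run from an elevated session:

```powershell
# Added example (not from the original article): enable dropped-packet logging on all three
# firewall profiles, each writing to its own file, then read the effective settings back.
$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"   # default directory, assumed here

foreach ($profileName in 'Domain', 'Private', 'Public') {
    # One file per profile, e.g. pfirewall_domain.log, so the profile that dropped a packet is obvious
    $logFile = Join-Path $logDir "pfirewall_$($profileName.ToLower()).log"

    Set-NetFirewallProfile -Profile $profileName `
        -LogFileName $logFile `
        -LogBlocked True `
        -LogAllowed False `
        -LogMaxSizeKilobytes 20480
}

# Verify: each profile should show its own LogFileName and LogBlocked = True
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogBlocked, LogAllowed, LogMaxSizeKilobytes |
    Format-Table -AutoSize
```

-LogMaxSizeKilobytes is the full parameter name; the article's -LogMaxSize works as an unambiguous prefix of it. If you point the log at a directory outside the default one, make sure the Windows Firewall service account (NT SERVICE\mpssvc) has write access there, otherwise the file is never created and logging silently produces nothing.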

Parsing Windows Firewall Logs with PowerShell

All network connections are now logged to a plain text file by the Windows Firewall. You can open the log file manually, or use PowerShell to search for specific connections in the log file (the Windows equivalent of the grep and tail commands is the Select-String cmdlet).

For example, the following command displays in real-time all filtered (DROP) network connections to TCP port 445 (SMB):

Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -wait | Select-String -pattern "DROP.*TCP.*445"


The following log file format is used:

date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid

Use the following PowerShell function, which displays the log in an Out-GridView table, to analyze firewall log files. The log file starts with comment lines (#Version, #Software, #Time, #Fields) that have to be skipped, otherwise they are parsed as records:

function Get-WindowsFirewallLog {
    param(
        [Parameter(Position = 0, Mandatory = $false)]
        [ValidateScript({ Test-Path $_ })]
        [string]$LogFilePath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    )
    # Field names match the "#Fields:" line of the log (pid is present on current Windows versions)
    $headerFields = @("date", "time", "action", "protocol", "src-ip", "dst-ip", "src-port", "dst-port", "size",
                      "tcpflags", "tcpsyn", "tcpack", "tcpwin", "icmptype", "icmpcode", "info", "path", "pid")
    # Skip the comment header lines and empty lines before converting the space-delimited records
    $firewallLogs = Get-Content $LogFilePath |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $headerFields -Delimiter ' '
    $firewallLogs | Out-GridView -Title "Windows Firewall log: $LogFilePath"
}
Get-WindowsFirewallLog
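Beyond browsing the log in a grid, the usual question is which ports and sources are being dropped most often. The following added example (my code, not the article's) parses the same log format into objects, skips the comment header, and ranks dropped inbound connections by protocol, destination port and source address. The log lines embedded in it are constructed sample data using documentation IP ranges; replace them with Get-Content on the real file, as the comment at the end shows:

```powershell
# Added example (not from the original article): parse pfirewall.log records and summarize drops.

function ConvertFrom-FirewallLog {
    # Takes raw log lines (e.g. from Get-Content) and returns one object per record
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = 'date', 'time', 'action', 'protocol', 'src-ip', 'dst-ip', 'src-port', 'dst-port',
              'size', 'tcpflags', 'tcpsyn', 'tcpack', 'tcpwin', 'icmptype', 'icmpcode', 'info', 'path', 'pid'
    # The file begins with "#Version", "#Software", "#Time" and "#Fields" comment lines; drop them
    # and blank lines so that they are not turned into bogus records
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields -Delimiter ' '
}

function Get-DroppedConnectionSummary {
    # Counts DROP records received by this host, grouped by protocol / destination port / source IP
    param([Parameter(Mandatory)][object[]]$Records, [int]$Top = 10)
    $Records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property protocol, 'dst-port', 'src-ip' |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ Name = 'Protocol'; Expression = { $_.Group[0].protocol } },
            @{ Name = 'DstPort';  Expression = { $_.Group[0].'dst-port' } },
            @{ Name = 'SrcIp';    Expression = { $_.Group[0].'src-ip' } }
}

# Constructed sample log (not real traffic); the header lines mimic the real file layout
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid

2025-02-17 10:15:01 DROP TCP 192.0.2.10 10.0.0.5 51234 445 52 S 1234567 0 8192 - - - RECEIVE 0
2025-02-17 10:15:03 DROP TCP 192.0.2.10 10.0.0.5 51235 445 52 S 1234568 0 8192 - - - RECEIVE 0
2025-02-17 10:15:04 DROP UDP 198.51.100.7 10.0.0.5 50000 137 78 - - - - - - - RECEIVE 0
2025-02-17 10:15:05 ALLOW TCP 10.0.0.5 203.0.113.20 52000 443 0 - 0 0 0 - - - SEND 4812
2025-02-17 10:15:06 DROP TCP 192.0.2.10 10.0.0.5 51236 3389 52 S 1234569 0 8192 - - - RECEIVE 0
'@

$records = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")
Get-DroppedConnectionSummary -Records $records | Format-Table -AutoSize
# Expected: TCP/445 from 192.0.2.10 with Count 2 on top, then UDP/137 and TCP/3389 with Count 1 each.

# On a real system, feed the live file instead of the sample:
# $records = ConvertFrom-FirewallLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The filter on path = RECEIVE separates inbound drops (what an attacker or misconfigured client is hitting) from outbound drops (a local program that a rule is blocking); change it to SEND to investigate the latter, and use the pid column to find the process.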


View Windows Firewall Logs in Event Viewer

It is sometimes more convenient to write Windows Firewall connection logs to the Event Viewer rather than to text files. This can be achieved by enabling audit policies in the local GPO:

  1. Open the local GPO editor (gpedit.msc).
  2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Object Access.
  3. Blocked connections are sent to the Event Viewer by the Audit Filtering Platform Packet Drop policy. Enable the Failure option in the policy settings.
  4. The Audit Filtering Platform Connection policy logs successful connections. It is rarely used because enabling it writes a very large number of events to the log (the maximum size of the Security event log then has to be increased).
  5. Apply the new GPO settings on the computer: gpupdate /force

The same audit policy can be enabled from the command line:

Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /failure:enable

View the current Windows Firewall audit policy settings:

auditpol /get /subcategory:"Filtering Platform Packet Drop","Filtering Platform Connection"


To view Windows Firewall events, open Event Viewer (eventvwr.msc). Expand Windows Logs -> Security. Enable the event filter for the Filtering Platform Packet Drop category.

All connections blocked by the Windows Firewall become visible in the Event Viewer as events with EventID 5152 (The Windows Filtering Platform has blocked a packet). The event description includes the network packet details: protocol number (TCP = 6, UDP = 17, ICMP = 1), source and destination IP address and port, direction (Inbound or Outbound), and the process name (for outgoing connections).


Use the Get-WinEvent PowerShell cmdlet to search and filter Windows Firewall events in Event Viewer. The following PowerShell script finds all connection attempts that are blocked by the Windows Firewall on port 3388 and returns a table with the time and source of the connection:

$destinationPort = "3388"
# XPath filter: Event ID 5152 whose DestPort data field equals the port. The comparison is made on the
# named field itself rather than on any Data element, so a matching SourcePort does not produce false hits.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5152)]]
      and
      *[EventData[Data[@Name='DestPort']='$destinationPort']]
    </Select>
  </Query>
</QueryList>
"@
# Without -ErrorAction, Get-WinEvent throws a terminating error when no matching events exist
$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
$FirewallLogs = foreach ($event in $events) {
    $eventXml = [xml]$event.ToXml()
    $SourceAddress = $eventXml.Event.EventData.Data | Where-Object { $_.Name -eq 'SourceAddress' } | Select-Object -ExpandProperty '#text'
    $DestPort = $eventXml.Event.EventData.Data | Where-Object { $_.Name -eq 'DestPort' } | Select-Object -ExpandProperty '#text'
    [PSCustomObject]@{
        Time          = $event.TimeCreated
        SourceAddress = $SourceAddress
        DestPort      = $DestPort
    }
}
$FirewallLogs
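The script above answers one question (who hit one port). A more reusable shape is to convert every 5152 event into a typed object once, translating the protocol number and the direction resource string into names, and then group however the investigation needs. The following is an added example, not the article's code. It assumes the standard 5152 field names (Direction, Protocol, SourceAddress, SourcePort, DestAddress, DestPort, Application) and the resource ids %%14592 / %%14593 for Inbound / Outbound as they appear in the raw event XML; the two embedded events are constructed samples so the parser can be tried offline, and Get-PacketDropEvents reads the live Security log:

```powershell
# Added example (not from the original article): parse Event ID 5152 records into objects and summarize.

$protocolNames  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }
# Direction is stored as a resource string id in the raw XML (assumed values for 5152)
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

function ConvertFrom-PacketDropXml {
    # Accepts the XML text returned by $event.ToXml() and returns one object per event
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time          = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Direction     = if ($directionNames.ContainsKey($data['Direction'])) { $directionNames[$data['Direction']] } else { $data['Direction'] }
            Protocol      = if ($protocolNames.ContainsKey($data['Protocol'])) { $protocolNames[$data['Protocol']] } else { $data['Protocol'] }
            SourceAddress = $data['SourceAddress']
            SourcePort    = $data['SourcePort']
            DestAddress   = $data['DestAddress']
            DestPort      = $data['DestPort']
            Application   = $data['Application']
        }
    }
}

function Get-PacketDropEvents {
    # Live query of the Security log; returns nothing (instead of an error) when no events match
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-PacketDropXml
}

function Get-PacketDropSummary {
    # Ranks drops by direction, protocol and destination port
    param([Parameter(Mandatory)][object[]]$Events, [int]$Top = 10)
    $Events |
        Group-Object -Property Direction, Protocol, DestPort |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

# Two constructed sample events (documentation IP ranges, not real traffic)
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><TimeCreated SystemTime="2025-02-17T10:15:01.000Z"/></System>
  <EventData>
    <Data Name="ProcessId">0</Data><Data Name="Application">System</Data>
    <Data Name="Direction">%%14592</Data>
    <Data Name="SourceAddress">192.0.2.10</Data><Data Name="SourcePort">51234</Data>
    <Data Name="DestAddress">10.0.0.5</Data><Data Name="DestPort">3388</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><TimeCreated SystemTime="2025-02-17T10:16:20.000Z"/></System>
  <EventData>
    <Data Name="ProcessId">4812</Data><Data Name="Application">\device\harddiskvolume3\program files\app\app.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">10.0.0.5</Data><Data Name="SourcePort">52000</Data>
    <Data Name="DestAddress">203.0.113.20</Data><Data Name="DestPort">8443</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
'@
)

$parsed = $sampleEvents | ConvertFrom-PacketDropXml
$parsed | Format-Table Time, Direction, Protocol, SourceAddress, DestAddress, DestPort, Application -AutoSize
Get-PacketDropSummary -Events $parsed | Format-Table -AutoSize

# On a real system: Get-PacketDropSummary -Events (Get-PacketDropEvents -Since (Get-Date).AddHours(-1))
```

Outbound drops carry the Application path, which is the quickest way to tell which local program a rule is blocking; inbound drops carry no useful process name, so group those by SourceAddress and DestPort instead.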


Enabling firewall logging allows you to inspect all allowed and dropped network connections, helping identify errors in your Windows Firewall rules and create accurate ones.
