Enabling Windows Firewall audit logging

Windows Firewall with Advanced Security can log firewall activity such as dropped packets or successful connections. By default the firewall log is:

%windir%\system32\logfiles\firewall\pfirewall.log

You can configure firewall logging by using Group Policy if desired. But what if you want to collect more detailed logging of firewall activity such as kernel mode connections/drops and other filtering activity? You can do this by enabling Windows Filtering Platform (WFP) audit logging as follows:

Auditpol /set /category:”System” /SubCategory:”Filtering Platform Packet Drop” /success:enable /failure:enable

Auditpol /set /category:”System” /SubCategory:”Filtering Platform Connection” /success:enable /failure:enable

Note that this form of logging may be very verbose, so be careful when enabling this on a computer in your production environment.

Mitch Tulloch is a eight-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization.  This tip was excerpted from his new book Installing and Configuring Windows Server 2012 Training Guide published by Microsoft Press which is available from Amazon.  For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top