Sometimes it would be great to see what's going on with the firewall on the local computer or server. Here is a quick way to do so 🙂
To enable logging of packets:
1. Launch the Windows Firewall Console on the Target Computer.
2. Select the Windows Defender Firewall tab and click Properties in the Actions menu.
3. Inside the Properties tab, select the Customize button under Logging.
4. Select Yes in both the Log dropped packets and Log successful connections dropdown menus.
5. Press OK to close the Logging Settings menu and again to close the Windows Defender Firewall Properties.
6. Verify you are able to read the log file. If not, open the Log Files Security tab and enable Read permissions for your account.
- You can find the log at: C:\Windows\System32\LogFiles\Firewall
- By default, the log is named pfirewall.log
If you are running on a DC, you need to adjust the permissions on the log folder, otherwise the firewall service cannot write to it:
1. Create the folder %systemroot%\system32\LogFiles\Firewall\
2. Grant Full Control on the folder to the user "NT Service\MPSSVC"
3. Reboot the server
PowerShell to the rescue:
Get log output as the file gets written (live tail):
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Wait
Find every line containing "53" (e.g. DNS traffic). Note that the pattern matches "53" anywhere in the line, so addresses like 10.0.53.1 will match too:
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Wait | Select-String -Pattern '53'
Or use this great parser by Daniel Streefkerk from http://daniel.streefkerkonline.com:
#requires -version 3
<#
.SYNOPSIS
Get-WindowsFirewallLog – A quick and dirty Windows Firewall log parser
.DESCRIPTION
Not designed to do anything fancy.
Just parses the Windows Firewall log and displays it in a PowerShell GridView
.LINK
https://github.com/dstreefkerk/PowerShell/blob/master/Get-WindowsFirewallLog.ps1
.NOTES
Written By: Daniel Streefkerk
Website: http://daniel.streefkerkonline.com
Twitter: http://twitter.com/dstreefkerk
Todo: Nothing at the moment
Change Log
v1.0, 01/11/2018 – Initial version
#>
function Get-WindowsFirewallLog {
    param(
        [parameter(Position=0,Mandatory=$false)]
        [ValidateScript({Test-Path $_})]
        [string]$LogFilePath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    )
    # CSV header fields, to be used later when converting each line of the tailed log from CSV
    $headerFields = @("date","time","action","protocol","src-ip","dst-ip","src-port","dst-port","size","tcpflags","tcpsyn","tcpack","tcpwin","icmptype","icmpcode","info","path")
    # Read in the firewall log, skipping the '#Version', '#Software', '#Fields' comment lines
    # and blank lines, which would otherwise be turned into bogus records
    $firewallLogs = Get-Content $LogFilePath |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $headerFields -Delimiter ' '
    # Output logs into a gridview
    $firewallLogs | Out-GridView
}
Get-WindowsFirewallLog
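As an added example (not part of the original post and not Daniel Streefkerk's script), here is a parser that skips the log's '#' header lines, takes the column names from the file's own '#Fields:' header, and then filters on the dst-port field instead of grepping for a bare "53". The log content is constructed sample data and the function name ConvertFrom-FirewallLog is my own.

```powershell
# Added example: parse pfirewall.log-style lines and summarise them.
# The log content below is constructed sample data, not a real capture.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:01:02 DROP UDP 10.0.0.25 10.0.0.1 51234 53 64 - - - - - - - SEND
2024-01-15 10:01:03 ALLOW TCP 10.0.0.25 10.0.0.1 51235 53 0 - 0 0 0 - - - SEND
2024-01-15 10:01:05 DROP TCP 10.0.53.7 10.0.0.25 44000 3389 52 S 1 0 65535 - - - RECEIVE
2024-01-15 10:01:06 DROP TCP 10.0.53.7 10.0.0.25 44001 445 52 S 1 0 65535 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Take the column names from the '#Fields:' header so the parser follows the file, not a hard-coded list
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found; is this a Windows Firewall log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

    # Drop comment and blank lines, then treat the rest as space-delimited CSV
    $Lines |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $header -Delimiter ' '
}

# For a real file use: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$events = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")

# Inbound drops grouped by destination port: a quick view of which ports are being probed
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object @{n='DstPort';e={$_.Name}}, Count

# DNS traffic matched on the port field; unlike Select-String '53' this ignores the 10.0.53.7 source address
$events |
    Where-Object { $_.'dst-port' -eq '53' } |
    Format-Table date, time, action, protocol, 'src-ip', 'dst-ip', path
```

With the sample data the first table shows one drop each for ports 3389 and 445, and the second lists only the two outbound DNS events.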