Windows Firewall – Traffic debugging

Sometimes it would be great to see what's going on with the firewall on the local computer / server. Here is a quick way to do so 🙂

To enable packet logging:

1. Launch the Windows Firewall Console on the Target Computer.

2. Select the Windows Defender Firewall tab and click Properties in the Actions menu.

3. Inside the Properties tab, select the Customize button under Logging.

4. Select Yes in both the Log dropped packets and the Log successful connections dropdown menus.

5. Press OK to close the Logging Settings menu and again to close the Windows Defender Firewall Properties.

6. Verify you are able to read the log file. If not, open the Log Files Security tab and enable Read permissions for your account.

  • You can find the log at: C:\Windows\System32\LogFiles\Firewall.
  • By default, the log is named pfirewall.log .


If you are running on a DC, you need to modify permissions on the log folder:

1. Create the folder %systemroot%\system32\LogFiles\Firewall\
2. Grant Full Control on the folder to the user "NT Service\MPSSVC"
3. Reboot the server


PowerShell to the rescue:

Tail the log as the file is written (live):

Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Wait

Find every line containing "53" (e.g. DNS traffic on port 53). Note that Select-String matches the pattern anywhere on the line, so an IP address or timestamp containing "53" will match as well:

Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Wait | Select-String -Pattern '53'

Use this great parser from http://daniel.streefkerkonline.com

#requires -version 3
<#
.SYNOPSIS
Get-WindowsFirewallLog - A quick and dirty Windows Firewall log parser

.DESCRIPTION
Not designed to do anything fancy.

Just parses the Windows Firewall log and displays it in a PowerShell GridView

.LINK
https://github.com/dstreefkerk/PowerShell/blob/master/Get-WindowsFirewallLog.ps1

.NOTES
Written By: Daniel Streefkerk
Website: http://daniel.streefkerkonline.com
Twitter: http://twitter.com/dstreefkerk
Todo: Nothing at the moment

Change Log
v1.0, 01/11/2018 - Initial version
#>
function Get-WindowsFirewallLog {
param(
[parameter(Position=0,Mandatory=$false)]
[ValidateScript({Test-Path $_})]
[string]$LogFilePath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
)

# CSV header fields, to be used later when converting each line of the tailed log from CSV
$headerFields = @("date","time","action","protocol","src-ip","dst-ip","src-port","dst-port","size","tcpflags","tcpsyn","tcpack","tcpwin","icmptype","icmpcode","info","path")

# Read in the firewall log. The file starts with a few "#Version:", "#Software:",
# "#Time Format:" and "#Fields:" comment lines plus a blank line; skip those so
# they do not turn into garbage rows in the CSV conversion.
$firewallLogs = Get-Content $LogFilePath |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ConvertFrom-Csv -Header $headerFields -Delimiter ' '

# Output logs into a gridview
$firewallLogs | Out-GridView
}

Get-WindowsFirewallLog
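Instead of grepping for "53" or scrolling a GridView, it is often more useful to summarise what the firewall is dropping. The following is an added example (not from the original post or from Daniel Streefkerk's script): it takes the column names from the log's own "#Fields:" line, skips the comment lines, and reports the most frequently dropped protocol/destination-port pairs with the source addresses involved. The sample log lines are constructed for illustration; the function name Get-FirewallDropSummary is my own.

```powershell
# Added example. Reads pfirewall.log lines, derives the header from the
# "#Fields:" line, and summarises DROP events by protocol and destination port.
function Get-FirewallDropSummary {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$Top = 5
    )
    # Take column names from the log itself rather than hardcoding them, so a
    # field added or reordered in a future Windows build does not shift the data.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header line found in the log' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

    # Drop the comment lines and the blank separator line before CSV conversion
    $records = $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $header -Delimiter ' '

    # Count drops per protocol/destination port and list the sources behind them
    $records |
        Where-Object { $_.action -eq 'DROP' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property @(
            @{ n = 'Protocol'; e = { $_.Group[0].protocol } },
            @{ n = 'DstPort';  e = { $_.Group[0].'dst-port' } },
            @{ n = 'Drops';    e = { $_.Count } },
            @{ n = 'Sources';  e = { ($_.Group.'src-ip' | Sort-Object -Unique) -join ',' } }
        )
}

# Constructed sample in the pfirewall.log format (header block plus a few events).
# In practice use: Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 09:00:01 DROP TCP 10.0.0.5 10.0.0.10 51000 445 52 S 0 0 8192 - - - RECEIVE
2024-01-15 09:00:02 DROP TCP 10.0.0.5 10.0.0.10 51001 445 52 S 0 0 8192 - - - RECEIVE
2024-01-15 09:00:03 DROP UDP 10.0.0.7 10.0.0.10 53412 53 78 - - - - - - - RECEIVE
2024-01-15 09:00:04 ALLOW TCP 10.0.0.10 10.0.0.1 49152 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-FirewallDropSummary -LogLines $sample | Format-Table -AutoSize
```

On the sample above this lists TCP/445 with 2 drops from 10.0.0.5 and UDP/53 with 1 drop from 10.0.0.7; the ALLOW line is ignored.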
