


How To Check Windows Firewall Logs

Simple Network Monitoring With Windows Firewall Logging And Reporting

The Windows native firewall has been around for some time now. It first made its appearance in Windows XP as the Internet Connection Sharing Firewall, which was a basic inbound firewall. In Windows XP SP2 it was turned on by default, and by Windows Vista it had grown up to be both inbound and outbound capable.

Currently the firewall supports a number of key features that rival desktop firewalls available from security vendors. It supports inbound and outbound rules, it has support for various protocols and application configurations, and it supports profiles for Domain, Private and Public networks. It is manageable through Group Policy, PowerShell, Netsh and the GUI.

But there is one big missing component. Like a person with really low self-esteem, it fails in telling you what it does!

By default, the Windows firewall does not log its actions. There are also no native tools to show you what it does or help you track potential issues.

This is where WebSpy Vantage can step in and help. By enabling Windows Firewall logging and using WebSpy Vantage to centrally report across all Windows Firewall logs, you can have a simple network monitoring solution up and running in moments.

This article will step through the process of first enabling and configuring logging in Windows Firewall. The second part will show you how to use WebSpy Vantage to analyse and report on the logs.

Enabling and Configuring Windows Firewall Logging

As mentioned earlier, there are many ways of configuring Windows Firewall. For this article, I will show you how to enable Windows Firewall logging using the Windows Firewall GUI and PowerShell.

Method 1: Windows Firewall GUI

  1. Open the Advanced Firewall Management Snap-in (WF.msc)
  2. Select Action | Properties from the main menu
  3. On the Domain Profile tab, click Customize under the Logging section.
  4. Increase the file maximum size.
  5. Turn on logging for dropped packets
  6. Turn on logging for successful connections

Method 2 – PowerShell

  1. Open a PowerShell window as Administrator and execute:
    Set-NetFirewallProfile -name domain -LogMaxSizeKilobytes 10240 -LogAllowed true -LogBlocked true

By default your firewall will start logging to %systemroot%\system32\LogFiles\Firewall\pfirewall.log. You may like to change this to a central logging server.

Check that the log is being populated

You can now use the robust Windows reporting solution supplied by Microsoft to make sure the log is being written to. Notepad!

Okay, it's not that robust, but it is enough to show you that data is coming in. If you kept the default log location, navigate to "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" and open the log.

You will notice that the data is quite basic, but even this level of metadata can be very valuable when used in the right context.
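
To show what that basic metadata can yield without any extra tooling, here is an added example (not part of the original article) that parses a pfirewall.log and summarises allowed destination ports per host and dropped packets per source. The log lines are constructed sample data; the column names are read from the file's own #Fields header rather than hard-coded.

```python
from collections import Counter, defaultdict

# Constructed sample in the pfirewall.log layout (header lines start with '#').
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:02:11 ALLOW TCP 10.0.0.5 10.0.0.20 49812 445 0 - 0 0 0 - - - SEND
2024-01-15 10:02:12 ALLOW TCP 10.0.0.5 10.0.0.20 49813 3389 0 - 0 0 0 - - - SEND
2024-01-15 10:02:13 DROP UDP 10.0.0.77 10.0.0.5 5353 5353 78 - - - - - - - RECEIVE
2024-01-15 10:02:14 DROP TCP 10.0.0.77 10.0.0.5 51000 23 52 S 100 0 8192 - - - RECEIVE
2024-01-15 10:02:15 DROP ICMP 10.0.0.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:02:16 truncated line
"""


def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or partial writes
                yield dict(zip(fields, values))


def summarise(entries):
    """Return (allowed dst ports per dst IP, DROP count per source IP)."""
    allowed_ports = defaultdict(set)
    dropped_by_src = Counter()
    for e in entries:
        # ICMP entries carry '-' instead of a port number, so test for digits.
        if e["action"] == "ALLOW" and e["dst-port"].isdigit():
            allowed_ports[e["dst-ip"]].add(int(e["dst-port"]))
        elif e["action"] == "DROP":
            dropped_by_src[e["src-ip"]] += 1
    return dict(allowed_ports), dropped_by_src


if __name__ == "__main__":
    ports, drops = summarise(parse_firewall_log(SAMPLE_LOG))
    for ip, seen in sorted(ports.items()):
        print(f"allowed to {ip}: ports {sorted(seen)}")
    for ip, count in drops.most_common():
        print(f"dropped from {ip}: {count}")
```

To run it against a real log, pass the contents of a copy of pfirewall.log to `parse_firewall_log` in place of `SAMPLE_LOG`.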


Using WebSpy Vantage to Analyse Windows Firewall logs

WebSpy Vantage is a powerful log analysis and reporting framework and can be used for far more than just reporting Internet web usage. You will see below how it can enable you to make use of data that you might otherwise ignore.

Create a Storage and Import the Windows Firewall logs

  1. Open the WebSpy Vantage console on your server (30 Day free trial available)
  2. Select Storages | Import Logs
  3. Specify a name for your storage (such as Windows Firewall) and click Next
  4. For the input type choose Local or networked files or folders
  5. For loader selection choose Microsoft ICF (Internet Connection Firewall)
  6. For Input selection click Add | Folder and select your log file path (e.g. C:\WINDOWS\System32\LogFiles\Firewall\)
  7. Click OK to start importing your logs (do not worry about the additional three 'advanced' pages in the wizard)


You will see your log file(s) begin to import and will be notified when the import has completed. You might like to go to the Tasks tab at this stage and add a new Daily task (say for 1 am) to import new hits into existing storage automatically.

Analyzing Windows Firewall logs

Now that you have imported your Windows Firewall logs into a WebSpy Vantage storage, you can use that Storage for analysis and reporting. Even if you delete the original log files, your Storage will not be affected.

  1. Select the Summaries tab and click New Analysis
  2. Select the Windows Firewall Storage created earlier and click Next
  3. Select Ad-hoc analysis and click OK.

You can see that even using the very basic log data from Windows Firewall, valuable information can be manipulated using the Summaries tab. For example, the screenshot below shows how you can drill down to investigate the Destination Ports that Windows Firewall allowed on a specific IP address.


Reporting on Windows Firewall Logs

You can also create report templates to extract information into a single document such as the most active devices or the most blocked traffic. You can filter, graph and table the data to your own designs and specification.


Analyzing Multiple Windows Firewall Logs

What makes Windows Firewall great is that you literally have them everywhere, and so you can use them to listen to the network and tell you what is happening. In the same way a botnet works, the collective is far more powerful than the sum of its members.

WebSpy Vantage is able to import logs from multiple machines and combine them into a single storage. Alternatively, you can import them into discrete/separate storages. You can then generate an analysis or report on one or more storages.

Having this collective view of your network is very powerful, and it enables you to mine useful information by combining the fragments of the larger network traffic picture.

If all of this sounds like a lot of effort, don't worry, you can automate all of the tasks and receive daily, weekly or monthly reports by email, showing what is happening on individual machines, and across your network.

Conclusion

WebSpy Vantage allows you to consolidate your Windows Firewall logs, enabling central monitoring and reporting across your network. By adding the missing reporting component, you bring Windows Firewall in line with some of the other vendors' desktop firewall products.

Depending on the compliance you are trying to achieve for your environment, you would now be able to prove that you have a managed firewall strategy that is actively protecting your desktops.


Based in Cape Town, South Africa, Etienne is an IT Professional working in various environments building, testing and maintaining systems for a large national retail chain. An IT professional since 1996, Etienne has worked in various environments and is certified by (ISC)2, CompTIA, Dell and Microsoft. Etienne is the technical blogger and primary technical consultant for FixMyITsystem.com, a solutions provider company based in Cape Town with a global client base.

Source: https://www.webspy.com/blog/simple-network-monitoring-with-windows-firewall-logging-and-reporting/

Posted by: labombardtrage1936.blogspot.com
