Windows Firewall logs can be crucial for diagnosing specific problems:
- A program you're using can't connect to the internet, even though no other software has the problem. One step toward fixing this is to check that Windows Firewall isn't dropping the program's connection attempts.
- You suspect your computer is being used to transmit data by malicious software and want to watch the traffic leaving your firewall for suspicious connections.
- You've created new firewall rules for allowing and blocking connections and just want to confirm that Windows Firewall is behaving the way you expect.
Regardless of your reasons, enabling logging for Windows Firewall takes a fair amount of menu diving. Let's break it down into manageable steps and walk through how to log your Windows Firewall activity.
Accessing Windows Firewall
First, you want to reach the Windows Firewall advanced settings. Open the Control Panel, then click "Windows Firewall" if you're in Small/Large Icon view. If you're in Category view, click "System and Security," then "Windows Firewall." (On Windows 10 and later the applet is called "Windows Defender Firewall"; the steps are otherwise the same.)
In the Windows Firewall window, click “Advanced settings” on the left bar.
The "Windows Firewall with Advanced Security" console opens.
What you're seeing is the more technical side of Windows Firewall. This is where you go to allow or block a program from accessing the Internet, and to set what can and can't come in (inbound) or leave (outbound) your PC. It's also where you set up the log, but it's not immediately obvious where.
Accessing the Log Settings
First, select “Windows Firewall with Advanced Security on Local Computer” on the left box.
On the bar on the right side, click "Properties."
This is where things get a little confusing. If you click through the tabs at the top of the Properties window, you'll notice that the first three tabs have exactly the same content but cover different "profiles," as stated in their tab names. Each of them has a "Logging" section, which is what you want. Logging is configured per profile, so you need to enable it on the profile Windows is currently applying to your connection (by default all three profiles write to the same log file, so enabling it on more than one is harmless). So, which profile are you using?
Here's what each profile means:
- Domain Profile applies when your computer is joined to an Active Directory domain and is connected to a network where it can reach a domain controller. If none of that means anything to you, it's highly unlikely this is the profile you want.
- Private Profile is for networks you have marked as "private," such as home and personal networks, and is therefore the one you're most likely to want.
- Public Profile is for networks marked as "public," which is what Windows assigns by default to unfamiliar networks such as café, airport, library, and other public WiFi.
If you're at home on your own network, click the Private Profile tab; on a public network, use the Public Profile tab. If you're not sure which applies (the "Monitoring" node in the left pane shows which profile is currently active), or the PC moves between networks, enable logging on all three tabs. Once on the right tab, click "Customize…" under "Logging."
Starting the Logging Process
In this window you can set the location and maximum size of the log. The default is %systemroot%\system32\LogFiles\Firewall\pfirewall.log with a 4,096 KB limit; when the file fills up, Windows renames it to pfirewall.log.old and starts a fresh one, so on a busy machine the history you keep is short. You can move the log somewhere more memorable, but it doesn't really matter where it goes; you'll see why later. If you just want to start logging right away, set both "Log dropped packets" and "Log successful connections" to "Yes" and OK out of the box. Dropped packets are what you want when diagnosing a program that can't connect; successful connections are what you want when watching for suspicious traffic, but they are also what fills the log quickly and costs the most disk activity, so only leave that setting on while you are actively monitoring. To turn logging off, set both drop-downs back to "No."
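The same configuration can be done from an elevated PowerShell prompt instead of clicking through the Properties dialog. The following is an added example, not code from the original article; it uses the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and the Windows default log path, which you can change to suit.

```powershell
# Added example: configure Windows Firewall logging from an elevated PowerShell
# prompt. Run as Administrator. $LogPath is the Windows default; change it if
# you prefer a more memorable location.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Enable logging on all three profiles so you do not have to guess which one
# the current network uses. LogBlocked records dropped packets (the setting you
# want when a program cannot connect); LogAllowed records every successful
# connection, which is useful for spotting suspicious traffic but grows the
# log quickly, so turn it on only while you are actively monitoring.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogAllowed True `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 4096

# Verify the settings took effect on every profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# Show which profile is active right now: the firewall applies the profile that
# matches each connection's NetworkCategory (DomainAuthenticated, Private, Public).
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# When you are done monitoring, switch logging back off:
#   Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked False -LogAllowed False

# On Windows 7, which lacks these cmdlets, the netsh equivalent is:
#   netsh advfirewall set allprofiles logging droppedconnections enable
#   netsh advfirewall set allprofiles logging allowedconnections enable
```

Enabling logging on all three profiles is deliberate: it costs nothing when a profile is inactive, and it removes the most common reason the log stays empty, which is having turned logging on for a profile Windows was not applying to your connection.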
Reading the Log
Now your computer is logging firewall activity for that profile. To view the log, go back to the main Advanced Security window, click "Monitoring" on the left, then under "Logging Settings" click the link next to "File Name."
This opens the log in Notepad. There's a lot going on in it, so you may be confused by what you're seeing. Here's a brief analysis of the more important columns, in the order they appear on each line.
- The date and time of the packet (local time by default).
- What happened to it. "ALLOW" means the firewall let the packet through, while "DROP" means it blocked it. If you're diagnosing a connection error, a run of DROP entries for the program's traffic pinpoints Windows Firewall as the problem.
- The protocol: TCP, UDP, or ICMP.
- In order: the source IP, the destination IP, the source port, and the destination port. For traffic your PC sends, the source is your PC and the destination is the remote host (such as a web server); for traffic it receives, the two are reversed, so check the last column before deciding which side is which. The destination port is the one you'll need to open if a program's traffic is being dropped. Also keep an eye out for suspicious connections, such as outbound traffic to unfamiliar addresses on unusual ports; it might be malware at work.
- Whether your computer was sending the packet (SEND) or receiving it (RECEIVE), in the last column.
The above should allow you to get started with figuring out connection issues. The logger records more than this, such as the packet size, the TCP flags, and the TCP sequence and acknowledgement numbers. If you're interested in those finer details, the "#Fields" line at the top of the log names every column in order. Don't forget to turn the logger off again when finished!
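Reading a busy log by eye gets old quickly. The following added example (not from the original article) parses the log's W3C-style layout in PowerShell, using the "#Fields" line to name the columns, and then answers the three questions from the start of the article: which outbound traffic is being dropped, which allowed outbound connections look unusual, and who is knocking on the machine from outside. The sample lines are constructed for illustration; the private-address pattern and the list of "expected" ports are assumptions you should tune to your own environment.

```powershell
# Added example: summarise a Windows Firewall log. The $sample below is a
# constructed stand-in for the real file; replace it with Get-Content $LogPath.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Constructed sample in the real log's layout. The #Fields line names the columns.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:22 DROP TCP 192.168.1.10 203.0.113.25 51234 443 52 S 1234567 0 65535 - - - SEND
2024-03-01 10:15:23 ALLOW UDP 192.168.1.10 192.168.1.1 53212 53 0 - - - - - - - SEND
2024-03-01 10:15:25 DROP UDP 198.51.100.7 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2024-03-01 10:15:31 DROP TCP 192.168.1.10 203.0.113.25 51235 443 52 S 1234568 0 65535 - - - SEND
2024-03-01 10:16:02 ALLOW TCP 192.168.1.10 198.51.100.99 51240 4444 52 S 1234599 0 65535 - - - SEND
'@
$lines = $sample -split "`r?`n"
# For the real log use:  $lines = Get-Content $LogPath

# Take the column names from the #Fields header instead of hard-coding them,
# so the script keeps working if a future version adds or reorders columns.
$fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$headers = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

# Skip blank and comment lines, then parse the space-separated records.
$records = $lines |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ConvertFrom-Csv -Delimiter ' ' -Header $headers

# 1. Is the firewall blocking a program? Outbound DROPs grouped by destination.
"Outbound drops by destination (ip, port):"
$records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
    Group-Object 'dst-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Suspicious outbound traffic: ALLOWed SEND packets to a non-private address
#    on a port outside the usual services. The private ranges (RFC 1918 plus
#    loopback) and the port list are assumptions; adjust them for your network.
#    Treat hits as leads to investigate, not as a verdict.
$expectedPorts = 53, 80, 123, 443, 587, 993
"Allowed outbound connections to public addresses on unusual ports:"
$records | Where-Object {
    $_.action -eq 'ALLOW' -and $_.path -eq 'SEND' -and
    $_.'dst-ip' -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)' -and
    [int]$_.'dst-port' -notin $expectedPorts
} | Select-Object date, time, protocol, 'src-port', 'dst-ip', 'dst-port' | Format-Table -AutoSize

# 3. Unsolicited inbound traffic the firewall dropped, grouped by source.
"Inbound drops by source:"
$records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

With the constructed sample, the first report shows two drops to 203.0.113.25 on port 443 (a program whose HTTPS traffic a block rule is catching), the second flags the allowed connection to 198.51.100.99 on port 4444, and the third shows one NetBIOS probe from 198.51.100.7. The log only records what Windows Firewall itself saw, so a connection that fails for another reason (DNS, a router, a proxy) will not appear as a DROP here; that absence is itself useful evidence when deciding whether the firewall is to blame.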
Smarter Network Diagnostics
By using the Windows Firewall log, you can better analyse the kind of traffic your PC is handling. You can then work out whether network issues are due to the firewall or whether something else is disrupting your connections. With these steps you can peek into the inner workings of your firewall and get an idea of what is happening on your network.