Every Windows system comes equipped with a built-in firewall, a critical component of its security posture. The Microsoft Defender Firewall (previously Windows Firewall) acts as a gatekeeper, controlling incoming and outgoing network traffic based on predefined rules. While it diligently protects your system, its default configuration doesn’t tell you much about the traffic it’s allowing or blocking.
This is where Windows Firewall logs come in. These logs record detailed information about the firewall’s activity, providing invaluable insights for troubleshooting network connectivity problems, identifying potential security threats, and ensuring compliance. For developers, DevOps engineers, and SREs, knowing how to check firewall logs is a fundamental skill for maintaining secure and reliable Windows environments, whether on workstations or Windows Server instances. This guide will walk you through enabling, locating, interpreting, and managing these essential logs.
What is the Windows Defender Firewall?
The Windows Defender Firewall is a stateful host-based firewall included with Microsoft Windows operating systems. Its primary function is to filter network traffic travelling to and from your system. It examines the source and destination IP addresses, protocols, and port numbers of network packets and compares them against a set of configured rules to decide whether to allow or block the communication.
The Windows Defender Firewall with Advanced Security management console (accessible via wf.msc) provides granular control over these rules and settings, including the ability to configure logging.
Why Check Firewall Logs?
Firewall logs might seem like just another set of system files, but they contain crucial information. Here’s why checking them is important:
- Troubleshooting Connectivity: When an application can’t connect to a server, or users can’t access a resource, the firewall logs are often the first place to check. Logs showing dropped packets can pinpoint exactly which rule is blocking the necessary traffic.
- Security Monitoring: Regularly reviewing firewall logs helps detect suspicious activity. You can identify repeated attempts to connect to closed ports (port scanning), see unexpected successful connections that might indicate a misconfiguration or compromise, or monitor traffic blocked by specific security rules. This is a key aspect of firewall log monitoring.
- Auditing and Compliance: Many security standards and regulations require logging of network activity. Firewall logs provide an audit trail of allowed and blocked connections, helping organizations meet compliance mandates.
- Understanding Network Traffic: Logs provide a real-world view of the types of traffic hitting your system, helping you refine firewall rules for better security and performance.
In short, a firewall log is a detailed record of the firewall’s decisions, critical for both operational stability and security posture.
Enabling Windows Firewall Logging
By default, Windows Defender Firewall does not log its activity. You need to explicitly enable logging for the specific network profiles (Domain, Private, Public) you want to monitor. You can enable logging using several methods:
Method 1: Using Windows Defender Firewall with Advanced Security (GUI)
This is the most straightforward method for a single machine.
1. Press Windows Key + R, type wf.msc, and press Enter. This opens the “Windows Defender Firewall with Advanced Security” console.
2. In the left pane, right-click on “Windows Defender Firewall with Advanced Security” and select “Properties”. Alternatively, click “Windows Defender Firewall Properties” in the center Overview section.
3. A dialog box with tabs for “Domain Profile,” “Private Profile,” and “Public Profile” will appear. Select the tab corresponding to the network profile you want to configure logging for (you may need to configure all three depending on your needs).
4. Under the “Logging” section, click the “Customize…” button.
5. Configure the logging settings:
   - Name (Log file path): The default location is %windir%\system32\logfiles\firewall\pfirewall.log. It’s highly recommended to change this to include the profile name (e.g., pfirewall_Private.log), especially if logging for multiple profiles. Ensure the specified folder exists and the firewall service has write permissions (more on this later).
   - Size limit (KB): The default is small (4,096 KB). Increase this significantly (e.g., 20,480 KB or 20MB) to prevent logs from overwriting too quickly. The maximum is 32,767 KB.
   - Log dropped packets: Change the dropdown to “Yes” to log connections or packets that the firewall blocked. This is essential for troubleshooting blocked connections.
   - Log successful connections: Change the dropdown to “Yes” to log connections that the firewall allowed. This is useful for auditing and detecting unusual allowed traffic.
6. Click “OK” on the Customize Logging Settings window.
7. Click “OK” on the Properties window.
8. Repeat steps 3-7 for other profiles if needed.
Method 2: Using Group Policy (GPO)
In an Active Directory domain environment, Group Policy is the preferred method for configuring firewall logging consistently across multiple computers.
1. Open the Group Policy Management Console (gpmc.msc).
2. Create a new GPO or edit an existing one that applies to the desired computers.
3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall with Advanced Security - LDAP://...
4. Right-click and select “Properties” or click “Windows Defender Firewall Properties” in the main pane.
5. Configure the logging settings on the Domain, Private, and Public profile tabs just as described in the GUI method (Step 5 above).
6. Link the GPO to the appropriate Organizational Units (OUs).
Method 3: Using Command Line (netsh)
You can enable logging quickly using the netsh command-line utility. Open Command Prompt or PowerShell as an administrator.
- To enable logging for dropped packets on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
- To enable logging for successful connections on all profiles:
netsh advfirewall set allprofiles logging allowedconnections enable
- To set the log file location for the domain profile (example):
netsh advfirewall set domainprofile logging filename "%windir%\system32\logfiles\firewall\pfirewall_Domain.log"
- To set the maximum log size for the domain profile (example 20MB):
netsh advfirewall set domainprofile logging maxfilesize 20480
(Repeat the set <profile>profile commands for privateprofile and publicprofile as needed.)
Method 4: Using PowerShell
PowerShell provides cmdlets for managing the firewall. Open PowerShell as an administrator.
- To enable logging for blocked packets on the Domain profile:
Set-NetFirewallProfile -Profile Domain -LogBlocked True
- To enable logging for allowed connections on the Domain profile:
Set-NetFirewallProfile -Profile Domain -LogAllowed True
- To set the log file location for the Private profile:
Set-NetFirewallProfile -Profile Private -LogFileName "%windir%\system32\logfiles\firewall\pfirewall_Private.log"
- To set the maximum log size for the Public profile (example 32MB):
Set-NetFirewallProfile -Profile Public -LogMaxSizeKilobytes 32767
(Adjust the -Profile parameter (Domain, Private, Public) as needed.)
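The four PowerShell commands above each touch one setting on one profile. The script below, an added example rather than code from the article, applies the article’s recommendations (profile-specific file names, a 20 MB size limit, dropped-packet logging on) to all three profiles in one pass, creates the log directory if it is missing, and reads the effective settings back so the change can be verified instead of assumed. It assumes an elevated session and the NetSecurity module that ships with Windows 8 / Server 2012 and later; the variable names and the choice to leave allowed-connection logging off are this example’s own.

```powershell
# Added example (not from the article): configure logging for all three
# profiles with profile-specific file names, then read the settings back.
# Run in an elevated PowerShell session. Assumes the NetSecurity module
# (Set-NetFirewallProfile / Get-NetFirewallProfile) is available.

$LogDir     = "$env:windir\System32\LogFiles\Firewall"
$MaxSizeKB  = 20480     # 20 MB; the firewall caps this setting at 32767 KB
$LogAllowed = $false    # allowed-connection logging is noisy; enable it deliberately

if (-not (Test-Path -Path $LogDir)) {
    # A missing directory is a common reason the log file never appears.
    New-Item -Path $LogDir -ItemType Directory | Out-Null
}

foreach ($Profile in 'Domain', 'Private', 'Public') {
    $LogFile = Join-Path -Path $LogDir -ChildPath "pfirewall_$Profile.log"
    Set-NetFirewallProfile -Profile $Profile `
        -LogFileName $LogFile `
        -LogMaxSizeKilobytes $MaxSizeKB `
        -LogBlocked True `
        -LogAllowed $(if ($LogAllowed) { 'True' } else { 'False' })
}

# Read the effective configuration back so the change can be verified
# (and recorded in a change ticket) rather than assumed.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed |
    Format-Table -AutoSize
```

If the machine receives these settings from a GPO, the values shown by Get-NetFirewallProfile are the policy’s, and a local Set-NetFirewallProfile will not override them; in that case make the change in the GPO as described in Method 2.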
Locating the Firewall Log File
Unless you specified a custom path during configuration, the default Windows firewall log location is:
C:\Windows\System32\LogFiles\Firewall\pfirewall.log
You can also use the environment variable: %windir%\System32\LogFiles\Firewall\pfirewall.log
If you followed the recommendation to use profile-specific names, you’ll find files like pfirewall_Domain.log, pfirewall_Private.log, etc., in that same directory. You’ll need administrative privileges to access this folder and view the log files.
Understanding the Firewall Log Format
The pfirewall.log file is a plain text file, typically using the W3C Extended Log File Format. It can be opened with any text editor (like Notepad, Notepad++, VS Code).
The log has two main sections:
- Header: Starts with #. Provides metadata about the log version, start time, and the fields included in the log entries. Key lines include:
  - #Version: Indicates the log format version.
  - #Software: Identifies the logging software (Microsoft Windows Defender Firewall).
  - #Fields: Defines the columns present in the log body.
- Body: Contains the actual log entries, one per line. Each entry details a specific packet or connection attempt that matched the logging criteria (dropped or successful).
Here’s a breakdown of common fields you’ll find in the #Fields: line and the log body:
- date: Date the event occurred.
- time: Time the event occurred (UTC). Confirm this against the log’s #Time Format: header line before correlating entries with other sources.
- action: The action taken by the firewall (DROP, ALLOW, OPEN-INBOUND, CLOSE-INBOUND, etc.).
- protocol: The network protocol used (TCP, UDP, ICMP, etc.).
- src-ip: Source IP address of the packet.
- dst-ip: Destination IP address of the packet.
- src-port: Source port number (for TCP/UDP).
- dst-port: Destination port number (for TCP/UDP).
- size: Packet size in bytes.
- tcpflags: TCP flags (e.g., SYN, ACK, FIN).
- tcpsyn: TCP sequence number.
- tcpack: TCP acknowledgment number.
- tcpwin: TCP window size.
- icmptype: ICMP type number.
- icmpcode: ICMP code number.
- info: Additional information (can vary).
- path: Direction of the traffic (RECEIVE, SEND, FORWARD).
Firewall Logs Example Entry:
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-30 10:15:30 DROP TCP 192.168.1.105 10.0.0.5 51234 1433 60 S 12345678 0 64240 - - - RECEIVE
This example shows: On April 30, 2025, at 10:15:30 AM, the firewall dropped (action DROP) a TCP packet coming from 192.168.1.105 (source IP) port 51234 (source port) attempting to reach the local machine (10.0.0.5, destination IP) on port 1433 (destination port, commonly SQL Server). The S flag indicates it was a SYN packet (attempting to initiate a connection). This log entry is crucial if you were expecting SQL Server connections from 192.168.1.105 but they were failing.
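Reading one entry by eye is fine; reading a 20 MB log is not. The script below is an added example, not code from the article: it parses a pfirewall.log-style file by using the log’s own #Fields: header to name the columns, then runs the two summaries a first triage pass usually wants: inbound drops grouped by source (one source probing many distinct destination ports is the classic port-scan signature described in “Why Check Firewall Logs?”) and the list of allowed inbound connections to review for anything unexpected. The log text embedded in the script is constructed for illustration and extends the article’s single DROP line with a few more entries; the function name is this example’s own. To run it against a real file, replace the here-string with Get-Content on the log path.

```powershell
# Added example (not from the article): parse a pfirewall.log-style file
# using its own #Fields: header, then summarise the entries the way a first
# triage pass would. The log text below is constructed for illustration.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-30 10:15:30 DROP TCP 192.168.1.105 10.0.0.5 51234 1433 60 S 12345678 0 64240 - - - RECEIVE
2025-04-30 10:15:31 DROP TCP 192.168.1.105 10.0.0.5 51235 3389 60 S 12345679 0 64240 - - - RECEIVE
2025-04-30 10:15:31 DROP TCP 192.168.1.105 10.0.0.5 51236 445 60 S 12345680 0 64240 - - - RECEIVE
2025-04-30 10:15:32 DROP TCP 192.168.1.105 10.0.0.5 51237 22 60 S 12345681 0 64240 - - - RECEIVE
2025-04-30 10:16:02 ALLOW TCP 10.0.0.7 10.0.0.5 49810 443 0 - 0 0 0 - - - RECEIVE
2025-04-30 10:16:05 DROP UDP 10.0.0.9 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2025-04-30 10:16:10 DROP ICMP 10.0.0.9 10.0.0.5 - - 84 - - - - 8 0 - RECEIVE
'@

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # The header defines the column layout; never hard-code it.
            $fields = $Matches[1] -split '\s+'
            continue
        }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw "Log body seen before a #Fields: header line" }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

# For a real file: $entries = ConvertFrom-FirewallLog -Lines (Get-Content $logPath)
$entries = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")

# 1. Inbound drops grouped by source. Many distinct destination ports from one
#    source in a short window is the classic port-scan signature.
$entries |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' |
    ForEach-Object {
        $ports = $_.Group.'dst-port' | Sort-Object -Unique
        [pscustomobject]@{
            SourceIP      = $_.Name
            DroppedCount  = $_.Count
            DistinctPorts = @($ports).Count
            Ports         = $ports -join ','
        }
    } | Sort-Object DistinctPorts -Descending | Format-Table -AutoSize

# 2. Allowed inbound connections: review these for anything unexpected.
$entries |
    Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'RECEIVE' } |
    Select-Object date, time, protocol, 'src-ip', 'dst-port' |
    Format-Table -AutoSize
```

On the constructed data the first table puts 192.168.1.105 at the top with four drops across four distinct ports (22, 1433, 3389, 445), which is exactly the pattern worth a closer look, while 10.0.0.9’s NetBIOS and ICMP noise sorts below it.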
Common Issues and Troubleshooting
Sometimes, logging doesn’t work as expected. Here are common problems:
- Log File Not Created or Updated: This is often a permissions issue. The Windows Defender Firewall service runs under the NT SERVICE\mpssvc account. This account needs FullControl permissions on the log file and the directory containing it (C:\Windows\System32\LogFiles\Firewall by default).
- Checking/Fixing Permissions: You can check permissions using PowerShell (run as administrator):
    # Show only the ACL entries that apply to the firewall service account
    $LogPath = "$env:windir\System32\LogFiles\Firewall"
    (Get-Acl -Path $LogPath).Access | Where-Object { $_.IdentityReference -like "*mpssvc*" }
  If NT SERVICE\mpssvc doesn’t have FullControl, you can grant it:
    $LogPath = "$env:windir\System32\LogFiles\Firewall"
    $acl = Get-Acl -Path $LogPath
    $identity = "NT SERVICE\mpssvc"
    $rights = "FullControl"
    # Inherit onto subfolders and files so the log file itself is covered
    $inheritance = "ContainerInherit, ObjectInherit"
    $propagation = "None"
    $type = "Allow"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $inheritance, $propagation, $type)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $LogPath -AclObject $acl
- Folder Doesn’t Exist: If you specified a custom log path, ensure the folder exists. Create it manually if needed and apply the correct permissions for mpssvc.
- Restart Required: After changing logging settings or fixing permissions, you might need to restart the “Windows Defender Firewall” service (mpssvc) or simply restart the computer for changes to take full effect.
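The checks above are easy to forget on a fleet of machines, so it helps to have them in one function. The script below is an added example, not code from the article: for each profile it reports whether logging is enabled, whether the configured log file and its directory exist, whether NT SERVICE\mpssvc holds an Allow FullControl entry on that directory, and when the file was last written, flagging it as stale when it has not changed within a configurable window. It assumes an elevated session and the NetSecurity module; the function name, the output column names and the 60-minute default are this example’s own choices.

```powershell
# Added example (not from the article): a per-profile health check for
# firewall logging. Run in an elevated PowerShell session. Assumes the
# NetSecurity module (Get-NetFirewallProfile) is available.

function Test-FirewallLogging {
    param([int]$StaleMinutes = 60)   # no write for this long counts as "stale"

    foreach ($p in Get-NetFirewallProfile) {
        # Expand %windir%/%systemroot%-style variables the way the firewall does.
        $logFile = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
        $logDir  = Split-Path -Path $logFile -Parent

        $dirExists  = Test-Path -Path $logDir  -PathType Container
        $fileExists = Test-Path -Path $logFile -PathType Leaf

        # Does the service account hold an Allow entry that includes FullControl?
        $hasFullControl = $false
        if ($dirExists) {
            $full = [System.Security.AccessControl.FileSystemRights]::FullControl
            $hasFullControl = [bool]((Get-Acl -Path $logDir).Access | Where-Object {
                $_.IdentityReference.Value -like '*mpssvc*' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            })
        }

        $lastWrite = $null
        $stale     = $null
        if ($fileExists) {
            $lastWrite = (Get-Item -Path $logFile).LastWriteTime
            $stale = ((Get-Date) - $lastWrite).TotalMinutes -gt $StaleMinutes
        }

        [pscustomobject]@{
            Profile       = $p.Name
            Enabled       = $p.Enabled
            LogBlocked    = $p.LogBlocked
            LogAllowed    = $p.LogAllowed
            LogFile       = $logFile
            DirExists     = $dirExists
            MpssvcFullCtl = $hasFullControl
            FileExists    = $fileExists
            LastWrite     = $lastWrite
            Stale         = $stale
        }
    }
}

Test-FirewallLogging | Format-Table -AutoSize
```

A row with LogBlocked True, DirExists True and MpssvcFullCtl False points at the permissions fix above; a row with everything True but Stale True on a busy host suggests the service needs a restart to pick up the new settings. A profile that is not currently active (for example Public on a domain-joined desktop) will legitimately show no recent writes, so read Stale alongside which profile the machine is actually using.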
Best Practices for Firewall Logging
- Enable Wisely: Log dropped packets for troubleshooting and security. Log successful connections for auditing or detecting anomalous traffic, but be aware this generates much more log data.
- Increase Log Size: Set the maximum size to at least 20MB (20480 KB), or the maximum 32MB (32767 KB), to retain history.
- Separate Log Files: Use distinct file names for Domain, Private, and Public profiles (e.g., pfirewall_Domain.log) for easier analysis.
- Regular Review: Manually checking logs on individual machines is tedious. Implement firewall log monitoring.
- Centralized Logging: Forward logs to a central system like a Security Information and Event Management (SIEM) platform or a log analytics service.
Forwarding and Analyzing Logs
Manually reviewing text logs across many machines isn’t scalable. Consider these options:
- Windows Event Forwarding (WEF): A built-in Windows feature to collect logs from multiple computers onto a central Windows Event Collector (WEC) server.
- SIEM Systems: Products like Azure Sentinel, Splunk, QRadar, or ELK Stack can ingest firewall logs, correlate them with other events, generate alerts, and provide powerful analysis capabilities.
- Log Management Services: Cloud services like Azure Monitor Logs allow you to collect and query log data using powerful query languages (like KQL).
Centralizing logs dramatically improves Windows Firewall monitoring efficiency and enables proactive threat hunting and faster incident response.
Conclusion
Windows Defender Firewall logs are a vital resource for maintaining the security and operational health of your Windows systems. By learning how to enable Windows Firewall logging, locate the pfirewall.log file, understand its contents, and troubleshoot common issues, you gain crucial visibility into the network traffic interacting with your machines.
Whether you’re diagnosing a connection failure, investigating suspicious activity, or fulfilling compliance requirements, these logs provide the necessary evidence. Remember that effective firewall log monitoring, especially in larger environments, relies on increasing log sizes, using distinct files per profile, and ideally, forwarding logs to a centralized analysis platform.
Proactive monitoring and analysis of firewall activity are key components of a robust security strategy. Integrating insights from firewall logs with other system and application monitoring data provides a more complete picture of your infrastructure’s health and security.
Need comprehensive, real-time visibility into your entire infrastructure, including network traffic and system performance? Check out Netdata for powerful monitoring and troubleshooting capabilities.