Enable IPsec and Windows Firewall Audit Events

Applies To: Windows Server 2008, Windows Vista

By default, Windows Firewall with Advanced Security does not generate audit events for either the Windows Firewall service or Internet Protocol security (IPsec). To see the events, you must enable event logging. Because the Windows Firewall and IPsec components can potentially generate a large number of events, consider turning logging on only when you need to troubleshoot Windows Firewall and IPsec issues, and then turn the events off again when you are done.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority. If you do not have the required permissions, then the commands fail and display an error message.

  • To enable IPsec and Windows Firewall audit events

  • To view the current settings for IPsec and Windows Firewall audit events

  • To see the new audit events in Event Viewer

To enable Windows Firewall with Advanced Security audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:

    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

  4. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:

    net stop MPSSVC

    net start MPSSVC

  5. When you are ready to disable event logging, run the same command as in step 3, but use /success:disable /failure:disable at the end of the command. Then restart the service by performing step 4 again.

To view the current settings for IPsec and Windows Firewall audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can also copy and paste this command into a batch file and run it that way if you want:

    auditpol.exe /get /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection"

    The command displays the current success and failure audit settings for each of the listed subcategories.
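The following PowerShell script is an added example, not part of the original article, that wraps the auditpol.exe commands from the two procedures above (enabling and disabling the audit events, restarting the Windows Firewall service, and querying the current settings) so the same subcategory list is used in one place. It assumes the script is saved as FirewallAudit.ps1 (a name chosen here) and run from an elevated PowerShell prompt; the subcategory names and the MPSSVC service name are the ones the article uses. Note that the Filtering Platform Packet Drop and Filtering Platform Connection subcategories are by far the noisiest of the nine, which is why the article recommends disabling the events again when troubleshooting is done.

```powershell
<#
Added example (not from the original article). Usage from an elevated prompt:
  .\FirewallAudit.ps1 -Action Enable    # same as the article's /success:enable /failure:enable
  .\FirewallAudit.ps1 -Action Get       # same as the article's auditpol /get command
  .\FirewallAudit.ps1 -Action Disable   # same as step 5 (/success:disable /failure:disable)
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Enable', 'Get', 'Disable')]
    [string]$Action
)

# The nine subcategories named in the article's auditpol command.
$subcategories = @(
    'MPSSVC rule-level Policy Change',
    'Filtering Platform policy change',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'IPsec Extended Mode',
    'IPsec Driver',
    'Other System Events',
    'Filtering Platform Packet Drop',
    'Filtering Platform Connection'
)

# auditpol splits the /SubCategory value on commas. PowerShell quotes the whole
# argument for us because it contains spaces, so no inner quotes are needed.
$subArg = $subcategories -join ','

# auditpol /set fails without elevation anyway; checking first gives a clearer message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) prompt.'
}

switch ($Action) {
    'Get' {
        # Shows the current success/failure setting for each subcategory.
        & auditpol.exe /get "/SubCategory:$subArg"
    }
    default {
        $state = if ($Action -eq 'Enable') { 'enable' } else { 'disable' }
        & auditpol.exe /set "/SubCategory:$subArg" "/success:$state" "/failure:$state"
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol.exe failed with exit code $LASTEXITCODE"
        }
        # The article restarts the Windows Firewall service (MPSSVC) after
        # changing the audit setting; Restart-Service does the net stop/net start pair.
        Restart-Service -Name MPSSVC
        Write-Host "Windows Firewall and IPsec audit events: $state"
    }
}
```

Run the script with -Action Get before and after enabling to confirm the change took effect; if the Get output still shows "No Auditing" for a subcategory, check whether a Group Policy audit setting is overriding the local auditpol configuration.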

To see the new audit events in Event Viewer

  1. Open the Event Viewer. Click Start, type eventvwr in the Start Search box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand the Windows Logs branch.

  4. Right-click Security, and then click Filter Current Log.

  5. In the Includes/Excludes Event IDs box, type 4600-5500, and then click OK.

    Event Viewer displays any events that match the criteria. If you just enabled the audit events, there might be only a few events to view at first.
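As an added example that is not part of the original article, the following PowerShell script applies the same event ID filter (4600-5500) to the Security log with Get-WinEvent and summarizes the matches per event ID. The range the article gives is deliberately broad and also catches unrelated security events such as logons, so a per-ID count is a quick way to see which Windows Firewall and IPsec subcategories are actually producing events and how noisy each one is. It assumes an elevated prompt (reading the Security log requires it); the parameter names are chosen here.

```powershell
<#
Added example (not from the original article). Reads the Security log with the
same 4600-5500 event ID range the Event Viewer filter above uses and counts
events per ID, newest first. Run from an elevated prompt.
#>
param(
    [int]$MinId = 4600,        # lower bound of the article's filter range
    [int]$MaxId = 5500,        # upper bound of the article's filter range
    [int]$MaxEvents = 5000     # cap on how many recent events to read
)

# XPath equivalent of typing "4600-5500" in the Includes/Excludes Event IDs box.
$xpath = "*[System[EventID >= $MinId and EventID <= $MaxId]]"

try {
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                           -MaxEvents $MaxEvents -ErrorAction Stop
}
catch {
    # Get-WinEvent throws when nothing matches the filter or the log is not readable.
    # Right after enabling the audit events there may be no matches yet, as the article notes.
    Write-Warning "No matching events, or the Security log could not be read: $($_.Exception.Message)"
    return
}

# One row per event ID: how many events, and the first line of the newest message
# so the ID can be recognized without opening Event Viewer.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'EventID'; Expression = { [int]$_.Name } },
                  Count,
                  @{ Name = 'Newest';  Expression = { $_.Group[0].TimeCreated } },
                  @{ Name = 'Message'; Expression = { ($_.Group[0].Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the Filtering Platform Connection or Packet Drop IDs dominate the output, that is the volume the article warns about; narrow the -MinId/-MaxId range to the IDs you are troubleshooting, or disable those subcategories first, rather than leaving the full set enabled on a production host.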