Monitoring Windows Firewall with Advanced Security

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

The Monitoring item in the Windows Firewall with Advanced Security MMC snap-in allows you to monitor the active firewall rules and connection security rules on the computer. Policies created using the IP Security Policy snap-in cannot be viewed using Windows Firewall with Advanced Security.

The overview page shows which profiles are active (domain, private, public) and the current settings for each of the active profiles.

Note

Only rules that apply to the currently active profiles are displayed. A rule for another profile might be enabled, but if the profile to which it is assigned is not active, then neither is the rule.

Firewall

Use this node to monitor all of the enabled firewall rules, including firewall rules for the active profile and firewall rules distributed by using Group Policy objects (GPOs). Only active (applied) firewall rules are monitored.

Note

Allow rules are only displayed in the list when the default behavior is to block traffic. When the default behavior is to allow traffic, allow rules have no function, so they are not displayed.

Connection security rules

Lists all of the active connection security rules with detailed information about their settings.

Security associations

Lists all of the currently active main mode and quick mode security associations (SAs) with detailed information about their settings and endpoints.

Main Mode

Lists all of the main mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints and the methods and algorithms that were used for authentication.

Quick Mode

Lists all of the quick mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints and the integrity and encryption algorithms in use to protect traffic exchanged between the two endpoints.

Event logs

You can use the ConnectionSecurity and Firewall operational event logs to view events related to Windows Firewall with Advanced Security. These logs are helpful for troubleshooting.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To view the Windows Firewall with Advanced Security event logs

  1. Open Event Viewer. Click Start, click Administrative Tools, and then click Event Viewer.

  2. In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand Windows, expand Windows Firewall with Advanced Security, and then click ConnectionSecurity or Firewall.

  3. You can also choose to enable the ConnectionSecurityVerbose and FirewallVerbose logs. In the navigation pane, click ConnectionSecurityVerbose or FirewallVerbose, and then in the Actions pane, click Enable Log.

To avoid performance problems, we recommend that you disable logging when you have finished troubleshooting. To disable logging, in the Actions pane, click Disable Log.
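The same procedure can be run from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it reads the two always-on logs, enables one verbose log for a fixed capture window, and disables it again even if the capture is interrupted. The 60-second window, the 20-event limit and the variable names are assumptions chosen for illustration.

```powershell
# Added example. Run as a member of the local Administrators group.
$base    = 'Microsoft-Windows-Windows Firewall With Advanced Security'
$verbose = "$base/FirewallVerbose"   # or "$base/ConnectionSecurityVerbose"
$seconds = 60                        # assumed capture window

# Step 2 equivalent: newest events from the ConnectionSecurity and Firewall logs.
foreach ($log in "$base/Firewall", "$base/ConnectionSecurity") {
    Write-Output "== $log =="
    Get-WinEvent -LogName $log -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}

# Step 3 equivalent: enable the verbose log only while reproducing the problem.
$start = Get-Date
wevtutil.exe sl $verbose /e:true
try {
    Write-Output "Verbose logging enabled; reproduce the problem within $seconds seconds."
    Start-Sleep -Seconds $seconds

    # -Oldest returns the captured events in chronological order.
    # SilentlyContinue suppresses the error Get-WinEvent raises when nothing was logged.
    $captured = Get-WinEvent -FilterHashtable @{ LogName = $verbose; StartTime = $start } `
                             -Oldest -ErrorAction SilentlyContinue
    $captured |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
    Write-Output ("Captured {0} verbose event(s)." -f @($captured).Count)
}
finally {
    # Disable the verbose log again, as recommended above, even on Ctrl+C or error.
    wevtutil.exe sl $verbose /e:false
    # Confirm the resulting state; the line should read "enabled: false".
    wevtutil.exe gl $verbose | Select-String '^enabled'
}
```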