Viewing Firewall and IPsec Events in Event Viewer

Applies To: Windows 7, Windows Server 2008 R2

Note

This topic applies to computers that are running Windows 7 and Windows Server 2008 R2 only. To view firewall and IPsec events on computers that are running previous versions of Windows, see Enabling Audit Events for Windows Firewall with Advanced Security

Windows 7 and Windows Server 2008 R2 automatically log significant firewall and IPsec events in the computer’s event log. You can view events in the log by using Event Viewer.

To view events for Windows Firewall with Advanced Security in Event Viewer

  1. Event Viewer is available as part of Computer Management. Click Start, right-click Computer, and then click Manage. Under System Tools, click Event Viewer.

  2. In the navigation tree, expand Event Viewer, expand Applications and Services, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

  3. There are four views of operational events provided:

    • ConnectionSecurity. This log maintains events that relate to the configuration of IPsec rules and settings. For example, when a connection security rule is added or removed or the settings of IPsec are modified, an event is added here.

    • ConnectionSecurityVerbose. This log maintains events that relate to the operational state of the IPsec engine. For example, when a connection security rule become active or when crypto sets are added or removed, an event is added here. This log is disabled by default. To enable this log, right-click ConnectionSecurityVerbose, and then click Enable Log.

    • Firewall. This log maintains events that relate to the configuration of Windows Firewall. For example, when a rule is added, removed, or modified, or when a network interface changes its profile, an event is added here.

    • FirewallVerbose. This log maintains events that relate to the operational state of the firewall. For example, when a firewall rule become active, or when the settings of a profile are changed, an event is added here. This log is disabled by default. To enable this log, right-click FirewallVerbose, and then click Enable Log.

  4. Each event includes a General tab that summarizes the information contained in the event. For more information about an event, click Event Log Online Help to open a web page in the Windows Server Technical Library that contains detailed information and prescriptive guidance.

    The event also includes a Details tab that displays the raw data associated with the event. You can copy and paste the information in the Details tab by selecting the text (CTRL+A selects it all) and then pressing CTRL-C.