Step 8: Enabling Firewall Logging
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
When you create or modify firewall rules, you can sometimes end up with a rule set that allows traffic that you do not want, or that blocks traffic that you require. To help troubleshoot these types of problems, Windows Firewall with Advanced Security provides several different ways to capture details about the failure to help you diagnose the connection.
Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2 support the following logging/tracing tools:
The firewall log file that records allowed or dropped network packets as configured by the firewall Group Policy settings.
The Windows Firewall with Advanced Security operational event logs that can be viewed in Event Viewer. The events in this log show the operational status of Windows Firewall with Advanced Security and changes in its configuration.
As in Windows Vista, Windows 7 continues to support audit events that can track certain symptoms and errors in Windows Firewall with Advanced Security. Audit events must be enabled before they appear in the Event Viewer.
The netsh wfp capture command that captures detailed diagnostic information about networking operations on the computer during the capture session.
The nesh trace commands to enable network tracing with filters that capture network traffic relevant to a selected scenario. The WFP-IPsec scenario, for example, captures information specifically related to the operation of the Windows Filtering Platform (WFP) and IPsec.
Each of these is introduced in the next several procedures.
First, you configure your server GPO to create a local file that logs both allowed packets and dropped packets. Later in this guide, after you create and test some firewall rules, you examine this log file to see the kinds of entries created there.
On MBRSVR1, in Group Policy Management, in the navigation pane, right-click Firewall Settings for Windows Servers, and then click Edit. Be sure to open the SERVER GPO, not the client one.
In the Group Policy Management Editor, right-click the top node in the navigation pane, and then click Properties.
Select the Disable User Configuration settings check box.
In the confirmation dialog box, click Yes, and then click OK.
In the navigation pane, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.
Right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.
On the Domain Profile tab, in the Logging section, click Customize.
Clear both Not configured check boxes. You can use the default values for path and maximum size.
Change Log dropped packets to Yes.
Change Log successful connections to Yes.
Click OK two times to save your GPO.
Close the Group Policy Management Editor.
To apply this GPO to the correct set of computers, link the GPO to the OU.
Note
For simplicity, you do not create a WMI filter or security group as you did with the client GPO, but the exact same principles could be applied here to filter the GPO only to member servers in the domain that are running Windows Server 2008 or Windows Server 2008 R2.
On MBRSVR1, in the Group Policy Management console, right-click the OU MyMemberServers that you created earlier, and then click Link an Existing GPO.
In the Select GPO dialog box, select Firewall Settings for Windows Servers, and then click OK.
Still on MBRSVR1, in the Administrator: Command Prompt, run gpupdate /force. Wait for the command to finish.
Open the Windows Firewall with Advanced Security snap-in.
In the navigation pane, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
On the Domain Profile tab, in the Logging section, click Customize.
Confirm that the settings in your GPO now appear as the active settings for this computer.
Click OK two times to close the dialog boxes.
Leave Administrator: Command Prompt and the Windows Firewall with Advanced Security snap-in open.
Windows also writes operational events to the event log that is viewable by using Event Viewer. In earlier versions of Windows, most information of interest to an administrator was found in the System and Application logs. Starting with Windows Vista and later versions of Windows, the Event Viewer includes many predefined filtered views. The original, unfiltered System and Application logs can be found under Windows Logs . The filtered list of Windows Firewall with Advanced Security events can be found under Application and Services Logs, Microsoft, Windows, Windows Firewall with Advanced Security.
On MBRSVR1, click Start, click Administrative Tools, and then click Event Viewer.
In the navigation pane, expand Applications and Service Logs, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.
Examine the four categories under the Windows Firewall with Advanced Security node. The two main functions of Windows Firewall with Advanced Security, IPsec and host-based Firewall have their events stored under the ConnectionSecurity and Firewall nodes, respectively. The ConnectionSecurityVerbose and FirewallVerbose nodes are disabled by default.
In the navigation pane, select the Firewall node.
There are a variety of events already present. These events document configuration changes to the operational state of the firewall. Among the events should be those with Event IDs 2002, 2003, 2004, 2008, 2010, 2011, and 2012. If you open Event Viewer on CLIENT1, you will also see Event IDs 2005, and 2006 that document modifying and then deleting the rule “A Test Rule”.
Select the topmost event with an Event ID number of 2003. If you followed the steps in this guide, this event is the changing of Log File Path setting in the Domain profile, caused by applying your modified member server GPO.
To enable the verbose logs, right-click ConnectionSecurityVerbose and FirewallVerbose, and then click Enable log.
Windows 7 and Windows Server 2008 R2 introduce the new netsh wfp context that enables you to capture diagnostic trace sessions of the behavior of the Windows Filtering Platform which is the base engine that implements your firewall and connection security rules. Starting a capture session, reproducing the problem, and then stopping the capture results in a log that can help you or Microsoft Customer Support Services (CSS) troubleshoot connectivity problems on your computers.
On MBRSVR1, open and administrative command prompt.
At the command prompt, change the current folder to your desktop by running the command: cd %userprofile%\desktop
To start the capture, run the command netsh wfp capture start.
At this point in a real troubleshooting situation, you would reproduce the problem. For our purposes, just wait a few seconds.
To complete the capture, run the command netsh wfp capture stop. The output file is stored in the current folder.
Double-click the .cab file that is on the desktop.
The .cab file contains an .xml file and an .etl file. The .etl file is a binary file that is intended for use by CSS. The .xml file can be loaded and read locally. Because of the size of the .xml files produced by this process we recommend that you acquire an XML Reader program, instead of using a Web browser or Notepad to open the file.
Drag the wfpdiag.xml file to the desktop from the .cab file.
Open the file with your XML reader of choice and examine the contents. Note the main sections:
sysInfo – This section contains information about the computer on which the trace was captured.
initialState – This section contains information about the state of the WFP and the currently configured rules before the problem was reproduced.
Events – This section contains information about things that occurred while the capture session was running.
finalState – This section contains the same information as initialState, but was captured when you ran the wfp capture stop command. You can directly compare the two sections to look for differences that might relate to the connection problem you are trying to diagnose.
Similarly, you can use the netsh trace and netsh trace stop commands to capture a variety of diagnostic information customized to a selected scenario, such as wfp-ipsec.
By using one or more of the logging techniques demonstrated earlier in this section, you can learn much about why a particular connection does or does not work.
At an Administrator: Command Prompt, run the command netsh trace start scenario=wfp-ipsec tracefile=%userprofile%\desktop\SampleTrace.cab
The output of the command shows you that the trace is running, the file to which the data is written, and details of other possible parameters.
In a production troubleshooting environment, this is where you would attempt to reproduce the problem.
In this sample, after a few seconds, run the command netsh trace stop.
The computer takes a few moments to compile the collected trace data into a .cab file at your specified location.
On the desktop, double-click sampletrace, and examine its contents. A variety of text files, .xml files, event log files, and other types are included. Double-click some of them to view their contents.
When you have finished examining the files, close the .cab file, and the command prompt.
Next topic: Creating Rules that Allow Required Inbound Network Traffic