Internet Connection Firewall security log

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


The Internet Connection Firewall (ICF) security log allows advanced users to choose which information to log. With ICF security logging you can:

  • Log dropped packets. Log all dropped packets that originate from either the home or small office network or the Internet.

  • Log successful connections. Log all successful connections that originate from either the home or small office network or the Internet.

When you select the Log dropped packets check box, information is collected each time ICF detects and denies traffic attempts. For example, if your Internet Control Message Protocol (ICMP) settings are not set to allow incoming echo requests, such as those sent by the ping and tracert commands, and an echo request from outside your network is received, the echo request is dropped, and an entry is made in the log.

When you select the Log successful connections check box, information is collected each time ICF detects and permits traffic attempts. For example, when a computer on your network successfully connects to a Web site, an entry is produced in the log.

The ICF security log is written in the W3C Extended Log File Format, a text format that common log analysis tools can read directly. For information about how to view an ICF security log, see View the ICF security log. To save the ICF security log using your choice of name and location, see Change the path and file name of the ICF security log.

ICF security logging is considered an advanced option and is not enabled by default. In order for the ICF security log to accept new data, you must select one or both of the logging options. For more information, see Enable or disable ICF security log options.

The ICF security log has two sections:

  • The header provides information about the version of the ICF security log and the fields that are available for data entry. The header information is presented as a static list.

  • The body contains compiled data that is entered as a result of traffic attempting to cross the firewall. The fields in the body of the ICF security log are entered from left to right across the page. The body of the ICF security log is a dynamic list--new data entries are entered at the bottom of the log.

The following tables define the information that the ICF security log contains:

Header items

Each entry below lists the header item, its description, and an example value.

#Version

Displays the version of the ICF security log format.

1.0

#Software

Provides the name of the ICF security log.

Microsoft Internet Connection Firewall

#Time

Indicates that all of the timestamps in the log are in local time.

Local

#Fields

Displays a static list of the fields that are available for ICF security log entries, if data is available. Fields include: date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and info.

Src-port, dst-port, size

Body data

Each entry below lists the field name, its description, and an example value. Fields appear in a body line in the order given by the #Fields header item, separated by spaces.

Date

Specifies the year, month, and day on which the recorded transaction occurred. Dates are recorded in the format:

YYYY-MM-DD

where YYYY is the four-digit year, MM is the month, and DD is the day.

2001-01-27

Time

Specifies the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the format:

HH:MM:SS

where HH is the hour in 24 hour format, MM is minutes, and SS is seconds.

21:36:59

Action

Specifies which operation was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST entry indicates that events happened but were not recorded in the log; the number of lost events is given in the info field of that entry.

DROP

Protocol

Specifies which protocol was used for the communication. A protocol entry can be TCP, UDP, ICMP, or, if the protocol that was used was not TCP, UDP, or ICMP, a number.

ICMP

Src-ip

Specifies the source IP address (the IP address of the computer attempting to establish communications). The source IP is recorded in the dotted decimal format:

(number).(number).(number).(number)

192.168.0.0

Dst-ip

Specifies the destination IP address (the IP address of the destination for a communication attempt). The destination IP is recorded in the dotted decimal format:

(number).(number).(number).(number)

192.168.0.1

Src-port

Specifies the port number of the source (sending) computer. A src-port entry is recorded as a whole number, ranging from 1 to 65,535. Only TCP and UDP return a valid src-port entry. All other protocols are invalid for src-port and result in an entry of -.

4039

Dst-port

Specifies the port number of the destination computer. A dst-port entry is recorded as a whole number, ranging from 1 to 65,535. Only TCP and UDP return a valid dst-port entry. All other protocols are invalid for dst-port and result in an entry of -.

53

Size

Specifies the packet size in bytes.

60

Tcpflags

Specifies the TCP control flags found in the TCP header of an IP packet:

  • Ack-Acknowledgment field significant

  • Fin-No more data from sender

  • Psh-Push function

  • Rst-Reset the connection

  • Syn-Synchronize sequence numbers

  • Urg-Urgent pointer field significant

Flags are written as uppercase letters. The entry information for tcpflags is provided for users with an in-depth knowledge of Transmission Control Protocol (TCP). Additional information about TCP can be found in RFC 793.

AFP

Tcpsyn

Specifies the TCP sequence number in the packet. The entry information for tcpsyn is provided for users with an in-depth knowledge of TCP.

1315819770

Tcpack

Specifies the TCP acknowledgement number in the packet. The entry information for tcpack is provided for users with an in-depth knowledge of TCP.

0

Tcpwin

Specifies the TCP window size in the packet. The size is specified in bytes. The entry information for tcpwin is provided for users with an in-depth knowledge of TCP.

64240

Icmptype

Specifies a number that represents the type field of the ICMP message.

8

Icmpcode

Specifies a number that represents the code field of the ICMP message.

0

Info

Specifies an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action displays the number of events that occurred but were not placed in the log since the last occurrence of this event type.

23

A hyphen (-) is entered when no information is available for a field.
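The following parser is an added example, not part of this topic and not Microsoft code. It reads a pfirewall.log in the format defined above (header directives beginning with #, a #Fields line naming the columns, then one space-separated body line per event), turns hyphens into missing values, converts the numeric fields, and then answers the questions an administrator usually has when reviewing the log: which outside hosts had traffic dropped, which ports they probed (SYN-only TCP drops), whether any echo requests were dropped (the ping/tracert case described earlier), and how many events were lost to INFO-EVENTS-LOST. The sample log text is constructed for the example; the function and field names are the author's own. A helper also shows the order in which to read pfirewall.log.old and pfirewall.log so that rotated data comes out oldest first.

```python
"""Parser and summary for an ICF security log (pfirewall.log).
Added example for this topic; not Microsoft code. SAMPLE_LOG is constructed."""
import os
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: header items as the topic describes, then six body lines.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-01-27 21:36:59 DROP ICMP 203.0.113.7 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:02 OPEN TCP 192.168.0.5 198.51.100.20 4039 80 48 S 1315819770 0 64240 - - -
2001-01-27 21:37:05 DROP TCP 203.0.113.9 192.168.0.1 3344 445 48 S 22222 0 8192 - - -
2001-01-27 21:37:05 DROP TCP 203.0.113.9 192.168.0.1 3345 139 48 S 22223 0 8192 - - -
2001-01-27 21:37:09 CLOSE TCP 192.168.0.5 198.51.100.20 4039 80 - - - - - - - -
2001-01-27 21:37:30 INFO-EVENTS-LOST - - - - - - - - - - - - 23
"""

# Fields that hold whole numbers when present (a hyphen means "not available").
INT_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
              "icmptype", "icmpcode", "info"}

Record = Dict[str, object]


def parse_icf_log(text: str) -> List[Record]:
    """Return one dict per body line, keyed by the names from the #Fields header."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields affects parsing; #Version, #Software and #Time are informational.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("body line encountered before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec: Record = {}
        for name, value in zip(fields, values):
            if value == "-":
                rec[name] = None          # hyphen: no information for this field
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def events_lost(records: List[Record]) -> int:
    """Total events the firewall handled but did not log; body-derived counts are a floor."""
    return sum(r["info"] or 0 for r in records if r["action"] == "INFO-EVENTS-LOST")


def dropped_by_source(records: List[Record]) -> Counter:
    """DROP entries per source IP; one host probing several ports stands out here."""
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


def dropped_echo_requests(records: List[Record]) -> List[Record]:
    """Dropped ICMP type 8 (echo request) packets: the ping/tracert case from the text."""
    return [r for r in records
            if r["action"] == "DROP" and r["protocol"] == "ICMP" and r["icmptype"] == 8]


def tcp_syn_drops_by_port(records: List[Record]) -> Counter:
    """Dropped inbound connection attempts (SYN flag only), keyed by destination port."""
    return Counter(r["dst-port"] for r in records
                   if r["action"] == "DROP" and r["protocol"] == "TCP" and r["tcpflags"] == "S")


def read_rotated(log_dir: str) -> List[Record]:
    """Read pfirewall.log.old (if present) before pfirewall.log so records are oldest first.
    Each file carries its own header, so each is parsed on its own."""
    records: List[Record] = []
    for name in ("pfirewall.log.old", "pfirewall.log"):
        path = os.path.join(log_dir, name)
        if os.path.exists(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                records.extend(parse_icf_log(fh.read()))
    return records


if __name__ == "__main__":
    recs = parse_icf_log(SAMPLE_LOG)
    print("records:", len(recs), "lost:", events_lost(recs))
    print("drops by source:", dict(dropped_by_source(recs)))
    print("SYN drops by port:", dict(tcp_syn_drops_by_port(recs)))
    print("dropped echo requests:", len(dropped_echo_requests(recs)))
```

Because a body line after INFO-EVENTS-LOST says nothing about what the lost events were, treat any count built from the body (drops per host, attempts per port) as a lower bound whenever events_lost is non-zero; if it is large, the log is being outpaced and the size limit or the logging options should be revisited.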

If ICF is enabled on two or more connections on a single computer, the ICF settings are global. If you select a setting or change a setting in Logging Options or Services on any one of the connections on which ICF is enabled, that setting is applied to all of the ICF firewalls on that computer.

Notes

  • If the maximum allowable size for pfirewall.log is exceeded, the information that pfirewall.log contains is saved as pfirewall.log.old, and new information is saved as pfirewall.log. If the maximum allowable size for pfirewall.log is exceeded again, the information that pfirewall.log contains is saved as pfirewall.log.old, and the information that had been in pfirewall.log.old is overwritten. New information is always saved in pfirewall.log.

  • You can obtain RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

  • Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

  • This topic applies only to product features available in the original release of Windows Server 2003.

  • Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.