Step 5: Viewing the Firewall Log

Published: November 2, 2007

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

You have created several connections to your server after turning on firewall logging, and you also had several connections blocked by the firewall rules you put in place. In this step, you examine the log that accumulated to this point and then you turn the logging back off.

  1. On MBRSVR1, if it is not already open, open the Windows Firewall with Advanced Security snap-in.

  2. In the navigation pane, click Monitoring. In the Details pane, under Logging Settings, click the file path next to File name. The log opens in Notepad.

  3. In Notepad, examine the entries. There are many more entries than those related directly to your activity for this guide. There are Domain Name System (DNS) queries, network basic input/output system (NetBIOS) connections, and so on.

  4. Search for lines that resemble the following examples. You can press CTRL-F to open a search dialog box, and enter a space, the number 23, and another space (" 23 "). Be sure to include the spaces, so that you do not match the number 23 embedded in other numbers, such as a source port of 52300.

    The timestamps and source ports in the samples that follow will differ from those in your log. The samples also omit the source and destination IP addresses and the remaining columns. The final column (path) is not shown here, but is often of interest, because it shows whether the packet was inbound (RECEIVE) or outbound (SEND).

    • The following entries represent the allowed Telnet connections on ports 23 and 25:

      2009-06-09 10:10:48 ALLOW TCP 52174 23

      2009-06-09 10:15:54 ALLOW TCP 52175 25

    • The following entry represents a blocked Telnet connection attempt on port 25:

      2009-06-09 10:28:28 DROP TCP 52180 25

    • The following entries show the allowed Remote Event Log connection, first to the RPC endpoint mapper on port 135 and then to the dynamic port it assigned:

      2009-06-09 10:49:59 ALLOW TCP 52191 135

      2009-06-09 10:50:00 ALLOW TCP 52192 49153

  5. Close Notepad.

In production troubleshooting scenarios, you can import your log file into Microsoft Excel to more easily search, sort, and filter the entries. Use the space character as the separator when you import the log file; the #Fields: line near the top of the log lists the column names in order.
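As an added example, not part of the original guide, the following PowerShell script does what the Excel import above describes, but from the command line: it splits each log line on the space character, takes the column names from the log's own #Fields: header, and then filters on the dst-port column so that a search for port 23 cannot match inside another number. The log lines in $sampleLog are constructed for this example (with IP addresses and the remaining columns filled in as they would appear in a real log); to run it on MBRSVR1, replace them with Get-Content of the real log, which by default is %systemroot%\system32\LogFiles\Firewall\pfirewall.log. The script uses only cmdlets available in PowerShell 2.0, as shipped with Windows 7.

```powershell
# Added example (not from the original guide): parse Windows Firewall log lines
# the way the guide suggests doing in Excel, using the space character as the
# separator and the #Fields: header as the column names.

# Constructed sample log for this example. On a real server use:
#   $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-06-09 10:10:48 ALLOW TCP 192.168.0.101 192.168.0.2 52174 23 0 - 0 0 0 - - - RECEIVE
2009-06-09 10:12:03 ALLOW UDP 192.168.0.2 192.168.0.1 60123 53 0 - - - - - - - SEND
2009-06-09 10:15:54 ALLOW TCP 192.168.0.101 192.168.0.2 52175 25 0 - 0 0 0 - - - RECEIVE
2009-06-09 10:28:28 DROP TCP 192.168.0.101 192.168.0.2 52180 25 52 S 2345678 0 8192 - - - RECEIVE
2009-06-09 10:49:59 ALLOW TCP 192.168.0.101 192.168.0.2 52191 135 0 - 0 0 0 - - - RECEIVE
2009-06-09 10:50:00 ALLOW TCP 192.168.0.101 192.168.0.2 52192 49153 0 - 0 0 0 - - - RECEIVE
'@
$lines = $sampleLog -split "`r?`n"

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)

    # Column names come from the #Fields: header, so the parser follows the
    # log's own layout instead of hard-coding it.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found; is this a Windows Firewall log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ' '

    # Skip blank lines and the other # comment lines, then split on spaces.
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $header
}

$entries = ConvertFrom-FirewallLog -Lines $lines

# Step 4 of the guide as a filter instead of a CTRL-F for " 23 ": compare the
# dst-port column as a whole, so 23 never matches inside a port such as 52300.
$portsOfInterest = @('23', '25')
$entries |
    Where-Object { $portsOfInterest -contains $_.'dst-port' } |
    Format-Table date, time, action, protocol, 'src-ip', 'src-port', 'dst-port', path -AutoSize

# A quick triage view for troubleshooting: DROP entries grouped by destination
# port, most frequent first, with the direction (path) of the first hit shown.
$entries |
    Where-Object { $_.action -eq 'DROP' } |
    Group-Object 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object @{n = 'dst-port'; e = { $_.Name } },
                  Count,
                  @{n = 'path'; e = { $_.Group[0].path } }
```

Because the parser reads the header, the same function works on later Windows versions whose logs add or reorder columns, as long as the #Fields: line is present. The path column is where RECEIVE and SEND appear; keep it in any filtered view, since a DROP on an outbound packet points at a different rule set than a DROP on an inbound one.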

You should only turn on logging when you need it, such as when you are troubleshooting. Because we are finished, turn the logging off.

  1. Switch to the Group Policy Management Editor window that is configuring your Server GPO.

  2. In the navigation pane, right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.

  3. On the Domain Profile tab, under Logging, click Customize.

  4. Change Log dropped packets to No (default).

  5. Change Log successful connections to No (default).

  6. Click OK two times to save your changes.

  7. At the Administrator: Command Prompt, run gpupdate /force. Wait until the command is finished. To confirm that the policy took effect, run netsh advfirewall show domainprofile and check that LogAllowedConnections and LogDroppedConnections are both Disable.

Next topic:  Creating Rules that Block Unwanted Outbound Network Traffic
