See Firewall Activity in Windows Defender Firewall Logs

In this article we'll walk you through enabling logging to help troubleshoot connection issues related to the Windows Firewall.

To find this information on a target, log the dropped packets while replicating the steps in PDQ Deploy or Inventory that produce the error or connection problem.

Enable Manually

To manually enable logging dropped packets on a failing target:

1. Launch the Windows Firewall Console on the Target Computer.

2. Select the Windows Defender Firewall tab and click Properties in the Actions menu.

3. Inside the Properties tab, select the Customize button under Logging.

4. Select Yes in the Log Dropped Packets dropdown menu.

5. Press OK to close the Logging Settings menu and again to close the Windows Defender Firewall Properties.

Enable with PowerShell

Set-NetFirewallProfile -Profile Domain -LogBlocked True

Accessing the logs

Once logging is enabled, verify you are able to read the log file. If not, open the Log Files Security tab and enable Read permissions for your account.
You can find the logs at the following path: C:\Windows\System32\LogFiles\Firewall

By default, the log is named pfirewall.log

After verifying the log can be opened and read, attempt to replicate the error received. You may need to close and reopen the file after each test to see updates.

 

If you do not see any dropped packets while logging the Domain Firewall, go back and turn off logging for the Domain Firewall, then repeat the steps to log the Private and Public firewalls (one at a time).
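One way to pull the dropped packets out of pfirewall.log once logging is on, as an added example that is not part of the original article or PDQ's own tooling. The function name Get-FirewallDrop, the sample log lines and the console address 192.0.2.10 are constructed for illustration.

```powershell
# Added example. Get-FirewallDrop is a hypothetical helper name.
function Get-FirewallDrop {
    param(
        # Raw lines from pfirewall.log; blank lines are allowed.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line,
        # Optional: keep only drops that came from this address.
        [string]$SourceIp
    )
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header names the columns; read it instead of hard-coding positions.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before the header.
        if ($l -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $values = $l -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        if ($entry['action'] -ne 'DROP') { continue }
        if ($SourceIp -and $entry['src-ip'] -ne $SourceIp) { continue }
        [pscustomobject]$entry
    }
}

# Constructed sample in the pfirewall.log layout (documentation-range addresses).
$sample = @(
    '#Version: 1.5'
    '#Software: Microsoft Windows Firewall'
    '#Time Format: Local'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    ''
    '2024-01-15 10:02:11 DROP TCP 192.0.2.10 192.0.2.50 51544 445 52 S 1234567890 0 64240 - - - RECEIVE'
    '2024-01-15 10:02:12 DROP UDP 192.0.2.77 192.0.2.255 137 137 78 - - - - - - - RECEIVE'
    '2024-01-15 10:02:14 DROP TCP 192.0.2.10 192.0.2.50 51545 445 52 S 1234567891 0 64240 - - - RECEIVE'
)

# Which protocol and port is the console (assumed to be 192.0.2.10) blocked on?
Get-FirewallDrop -Line $sample -SourceIp '192.0.2.10' |
    Group-Object -Property 'protocol', 'dst-port', 'path' |
    Select-Object Count, Name

# On a target, read the live log for the profile being tested instead:
# $log = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Profile Domain).LogFileName)
# Get-FirewallDrop -Line (Get-Content $log) -SourceIp '<console IP>'
```

Grouping by protocol and destination port shows which inbound rule is missing on the target, and rerunning it after each test avoids closing and reopening the file by hand.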
