See Firewall Activity in Windows Defender Firewall Logs

Purpose

You need to determine a cause for connection issues related to the Windows Firewall.

Resolution

You can find the cause by logging dropped packets on the target computer while repeating the steps in PDQ Deploy or Inventory that produce the error or connection problem.

To enable logging dropped packets on a failing target: 

1. Launch the Windows Firewall Console on the Target Computer.

2. Select the Windows Defender Firewall tab and click Properties in the Actions menu.

3. Inside the Properties tab, select the Customize button under Logging.

4. Select Yes in the Log Dropped Packets dropdown menu.

5. Press OK to close the Logging Settings menu and again to close the Windows Defender Firewall Properties.

6. Verify you are able to read the log file. If not, open the Log Files Security tab and enable Read permissions for your account.

  • You can find the log at: C:\Windows\System32\LogFiles\Firewall.
  • By default, the log is named pfirewall.log.

7. After verifying the log can be opened and read, attempt to replicate the error received. You may need to close and reopen the file after each test to see updates.

Note: If you do not see any dropped packets while logging the Domain Firewall, go back, turn off logging in the Domain Firewall, and repeat the steps to log the Private and Public firewalls (one at a time).
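
The log reading in steps 6 and 7 can be scripted. The PowerShell below is an added example, not part of the original article: it parses the log and counts DROP entries by protocol, source address and destination port. The function name ConvertFrom-FirewallLog is hypothetical and the sample log lines are constructed.

```powershell
# GUI steps 1-5 have a cmdlet equivalent (elevated prompt, run on the target):
#   Set-NetFirewallProfile -Profile Domain -LogBlocked True

function ConvertFrom-FirewallLog {
    # Hypothetical helper: turns pfirewall.log lines into objects, taking the
    # column names from the log's own "#Fields:" header line.
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            $fields = @(-split ($l -replace '^#Fields:'))
            continue
        }
        # Skip other headers, blank lines, and entries seen before the header.
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or $fields.Count -eq 0) { continue }
        $values = @(-split $l)
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

# Constructed sample in pfirewall.log format (not captured from a real host).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 09:14:02 DROP TCP 10.0.0.5 10.0.0.20 50412 445 52 S 1209381 0 64240 - - - RECEIVE
2024-05-01 09:14:05 DROP TCP 10.0.0.5 10.0.0.20 50412 445 52 S 1209381 0 64240 - - - RECEIVE
2024-05-01 09:14:09 ALLOW UDP 10.0.0.20 10.0.0.1 53122 53 0 - - - - - - - SEND
2024-05-01 09:14:11 DROP ICMP 10.0.0.5 10.0.0.20 - - 60 - - - - 8 0 - RECEIVE
'@ -split '\r?\n'

# On the target, read the live log from step 6 instead of the sample:
#   $sample = Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# Count dropped packets per protocol / source address / destination port.
ConvertFrom-FirewallLog -Line $sample |
    Where-Object action -eq 'DROP' |
    Group-Object protocol, 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Select-Object -Last 1).time } }
```

Re-running the last pipeline after each test picks up new entries without closing and reopening the file.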

See Also: 

Article - Firewall Ports and External Exceptions
