Windows Firewall

Windows Firewall provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

NXLog Agent can be configured to collect Windows Firewall logs.

Logging Windows Firewall traffic information

The Windows Firewall can be configured to log traffic information via the Advanced Security Log. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols for both blocked and allowed traffic.

Log sample
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE
2018-10-16 08:20:36 ALLOW 250 127.0.0.1 127.0.0.1 - - 0 - - - - - - - SEND

Several different actions can be logged in the action field: DROP for dropping a connection, OPEN for opening a connection, CLOSE for closing a connection, OPEN-INBOUND for an inbound session opened to the local computer, and INFO-EVENTS-LOST for events processed by the Windows Firewall but not recorded in the Security Log.
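The parser below is an added example, not code from the NXLog page: it reads the W3C-style pfirewall.log layout shown above the way xm_w3c does (column names from the #Fields header, "-" for an absent value, blank lines skipped as the EMPTY_EVENT_REGEX drop() does) and pulls out the blocked inbound packets a defender would look at first. The sample log is constructed; the DROP line and the 192.0.2.10 address are assumptions added to illustrate a blocked packet.

```python
# Added example (not from the NXLog page): parse the W3C-style pfirewall.log
# format. '#Fields:' names the columns, '-' marks an absent value, and blank
# lines (the ones EMPTY_EVENT_REGEX drops) are skipped.
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the page's layout; the DROP line is added to show
# a blocked inbound packet (192.0.2.10 is a documentation-only address).
SAMPLE_LOG = """#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE
2018-10-16 08:20:36 ALLOW 250 127.0.0.1 127.0.0.1 - - 0 - - - - - - - SEND
2018-10-16 08:21:02 DROP TCP 192.0.2.10 127.0.0.1 40211 3389 52 S 1 0 64240 - - - RECEIVE
"""


def parse_pfirewall(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # empty event: drop it, as the config does
            continue
        if line.startswith("#"):          # directive lines carry no event data
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def count_actions(text: str) -> Dict[str, int]:
    """Tally of the action field (ALLOW, DROP, ...), a quick sanity check on a log."""
    counts: Dict[str, int] = {}
    for ev in parse_pfirewall(text):
        counts[ev["action"]] = counts.get(ev["action"], 0) + 1
    return counts


def dropped_inbound(text: str) -> List[Tuple[Optional[str], Optional[str]]]:
    """(src-ip, dst-port) of packets the firewall blocked on the way in."""
    return [(ev["src-ip"], ev["dst-port"]) for ev in parse_pfirewall(text)
            if ev["action"] == "DROP" and ev["path"] == "RECEIVE"]
```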

For information about configuring the Windows Firewall Security log, please refer to Configure the Windows Defender Firewall with Advanced Security Log on Microsoft Docs.

Example 1. Collecting events from the Advanced Security Log

This example configuration collects and parses firewall logs using the im_file and xm_w3c modules.

nxlog.conf
define EMPTY_EVENT_REGEX /(^$|^\s+$)/

<Extension w3c_parser>
    Module      xm_w3c
</Extension>

<Input pfirewall>
    Module      im_file
    File        'C:\Windows\system32\LogFiles\Firewall\pfirewall.log'
    InputType   w3c_parser
    Exec        if $raw_event =~ %EMPTY_EVENT_REGEX% drop();
</Input>

Auditing the activity of Windows Firewall

Change auditing of Windows Firewall is part of a defense-in-depth strategy because it can be used to generate alerts about malicious software that is attempting to modify firewall settings. Auditing can also help administrators determine the network needs of their applications and design appropriate policies for deployment to users.

There are several ways to enable Windows Firewall audit logging.

Enabling auditing locally via the GUI
  1. Open the Local Security Settings console.

  2. In the console tree, click Local Policies, and then click Audit Policy.

  3. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.

  4. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.

Enabling auditing via Group Policy

Alternatively, audit logging can be enabled for multiple computers in an Active Directory domain using Group Policy. Modify the Audit Policy Change and Audit Process Tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.

Auditing with auditpol.exe

Finally, the following auditpol.exe command enables success and failure auditing for the Windows Firewall-related subcategories.

> auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

After audit logging is enabled, audit events can be viewed in the Security event log or collected with NXLog Agent. For a full list of Windows Security Audit events, download the Windows security audit events spreadsheet from the Microsoft Download Center.

Example 2. Collecting Windows Firewall and Advanced Security Events from Windows Event Log

This example collects Windows Firewall events from Windows Event Log using the im_msvistalog module.

nxlog.conf
<Input WinFirewallEventLog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select>
                <Select Path="Network Isolation Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Collecting Windows Firewall logs from ETW

Event Tracing for Windows (ETW) is a logging and tracing mechanism used by developers. ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel, and kernel-mode device drivers. For more information, see Event Tracing on Microsoft Docs.

Example 3. Collecting Windows Firewall and Advanced Security Traces from ETW

This configuration uses the im_etw module to collect Windows Firewall related traces from Event Tracing for Windows.

nxlog.conf
<Input etw>
    Module    im_etw
    Provider  Microsoft-Windows-Firewall
</Input>

<Input etw2>
    Module    im_etw
    Provider  Microsoft-Windows-Windows Firewall With Advanced Security
</Input>

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 27 December 2018