How to Enable Logging in Windows Defender Firewall with Advanced Security (Mobile)
In this tutorial I will show you how to enable logging for Windows Firewall activity. This might be for SIEM tool ingestion or general logging purposes. It's easy enough to do, and I will show you how below.
admin
1/7/2024
To begin, open Windows Defender Firewall with Advanced Security by searching for it in the Windows search bar in the bottom left-hand side of your screen. It will open the following window:
Once you have reached this menu, click "Windows Defender Firewall Properties" to bring up the properties menu, which looks like the following:




At the top of this window you will notice 4 tabs: "Domain Profile", "Private Profile", "Public Profile" and "IPsec Settings". For the sake of this tutorial, only the first three are important. To enable logging for any of these three profiles, begin by selecting the "Customize..." button in the Logging section of that profile's tab to bring up the next window:


From here, you can see and configure the file location for the log file, the size limit for the log file, and the options to log dropped packets and/or successful connections. To begin logging all connections within the selected profile, simply select "Yes" in both drop-down menus:


Click the "OK" button to confirm. After you have done this, the log file should start to be populated with data. To check that logging has been successfully enabled, open the log file location (the default location is "C:\Windows\System32\LogFiles\Firewall\pfirewall.log") and ensure that the file size is larger than 0KB. If you can't find the file, copy the file location from the "Customize Logging Settings for the Profile" window (the window from the previous step), remove "pfirewall.log" from the end and paste it into File Explorer:




As you can see in the screenshot above, the pfirewall.log file size on my machine is 1KB, meaning traffic is being logged in the file. By default you won't have access to this file (even if you are an administrator), so we can't just open it (I will be doing a video on file permissions in the near future, so you will be able to remediate this issue). Assuming everything has gone smoothly, your file size should also have increased from 0KB.
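The same configuration scripted in PowerShell, as an added example that is not part of the original tutorial: it selects the equivalent of "Yes" in both drop-down menus for the Domain, Private and Public profiles, then reads back each profile's log path and checks the file size as described above. It assumes an elevated PowerShell session on a machine with the built-in NetSecurity cmdlets; the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: enable firewall logging on all three profiles and verify it.

$profileNames = 'Domain', 'Private', 'Public'

# Log both dropped packets and successful connections for each profile.
# The log file path and size limit are left at each profile's current values.
Set-NetFirewallProfile -Name $profileNames -LogAllowed True -LogBlocked True

# Read the settings back and inspect each profile's log file.
$report = foreach ($p in Get-NetFirewallProfile -Name $profileNames) {
    # LogFileName is usually stored as %systemroot%\...; expand it to a real path.
    $path = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Profile    = $p.Name
        LogAllowed = $p.LogAllowed
        LogBlocked = $p.LogBlocked
        MaxSizeKB  = $p.LogMaxSizeKilobytes
        LogFile    = $path
        SizeBytes  = if ($file) { $file.Length } else { $null }
    }
}

$report | Format-Table -AutoSize

# A profile needs attention if either option is still off, or if its log
# file is missing or empty (0 bytes means nothing has been written yet).
$needsAttention = $report | Where-Object {
    $_.LogAllowed -ne 'True' -or $_.LogBlocked -ne 'True' -or -not $_.SizeBytes
}

if ($needsAttention) {
    Write-Warning ("Check these profiles: " + ($needsAttention.Profile -join ', '))
} else {
    Write-Output 'Logging is enabled and the log file is being written for all three profiles.'
}
```

If the profiles are managed by Group Policy, the domain policy takes precedence over these local settings, so a profile can still show up under the warning after the script runs.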
Make sure you follow this process for all of the profiles that you want to have logged (Domain, Private and Public). If you need any help with setting up logging on Windows Defender Firewall, feel free to get in touch below: