Monitoring and Logging

Effective firewall management requires comprehensive monitoring and logging. Windows provides multiple tools and techniques for tracking firewall activity and identifying security issues.

Configure enhanced logging:

# Enable Windows Filtering Platform auditing (writes events 5152-5157 to the Security log)
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Configure the firewall text log (size is in KB; 32767 is the largest value netsh accepts)
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging maxfilesize 32767
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

Monitor firewall activity with PowerShell:

# View recent blocked packets. Event 5152 lands in the Security log once
# "Filtering Platform Packet Drop" auditing is enabled; the Windows Firewall
# operational log records rule and profile changes, not individual drops.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5152} -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Analyze which ports the enabled Allow rules open
# (port filters are rule definitions; LocalPort reads 'Any' when no port is set)
Get-NetFirewallRule -Enabled True -Action Allow | Get-NetFirewallPortFilter |
    Where-Object {$_.LocalPort -ne 'Any'} |
    Sort-Object LocalPort |
    Format-Table Protocol, LocalPort, RemotePort

Create monitoring scripts:

# Monitor for suspicious activity: rank destinations by number of blocked packets/connections.
# WFP block events read "has blocked ..." and carry the target in a "Destination Address:" field.
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5152,5153,5154,5155,5156,5157} -MaxEvents 1000
$blockedConnections = $events | Where-Object {$_.Message -match "has blocked"}
$blockedConnections |
    Group-Object -Property { if ($_.Message -match 'Destination Address:\s+(\S+)') { $Matches[1] } else { 'unknown' } } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
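The event-based checks above cover the Security log; the pfirewall.log file configured earlier needs its own parser. The following PowerShell is an added example, not code from the original page: it reads the log's W3C header to name the columns and ranks DROP entries by source, destination port and protocol. The sample lines are constructed with documentation-range addresses, and the function names are this example's own.

```powershell
# Added example, not from the original page: parse pfirewall.log (W3C text format) and rank DROP entries.
# Column names are taken from the file's own "#Fields:" header, so the parser follows the header rather than fixed positions.
function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and data that precedes a #Fields header
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$record
    }
}

function Get-DropSummary {
    # Group dropped traffic by source address, destination port and protocol; the top entries
    # show hosts repeatedly hitting one port, which is what a reviewer wants to see first.
    param([Parameter(Mandatory)][object[]]$Records, [int]$Top = 10)
    $Records |
        Where-Object { $_.action -eq 'DROP' } |
        Group-Object -Property { '{0} -> {1}/{2}' -f $_.'src-ip', $_.'dst-port', $_.protocol } |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Constructed sample in the pfirewall.log layout (documentation-range addresses, not real traffic).
# On a live host replace this with: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:00:01 DROP TCP 192.0.2.10 10.0.0.5 51000 445 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 09:00:02 DROP TCP 192.0.2.10 10.0.0.5 51001 445 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 09:00:03 DROP TCP 192.0.2.10 10.0.0.5 51002 3389 52 S 123458 0 8192 - - - RECEIVE
2024-01-15 09:00:04 ALLOW TCP 10.0.0.5 198.51.100.20 49200 443 0 - 0 0 0 - - - SEND
2024-01-15 09:00:05 DROP UDP 192.0.2.44 10.0.0.5 60000 137 78 - - - - - - - RECEIVE
'@ -split '\r?\n'

$records = ConvertFrom-PfirewallLog -Lines $sample
Get-DropSummary -Records $records -Top 5 | Format-Table -AutoSize
```

Reading the live log requires an elevated session, and a rotated pfirewall.log.old can be fed through the same function.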