How to enable Windows firewall logging
- Author
- Aug 15, 2020
- 1 min read
(Note: this method has been confirmed to work on at least Windows 7, Windows 10 Pro and Windows Server 2012 R2.)
The following steps will lead you to the rule blocking your connection:
- Open a Windows console with administrator rights to enter the commands.
- Enable auditing for the Windows Filtering Platform (WFP):
  - run command: auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
  - run command: auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
  (This may drown you in Event Log data. Enabling only failure audits, and possibly only connection failures, will reduce the number of log entries; be selective about what you actually need.)
- Reproduce the issue.
- Run command: netsh wfp show state (this writes an XML file to the current folder).
- Open the Event Viewer: Run (Windows+R) > eventvwr.msc
- Go to "Windows Logs" > "Security".
- In the list, identify the event for the dropped packet (hint: use the Search feature in the right-hand menu, searching for values specific to your issue such as the source IP or destination port).
- In the event details, scroll down and note the filter ID used to block the packet.
- Open the generated XML file, search for the noted filter ID, and check the rule name (the "displayData > name" element of the corresponding XML node).
This gives you a good starting point for finding the blocking rule.
When you're done, don't forget to turn the audit off again:
- run command: auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
- run command: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
Note: depending on your Windows language setting, the auditing service may use different, non-English subcategory names. To find them, run command: auditpol /get /category:* and look for the subcategories that correspond to "Filtering Platform Packet Drop" and "Filtering Platform Connection" in the system language.
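The whole procedure above, scripted end to end, as an added example that is not part of the original post. It makes a few assumptions that are labelled in the comments: that the Security events written by the WFP audits are IDs 5152 (packet blocked) and 5157 (connection blocked), that the filter ID is carried in the event's EventData field named FilterRTID, and that netsh writes its dump as wfpstate.xml in the current directory. The -DestPort selector is a constructed sample value; replace it with whatever identifies your own blocked traffic.

```powershell
# Added example (not from the original post): automates the manual steps above.
# Assumptions, labelled where used:
#   - WFP block events in the Security log are IDs 5152 / 5157
#   - the filter id is the EventData field named FilterRTID
#   - `netsh wfp show state` writes .\wfpstate.xml by default
# Run from an elevated PowerShell prompt.

param(
    [string]$DestPort = '443',   # constructed sample selector; adjust to your issue
    [int]$LookbackMinutes = 10
)

# 1. Enable WFP auditing. Failure-only keeps the Security log manageable.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

# 2. Reproduce the issue, then dump the current WFP state to XML.
Read-Host "Reproduce the blocked connection now, then press Enter"
netsh wfp show state | Out-Null     # assumption: writes .\wfpstate.xml

# 3. Collect recent WFP block events and pull the filter id out of each.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5152, 5157          # assumption: packet drop / connection blocked
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['DestPort'] -eq $DestPort) {
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            EventId  = $ev.Id
            Source   = "$($data['SourceAddress']):$($data['SourcePort'])"
            Dest     = "$($data['DestAddress']):$($data['DestPort'])"
            FilterId = $data['FilterRTID']   # assumption: field name
        }
    }
}

# 4. Resolve each filter id to its rule name in wfpstate.xml.
#    The XPath matches any <item> whose <filterId> equals the id, so it does not
#    depend on where in the document the filter list is nested.
[xml]$state = Get-Content -Raw .\wfpstate.xml
foreach ($h in $hits | Sort-Object FilterId -Unique) {
    $node = $state.SelectSingleNode("//item[filterId='$($h.FilterId)']")
    $name = if ($node) { $node.displayData.name } else { '<not found in wfpstate.xml>' }
    "{0}  event {1}  {2} -> {3}  filterId={4}  rule='{5}'" -f `
        $h.Time, $h.EventId, $h.Source, $h.Dest, $h.FilterId, $name
}

# 5. Turn auditing back off so the Security log stops filling up.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
```

Each output line pairs a block event with the display name of the WFP filter that produced it, which is the same correlation the manual steps perform with Event Viewer and a text search of the XML. If a filter id is not found in wfpstate.xml, the dump was probably taken before the event was generated; re-run netsh wfp show state after reproducing the issue.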
Source: https://superuser.com/questions/1130078/how-to-tell-which-windows-firewall-rule-is-blocking-traffic