Return to
Portfolio

98. Windows Firewall

Windows Firewall provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

98.1. Traffic Logging

The Windows Firewall can be configured to log traffic information via the Advanced Security Log. These logs can provide valuable information like source and destination IP addresses, port numbers, and protocols for both blocked and allowed traffic. The log file follows the standard W3C format—see W3C Extended Log File Format section for more information.

Log Sample
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - SEND
2018-10-16 08:20:36 ALLOW UDP 127.0.0.1 127.0.0.1 54348 53 0 - - - - - - - RECEIVE
2018-10-16 08:20:36 ALLOW 250 127.0.0.1 127.0.0.1 - - 0 - - - - - - - SEND

There are several different actions that can be logged in the action field: DROP for dropping a connection, OPEN for opening a connection, CLOSE for closing a connection, OPEN-INBOUND for an inbound session opened to the local computer, and INFO-EVENTS-LOST for events processed by the Windows Firewall but which were not recorded in the Security Log.

For information about configuring the Windows Firewall Security log, please refer to Configure the Windows Defender Firewall with Advanced Security Log on Microsoft Docs.

Example 412. Collecting Events From the Advanced Security Log

This example configuration collects and parses firewall logs using the im_file and xm_w3c modules.

nxlog.conf [Download file]
1
2
3
4
5
6
7
8
9
10
11
12
define EMPTY_EVENT_REGEX /(^$|^\s+$)/

<Extension w3c_parser>
    Module      xm_w3c
</Extension>

<Input pfirewall>
    Module      im_file
    File        'C:\Windows\system32\LogFiles\Firewall\pfirewall.log'
    InputType   w3c_parser
    Exec        if $raw_event =~ %EMPTY_EVENT_REGEX% drop();
</Input>

98.2. Change Auditing

Auditing the activity of Windows Firewall is part of a defense-in-depth strategy because it can be used to generate alerts about malicious software that is attempting to modify firewall settings. Auditing can also help administrators determine the network needs of their applications and design appropriate policies for deployment to users.

There are several ways to enable Windows Firewall audit logging.

Enabling locally via the GUI
  1. Open the Local Security Settings console.

  2. In the console tree, click Local Policies, and then click Audit Policy.

  3. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.

  4. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.

Using Group Policy

Alternatively, audit logging can be enabled for multiple computers in an Active Directory domain using Group Policy. Modify the Audit Policy Change and Audit Process Tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.

With auditpol.exe

Finally, the following command can be used to enable Windows Firewall audit logs.

> auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

After audit logging is enabled, audit events can be viewed in the Security event log or collected with NXLog. For a full list of Windows Security Audit events, download the Windows security audit events spreadsheet from the Microsoft Download Center.

Example 413. Collecting Windows Firewall and Advanced Security Events from the EventLog

This example collects Windows Firewall events from the EventLog using the im_msvistalog module.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<Input WinFirewallEventLog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced
                    Security/ConnectionSecurity">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced
                    Security/ConnectionSecurityVerbose">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced
                    Security/Firewall">*</Select>
                <Select Path="Microsoft-Windows-Windows Firewall With Advanced
                    Security/FirewallVerbose">*</Select>
                <Select Path="Network Isolation Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

98.3. Event Tracing

Event Tracing for Windows (ETW) is a logging and tracing mechanism used by developers. ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel, and kernel-mode device drivers. For more information, see Event Tracing on Microsoft Docs.

Example 414. Collecting Windows Firewall and Advanced Security Traces from ETW

This configuration uses the im_etw module to collect Windows Firewall related traces from Event Tracing for Windows.

nxlog.conf [Download file]
1
2
3
4
5
6
7
8
9
<Input etw>
    Module    im_etw
    Provider  Microsoft-Windows-Firewall
</Input>

<Input etw2>
    Module    im_etw
    Provider  Microsoft-Windows-Windows Firewall With Advanced Security
</Input>