January 20, 2006

How to get more out of your Windows Firewall

Have you ever wondered how to tell if your Windows Firewall is working? Ever noticed that nothing really tells you what is going on? Why not turn on the firewall's logging facilities so you can see dropped packets and allowed connections?

To enable logging of dropped packets:

netsh firewall set logging droppedpackets=enable

To enable logging of connections:

netsh firewall set logging connections=enable

If you want to see the firewall configuration for logging:

netsh firewall show logging

There you have it. Turn it on and you will now be able to look at the log (default %windir%\pfirewall.log) and do your bidding.

Update: Fixed typo in cmd line option for logging. Thanks Tom!

Posted by SilverStr at January 20, 2006 12:25 PM
Comments

The set commands didn't work for me. Here's what did work (need to add the 'logging' keyword):

netsh firewall set logging droppedpackets=enable
and
netsh firewall set logging connections=enable

Posted by: Tom at January 20, 2006 03:40 PM

Whoops. Good catch. Typo on my part. All fixed now. Thanks Tom!

Posted by: Dana Epp at January 20, 2006 04:11 PM

You also missed how to set the logfile size...

eg:

netsh firewall set logging maxfilesize=20480

or its location:

netsh firewall set logging filelocation=%windir%\pfirewall.log

Posted by: Stephen Gennard at January 23, 2006 09:02 AM

Hey Stephen,

Didn't miss it. The default of 4096KB in the Windows directory seems to work pretty well for most situations. I wouldn't change it unless you have a special need to.

Posted by: Dana Epp at January 23, 2006 09:10 AM