Windows firewall is not logging dropped packets

  • Question

  • I have several 2008 R2 domain controllers that are not logging dropped packets to the specified log file. I am using the default path and name for the log file that I would like to use for logging dropped packets.

    • The "domain profile" is active.  
    • File Name: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    • File maximum size (KB): 16384
    • Log dropped packets: Yes
    • Log successful connections: Yes

    When I select the monitoring tab and select the link to the file name, the file opens up but there are no new entries. This seemed to start when the member server was promoted to a domain controller. Is this a firewall logging bug or is it possible I have a configuration problem? Also, I have just stopped enforcing settings with Group Policy so all settings are being made locally. Actually, it seems that all my DCs are failing to log dropped packets.

    Thanks

    EDIT: I have multiple domains and all my 2008 R2 DCs behave similarly.
    • Edited by Jrmares Wednesday, June 12, 2013 6:10 PM
    Wednesday, June 12, 2013 6:08 PM

All replies

  • This might be a known issue. Please check this thread:


    Issue Configuring Windows Firewall Using GPO: Unable to enable logging & settings remain after removing GPO
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/546c284e-521e-48cc-a0eb-62d8f80d82ad


    I think that what you are referring to is the "old" (Windows XP) GPO node. As you can see, there are only "Domain Profile" and "Standard Profile".

    The "new" (Vista/Win 7) GPO node is found under

    Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall With Advanced Security/(long LDAP Name)

    As you will see, there are now three profiles: Domain, Private, Public.

    I totally agree with the OP, and I would add that:

        • the behaviour of the GPO GUI is bizarre, as the settings do not "stick"
        • if you specify an alternate location, no log file is created at that location
        • it appears that the events are actually put in the Windows Event Log (Security) instead, and they fill it up, pronto!
        • you need to specify in your GPO not to log in the Windows Event Log under Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Configuration/Object Access



    Thursday, June 13, 2013 7:34 AM
    Moderator
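The reply above says the drops appear to land in the Security event log instead of pfirewall.log. The following is an added PowerShell check that is not part of the thread; it assumes an elevated session on the affected DC, and that Windows Filtering Platform drops are recorded as Security events 5152 (packet blocked) and 5157 (connection blocked) under the "Filtering Platform Packet Drop" and "Filtering Platform Connection" audit subcategories.

```powershell
# Added example, not from the thread. Run elevated on the DC that is not writing pfirewall.log.

# 1. Effective audit policy for the two WFP subcategories that generate the Security-log events.
#    If a GPO enforces Advanced Audit Policy, this shows what the GPO set, and a local
#    auditpol /set would be overwritten at the next refresh, which is why the reply points at the GPO.
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. Count WFP drop events written in the last hour. 5152 = packet blocked, 5157 = connection blocked.
$since = (Get-Date).AddHours(-1)
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since } `
    -ErrorAction SilentlyContinue
"WFP drop events in the Security log since $since : $($drops.Count)"

# 3. Show the most recent few with just the first line of the message.
$drops | Select-Object -First 5 TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 4. Compare with the text log the OP expects to grow.
$logFile = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path $logFile) {
    Get-Item $logFile | Select-Object FullName, Length, LastWriteTime
} else {
    "$logFile does not exist"
}
```

If step 1 shows Success or Failure auditing enabled and step 2 is non-zero while step 4 shows a stale or missing file, the host is behaving as the reply describes. Where the audit policy is domain-enforced, the change belongs in the GPO path the reply names rather than in a local auditpol /set.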
  • Thanks for your reply, Cheers. This may be a "known setting" but there doesn't seem to be any resolution for it. It would be nice if there was a fix or workaround available.

    I just installed a standalone Win2008 R2 server and ran dcpromo. I configured the Windows Firewall but was unable to get any logging output to the text file. Have you (or anyone else) been able to reproduce this?

    Thanks.  

    Thursday, June 13, 2013 5:17 PM
  • In my case, it happened after promoting a Windows 2012R2 as a Domain Controller.

    Adding the NT SERVICE\MPSSVC account with Full Control permissions on the C:\Windows\System32\LogFiles\Firewall folder and restarting the server solved my problem.

    Friday, July 7, 2017 3:02 PM
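The permission fix in the reply above, as an added PowerShell example that is not part of the thread. It assumes Windows Server 2012 R2 or later (the NetSecurity module), the default log path the OP uses, and the NT SERVICE\MPSSVC identity named in the reply; the reboot is left to the operator, as in the reply.

```powershell
# Added example, not from the thread. Run elevated on the DC.
$logDir     = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall'
$logFile    = Join-Path $logDir 'pfirewall.log'
$svcAccount = 'NT SERVICE\MPSSVC'   # Windows Firewall service identity, as named in the reply

# 1. What the Domain profile is configured to log (the OP's settings: 16384 KB, dropped + allowed).
Get-NetFirewallProfile -Name Domain |
    Select-Object Name, Enabled, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed

# 2. Does the service identity hold an ACE on the folder? Without one it cannot create or append the file.
$acl = Get-Acl -Path $logDir
$ace = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $svcAccount }
if ($ace) {
    "$svcAccount already has: $($ace.FileSystemRights -join ', ')"
} else {
    Write-Warning "$svcAccount has no ACE on $logDir; granting Full Control (inherited by the log file)."
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $svcAccount, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $logDir -AclObject $acl
}

# 3. Re-apply the OP's logging settings locally so they do not depend on a GPO value having "stuck".
Set-NetFirewallProfile -Name Domain -LogFileName $logFile -LogMaxSizeKilobytes 16384 `
    -LogBlocked True -LogAllowed True

# 4. The reply restarted the server; after the reboot, confirm the file is being written.
"After reboot, run: Get-Item '$logFile' | Select-Object Length, LastWriteTime; Get-Content '$logFile' -Tail 5"
```

On the OP's 2008 R2 hosts the NetSecurity cmdlets are not available; the equivalent steps there are `netsh advfirewall show domainprofile` and `netsh advfirewall set domainprofile logging droppedconnections enable` for the profile settings, and `icacls "%systemroot%\System32\LogFiles\Firewall" /grant "NT SERVICE\MPSSVC:(OI)(CI)F"` for the ACE. Granting Full Control is what the reply did; Modify on the folder with inheritance is the smaller grant to try first if least privilege matters on the DC.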