Windows Firewall Logging - Headers Only

  • Question

  • Hi Everyone

    Server 2012R2, fully patched.

    I've turned Windows Firewall on for a server and set a custom log location. It's set to log and the policy is ANY-ANY, so there's nothing being blocked. I have it set to log dropped packets and successful connections. The log file size is set to 30MB and it applies to Domain, Private and Public.

    The first issue I had was that the log file didn't get created when I applied these settings but I fixed that by giving the MpsSvc account full control over the log folder.

    The issue I have now is that the log file creates and it adds the headers, but nothing is logged.

    I've removed the FW entries from the registry, cleaned the local policy, ran AUDITPOL /Clear and double-checked that MpsSvc has access to the folder and file.

    If I apply identical settings to Server 2016 it works perfectly, but it fails on Server 2012R2.

    Can anyone think what the issue could be?

    Thanks,


    • Edited by TQuestions Tuesday, February 28, 2017 6:01 PM
    Tuesday, February 28, 2017 5:54 PM

Answers

  • Ok I worked this out with a LOT of trial and error!

    The GPO I used to apply the FW settings didn't like the system32\... location for log files, so I pointed it to C:\FIREWALL.

    Annoyingly, when you manually set this in Windows Firewall it'll create the folder and stamp the permissions, but in the GPO it won't and the logging will fail (as the folder doesn't exist).

    So have the GPO create a folder and put the right permissions on it (which is NT SERVICE\MPSSVC full control) and it should work.

    EDIT: You also need to add LOCAL SERVICE (Full Control) in the GPO


    • Marked as answer by TQuestions Tuesday, February 28, 2017 11:36 PM
    • Edited by TQuestions Wednesday, March 1, 2017 12:33 AM
    Tuesday, February 28, 2017 11:36 PM
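
A way to check the condition described in the answer above, as an added example that is not part of the original thread: for each profile's effective log path, it reports whether the folder exists and whether it carries an explicit Full Control entry for the two accounts the answer names. The function name `Test-FirewallLogFolder` is hypothetical, and access granted only through group membership is not counted.

```powershell
# Added example (not from the thread). Run elevated on the affected server.
# Accounts named in the answer: the firewall service SID and LOCAL SERVICE.
$Accounts = 'NT SERVICE\MpsSvc', 'NT AUTHORITY\LOCAL SERVICE'
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$SidType  = [System.Security.Principal.SecurityIdentifier]

function Test-FirewallLogFolder {   # hypothetical helper name
    param([string]$LogFile)

    # Log paths may contain %systemroot%, as in the netsh output on this page.
    $dir = Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($LogFile))
    $result = [ordered]@{
        Folder = $dir
        Exists = (Test-Path -LiteralPath $dir -PathType Container)
    }

    foreach ($name in $Accounts) {
        $granted = $false
        if ($result.Exists) {
            # Compare by SID so localized or differently cased names still match.
            $sid   = (New-Object System.Security.Principal.NTAccount($name)).Translate($SidType)
            $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $SidType)
            $granted = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid.Value -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $Full) -eq $Full
            })
        }
        $result[$name] = $granted
    }
    [pscustomobject]$result
}

# ActiveStore is the effective policy (local settings merged with GPO).
Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
    $check = Test-FirewallLogFolder -LogFile $_.LogFileName
    $check | Add-Member -NotePropertyName Profile    -NotePropertyValue $_.Name
    $check | Add-Member -NotePropertyName LogAllowed -NotePropertyValue $_.LogAllowed
    $check | Add-Member -NotePropertyName LogBlocked -NotePropertyValue $_.LogBlocked
    $check
} | Format-List Profile, LogAllowed, LogBlocked, Folder, Exists, 'NT SERVICE\MpsSvc', 'NT AUTHORITY\LOCAL SERVICE'
```

A profile that shows `Exists : False`, or `False` for either account, matches the state in which the answer says logging fails under GPO.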

All replies

  • To add to this, I noticed that when I ran

    NetSh ADVFirewall Show AllProfiles

     I got this:

     
    NetSh ADVFirewall Show AllProfiles
    
    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Disable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              C:\Temp\domain_firewall.log
    MaxFileSize                           4096
    
    
    Private Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Disable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              C:\Windows\System32\LogFiles\Firewall\private\private_firewall.log
    MaxFileSize                           4096
    
    
    Public Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Disable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Disable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.
    


    But if I look at the Firewall GUI everything looks fine (sorry it won't let me post a screen shot but it's all working correctly).

    


    • Edited by TQuestions Tuesday, February 28, 2017 6:18 PM
    Tuesday, February 28, 2017 6:13 PM
  • Hi,

    Thank you for sharing with us.


    Best Regards
    Cartman

    Wednesday, March 1, 2017 7:52 AM
    Moderator