Firewall Folder missing and files not being written

  • Question

  • Me
    Windows 10 Pro in Workgroup

    Windows 10 Version 1709 (OS Build 16299.431)

    %systemroot%\system32\LogFiles\Firewall\pfirewall.log is missing

    Have explicitly added the folder Firewall to %systemroot%\system32\LogFiles\

    See pfirewall.log 0 bytes

    Have copied log to another folder and still nothing.

    How do we test Firewall blocking, presently have Public

    Cannot stop service and start to recheck.

    Can stop within the program wf.msc

    Tuesday, July 3, 2018 7:36 PM

Answers

All replies

  • Firewall service cannot be stopped, it is part of the networking stack \ a security feature.

    Firewall does not log blocked connections if there is nothing listening on that port. So you will need something listening on a blocked port to see the connection blocked.

    Tuesday, July 3, 2018 9:27 PM
  • Did you not see?

    %systemroot%\system32\LogFiles\Firewall\pfirewall.log is missing

    What does this mean? It worked just fine before the recent updates. I could always look in %systemroot%\system32\LogFiles\Firewall\pfirewall.log and see the blocked ports

    Firewall does not log blocked connections if there is nothing listening on that port. So you will need something listening on a blocked port to see the connection blocked.

    Wednesday, July 4, 2018 7:46 PM
  • The 'See pfirewall.log 0 bytes' suggests it exists and is zero bytes.

    From an admin PowerShell prompt, what does the following show? (post the command and result in a reply)

    Get-Content -Path C:\Windows\System32\LogFiles\Firewall\pfirewall.log

    Wednesday, July 4, 2018 8:58 PM
  • PS C:\WINDOWS\system32> Get-Content -Path C:\Windows\System32\LogFiles\Firewall\pfirewall.log
    PS C:\WINDOWS\system32>

    • Edited by dkrohn Wednesday, July 4, 2018 9:52 PM
    Wednesday, July 4, 2018 9:45 PM
  • Went back in and enabled blocking on Public profile and went through wizard to point pfirewall.log

    Now blocks and logs

    PS C:\WINDOWS\system32> Get-Content -Path C:\Windows\System32\LogFiles\Firewall\pfirewall.log
    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2018-07-04 14:54:43 ALLOW TCP 192.168.2.101 34.232.255.189 65082 80 0 - 0 0 0 - - - SEND
    2018-07-04 14:54:43 ALLOW TCP 127.0.0.1 127.0.0.1 65083 14107 0 - 0 0 0 - - - SEND
    2018-07-04 14:54:43 ALLOW TCP 127.0.0.1 127.0.0.1 65083 14107 0 - 0 0 0 - - - RECEIVE
    2018-07-04 14:54:50 ALLOW TCP 73.220.189.99 192.168.2.101 56396 21 0 - 0 0 0 - - - RECEIVE
    2018-07-04 14:54:50 DROP TCP 73.220.189.99 192.168.2.101 56397 65086 52 S 3349866772 0 65535 - - - RECEIVE
    2018-07-04 14:54:53 ALLOW TCP 192.168.2.101 34.232.255.189 65087 80 0 - 0 0 0 - - - SEND
    2018-07-04 14:54:53 DROP TCP 73.220.189.99 192.168.2.101 56397 65086 52 S 3349866772 0 65535 - - - RECEIVE
    2018-07-04 14:54:59 DROP TCP 73.220.189.99 192.168.2.101 56397 65086 52 S 3349866772 0 65535 - - - RECEIVE
    2018-07-04 14:55:01 ALLOW TCP 73.220.189.99 192.168.2.101 56403 21 0 - 0 0 0 - - - RECEIVE
    2018-07-04 14:55:01 DROP TCP 73.220.189.99 192.168.2.101 56404 65088 52 S 1977515941 0 65535 - - - RECEIVE
    2018-07-04 14:55:02 ALLOW UDP 192.168.2.103 192.168.2.255 138 138 0 - - - - - - - RECEIVE
    2018-07-04 14:55:03 ALLOW TCP 192.168.2.101 34.232.255.189 65089 80 0 - 0 0 0 - - - SEND
    2018-07-04 14:55:04 DROP TCP 73.220.189.99 192.168.2.101 56404 65088 52 S 1977515941 0 65535 - - - RECEIVE

    Wednesday, July 4, 2018 9:58 PM
  • Hi,

    This is correct log format.

    So was your issue resolved?

    If no, I suggest you update to the latest build Windows 10 1803 (OS build 17134.137). Then configure the Windows Defender Firewall with Advanced Security Log as below:

    Configure the Windows Defender Firewall with Advanced Security Log

    https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log




    Thursday, July 5, 2018 8:16 AM
    Moderator
  • Went back in and enabled blocking on Public profile and went through wizard to point pfirewall.log

    Now blocks and logs


    • Marked as answer by dkrohn Friday, July 6, 2018 8:27 PM
    Friday, July 6, 2018 8:27 PM
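
As an added example (not code posted by anyone in this thread), the PowerShell below reads each firewall profile's log settings and log file state, then parses log lines by their `#Fields:` header and counts DROP entries per source address and destination port. The function names `ConvertFrom-FirewallLog` and `Get-FirewallLogStatus` and the sample log lines are constructed for illustration; `Get-NetFirewallProfile` is the built-in NetSecurity cmdlet.

```powershell
# Added example: function names and sample data are constructed, not taken from the thread.
function ConvertFrom-FirewallLog {
    # Turn pfirewall.log lines into objects, naming columns from the "#Fields:" header.
    param([string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^\s*(#|$)' -or -not $fields) { continue }   # other headers, blank lines
        $values = $l.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }          # truncated or malformed row
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-FirewallLogStatus {
    # Per-profile log settings, plus whether the configured log file exists and its size.
    Get-NetFirewallProfile | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_.LogFileName)
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Profile = $_.Name; Enabled = $_.Enabled
            LogBlocked = $_.LogBlocked; LogAllowed = $_.LogAllowed
            LogFile = $path; Exists = [bool]$file
            Bytes = if ($file) { $file.Length } else { 0 }
        }
    }
}

# Constructed sample in the same layout as the log posted above (documentation addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-07-04 14:54:50 ALLOW TCP 198.51.100.7 192.0.2.10 56396 21 0 - 0 0 0 - - - RECEIVE
2018-07-04 14:54:50 DROP TCP 198.51.100.7 192.0.2.10 56397 65086 52 S 3349866772 0 65535 - - - RECEIVE
2018-07-04 14:54:53 DROP TCP 198.51.100.7 192.0.2.10 56397 65086 52 S 3349866772 0 65535 - - - RECEIVE
2018-07-04 14:55:01 DROP TCP 198.51.100.7 192.0.2.10 56404 65088 52 S 1977515941 0 65535 - - - RECEIVE
'@ -split '\r?\n'

# DROP entries counted per source address and destination port.
ConvertFrom-FirewallLog -Line $sample | Where-Object action -eq 'DROP' |
    Group-Object -Property 'src-ip', 'dst-port' | Select-Object Count, Name

# On a live host (elevated prompt): Get-FirewallLogStatus | Format-Table -AutoSize
# ConvertFrom-FirewallLog -Line (Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log)
```

`LogBlocked` is the per-profile setting that controls whether dropped packets are written, so the log carries no DROP rows for a profile while it is False.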