AIMultiple ResearchAIMultiple ResearchAIMultiple Research
We follow ethical norms & our process for objectivity.
This research is not funded by any sponsors.
FW Audit
Updated on Jan 7, 2025

Comprehensive Guide of Windows Firewall Audit Mode ['25]

Headshot of Cem Dilmegani
MailLinkedinX

Windows Firewall is a security feature within the Windows operating system, designed to protect devices from malware and unauthorized access. Windows firewall audit log analysis might be done manually or via a Windows Firewall log analyzer.

Explore the procedures and benefits of conducting a Windows Firewall audit, ensuring your network remains secure and resilient against threats:

Windows Firewall log analyzers

Table 1. Top 3 Windows Firewall event logs analyzers

Last Updated at 05-27-2024
ToolUser RatingEmployee SizeFree Trial
ManageEngine EventLog Analyzer4.8 out of 14 reviews387✅ (30 days)
SolarWinds Firewall Log & Event Manager3.3 out of 164 reviews2,626✅ (30 days)
Corner Bowl Event Log Manager4.8 out of 61 reviews1

A Windows Firewall log analyzer enables organizations to monitor activity, receive detailed graphical reports, and gain insights. It also allows full control over firewall settings and policies through configuration audits, and provides real-time security alerts to swiftly identify and mitigate network attacks.

If you are in search of a tool for a comprehensive firewall rule audit, check firewall audit software.

Windows Firewall overview

Windows Defender Firewall is a security feature that filters network traffic entering and exiting your device based on criteria like source and destination IP addresses, IP protocol, and port numbers.

Figure 1. Windows Defender Firewall dashboard

The Windows Firewall service is a host-based firewall included and enabled by default on all Windows editions, supporting Internet Protocol security (IPsec).1 IPsec can be used to require authentication for any device attempting to communicate, blocking unauthenticated devices from accessing your system.

Importance of Windows Firewall Audits mode

Recent test results highlight that the firewall successfully defended against 0-day malware attacks and detected prevalent malware with 100% accuracy, significantly surpassing the industry average of 99.4%.2

By configuring firewall rules, security administrators can block or allow traffic based on the services and applications installed, ensuring only authorized inbound connections are permitted. This feature provides an additional layer of network security and can be tailored to manage incoming traffic effectively, which is crucial for both domain network environments and public networks.

Additionally, firewall rules and settings can be managed using group policy on a domain network, enabling security administrators to maintain consistent security across multiple systems within an organization.

How to enable Windows Firewall Audit manually

By default, Windows Firewall with Advanced Security does not generate audit events for the Windows Firewall service or IPsec. To enable event logging for Windows Server 2008 or Windows Vista, you must manually turn it on, which is recommended only for troubleshooting purposes due to the potential high volume of events generated.

First, make sure that you have a local administrators group membership or appropriate authority to enable Windows Firewall audit mode. For this, open an administrative command prompt and execute the following command3 :

auditpol.exe /set /SubCategory:”MPSSVC rule-level Policy Change”,”Filtering Platform policy change”,”IPsec Main Mode”,”IPsec Quick Mode”,”IPsec Extended Mode”,”IPsec Driver”,”Other System Events”,”Filtering Platform Packet Drop”,”Filtering Platform Connection” /success:enable /failure:enable

After running the command, restart the Windows Firewall service with:

net stop MPSSVC

net start MPSSVC

To disable event logging later, use the same command but use:

/success:disable /failure:disable

How to reach audit event logs manually

An audit event is a security-relevant occurrence in the system, such as changes to the security state or violations of access control policies. These events are detected by programs and kernel modules, reported to the system audit logger, and include the event name, success or failure, and additional security-related information.4

To view the Windows Firewall audit log files in Event Viewer,

1-Open Event Viewer by clicking Start, typing eventvwr in the Start Search box, and pressing ENTER.

2-Confirm any User Account Control dialog boxes that appear and click Continue.

Figure 2. Event Viewer Dashboard

This image shows Event Viewer Dashboard, for seeing event audits of Windows Firewall audit

3-In the navigation pane of Event Viewer, expand the Windows Logs branch.

Figure 3. Event Viewer Windows event logs

This image shows Event Viewer Dashboard, for seeing event audits of Windows Firewall audit.

4-Right-click on Security and select Filter Current Log.

Figure 4. Filtering logs in Event Viewer

This image shows Event Viewer Dashboard, for seeing event audits of Windows Firewall audit.

5-In the Includes/Excludes Event IDs box, type 4600-5500 to filter the events related to Windows Firewall audit.

Figure 5. Typing event ID in Event Viewer

This image shows Event Viewer Dashboard, for seeing event audits of Windows Firewall audit.

6-Click OK to apply the filter.

Figure 6. Filtered Windows firewall event logs

This image shows Event Viewer Dashboard, for seeing event audits of Windows Firewall audit.

Windows Firewall logs can be viewed in Notepad++ or MS Excel to extract fields and analyze them for troubleshooting purposes.

FAQs

What is the purpose of a firewall audit?

A firewall audit is a thorough examination of firewall rules, configurations, and policies to assess the security posture of an organization’s network. It involves scrutinizing the firewall rule base, evaluating the firewall’s physical and virtual aspects, and ensuring compliance with internal policies and industry standards.
If you are looking for a firewall audit solution, you may check firewall audit software.

How secure is Windows Defender Firewall?

Recent test results highlight that the firewall successfully defended against 0-day malware attacks and detected prevalent malware with 100% accuracy, significantly surpassing the industry average of 99.4%. This exceptional performance emphasizes the importance of regular Windows Firewall audits to maintain this high level of security.

How do users evaluate Windows Defender Firewall?

Recent test results highlight its effectiveness, showcasing a solid protection score based on nearly 16K user experience.5

Further reading

If you need help finding a vendor or have any questions, feel free to contact us:

Find the Right Vendors

External Resources

Share This Article
MailLinkedinX
Cem has been the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per similarWeb) including 55% of Fortune 500 every month.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.

Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.

He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.

Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Ezgi is an Industry Analyst at AIMultiple, specializing in sustainability, survey and sentiment analysis for user insights, as well as firewall management and procurement technologies.

Next to Read

Comments

Your email address will not be published. All fields are required.

0 Comments