Comprehensive Guide of Windows Firewall Audit Mode ['25]

Windows Firewall is a security feature within the Windows operating system, designed to protect devices from malware and unauthorized access. Windows firewall audit log analysis might be done manually or via a Windows Firewall log analyzer.

Explore the procedures and benefits of conducting a Windows Firewall audit, ensuring your network remains secure and resilient against threats:

Windows Firewall log analyzers

Table 1. Top 3 Windows Firewall event logs analyzers

A Windows Firewall log analyzer enables organizations to monitor activity, receive detailed graphical reports, and gain insights. It also allows full control over firewall settings and policies through configuration audits, and provides real-time security alerts to swiftly identify and mitigate network attacks.

If you are in search of a tool for a comprehensive firewall rule audit, check firewall audit software.

Windows Firewall overview

Windows Defender Firewall is a security feature that filters network traffic entering and exiting your device based on criteria like source and destination IP addresses, IP protocol, and port numbers.

Figure 1. Windows Defender Firewall dashboard

The Windows Firewall service is a host-based firewall included and enabled by default on all Windows editions, supporting Internet Protocol security (IPsec).¹ IPsec can be used to require authentication for any device attempting to communicate, blocking unauthenticated devices from accessing your system.

Importance of Windows Firewall Audits mode

Recent test results highlight that the firewall successfully defended against 0-day malware attacks and detected prevalent malware with 100% accuracy, significantly surpassing the industry average of 99.4%.²

By configuring firewall rules, security administrators can block or allow traffic based on the services and applications installed, ensuring only authorized inbound connections are permitted. This feature provides an additional layer of network security and can be tailored to manage incoming traffic effectively, which is crucial for both domain network environments and public networks.

Additionally, firewall rules and settings can be managed using group policy on a domain network, enabling security administrators to maintain consistent security across multiple systems within an organization.

How to enable Windows Firewall Audit manually

By default, Windows Firewall with Advanced Security does not generate audit events for the Windows Firewall service or IPsec. To enable event logging for Windows Server 2008 or Windows Vista, you must manually turn it on, which is recommended only for troubleshooting purposes due to the potential high volume of events generated.

First, make sure that you have a local administrators group membership or appropriate authority to enable Windows Firewall audit mode. For this, open an administrative command prompt and execute the following command³ :

auditpol.exe /set /SubCategory:”MPSSVC rule-level Policy Change”,”Filtering Platform policy change”,”IPsec Main Mode”,”IPsec Quick Mode”,”IPsec Extended Mode”,”IPsec Driver”,”Other System Events”,”Filtering Platform Packet Drop”,”Filtering Platform Connection” /success:enable /failure:enable

After running the command, restart the Windows Firewall service with:

net stop MPSSVC

net start MPSSVC

To disable event logging later, use the same command but use:

/success:disable /failure:disable

How to reach audit event logs manually

An audit event is a security-relevant occurrence in the system, such as changes to the security state or violations of access control policies. These events are detected by programs and kernel modules, reported to the system audit logger, and include the event name, success or failure, and additional security-related information.⁴

To view the Windows Firewall audit log files in Event Viewer,

1-Open Event Viewer by clicking Start, typing eventvwr in the Start Search box, and pressing ENTER.

2-Confirm any User Account Control dialog boxes that appear and click Continue.

Figure 2. Event Viewer Dashboard

3-In the navigation pane of Event Viewer, expand the Windows Logs branch.

Figure 3. Event Viewer Windows event logs

4-Right-click on Security and select Filter Current Log.

Figure 4. Filtering logs in Event Viewer

5-In the Includes/Excludes Event IDs box, type 4600-5500 to filter the events related to Windows Firewall audit.

Figure 5. Typing event ID in Event Viewer

6-Click OK to apply the filter.

Figure 6. Filtered Windows firewall event logs

Windows Firewall logs can be viewed in Notepad++ or MS Excel to extract fields and analyze them for troubleshooting purposes.

FAQs

Further reading

• Top 12 Firewall Audit Software & Integration-Based Comparison
• Top 7 Open Source Firewall Audit Tools: Analysis & Comparison
• 5 Firewall Best Practices for SMEs and Large-Enterprises
• AI Firewall vs NGFWs: Detailed Analysis & Comparison

If you need help finding a vendor or have any questions, feel free to contact us:

External Resources

• 1. Enable IPsec and Windows Firewall Audit Events. Microsoft. Accessed: 24/May/2024.
• 2. AV-TEST Product Review and Certification Report. AV-TEST. Accessed: 24/May/2024.
• 3. Enable IPsec and Windows Firewall Audit Events. Microsoft. Accessed: 24/May/2024.
• 4. Audit events. IBM. Accessed: 24/May/2024.
• 5. AV-TEST Product Review and Certification Report. AV-TEST. Accessed: 24/May/2024.