Windows Firewall - How to add

Add Windows Firewall

Enable Windows Firewall Logs

To monitor Windows Firewall logs, you must first add the Windows host from which the firewall logs are to be collected.

For EventLog Analyzer to collect Windows Firewall logs, you must modify the local audit policy of the added Windows host and enable all firewall-related events. To do this, follow the procedure below:

  1. Open the command prompt.

  2. Execute the following commands to enable logging of all firewall-related events:
    auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level policy change" /success:enable /failure:enable
    auditpol.exe /set /category:"Policy Change" /subcategory:"Filtering Platform policy change" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Main Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"System" /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol.exe /set /category:"System" /subcategory:"Other system events" /success:enable /failure:enable
    auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform packet drop" /success:enable /failure:enable
    auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform connection" /success:enable /failure:enable

  3. Restart the host, or force a manual policy refresh by using the following command:
    gpupdate /force