Windows Firewall not writing to its logfiles


As part of the Group Policy Management guidelines from the Center for Internet Security (CIS), the recommendation is to turn on firewall logging on all Windows Servers, and to save each profile's log to its own log file.

Configuring this in Group Policy is pretty straightforward. Just type in the new file name for each profile, set the size, make sure dropped packets and successful connections are both logged, and away you go.

[Image: Windows Firewall]

However… it seems that unless the log files already exist, the firewall service doesn't log anything, and it doesn't log any error about failing to do so either!

After pulling my hair out for a few hours (not finding anything on Google is always a bad sign), I finally realised that when setting firewall log file names via GPO you have to create the log files manually! If you go into Windows Firewall on each server, go into each profile and click Browse next to the file name, the MMC nicely creates the file for you and sets the right permissions, but GPOs do not do this…

Per the comment below from Barnaby Arnott, a better way to solve this problem is to ensure that the parent folder exists and that the NT SERVICE\MpsSvc service account has Write permission on that folder, so that the service can create the files itself.


I created the following PowerShell function, which creates a firewall log file with suitable permissions for you.

Function New-FirewallLogFile
{
  [CmdletBinding()]
  param ([string]$FileName)

  # Only create the file if it is missing: New-Item -Force would otherwise
  # truncate an existing log. -Force also creates any missing parent folder.
  if (-not (Test-Path -LiteralPath $FileName)) {
    New-Item -Path $FileName -ItemType File -Force | Out-Null
  }

  $Acl = Get-Acl -LiteralPath $FileName
  # Stop inheriting from the folder and discard the inherited entries, so the
  # file ends up with only the explicit entries added below (the same set the
  # firewall MMC applies when it creates the file for you).
  $Acl.SetAccessRuleProtection( $True, $False )
  $PermittedUsers = @( 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Network Configuration Operators', 'NT SERVICE\MpsSvc' )
  foreach( $PermittedUser in $PermittedUsers ) {
    $Permission = $PermittedUser, 'FullControl', 'Allow'
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
    $Acl.AddAccessRule( $AccessRule )
  }

  # Administrators own the file, as they would if the MMC had created it.
  $Acl.SetOwner( (New-Object System.Security.Principal.NTAccount( 'BUILTIN\Administrators' )) )

  $Acl | Set-Acl $FileName
}

So now you can create all of the log files you need (don't forget about the .old ones). For CIS you'd create the following six files:

New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\domainfw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\domainfw.log.old'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\privatefw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\privatefw.log.old'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\publicfw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\publicfw.log.old'

A final reboot and all is well again.
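The folder-permission approach from Barnaby Arnott's comment, plus a per-profile check that the firewall's effective log path now exists and is growing, as an added example that is not part of the original post. It assumes the NetSecurity module (Windows Server 2012 / Windows 8 or later) and that $Folder is the same path used in the GPO; granting Modify rather than plain Write is my choice here, so that the service can also rename the rotated .log.old file.

```powershell
Function Grant-FirewallLogFolderAccess
{
  [CmdletBinding()]
  param ([string]$Folder = 'C:\Windows\System32\LogFiles\Firewall')

  if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -Path $Folder -ItemType Directory -Force | Out-Null
  }

  $Acl = Get-Acl -LiteralPath $Folder
  # Modify on the folder, inherited by new files, is enough for MpsSvc to
  # create the .log files and rotate them to .log.old without our help.
  $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'NT SERVICE\MpsSvc', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
  $Acl.AddAccessRule($Rule)
  Set-Acl -LiteralPath $Folder -AclObject $Acl
}

Function Test-FirewallLogging
{
  # ActiveStore returns the effective settings, i.e. what the GPO actually
  # applied, rather than the locally configured values.
  foreach ($Fw in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    # The firewall stores the path with %systemroot%; expand it before testing.
    $Path = [Environment]::ExpandEnvironmentVariables($Fw.LogFileName)
    $Exists = Test-Path -LiteralPath $Path
    # A file that exists but stays at 0 bytes after some traffic is the symptom
    # described above: the service has a path but cannot write to it.
    $Bytes = 0
    if ($Exists) { $Bytes = (Get-Item -LiteralPath $Path).Length }
    [pscustomobject]@{
      Profile    = $Fw.Name
      LogFile    = $Path
      LogBlocked = $Fw.LogBlocked
      LogAllowed = $Fw.LogAllowed
      Exists     = $Exists
      Bytes      = $Bytes
    }
  }
}

Grant-FirewallLogFolderAccess
Test-FirewallLogging | Format-Table -AutoSize
```

Run it from an elevated prompt; a profile showing Exists = False after the GPO has applied means the service still cannot create its file at that path.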