Windows Firewall not writing to its logfiles

As part of the Group Policy Management guidelines from the Center for Internet Security (CIS), the recommendation is to turn on firewall logging on all Windows Servers and to save each profile to its own log file.

Configuring this in Group Policy is pretty straightforward. Just type in the new file name for each profile, set the size, ensure we log dropped and successful connections, and away you go.

Windows Firewall

However… it seems that unless the log files have already been created, the firewall service doesn't actually log anything, nor does it log any errors!

After pulling my hair out for a few hours (not finding anything on Google is always a bad sign), I finally realised that when setting firewall log file names via GPO you have to manually create the log files! If you go into Windows Firewall on each server, go into each profile and click Browse next to the file name, the MMC nicely creates the file for you and sets the right permissions, but GPOs do not do this…

Per the comment below from Barnaby Arnott, a better way to solve this problem is to ensure that the parent folder exists and that the NT SERVICE\MpsSvc service account has Write permission on that folder, so the service can create the files itself.


I created the following PowerShell function, which will create a suitably permissioned firewall log file for you.

Function New-FirewallLogFile
{
  param ([string]$FileName)

  # Create the (empty) log file; -Force also creates any missing parent folders.
  New-Item $FileName -Type File -Force | Out-Null

  # Start from an explicit ACL: disable inheritance and drop any inherited rules.
  $Acl = Get-Acl $FileName
  $Acl.SetAccessRuleProtection( $True, $False )

  # Grant the firewall service (MpsSvc) and the usual administrative principals full control.
  $PermittedUsers = @( 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Network Configuration Operators', 'NT SERVICE\MpsSvc' )
  foreach( $PermittedUser in $PermittedUsers ) {
    $Permission = $PermittedUser, 'FullControl', 'Allow'
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
    $Acl.AddAccessRule( $AccessRule )
  }

  # Match what the MMC Browse dialog produces: the file is owned by Administrators.
  $Acl.SetOwner( (New-Object System.Security.Principal.NTAccount( 'BUILTIN\Administrators' )) )

  $Acl | Set-Acl $FileName
}
So now you can create all of the log files you need (don't forget about the .old ones). For CIS you'd create the following 6 files:

New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\domainfw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\domainfw.log.old'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\privatefw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\privatefw.log.old'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\publicfw.log'
New-FirewallLogFile 'C:\Windows\System32\LogFiles\Firewall\publicfw.log.old'

A final reboot and all is well again.
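As an added example (not from the original post), the following functions apply the folder-permission approach suggested in the comments and then check, per profile, whether the firewall is really writing its log. They assume an elevated PowerShell session on a server with the NetSecurity module (Get-NetFirewallProfile) and the CIS-style folder used above; the function names are my own.

```powershell
# Grant NT SERVICE\MpsSvc the right to create and rotate its own log files in the folder.
Function Grant-FirewallLogFolderAccess
{
    param ([string]$Folder = 'C:\Windows\System32\LogFiles\Firewall')

    # The folder must exist before the service can create domainfw.log etc. inside it.
    if (-not (Test-Path -Path $Folder)) {
        New-Item -Path $Folder -ItemType Directory -Force | Out-Null
    }

    $Acl = Get-Acl -Path $Folder
    # Modify (rather than FullControl) is enough to create, append to and rotate the logs.
    # ContainerInherit/ObjectInherit propagate the rule to the files the service creates.
    $RuleArgs = @( 'NT SERVICE\MpsSvc', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow' )
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $RuleArgs
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Folder -AclObject $Acl
}

# Report what GPO configured for each profile and whether a log file has actually appeared.
Function Test-FirewallLogging
{
    foreach ($Fw in Get-NetFirewallProfile) {
        # LogFileName is stored with %systemroot%-style variables; expand before testing.
        $Path = [Environment]::ExpandEnvironmentVariables($Fw.LogFileName)
        $File = Get-Item -Path $Path -ErrorAction SilentlyContinue
        $LastWritten  = $null
        $StaleMinutes = $null
        if ($File) {
            $LastWritten  = $File.LastWriteTime
            $StaleMinutes = [int]((Get-Date) - $File.LastWriteTime).TotalMinutes
        }
        [PSCustomObject]@{
            Profile      = $Fw.Name
            LogFile      = $Path
            LogsBlocked  = $Fw.LogBlocked
            LogsAllowed  = $Fw.LogAllowed
            FileExists   = [bool]$File
            LastWritten  = $LastWritten
            StaleMinutes = $StaleMinutes
        }
    }
}

Grant-FirewallLogFolderAccess
Test-FirewallLogging | Format-Table -AutoSize
```

A profile whose row shows FileExists False, or whose StaleMinutes keeps growing while the server has traffic, is still not logging and needs the permissions (or the GPO path) looked at.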

Twan van Beers

Twan is a senior consultant with over 20 years of experience. He has a wide range of skills including Messaging, Active Directory, SQL, Networking and Firewalls. Twan loves to write scripts and get deep and dirty into debugging code, in order to understand and resolve the most complex of problems.

This Post Has 3 Comments

  1. No, you don’t need to create the files. You need to grant Write access to ‘NT Service\MpsSvc’ to the folder (which needs to exist), so the service can create the file.

  2. Thank you very much for this post. I was also desperately stuck with this problem after following CIS guidelines until I read this post. In my case, MpsSvc had write permissions for the folder but logs were not getting created until I used the Windows Firewall browse function. Thank you very much.
