Windows 7 / Networking

Troubleshooting Windows Firewall Using Auditing

You can use auditing to monitor Windows Firewall and IPsec activity and to troubleshoot issues that may arise. Auditing events for Windows Firewall and IPsec activity are written to the Security Event Log and have Event IDs in the range 4600 to 5500.

Auditing for Windows Firewall and IPsec activity can be enabled on targeted computers in two ways:

  • Using Group Policy
  • Using the Auditpol.exe command

To configure auditing for Windows Firewall and IPsec activity using Group Policy, use the audit policy subcategories found under the following location:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies

The audit policy subcategories available under this policy node. The audit policy subcategories relevant for Advanced Audit Policy Configuration are as follows:

  • Logon/Logoff
    • IPsec Main Mode
    • IPsec Quick Mode
    • IPsec Extended Mode
  • Object Access
    • Filtering Platform packet drop
    • Filtering Platform connection
  • Policy Change
    • MPSSVC rule-level policy change
    • Filtering Platform policy change
  • System
    • IPsec Driver
    • Other system events

To list all audit policy subcategories from the command line, type auditpol /list /subcategory:* at an administrative-level command prompt. To use Auditpol.exe to enable auditing for Windows Firewall activity, type the following command.

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform
policy change","Other System Events","Filtering Platform Packet Drop","Filtering
Platform Connection" /success:enable /failure:enable

To use Auditpol.exe to enable auditing for IPsec activity, type the following command.

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform
policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec
Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform
Connection" /success:enable /failure:enable

Important Enabling auditing for Windows Firewall and IPsec activity can generate a large number of events in the Security Event Log, so be sure to enable it only when actively collecting troubleshooting information.

[Previous] [Contents] [Next]

In this tutorial:

  1. Configuring Windows Firewall and IPsec
  2. Understanding Windows Firewall with Advanced Security
  3. Improvements to Windows Firewall Introduced Previously in Windows Vista
  4. Additional Improvements to Windows Firewall in Windows 7
  5. Understanding the Windows Filtering Platform
  6. Windows Firewall and the Startup Process
  7. Understanding Windows Service Hardening
  8. Understanding Service SIDs
  9. Windows Firewall and WSH
  10. Windows Firewall and Service Triggers
  11. Understanding Multiple Active Firewall Profiles
  12. Understanding Rules
  13. Understanding Firewall Rules
  14. Inbound vs . Outbound Rules
  15. Allow vs . Block Rules
  16. Allow If Secure Rules
  17. Authenticated Bypass Rules
  18. Filtering Conditions FOR Firewall RULES
  19. Understanding Connection Security Rules
  20. Types of Connection Security Rules
  21. Supported IPsec Settings for Connection Security Rules
  22. Default IPsec Settings for Connection Security Rules
  23. Windows Firewall and Windows PE
  24. Understanding Default Rules
  25. Understanding WSH Rules
  26. Understanding Rules Processing
  27. Managing Windows Firewall with Advanced Security
  28. Tools for Managing Windows Firewall with Advanced Security
  29. Managing Windows Firewall Using Control Panel
  30. Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
  31. Managing Windows Firewall Using Group Policy
  32. Considerations When Managing Windows Firewall Using Group Policy
  33. Managing Windows Firewall Using the Netsh Command
  34. Common Management Tasks
  35. Enabling or Disabling Windows Firewall
  36. Configuring Firewall Profiles and IPsec Settings by Using Group Policy
  37. Creating and Configuring Firewall Rules
  38. Creating and Configuring Connection Security Rules
  39. Monitoring Windows Firewall
  40. Troubleshooting Windows Firewall
  41. Troubleshooting Windows Firewall Using Firewall Logs
  42. Troubleshooting Windows Firewall Using Event Logs
  43. Troubleshooting Windows Firewall Using Auditing
  44. Troubleshooting IPsec Issues Using Netsh Wfp
  45. Troubleshooting Windows Filtering Platform and IPsec Issues Using Netsh Trace