Auditing

The Windows Filtering Platform (WFP) provides auditing of firewall and IPsec related events. These events are written to the Security event log of the system.

The audited events are as follows. The numbers are the Event IDs as displayed by Event Viewer (eventvwr.exe); the GUIDs identify the auditing category and subcategory.

Auditing category: Policy Change {6997984D-797A-11D9-BED3-505054503030}
Auditing subcategory: Filtering Platform Policy Change {0CCE9233-69AE-11D9-BED3-505054503030}
Audited events: WFP object addition and removal
  • 5440 Persistent callout added
  • 5441 Boot-time or persistent filter added
  • 5442 Persistent provider added
  • 5443 Persistent provider context added
  • 5444 Persistent sub-layer added
  • 5446 Run-time callout added or removed
  • 5447 Run-time filter added or removed
  • 5448 Run-time provider added or removed
  • 5449 Run-time provider context added or removed
  • 5450 Run-time sub-layer added or removed

Auditing category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Auditing subcategory: Filtering Platform Packet Drop {0CCE9225-69AE-11D9-BED3-505054503030}
Audited events: Packets dropped by WFP
  • 5152 Packet dropped
  • 5153 Packet vetoed (blocked by a more restrictive filter)

Auditing category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Auditing subcategory: Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030}
Audited events: Allowed and blocked connections
  • 5154 Listen permitted
  • 5155 Listen blocked
  • 5156 Connection permitted
  • 5157 Connection blocked
  • 5158 Bind permitted
  • 5159 Bind blocked
[!Note]
Permitted connections do not always audit the ID of the associated filter. For TCP, the FilterID is 0 unless the matching filter uses one or more of these filtering conditions: UserID, AppID, Protocol, Remote Port.

Auditing category: Object Access {6997984A-797A-11D9-BED3-505054503030}
Auditing subcategory: Other Object Access Events {0CCE9227-69AE-11D9-BED3-505054503030}
[!Note]
This subcategory enables many audits; only the WFP-specific ones are listed here.
Audited events: Denial of Service prevention status
  • 5148 WFP DoS prevention mode started
  • 5149 WFP DoS prevention mode stopped

Auditing category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Auditing subcategory: IPsec Main Mode {0CCE9218-69AE-11D9-BED3-505054503030}
Audited events: IKE and AuthIP Main Mode negotiation
  • 4650, 4651 Security association established
  • 4652, 4653 Negotiation failed
  • 4655 Security association ended

Auditing category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Auditing subcategory: IPsec Quick Mode {0CCE9219-69AE-11D9-BED3-505054503030}
Audited events: IKE and AuthIP Quick Mode negotiation
  • 5451 Security association established
  • 5452 Security association ended
  • 4654 Negotiation failed

Auditing category: Logon/Logoff {69979849-797A-11D9-BED3-505054503030}
Auditing subcategory: IPsec Extended Mode {0CCE921A-69AE-11D9-BED3-505054503030}
Audited events: AuthIP Extended Mode negotiation
  • 4978 Invalid negotiation packet
  • 4979, 4980, 4981, 4982 Security association established
  • 4983, 4984 Negotiation failed

Auditing category: System {69979848-797A-11D9-BED3-505054503030}
Auditing subcategory: IPsec Driver {0CCE9213-69AE-11D9-BED3-505054503030}
Audited events: Packets dropped by the IPsec driver
  • 4963 Inbound clear text packet dropped
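The following PowerShell script is an added example and is not code from the original page. It reads the WFP events listed above from the Security log, decodes the EventData fields by name (the field names Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, FilterRTID and LayerName are those shown in Event Viewer's XML view and are assumed here), and resolves the audited FilterRTID against a live snapshot taken with `netsh wfp show filters`. The structure of that snapshot (`<item>` elements with a `<filterId>` child) is an assumption. It also measures how often the FilterID-0 case from the note above occurs. Run it from an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example, not part of the original page. Assumes the Event Viewer EventData field
# names for WFP events and the XML layout written by 'netsh wfp show filters'.
param(
    [int]$Hours = 1,
    [int]$MaxEvents = 500
)

function Get-WfpEvent {
    param([int[]]$Id, [datetime]$Since, [int]$Max)
    # Server-side filtering by ID and time; far cheaper than Where-Object over the whole log.
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
}

function ConvertTo-WfpRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # EventData is a list of <Data Name="...">value</Data>. Keying on Name avoids the
    # positional Properties[] indexes, which differ between event IDs.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Id          = $Event.Id
        Application = $data['Application']
        Direction   = $data['Direction']    # message-table token: %%14592 Inbound, %%14593 Outbound
        Source      = '{0}:{1}' -f $data['SourceAddress'], $data['SourcePort']
        Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
        Protocol    = $data['Protocol']     # IANA protocol number: 6 TCP, 17 UDP
        FilterRTID  = $data['FilterRTID']   # run-time filter ID; 0 on many permitted TCP connections
        Layer       = $data['LayerName']
    }
}

function Resolve-WfpFilter {
    param([uint64]$FilterId)
    # Map an audited FilterRTID back to the filter that produced it. Run-time IDs are
    # only valid for the current boot, so take the snapshot on the same machine, soon after.
    # Assumption: the snapshot is XML with <item> elements carrying a <filterId> child.
    $snapshot = Join-Path $env:TEMP 'wfp-filters.xml'
    netsh wfp show filters file=$snapshot | Out-Null
    $x = [xml](Get-Content -Path $snapshot -Raw)
    foreach ($item in $x.SelectNodes("//item[filterId='$FilterId']")) {
        [pscustomobject]@{
            FilterId = $FilterId
            Name     = $item.displayData.name
            Provider = $item.providerKey
            Layer    = $item.layerKey
            Action   = $item.action.type
        }
    }
}

$since = (Get-Date).AddHours(-$Hours)

# Blocked connections and dropped packets (failure audits of the two Object Access subcategories).
$blocked = Get-WfpEvent -Id 5157, 5152, 5153 -Since $since -Max $MaxEvents |
           ForEach-Object { ConvertTo-WfpRecord -Event $_ }
'Top blocked application/destination pairs in the last {0} h:' -f $Hours
$blocked | Group-Object Application, Destination |
           Sort-Object Count -Descending |
           Select-Object Count, Name -First 10 | Format-Table -AutoSize

# Which filters did the blocking, resolved against the live filter set.
$blocked | Where-Object { $_.FilterRTID -and $_.FilterRTID -ne '0' } |
           Select-Object -ExpandProperty FilterRTID -Unique |
           ForEach-Object { Resolve-WfpFilter -FilterId ([uint64]$_) } | Format-Table -AutoSize

# The caveat from the table: permitted TCP connections (5156) often carry FilterRTID 0.
$permittedTcp = @(Get-WfpEvent -Id 5156 -Since $since -Max $MaxEvents |
                  ForEach-Object { ConvertTo-WfpRecord -Event $_ } |
                  Where-Object { $_.Protocol -eq '6' })
$noFilter = @($permittedTcp | Where-Object { $_.FilterRTID -eq '0' })
'5156 TCP events: {0}, without a filter ID: {1}' -f $permittedTcp.Count, $noFilter.Count
```

Nothing appears until the Filtering Platform Packet Drop and Filtering Platform Connection subcategories are enabled (see below); the Connection subcategory's success audits in particular produce one 5156 event per permitted connection, so size the log and the `-MaxEvents` window accordingly.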

By default, auditing for WFP is disabled.

Auditing can be enabled on a per-category basis through either the Group Policy Object Editor MMC snap-in, the Local Security Policy MMC snap-in, or the auditpol.exe command.

For example, to enable the auditing of Policy Change events you may:

  • Use the Group Policy Object Editor

    1. Run gpedit.msc.
    2. Expand Local Computer Policy.
    3. Expand Computer Configuration.
    4. Expand Windows Settings.
    5. Expand Security Settings.
    6. Expand Local Policies.
    7. Click Audit Policy.
    8. Double-click Audit policy change in order to launch the Properties dialog box.
    9. Check the Success and Failure check-boxes.
  • Use the Local Security Policy

    1. Run secpol.msc.
    2. Expand Local Policies.
    3. Click Audit Policy.
    4. Double-click Audit policy change in order to launch the Properties dialog box.
    5. Check the Success and Failure check-boxes.
  • Use the auditpol.exe command

    • auditpol /set /category:"Policy Change" /success:enable /failure:enable

Auditing can be enabled on a per-subcategory basis through the auditpol.exe command (on Windows 7, Windows Server 2008 R2 and later, also through Advanced Audit Policy Configuration under Security Settings in Group Policy).

The auditing category and subcategory names are localized. So that auditing scripts do not depend on the system's display language, the corresponding GUIDs may be used in place of the names.

For example, to enable the auditing of Filtering Platform Policy Change events you may use either one of the following commands:

  • auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
  • auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
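As an added example (not from the original page), the following PowerShell script enables every WFP-related subcategory from the table by GUID, so it works regardless of display language, and then reads the resulting policy back. The `/r` switch of `auditpol /get`, which emits CSV with the columns Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting and Exclusion Setting, and the `SCENoApplyLegacyAuditPolicy` registry value are facts about the real tool and platform; the function names are hypothetical.

```powershell
# Added example, not part of the original page. Run from an elevated PowerShell prompt;
# auditpol /set requires administrator rights.

# Subcategory GUIDs from the table above, keyed by GUID because names are localized.
$wfpSubcategories = @{
    '{0CCE9233-69AE-11D9-BED3-505054503030}' = 'Filtering Platform Policy Change'
    '{0CCE9225-69AE-11D9-BED3-505054503030}' = 'Filtering Platform Packet Drop'
    '{0CCE9226-69AE-11D9-BED3-505054503030}' = 'Filtering Platform Connection'
    '{0CCE9227-69AE-11D9-BED3-505054503030}' = 'Other Object Access Events'   # broad; enables non-WFP audits too
    '{0CCE9218-69AE-11D9-BED3-505054503030}' = 'IPsec Main Mode'
    '{0CCE9219-69AE-11D9-BED3-505054503030}' = 'IPsec Quick Mode'
    '{0CCE921A-69AE-11D9-BED3-505054503030}' = 'IPsec Extended Mode'
    '{0CCE9213-69AE-11D9-BED3-505054503030}' = 'IPsec Driver'
}

function Set-WfpAudit {
    param([string]$Guid, [switch]$Success, [switch]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # The GUID form of /subcategory works on any display language; the name form only
    # on a system whose language matches the name.
    $out = auditpol /set /subcategory:"$Guid" /success:$s /failure:$f 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $Guid`: $out" }
}

function Get-WfpAudit {
    param([string]$Guid)
    # /r emits CSV; drop blank lines before parsing so the header row is the first line.
    auditpol /get /subcategory:"$Guid" /r |
        Where-Object { $_ -and $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

function Test-SubcategoryOverride {
    # Subcategory settings made with auditpol are overwritten by category-level audit
    # policy delivered through Group Policy unless this value is 1 (the policy
    # "Audit: Force audit policy subcategory settings ... to override audit policy category settings").
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    [bool]($v -and $v.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Enable success and failure on every WFP subcategory. Packet Drop only ever produces
# failure audits (5152, 5153); Connection success audits (5154, 5156, 5158) are high volume.
foreach ($guid in $wfpSubcategories.Keys) {
    Set-WfpAudit -Guid $guid -Success -Failure
}

# Read the effective policy back and show it alongside the expected subcategory names.
$wfpSubcategories.Keys | ForEach-Object {
    $row = Get-WfpAudit -Guid $_
    [pscustomobject]@{
        Expected  = $wfpSubcategories[$_]
        Reported  = $row.Subcategory
        Guid      = $row.'Subcategory GUID'
        Setting   = $row.'Inclusion Setting'
    }
} | Format-Table -AutoSize

if (-not (Test-SubcategoryOverride)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not set to 1; category-level Group Policy may overwrite these subcategory settings at the next policy refresh.'
}
```

Comparing the Expected and Reported columns is also a quick way to see whether the machine's display language matches the English names used on this page; the GUIDs stay the same either way.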

Related topics

  • Auditpol
  • Event Log
  • Group Policy