Auditing
The Windows Filtering Platform (WFP) provides auditing of firewall- and IPsec-related events. These events are written to the system Security event log.
The audited events are as follows.
| Auditing category | Auditing subcategory | Audited events |
|---|---|---|
| Policy Change {6997984D-797A-11D9-BED3-505054503030} | Filtering Platform Policy Change {0CCE9233-69AE-11D9-BED3-505054503030} | WFP object addition and removal |
| Object Access {6997984A-797A-11D9-BED3-505054503030} | Filtering Platform Packet Drop {0CCE9225-69AE-11D9-BED3-505054503030} | Packets dropped by WFP |
| Object Access | Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030} | Allowed and blocked connections |
| Object Access | Other Object Access Events {0CCE9227-69AE-11D9-BED3-505054503030} | Denial of Service prevention status |
| Logon/Logoff {69979849-797A-11D9-BED3-505054503030} | IPsec Main Mode {0CCE9218-69AE-11D9-BED3-505054503030} | IKE and AuthIP Main Mode negotiation |
| Logon/Logoff | IPsec Quick Mode {0CCE9219-69AE-11D9-BED3-505054503030} | IKE and AuthIP Quick Mode negotiation |
| Logon/Logoff | IPsec Extended Mode {0CCE921A-69AE-11D9-BED3-505054503030} | AuthIP Extended Mode negotiation |
| System {69979848-797A-11D9-BED3-505054503030} | IPsec Driver {0CCE9213-69AE-11D9-BED3-505054503030} | Packets dropped by the IPsec driver |
By default, auditing for WFP is disabled.
Auditing can be enabled on a per-category basis through either the Group Policy Object Editor MMC snap-in, the Local Security Policy MMC snap-in, or the auditpol.exe command.
For example, to enable the auditing of Policy Change events you may:
Use the Group Policy Object Editor
- Run gpedit.msc.
- Expand Local Computer Policy.
- Expand Computer Configuration.
- Expand Windows Settings.
- Expand Security Settings.
- Expand Local Policies.
- Click Audit Policy.
- Double-click Audit policy change to open the Properties dialog box.
- Select the Success and Failure check boxes.
Use the Local Security Policy
- Run secpol.msc.
- Expand Local Policies.
- Click Audit Policy.
- Double-click Audit policy change to open the Properties dialog box.
- Select the Success and Failure check boxes.
Use the auditpol.exe command
- auditpol /set /category:"Policy Change" /success:enable /failure:enable
Auditing can be enabled on a per-subcategory basis only through the auditpol.exe command.
The auditing category and subcategory names are localized. To keep auditing scripts independent of the system language, the corresponding GUIDs may be used in place of the names.
For example, to enable the auditing of Filtering Platform Policy Change events you may use either one of the following commands:
- auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
- auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
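The following PowerShell script is an added example, not part of the original page: it applies the per-subcategory auditpol approach described above to several WFP subcategories at once, using the GUIDs from the table so that it runs unchanged on any Windows language, verifies the resulting setting, and then reads back recent WFP events from the Security log. The hashtable name and the choice to audit only failures for Filtering Platform Connection are the example's own; the Security-log event IDs it queries (5152 for a dropped packet, 5157 for a blocked connection, 5447 for a changed WFP filter) are standard Windows values that the page itself does not list.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Subcategory GUIDs are the ones from the WFP auditing table; using GUIDs instead of
# names avoids the localization problem described in the text.
$wfpSubcategories = @{
    'Filtering Platform Policy Change' = '{0CCE9233-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Packet Drop'   = '{0CCE9225-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Connection'    = '{0CCE9226-69AE-11D9-BED3-505054503030}'
    'IPsec Driver'                     = '{0CCE9213-69AE-11D9-BED3-505054503030}'
}

foreach ($entry in $wfpSubcategories.GetEnumerator()) {
    # Design choice for this example: success auditing of Filtering Platform Connection
    # logs every permitted connection and can flood the Security log, so only failures
    # (blocked connections) are audited for that subcategory. The other subcategories
    # get Success and Failure, as in the page's auditpol examples.
    $success = if ($entry.Key -eq 'Filtering Platform Connection') { 'disable' } else { 'enable' }

    auditpol /set /subcategory:"$($entry.Value)" /success:$success /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for $($entry.Key) ($($entry.Value))"
    }
}

# Verify what is actually in effect. '/r' makes auditpol emit CSV, which parses cleanly
# and, unlike the default output, does not depend on the display language.
foreach ($guid in $wfpSubcategories.Values) {
    auditpol /get /subcategory:"$guid" /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

# Pull recent WFP events to confirm the audit settings are producing records.
# 5152 = packet dropped by WFP, 5157 = connection blocked by WFP, 5447 = WFP filter changed.
$since = (Get-Date).AddMinutes(-15)
$filter = @{ LogName = 'Security'; Id = 5152, 5157, 5447; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]   # first line of the message text
        }
    } | Format-Table -AutoSize
```

`Get-WinEvent` raises a non-terminating "No events found" error when the query matches nothing, which is why `-ErrorAction SilentlyContinue` is set; an empty result right after enabling auditing is normal until WFP actually drops or blocks something. Note also that per-subcategory settings made with auditpol can be overwritten when a Group Policy object sets the parent category, unless the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so scripts like this should be paired with a check of the effective policy rather than assumed to persist.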