To improve Windows Server I suggest you ...

Dedicated Event Log for Windows Firewall Activity (pfirewall.log in the event logs)

A dedicated Windows Event log for Windows Firewall activity - like pfirewall.log provides - would make centralized logging and reporting much easier and lead to greater adoption of the built-in firewall. IPSec logging to the security Event Log is not a robust answer, as it causes too much log churn for most enterprises.

19 votes
Anonymous shared this idea
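As an added illustration (not part of the idea or the comment on this page), here is what the per-profile text logging the idea refers to looks like in practice: enabling pfirewall.log with the documented Set-NetFirewallProfile parameters, then parsing the file into objects so it can be summarised locally or shipped to a SIEM. The log path is the Windows default, the "#Fields:" header is the one the firewall writes, and the sample log lines are constructed for the example.

```powershell
# Added example, not code from the original page. Assumes the default
# pfirewall.log location and the standard W3C-style header the firewall writes.

function Enable-FirewallTextLog {
    # Turn on allowed + blocked packet logging for all three profiles.
    # All parameters are documented Set-NetFirewallProfile parameters; run elevated.
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$MaxSizeKB = 32767   # upper bound accepted by the cmdlet
    )
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogFileName $Path -LogAllowed True -LogBlocked True `
        -LogMaxSizeKilobytes $MaxSizeKB
}

function ConvertFrom-PfirewallLog {
    # Parse pfirewall.log lines. The '#Fields:' header names the columns, so the
    # parser follows the header instead of hard-coding positions; other '#' lines
    # and blank lines are skipped, and data before any header is ignored.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $fields = $null }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
            if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
            if (-not $fields) { continue }
            $values = $line -split '\s+'
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) {
                $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
            }
            [pscustomobject]$obj
        }
    }
}

function Get-DropSummary {
    # Count DROP entries by protocol and destination port, busiest first.
    # This is the kind of reduction a per-rule logging flag would make unnecessary.
    param([object[]]$Events)
    $Events | Where-Object action -eq 'DROP' |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample in the real file format (addresses are documentation ranges).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:15:02 DROP TCP 203.0.113.7 10.0.0.12 51234 3389 52 S 3071851489 0 64240 - - - RECEIVE
2024-05-01 09:15:02 ALLOW TCP 10.0.0.12 10.0.0.5 49822 445 0 - 0 0 0 - - - SEND
2024-05-01 09:15:03 DROP UDP 203.0.113.7 10.0.0.12 40000 161 60 - - - - - - - RECEIVE
2024-05-01 09:15:04 DROP TCP 198.51.100.9 10.0.0.12 44100 3389 52 S 1198835020 0 29200 - - - RECEIVE
'@ -split "`r?`n"

$events = $sample | ConvertFrom-PfirewallLog
Get-DropSummary -Events $events | Format-Table -AutoSize

# Against a live host (after Enable-FirewallTextLog has run):
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
#     ConvertFrom-PfirewallLog | Get-DropSummary
```

Because the parser is driven by the "#Fields:" header, a future format change that adds or reorders columns does not silently shift values into the wrong property, which matters once these records are forwarded to a SIEM where field names become detection-rule inputs.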

    1 comment

Nathan commented:

While I suspect ETW could handle the event volume for a majority of end users, my instinct is to use this opportunity to implement a flag on each firewall rule that indicates whether hits should be logged. This would provide a mechanism for high-traffic hosts to only log hits on interesting rules to reduce log volume and also allow security administrators to limit the volume of events that reach their SIEM system.

To the actual suggestion, for my use cases, this fits under the category "Nice to Have" but is not a deterrent from using Windows Firewall. That said, outside of a lab environment, I've never used Windows Firewall Security Associations to provide IPsec between domain computers, so I have no sense for the suitability of the existing logging with respect to Security Associations. It's tabled as a future enhancement for hardening inter-server communication but likewise it's more of a "Nice to Have" rather than a priority.
