Auditing
The Windows Filtering Platform (WFP) provides auditing of firewall and IPsec related events. These events are stored in the system security log.
The audited events are as follows.
Auditing category | Auditing subcategory | Audited events |
---|---|---|
Policy Change {6997984D-797A-11D9-BED3-505054503030} | Filtering Platform Policy Change {0CCE9233-69AE-11D9-BED3-505054503030} | Note: The numbers represent the Event IDs as displayed by Event Viewer (eventvwr.exe).<br>WFP object addition and removal:<br>- 5440 Persistent callout added<br>- 5441 Boot-time or persistent filter added<br>- 5442 Persistent provider added<br>- 5443 Persistent provider context added<br>- 5444 Persistent sub-layer added<br>- 5446 Run-time callout added or removed<br>- 5447 Run-time filter added or removed<br>- 5448 Run-time provider added or removed<br>- 5449 Run-time provider context added or removed<br>- 5450 Run-time sub-layer added or removed |
Object Access {6997984A-797A-11D9-BED3-505054503030} | Filtering Platform Packet Drop {0CCE9225-69AE-11D9-BED3-505054503030} | Packets dropped by WFP: |
Object Access | Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030} | Allowed and blocked connections:<br>- 5154 Listen permitted<br>- 5155 Listen blocked<br>- 5156 Connection permitted<br>- 5157 Connection blocked<br>- 5158 Bind permitted<br>- 5159 Bind blocked<br>Note: Permitted connections do not always audit the ID of the associated filter. The FilterID for TCP will be 0 unless a subset of these filtering conditions is used: UserID, AppID, Protocol, Remote Port. |
Object Access | Other Object Access Events {0CCE9227-69AE-11D9-BED3-505054503030} | Note: This subcategory enables many audits. WFP-specific audits are listed below.<br>Denial of Service prevention status:<br>- 5148 WFP DoS prevention mode started<br>- 5149 WFP DoS prevention mode stopped |
Logon/Logoff {69979849-797A-11D9-BED3-505054503030} | IPsec Main Mode {0CCE9218-69AE-11D9-BED3-505054503030} | IKE and AuthIP Main Mode negotiation: |
Logon/Logoff | IPsec Quick Mode {0CCE9219-69AE-11D9-BED3-505054503030} | IKE and AuthIP Quick Mode negotiation: |
Logon/Logoff | IPsec Extended Mode {0CCE921A-69AE-11D9-BED3-505054503030} | AuthIP Extended Mode negotiation: |
System {69979848-797A-11D9-BED3-505054503030} | IPsec Driver {0CCE9213-69AE-11D9-BED3-505054503030} | Packets dropped by the IPsec driver: |
By default, auditing for WFP is disabled.
Auditing can be enabled on a per-category basis through either the Group Policy Object Editor MMC snap-in, the Local Security Policy MMC snap-in, or the auditpol.exe command.
For example, to enable the auditing of Policy Change events you may:
Use the Group Policy Object Editor
- Run gpedit.msc.
- Expand Local Computer Policy.
- Expand Computer Configuration.
- Expand Windows Settings.
- Expand Security Settings.
- Expand Local Policies.
- Click Audit Policy.
- Double-click Audit policy change in order to launch the Properties dialog box.
- Check the Success and Failure check-boxes.
Use the Local Security Policy
- Run secpol.msc.
- Expand Local Policies.
- Click Audit Policy.
- Double-click Audit policy change in order to launch the Properties dialog box.
- Check the Success and Failure check-boxes.
Use the auditpol.exe command
- auditpol /set /category:"Policy Change" /success:enable /failure:enable
Auditing can be enabled on a per-subcategory basis only through the auditpol.exe command.
The auditing category and subcategory names are localized. To keep auditing scripts independent of the system's display language, the corresponding GUIDs may be used in place of the names.
For example, to enable the auditing of Filtering Platform Policy Change events you may use either one of the following commands:
- auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
- auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
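The following PowerShell script is an added example, not part of the original page: it enables the three Filtering Platform subcategories from the table by GUID (so it works regardless of display language), verifies each setting, and then summarizes recent WFP events from the Security log. It assumes an elevated session, and the EventData field names it reads from blocked-connection events (Application, DestAddress, DestPort, FilterRTID) are assumptions, not something the page documents.

```powershell
# Added example: enable WFP audit subcategories by GUID and review the results.
# Assumes an elevated PowerShell session (auditpol and the Security log need
# administrator rights). GUIDs are the ones listed in the table above.
$wfpSubcategories = @{
    'Filtering Platform Policy Change' = '{0CCE9233-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Packet Drop'   = '{0CCE9225-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Connection'    = '{0CCE9226-69AE-11D9-BED3-505054503030}'
}

foreach ($entry in $wfpSubcategories.GetEnumerator()) {
    # Using the GUID avoids the localized subcategory name.
    auditpol /set "/subcategory:$($entry.Value)" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($entry.Key)" }
    # Read the setting back so a silent failure does not go unnoticed.
    auditpol /get "/subcategory:$($entry.Value)"
}

# Event IDs from the table: blocked connections and binds, plus persistent and
# run-time filter changes (unexpected filter churn can indicate policy tampering).
$ids = 5157, 5159, 5441, 5447
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Count events per ID to spot bursts of blocked traffic or filter changes.
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# For blocked connections (5157), extract the application, destination and the
# run-time ID of the filter that blocked it. The EventData field names below
# (Application, DestAddress, DestPort, FilterRTID) are assumed, not from the page.
foreach ($e in ($events | Where-Object Id -eq 5157)) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        App        = $data['Application']
        Dest       = "$($data['DestAddress']):$($data['DestPort'])"
        FilterRTID = $data['FilterRTID']
    }
}
```

The filter ID reported for blocked connections can be matched against the run-time filters shown by `netsh wfp show filters` to identify which policy produced the block.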