SOLVED

Windows firewall logs on the endpoint.


I ran into an issue of the firewall blocking traffic but not reporting it in Microsoft Defender. When I went to turn on Windows logging, it was blocked by administrator. How to Track Firewall Activity with the Windows Firewall Log (howtogeek.com): https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/ I took a guess it was the firewall and disabled the rules. Where do I find this information when troubleshooting on the endpoint?

6 Replies
Firewall events should be in the security event log if it has been turned on.
Local users don't have rights to view the security log.

@Fish_Tacos When you go into the Firewall Logging section, are the logs enabled and is "Log dropped packets" configured to yes?


@Rick_Munck Shouldn't I get a pop-up or alert when an application is blocked? See Screenshot.


best response confirmed by Fish_Tacos (New Contributor)
Solution

@Fish_Tacos You should, but it also depends on the type of block and the app in question. You will need to look in the log I mentioned above to determine the block, but by default it will not log dropped packets, so you might have to step through it again to get it captured.