How to audit the Windows XP firewall

When configuring a client's firewall, you may find that there are hierarchical firewall settings that have higher priority than those that you implement. In this tip from our firewall troubleshooting series, learn how to audit a Windows XP firewall to ensure that it's operating according to the configurations you set.

As a value-added reseller (VAR) or service provider, you may find yourself configuring a customer's Windows XP firewall. As I explain in the first two articles in this series on firewall troubleshooting, the settings that control the Windows firewall are hierarchical in nature, and a higher-priority setting may override a setting that you implement. One way to ensure that the firewall is operating as you intended is to audit it. In this article, I show you how to audit the Windows XP firewall.

To begin the process of creating a firewall log, open the Control Panel and click on the Security Center link. When the Security Center window opens, click the Windows Firewall link. Windows will open the Windows Firewall properties sheet. Now, select the properties sheet's Advanced tab, and then click the Settings button that's found in the Security Logging section, as shown in Figure A.

Figure A: Click the Settings button found in the Security Logging section.

At this point, Windows displays the Log Settings dialog box, shown in Figure B. As you can see, this dialog box is fairly simple. The first thing that I want to point out is the Name field. By default, the logged data will be placed into a file named PFIREWALL.LOG, which will reside in the Windows directory. You do have the option of changing the path or filename, but I recommend going with the default unless you have some compelling reason to change it. It's important to note that this file is the only location to which firewall data is logged. Firewall data is not logged to the Windows event logs.

Figure B: The logging options are controlled through the Log Settings dialog box.

Just below the log file name is a setting that allows you to limit the log file size. By default, the log is limited to 4 MB, but you can adjust this setting up or down. Before you do, however, keep in mind that the log is text-based and that looking for a specific log entry in 4 MB of text can be like looking for the proverbial needle in a haystack. So unless you plan on doing some in-depth forensics, consider setting the maximum log file size to something a bit more manageable.

At the top of the dialog box are two checkboxes that you can use to control exactly what is logged. Dropped packets are packets that the firewall filters out because they are not allowed by the machine's firewall policy. Successful connections are logged when packets are allowed to pass through the firewall. Keep in mind that no useful data is logged unless you select at least one of these checkboxes.

    As soon as you click OK, the firewall begins creating the log. As you can see in Figure C, the log file can be difficult to read at first glance, but everything is organized in a meaningful way. The fourth line of text in the screen capture lists what the various fields are.

    Figure C: This is what the log file looks like.

    The amount of data shown in this particular screen capture is limited, so it isn't too tough to match each column with its field name. Notice, though, that there are several dashes at the end of each row of data. These dashes represent empty fields that could potentially contain data. In Figure D, you can see that some, or all, of these fields may be filled in further down the file. Furthermore, the field names are no longer on the screen, which can make it difficult to figure out exactly what each piece of data represents.

    Figure D: The firewall log can be tough to read as you get further into it.

    My advice is that if you are trying to figure out if the firewall is working (or if you need to perform forensics), you should open the log in Microsoft Excel. Opening the file in Excel also makes it easier to search for various information or to spot trends. Unfortunately, the log file isn't in CSV format, so it won't open cleanly without a little bit of work.

    How to open firewall logs in Excel

    The actual technique for opening the firewall logs in Excel varies from version to version of Excel. For the purposes of this article, I use Excel 2007.

    Begin by opening Excel and selecting the Data tab. Now click the From Text icon, and then open the firewall log file. Keep in mind that Excel doesn't recognize the .LOG file format, so you have to use the All Files option in the File of Type section when browsing for the file. Once you locate the firewall log file, select it, and click the Import button. When you do, you will see the screen shown in Figure E.

    Figure E: You must specify the options for importing the log.

    There are a couple of things that you must do on this screen. First, select the Delimited option. Technically, the file isn't delimited by commas or tabs, but after the first five rows of the file, it could be considered to be space-delimited. Therefore, you must select the Delimited option, and then set the Start at Row option to 6.

    Click Next, and you will see the screen that's shown in Figure F. You must now select the character that will be used as a delimiter. Select the checkbox next to Space, and clear the other checkboxes.

    Figure F: Configure Excel to use a Space as a delimiter.

    Click Finish, followed by OK, and the data will be imported. As you can see in Figure G, at this point, there are two problems with the spreadsheet. The columns are not labeled and some of the columns are too narrow.

    Figure G: This is what the raw data looks like when it's imported.

    I recommend manually inserting a row at the top of the spreadsheet and then typing the column headers. You can then adjust the column widths. You can see the completed spreadsheet shown in Figure H. In the figure, I have deleted a number of rows of data so you can see how some of the fields on the far right look when they are populated.

    Figure H: This is the completed spreadsheet.

    Now that you know how to import firewall log data into a spreadsheet for auditing purposes, using that data should be simple. You can perform tests against the firewall, and then use the logs to confirm the firewall's response. In the next article in this series on troubleshooting the Windows firewall, I show you techniques for allowing various types of traffic through the Windows firewall.
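One way to script the same audit, as an added example that is not part of the original article: it takes the column names from the log's `#Fields:` header line, treats each dash as an empty field, writes a CSV with a header row, and checks that packets to a tested port were logged with the expected action. The sample log lines (documentation-range addresses) and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the firewall log layout the article describes: four
# "#" header lines, a blank line, then space-separated rows ("-" = empty field).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2008-03-04 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 4312 445 48 S 1836211123 0 65535 - - -
2008-03-04 10:15:09 OPEN TCP 192.0.2.10 203.0.113.5 1057 80 - - - - - - - -
2008-03-04 10:15:30 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 -
2008-03-04 10:16:41 DROP TCP 198.51.100.7 192.0.2.10 4313 3389 48 S 1836299001 0 65535 - - -
"""

def parse_firewall_log(text):
    """Return (field_names, records); each record is a dict keyed by field name."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            # Pad short rows, then map "-" (empty field) to None.
            values += ["-"] * (len(fields) - len(values))
            records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return fields, records

def to_csv(fields, records):
    """CSV text with a header row, so a spreadsheet opens it without the import wizard."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)  # None values are written as empty cells
    return out.getvalue()

def confirm_response(records, dst_port, expected_action):
    """True if at least one packet to dst_port was logged and all got expected_action."""
    hits = [r for r in records if r.get("dst-port") == str(dst_port)]
    return bool(hits) and all(r["action"] == expected_action for r in hits)

if __name__ == "__main__":
    fields, records = parse_firewall_log(SAMPLE_LOG)
    print("port 445 dropped:", confirm_response(records, 445, "DROP"))
    print(to_csv(fields, records))
```

A port that never appears in the log returns False, which usually means the matching logging checkbox was not selected or the test traffic never reached the machine.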

    About the author

    Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
