Hi, I am trying to configure Windows Advanced Firewall to log data sent and received for some basic monitoring of users' network activity, similar to NetFlow from my firewalls, but I want it to work even when they are not connected to my network.
What I am seeing is that the only traffic where size is logged is traffic that is dropped. I have configured Windows Firewall locally, but my intention is to make this a GPO if I get it working.
Here is what I see (just a few lines from the thousands in my log file):
2024-07-03 11:45:12 DROP UDP 192.168.1.123 239.255.255.250 60941 1900 301 - - - - - - - RECEIVE 4108
2024-07-03 11:45:13 ALLOW TCP 192.168.1.123 35.201.101.243 6598 443 0 - 0 0 0 - - - SEND 18340
2024-07-03 11:45:13 ALLOW UDP 192.168.1.123 74.125.20.154 52881 443 0 - - - - - - - SEND 18340
I reviewed this Q&A, but I don't feel it's correct:
https://learn.microsoft.com/en-us/answers/questions/88068/packet-size-of-windows-firewall-log-is-zero
The only log entries that I see with any non-0 packet size are dropped packets.
Is it possible to log the size at all for packets that are allowed?
Why do all the TCP entries have the additional zeroes in tcpsyn, tcpack and tcpwin? Does the zero mean it's a SYN-ACK (it should be a one in the packet, but maybe 0 is the way it is represented in the logs), and if so, why are no other packets logged? Is this the behavior of the stateful firewall, to log a SYN-ACK and nothing else?
Any help is appreciated. Thanks!
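To make the observation above easy to check across a whole pfirewall.log rather than by eye, here is an added example (not code from the poster) that parses the log and summarizes the size column per action. It assumes the file carries the standard "#Fields:" header that Windows writes at the top of pfirewall.log (date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid); the poster's excerpt omits the header, but its 18 columns match that order, so the parser falls back to it when no header is present. The sample input is constructed from the three lines quoted in the question plus a header of that kind.

```python
"""Parse Windows Firewall (pfirewall.log) lines and summarize size per action."""
from collections import defaultdict

# Column order from the "#Fields:" header Windows writes at the top of
# pfirewall.log. Assumed as the fallback because the poster's excerpt omits
# the header; the 18 columns of the posted lines match it.
DEFAULT_FIELDS = (
    "date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid"
).split()

# Columns that are integers when present ('-' means not applicable).
NUMERIC_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack",
                  "tcpwin", "icmptype", "icmpcode", "pid"}

# Constructed sample: the three lines quoted in the question, preceded by a
# header block of the kind Windows prepends to the file.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid

2024-07-03 11:45:12 DROP UDP 192.168.1.123 239.255.255.250 60941 1900 301 - - - - - - - RECEIVE 4108
2024-07-03 11:45:13 ALLOW TCP 192.168.1.123 35.201.101.243 6598 443 0 - 0 0 0 - - - SEND 18340
2024-07-03 11:45:13 ALLOW UDP 192.168.1.123 74.125.20.154 52881 443 0 - - - - - - - SEND 18340
"""


def parse_log(text):
    """Return one dict per log entry. '-' becomes None, numeric columns become int.

    A '#Fields:' header, if present, overrides DEFAULT_FIELDS so the parser
    follows whatever column order the file actually declares.
    """
    fields = list(DEFAULT_FIELDS)
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            # Truncated or malformed line: skip it rather than misalign columns.
            continue
        rec = {}
        for name, tok in zip(fields, tokens):
            if tok == "-":
                rec[name] = None
            elif name in NUMERIC_FIELDS:
                rec[name] = int(tok)
            else:
                rec[name] = tok
        records.append(rec)
    return records


def sizes_by_action(records):
    """Map action (ALLOW/DROP) to the list of size values seen, in log order."""
    out = defaultdict(list)
    for rec in records:
        out[rec["action"]].append(rec["size"])
    return dict(out)


def actions_with_nonzero_size(records):
    """Actions that have at least one entry whose size is neither 0 nor '-'."""
    return {rec["action"] for rec in records if rec["size"]}


def tcp_flag_columns(records):
    """(tcpsyn, tcpack, tcpwin) for every TCP entry, to inspect the zero columns."""
    return [(r["tcpsyn"], r["tcpack"], r["tcpwin"])
            for r in records if r["protocol"] == "TCP"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sizes by action:", sizes_by_action(recs))
    print("non-zero size seen for:", actions_with_nonzero_size(recs))
    print("TCP syn/ack/win columns:", tcp_flag_columns(recs))
```

Run against a real file with `parse_log(open(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log").read())`; if `actions_with_nonzero_size` comes back as `{"DROP"}` over thousands of lines, the pattern in the excerpt holds for the whole log rather than just the quoted sample.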