Internet Connection Firewall security log
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The Internet Connection Firewall (ICF) security log allows advanced users to choose which information to log. With ICF security logging you can:
Log dropped packets. Log all dropped packets that originate from either the home or small office network or the Internet.
Log successful connections. Log all successful connections that originate from either the home or small office network or the Internet.
When you select the Log dropped packets check box, information is collected each time ICF detects and denies traffic attempts. For example, if your Internet Control Message Protocol (ICMP) settings are not set to allow incoming echo requests, such as those sent by the ping and tracert commands, and an echo request from outside your network is received, the echo request is dropped, and an entry is made in the log.
When you select the Log successful connections check box, information is collected each time ICF detects and permits traffic attempts. For example, when a computer on your network successfully connects to a Web site, an entry is produced in the log.
The ICF security log is produced using the W3C Extended Log File Format, a format similar to the format that is used in common log analysis tools. For information about how to view an ICF security log, see View the ICF security log. To save the ICF security log using your choice of name and location, see Change the path and file name of the ICF security log.
ICF security logging is considered an advanced option and is not enabled by default. In order for the ICF security log to accept new data, you must select one or both of the logging options. For more information, see Enable or disable ICF security log options.
The ICF security log has two sections:
The header provides information about the version of the ICF security log and the fields that are available for data entry. The header information is presented as a static list.
The body contains compiled data that is entered as a result of traffic attempting to cross the firewall. The fields in the body of the ICF security log are entered from left to right across the page. The body of the ICF security log is a dynamic list: new data entries are appended at the bottom of the log.
The following tables define the information that the ICF security log contains:
Header items
Item | Description | Example |
---|---|---|
#Version | Displays which edition of the ICF security log is installed. | 1.0 |
#Software | Provides the name of the ICF security log. | Microsoft Internet Connection Firewall |
#Time | Indicates that all of the timestamps in the log are in local time. | Local |
#Fields | Displays a static list of the fields that are available for ICF security log entries, if data is available. Fields include: date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and info. | Src-port, dst-port, size |
Body data
Field | Description | Example |
---|---|---|
Date | Specifies the year, month, and day on which the recorded transactions occurred. Dates are recorded in the format YY-MM-DD, where YY is the year, MM is the month, and DD is the day. | 2001-01-27 |
Time | Specifies the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is minutes, and SS is seconds. | 21:36:59 |
Action | Specifies which operation was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that happened but were not recorded in the log. | DROP |
Protocol | Specifies which protocol was used for the communication. A protocol entry can be TCP, UDP, ICMP, or, if the protocol that was used was not TCP, UDP, or ICMP, a number. | ICMP |
Src-ip | Specifies the source IP address (the IP address of the computer attempting to establish communications). The source IP is recorded in dotted decimal format. | 192.168.0.0 |
Dst-ip | Specifies the destination IP address (the IP address of the destination for a communication attempt). The destination IP is recorded in dotted decimal format. | 192.168.0.1 |
Src-port | Specifies the port number of the source (sending) computer. A src-port entry is recorded as a whole number, ranging from 1 to 65,535. Only TCP and UDP return a valid src-port entry. All other protocols are invalid for src-port and result in an entry of -. | 4039 |
Dst-port | Specifies the port number of the destination computer. A dst-port entry is recorded as a whole number, ranging from 1 to 65,535. Only TCP and UDP return a valid dst-port entry. All other protocols are invalid for dst-port and result in an entry of -. | 53 |
Size | Specifies the packet size in bytes. | 60 |
Tcpflags | Specifies the TCP control flags found in the TCP header of an IP packet. Flags are written as uppercase letters. The entry information for tcpflags is provided for users with an in-depth knowledge of Transmission Control Protocol (TCP). Additional information about TCP can be found in RFC 793. | AFP |
Tcpsyn | Specifies the TCP sequence number in the packet. The entry information for tcpsyn is provided for users with an in-depth knowledge of TCP. | 1315819770 |
Tcpack | Specifies the TCP acknowledgement number in the packet. The entry information for tcpack is provided for users with an in-depth knowledge of TCP. | 0 |
Tcpwin | Specifies the TCP window size in the packet. The size is specified in bytes. The entry information for tcpwin is provided for users with an in-depth knowledge of TCP. | 64240 |
Icmptype | Specifies a number that represents the type field of the ICMP message. | 8 |
Icmpcode | Specifies a number that represents the code field of the ICMP message. | 0 |
Info | Specifies an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action displays the number of events that occurred but were not placed in the log since the last occurrence of this event type. | 23 |
A hyphen (-) is entered when no information is available for a field.
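The following parser is an added example, not part of the original documentation: it reads the header and body layout described in the tables above, maps the - placeholder to a missing value, tallies DROP actions per source address, and totals INFO-EVENTS-LOST counts so an analyst knows the log has gaps. The sample log is constructed (all addresses, ports and counts are made up), and it assumes the #Fields header line lists field names separated by spaces, as the W3C Extended Log File Format does.

```python
"""Parse a Windows Server 2003 ICF security log (W3C Extended Log File Format).
Added example, not from the original page; SAMPLE_LOG is constructed and all
addresses, ports and counts in it are made up."""
from collections import Counter

# Constructed sample: the header lines and field order follow the page's tables.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-01-27 21:36:59 DROP ICMP 192.168.0.5 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:02 OPEN TCP 192.168.0.1 192.168.0.7 4039 53 48 S 1315819770 0 64240 - - -
2001-01-27 21:37:03 DROP TCP 192.168.0.5 192.168.0.1 4040 445 48 AFP 1315819771 0 64240 - - -
2001-01-27 21:37:04 INFO-EVENTS-LOST - - - - - - - - - - - - 23
"""


def parse_icf_log(text):
    """Return (header, entries): header maps '#Version' etc. to values; each
    entry is a dict keyed by the #Fields names, with '-' (no information
    available) mapped to None."""
    header, fields, entries = {}, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line.partition(":")
            header[key] = value.strip()
            if key == "#Fields":
                fields = value.split()  # field names, left to right
            continue
        if fields is None:
            raise ValueError("body line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        entries.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return header, entries


def drops_by_source(entries):
    """Count DROP actions per src-ip to spot a noisy or probing peer."""
    return Counter(e["src-ip"] for e in entries if e["action"] == "DROP")


def events_lost(entries):
    """Sum INFO-EVENTS-LOST counts: events that happened but were never written,
    so a non-zero total means the log has gaps and cannot be read as complete."""
    return sum(int(e["info"]) for e in entries if e["action"] == "INFO-EVENTS-LOST")
```

A real pfirewall.log is read the same way by passing the file contents in place of SAMPLE_LOG.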
If ICF is enabled on two or more connections on a single computer, the ICF settings are global. If you select a setting or change a setting in Logging Options or Services on any one of the connections on which ICF is enabled, that setting is applied to all of the ICF firewalls on that computer.
Notes
If the maximum allowable size for pfirewall.log is exceeded, the information that pfirewall.log contains is saved as pfirewall.log.old, and new information is saved as pfirewall.log. If the maximum allowable size for pfirewall.log is exceeded again, the information that pfirewall.log contains is saved as pfirewall.log.old, and the information that had been in pfirewall.log.old is overwritten. New information is always saved in pfirewall.log.
You can obtain RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
This topic applies only to product features available in the original release of Windows Server 2003.
Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.