Windows Defender Firewall: Allow logging

Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives.

If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages.

If you are configuring the log file name, ensure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.

If you disable this policy setting, Windows Defender Firewall does not record information in the log file. If you enable this policy setting, and Windows Defender Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Defender Firewall leaves the log file intact.

If you do not configure this policy setting, Windows Defender Firewall behaves as if the policy setting were disabled.

Supported on: At least Windows XP Professional with SP2

Disable Policy:
Registry HiveRegistry PathValue NameValue TypeValue
HKEY_LOCAL_MACHINESOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\LoggingLogDroppedPacketsREG_SZ0
HKEY_LOCAL_MACHINESOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\LoggingLogSuccessfulConnectionsREG_SZ0

Log dropped packets
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Value NameLogDroppedPackets
Value TypeREG_DWORD
Default Value0
True Value1
False Value0
Log successful connections
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Value NameLogSuccessfulConnections
Value TypeREG_DWORD
Default Value0
True Value1
False Value0
Log file path and name:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Value NameLogFilePath
Value TypeREG_SZ
Default Value%systemroot%\system32\LogFiles\Firewall\pfirewall.log
Size limit (KB):

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
Value NameLogFileSize
Value TypeREG_DWORD
Default Value4096
Min Value128
Max Value32767

windowsfirewall.admx

Administrative Templates (Computers)

Administrative Templates (Users)