By default logging is disabled for all network profiles in Windows Firewall. So if you want to log dropped packets, or successful connections, you will have to enable logging of these occurrences. You can choose to enable logging locally on a single computer, or you can enable it for several computers, by defining it in a GPO.
Enabling logging can be useful in situations where you are trying to find out why certain type of network communication isn’t working as expected on a server. Personally I always enable logging of dropped packets on all of my servers, and set the maximum log file size to 4MB.
The following procedures apply to Server 2008 R2 and Server 2012.
1. Configuring the Windows Firewall Log on a single computer
1.1 Click Start – Administrative Tools – Windows Firewall with Advanced Security
1.2 Right-click Windows Firewall with Advanced Security on Local Computer → Properties
1.3 On the network profile you want to enable logging, choose Customize in the Logging field.
1.4 Define your options. As you can see default log file path is %systemroot%\system32\LogFiles\Firewall\pfirewall.log
2. Configuring the Windows Firewall Log in a GPO
2.1 In a GPO, browse to the following location
Computer Configuration → Policies → Windows Settings →Security Settings → Windows Firewall with Advanced Security
2.2 Right-click Windows Firewall With Advanced Security – LDAP://…… – Properties
2.3 On the network profile you want to enable logging, choose Customize in the Logging filed.
2.4 Define your options.
As I wrote earlier, by default, you will find the log file at the following location, %systemroot%\system32\LogFiles\Firewall\pfirewall.log
You can open the file and view which packets have been dropped and which have been allowed.
