Use Microsoft Defender Firewall Logging to Track Blocked Connections in Windows 10/11


Difficulty: Intermediate | Time Required: 15 minutes
Microsoft Defender Firewall does a great job blocking unwanted network traffic, but by default it does not make it obvious what was blocked or why an app or service cannot connect. If you are troubleshooting a game, app, printer, VPN, remote desktop tool, or suspicious traffic, enabling firewall logging can give you a much clearer picture.
This tutorial shows you how to turn on Microsoft Defender Firewall logging in Windows 10 and Windows 11, where to find the log file, and how to read it so you can identify blocked connections more easily.

Why use firewall logging?

Firewall logging is useful when:
  • An app cannot connect to the internet or local network
  • A game launcher, VPN, or remote access tool fails unexpectedly
  • You want to audit blocked inbound or outbound traffic
  • You are troubleshooting device communication on your home or office network
  • You want more visibility into possible unwanted connection attempts
Windows stores this information in a log file called pfirewall.log, which you can review with Notepad or another text editor.

Prerequisites

Before you begin, make sure you have:
  • A Windows 10 or Windows 11 PC
  • An account with administrator privileges
  • A basic understanding of whether your network profile is:
    • Domain
    • Private
    • Public
Note: Microsoft Defender Firewall can keep separate settings for each network profile. If you want complete coverage, check logging settings for all profiles you use.

Step 1: Open Windows Defender Firewall with Advanced Security

The logging options are not in the basic Firewall app page. You need the advanced console.
  1. Press Windows + R to open Run.
  2. Type wf.msc and press Enter.
  3. The Windows Defender Firewall with Advanced Security console will open.
Windows 10/11 Tip: You can also search for Windows Defender Firewall with Advanced Security from Start.

Step 2: Open the firewall properties

You now need to access the profile-specific logging settings.
  1. In the left pane, click Windows Defender Firewall with Advanced Security on Local Computer.
  2. In the right pane, click Properties.
You will now see tabs for:
  • Domain Profile
  • Private Profile
  • Public Profile
Each profile can log dropped packets and successful connections separately.
Important: If your PC switches between home Wi-Fi, public hotspots, and work networks, review all three tabs.

Step 3: Enable logging for blocked connections

This is the most important step.
  1. Select the profile you want to configure, such as Private Profile.
  2. Under the Logging section, click Customize.
A new window will appear with logging options.
  1. Set Log dropped packets to Yes.
  2. Optionally, set Log successful connections to Yes if you want a broader activity record.
  3. Review the Name field for the log file path.
    • Default path is usually:
      C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  4. Review the Size limit (KB) setting.
    • The default may be fairly small for busy systems.
    • Consider increasing it, for example to 16384 KB or higher if you need more history.
  5. Click OK.
  6. Repeat these steps for other profiles if needed.
  7. Click Apply, then OK in the main properties window.
Tip: If you are troubleshooting a short-term issue, enabling only Log dropped packets is usually enough and keeps the log easier to review.
Warning: Logging successful connections can create a much larger log file on systems with heavy network activity.
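The same settings can be applied from an elevated PowerShell session with the built-in NetSecurity cmdlets. This is an added example, not part of the original tutorial; it assumes the default log path is kept and uses the 16384 KB size limit mentioned above.

```powershell
# Added example: run from an elevated PowerShell session.
$wanted = @{
    LogBlocked          = 'True'     # "Log dropped packets" = Yes
    LogAllowed          = 'False'    # "Log successful connections" = No
    LogMaxSizeKilobytes = 16384      # size limit suggested in Step 3
}

# Which profile is each connected network using right now?
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# Apply the same logging settings to all three profiles (local policy store).
Set-NetFirewallProfile -Profile Domain, Private, Public @wanted

# Read back the effective settings. ActiveStore is the sum of all policy
# stores that apply to this PC, including Group Policy, so a mismatch here
# means a central policy is overriding the local change.
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    foreach ($key in $wanted.Keys) {
        if ("$($p.$key)" -ne "$($wanted[$key])") {
            Write-Warning "$($p.Name): $key is $($p.$key), expected $($wanted[$key])"
        }
    }
    $p | Select-Object Name, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes
}
```

To turn logging back off after troubleshooting, run the same Set-NetFirewallProfile command with LogBlocked set to 'False'.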

Step 4: Reproduce the connection problem

Now that logging is enabled, you need to trigger the issue so Windows records it.
Examples:
  • Open the app that is failing to connect
  • Try joining the game server again
  • Start your VPN connection
  • Access the shared printer or network folder
  • Attempt the remote desktop or remote management session
Give it a minute or two so the relevant traffic has time to appear in the log.

Step 5: Open the firewall log file

Once the issue has been reproduced, open the log file.
  1. Open File Explorer.
  2. Browse to:
    C:\Windows\System32\LogFiles\Firewall\
  3. Open pfirewall.log with Notepad.
If prompted, approve administrator access.
Alternative method: Press Windows + R, paste the log path, and press Enter.
If the file looks empty:
  • Make sure logging was enabled for the correct profile
  • Confirm the blocked event actually occurred after logging was turned on
  • Try reproducing the problem again
  • Check whether another firewall product is controlling traffic instead

Step 6: Understand the log format

The firewall log is plain text and includes a header explaining the fields. You may see entries similar to this:
2025-01-15 14:22:31 DROP TCP 192.168.1.50 203.0.113.10 51724 443 0 - 0 0 - - - SEND
Common fields include:
  • Date
  • Time
  • Action
    • DROP means blocked
    • OPEN may indicate allowed traffic if logging of successful connections is enabled
  • Protocol
    • TCP, UDP, ICMP, etc.
  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Direction or flags depending on the entry format

What to look for

Focus on these details:
  • Repeated DROP entries
  • The destination port being blocked
  • A known server IP or local device IP
  • Whether traffic is inbound or outbound
  • Whether the app tries multiple ports
For example:
  • Port 443 usually indicates HTTPS traffic
  • Port 80 often indicates HTTP
  • Port 3389 is associated with Remote Desktop
  • Port 53 is DNS
  • Port 445 is commonly SMB/file sharing
Tip: If you know the IP address or port your app uses, search for it in Notepad with Ctrl + F.
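On a busy log, scrolling in Notepad gets slow, so the review described above can be scripted. The following is an added example, not part of the original tutorial: the function name Get-FirewallDrop is hypothetical, the sample lines are constructed, and column names are taken from the "#Fields:" header line the log itself carries.

```powershell
# Added example. Parses pfirewall.log text using its own "#Fields:" header.
function Get-FirewallDrop {
    param([Parameter(Mandatory)][string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'   # column names from the log itself
            continue
        }
        if (-not $fields -or $l -match '^\s*(#|$)') { continue }   # other header or blank lines
        $values = $l.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }          # skip truncated lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['action'] -eq 'DROP') { [pscustomobject]$row }    # keep blocked traffic only
    }
}

# Constructed sample input (documentation IP ranges, not real traffic).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2025-01-15 14:22:31 DROP TCP 192.168.1.50 203.0.113.10 51724 443 52 S 1234567 0 64240 - - - SEND
2025-01-15 14:22:32 DROP TCP 192.168.1.50 203.0.113.10 51725 443 52 S 2345678 0 64240 - - - SEND
2025-01-15 14:22:40 DROP UDP 192.168.1.77 192.168.1.50 5353 5353 120 - - - - - - - RECEIVE
2025-01-15 14:23:02 DROP TCP 198.51.100.7 192.168.1.50 40112 3389 52 S 3456789 0 64240 - - - RECEIVE
2025-01-15 14:23:05 ALLOW TCP 192.168.1.50 203.0.113.10 51730 80 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# Count repeated drops per direction, protocol, destination IP and port.
Get-FirewallDrop -Line $sample |
    Group-Object path, protocol, 'dst-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

For the real file, pass the output of Get-Content on the log path from Step 3 to -Line from an elevated session. The path column gives the direction: SEND is outbound and RECEIVE is inbound.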

Step 7: Match the blocked entry to the app or service

The firewall log does not always directly show the app name, so you may need to correlate what you find.
Ways to do that:
  1. Note the destination IP and port from the blocked log entry.
  2. Compare it with what the app is trying to access.
  3. Use Task Manager, Resource Monitor, or netstat to identify which process is using that connection.

Helpful command

Open Command Prompt as Administrator and run:
netstat -abno
This can help associate active connections and listening ports with:
  • Process IDs
  • Executable names
  • Network endpoints
Note: netstat -abno may take a little time and requires administrative rights.
You can also use Resource Monitor:
  1. Press Windows + R
  2. Type resmon
  3. Open the Network tab
  4. Review TCP Connections, Listening Ports, and process activity
This makes it easier to determine whether the blocked traffic belongs to a trusted app or something unexpected.

Step 8: Adjust firewall rules if needed

Once you confirm that legitimate traffic is being blocked, you can update the firewall rules.
  1. Go back to Windows Defender Firewall with Advanced Security.
  2. Select either:
    • Inbound Rules
    • Outbound Rules
  3. Look for an existing rule related to the app or port.
  4. If needed, create a new rule using New Rule... in the right pane.
  5. Choose the appropriate rule type:
    • Program
    • Port
    • Predefined
    • Custom
  6. Allow only the traffic you trust.
Warning: Do not create overly broad “allow all” rules unless absolutely necessary. It is safer to allow only a specific app, port, protocol, or remote address.

Tips and troubleshooting notes

Make sure you configure the correct profile

If your PC is currently on a home Wi-Fi network, the Private profile may be active. On a public hotspot, Public is often used instead. Logging the wrong profile may result in no useful entries.

Check which profile is active

Go to:
Settings > Network & Internet > Properties
Windows will usually indicate whether the current network is Public or Private.

Increase the log size if entries disappear

If the issue happens frequently, the log may overwrite older entries quickly. Increase the log size in the firewall logging settings to preserve more history.

Use logging only as long as needed

Firewall logging is helpful, but extensive logging can generate a lot of data. If you enabled successful connections, consider turning that back off after troubleshooting.

Look for third-party firewall software

If you use another security suite, it may control filtering instead of Microsoft Defender Firewall. In that case, the Windows firewall log may not tell the full story.

Log file access issues

If you cannot open the log file:
  • Run Notepad as Administrator
  • Copy the log file to your desktop first
  • Verify the folder permissions

Advanced environments

On business PCs joined to a domain, firewall settings may be controlled by Group Policy. If changes do not stick, your IT administrator may be enforcing them centrally.

Conclusion

Microsoft Defender Firewall logging is one of the simplest built-in ways to track blocked connections in Windows 10 and Windows 11. By enabling dropped packet logging, reproducing the problem, and reviewing the pfirewall.log file, you can quickly identify which traffic is being blocked and make smarter firewall decisions.
It is especially useful for diagnosing app connectivity problems, network device communication issues, and suspicious connection attempts without installing extra tools.
Key Takeaways:
  • Firewall logging helps reveal which connections Windows is blocking
  • The log file is usually stored at C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  • You can enable logging separately for Domain, Private, and Public profiles
  • Reviewing IP addresses, ports, and protocols helps pinpoint the source of a problem
  • Logging should be used carefully and firewall exceptions should be as limited as possible

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.