Symptom & Impact
Security teams cannot confirm blocked/allowed flows, delaying root-cause analysis during outages or incidents.
Environment & Reproduction
Often discovered when expected pfirewall.log output is absent.
Get-NetFirewallProfile
Get-NetFirewallProfile | Select Name,LogAllowed,LogBlocked,LogFileName
Get-Item -Path C:/Windows/System32/LogFiles/Firewall/pfirewall.log -ErrorAction SilentlyContinue
Root Cause Analysis
Profile logging toggles are disabled by baseline drift, the log directory has insufficient permissions, or policy settings have been overwritten.
Quick Triage
Confirm profile log settings and target path availability.
Get-NetFirewallProfile | Select Name,LogAllowed,LogBlocked,LogFileName,LogMaxSizeKilobytes
Test-Path C:/Windows/System32/LogFiles/Firewall
Step-by-Step Diagnosis
Validate policy source and write permissions to log directory.
Get-Acl C:/Windows/System32/LogFiles/Firewall
Get-NetFirewallProfile -PolicyStore ActiveStore
Get-WinEvent -LogName System -MaxEvents 20
Solution – Primary Fix
Enable firewall logging for allowed and blocked traffic on active profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767
Set-NetFirewallProfile -Profile Domain,Private,Public -LogFileName 'C:/Windows/System32/LogFiles/Firewall/pfirewall.log'
Solution – Alternative Approaches
Redirect logs to a secured volume covered by SIEM collection.
# Create the directory first so the path exists before the profile points at it
New-Item -ItemType Directory -Path D:/SecLogs -Force
Set-NetFirewallProfile -Profile Domain -LogFileName 'D:/SecLogs/pfirewall.log'
Verification & Acceptance Criteria
New firewall events are written and can be parsed by operations tooling.
Get-NetFirewallProfile | Select Name,LogAllowed,LogBlocked
Get-Content C:/Windows/System32/LogFiles/Firewall/pfirewall.log -Tail 20
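The parse check named in the acceptance criterion above, as an added example that is not part of the original page: a PowerShell function that reads pfirewall.log through its own #Fields header and counts DROP entries per destination port. The function name ConvertFrom-FirewallLog and the sample log lines are constructed for illustration.

```powershell
# Added example: parse pfirewall.log by its "#Fields:" header, then summarise drops.
# ConvertFrom-FirewallLog is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-FirewallLog {
    param([string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        # The header names the columns; reading it keeps the parser correct
        # if a Windows build logs extra columns.
        if ($l -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip other comment lines, blank lines, and data seen before any header.
        if (-not $fields -or $l -match '^\s*(#|$)') { continue }
        $values = $l.Trim() -split '\s+'
        # A line still being written can be short; skip it rather than misalign columns.
        if ($values.Count -lt $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Constructed sample in the pfirewall.log layout (documentation-range addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:15:02 DROP TCP 198.51.100.7 10.0.0.5 50122 3389 52 S 1234567 0 64240 - - - RECEIVE
2024-05-01 10:15:03 DROP TCP 198.51.100.9 10.0.0.5 50344 3389 52 S 7654321 0 64240 - - - RECEIVE
2024-05-01 10:15:04 ALLOW UDP 10.0.0.5 10.0.0.2 53211 53 0 - - - - - - - SEND
2024-05-01 10:15:05 DROP TCP 192.0.2.44 10.0.0.5 41820 445 52 S 1112223 0 64240 - - - RECEIVE
2024-05-01 10:15:06 DROP TCP 192.0.2.44
'@ -split '\r?\n'

# On a server, replace $sample with:
#   Get-Content C:/Windows/System32/LogFiles/Firewall/pfirewall.log
$events = ConvertFrom-FirewallLog -Line $sample

# Blocked flows grouped by destination port and protocol, busiest first.
$events | Where-Object action -eq 'DROP' |
    Group-Object 'dst-port', protocol |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```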
Rollback Plan
Revert to prior logging location and size limits if storage pressure increases unexpectedly.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogMaxSizeKilobytes 4096
Prevention & Hardening
Enforce logging defaults with policy and validate continuously.
Get-NetFirewallProfile | Export-Csv firewall-profile-logging.csv -NoTypeInformation


Related Errors & Cross-Refs
Missing logs frequently mask firewall denies that are misreported as app or DNS failures.
References & Further Reading
Microsoft Learn: Windows Defender Firewall logging and monitoring configuration.