Solved Windows firewall log only recording initial one-way connection

[BlackLion]

Hello. I have enabled Windows firewall logging in Windows 7 Ultimate. I have noticed that Windows firewall logging only logs
the initial one-way connection e.g. connecting to the web server on the LAN produces the following event in the Windows firewall log:

2017-11-17 20:43:34 ALLOW TCP 192.168.2.35 192.168.2.19 49397 80 0 - 0 0 0 - - - SEND

This is an outbound packet from my machine (192.168.2.35), running Windows firewall log, to the web server (192.168.2.19). Windows firewall does not record any return traffic from the web server (192.168.2.19) back to my machine (192.168.2.35).

Similarly, when initiating an inbound connection from the web server (192.168.168.2.19) to a service listening on my machine (192.168.2.35), only the below event is recorded (and not the return outbound traffic, from my machine, which follows):

2017-11-18 10:29:47 ALLOW TCP 192.168.2.19 192.168.2.35 52437 1234 0 - 0 0 0 - - - RECEIVE

Is it possible for Windows firewall to log both inbound and outbound traffic for a connection, or is it only limited to recording the one-way initial traffic?

 

[Alejandro85]

What you're seeing is totally correct and the normal operation of Windows Firewall. The reason is simple: it works entirely on connections, not packets. Based on its rules, when a connection attempt is made from either side, it decides to allow it or drop altogether. The result of that decision is what becomes logged.

After a connection is allowed, the firewall does nothing more, it just let pass every packet on it. Remember that Windows Firewall is a rather simple firewall, with no stateful packet inspection capabilities, so it won't log (or care about) everything that happens on your network.

You probably what to look at a different tool for this job. A packet analyzer like Wireshark will fit you better that the logs.