Microsoft Windows Defender Firewall
- Miguel Lauriano
- Aparna Rr
About the Device
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.
Device Information
Entity | Particulars |
|---|---|
Vendor Name | Microsoft |
Product Name | Windows Defender Firewall |
Type of Device | Hosted |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
|---|---|---|---|
Windows Firewall | WINDOWS_FIREWALL | Syslog - Structured | CyberHub |
Port Requirements
Source | Destination | Port |
|---|---|---|
Microsoft Windows Defender Firewall | CyberHub | 10014(TCP) |
To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 10014 for seamless integration.
In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.
Device Configuration
To configure Microsoft Windows Defender Firewall
Open the Group Policy Management Console and navigate to Windows Defender Firewall with Advanced Security.
In the details pane, in Overview, click Windows Defender Firewall Properties.
For each network location type (Domain, Private, Public), perform the following steps.
Click the tab that corresponds to the network location type (Domain, Private, Public).
In Logging, click Customize.
The default path for the log is %windir%\system32\logfiles\firewall\pfirewall.log
The default file location must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
d. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, uncheck the Not configured, and type in the new size in KB, or select a size. When the file reaches its size limit, old log entries are deleted to accommodate new ones, ensuring it doesn't exceed the specified size.
e. To create a log entry when Windows Defender Firewall drops an incoming network packet, change Log dropped packets to Yes.
f. To create a log entry when Windows Defender Firewall allows an inbound connection, change Log successful connections to Yes.
g. Click OK twice
h. Repeat above steps for all three network location type Domain, Private and Public.
To configure Windows NxLog Agent for TLS TCP Log flow on port 10014
Download and Install NxLog agent from Download
Navigate to services.msc and stop the nxlog service
Navigate to folder C:\Program Files (x86)\nxlog\data and delete configcache.dat
For Windows Agent, navigate to the installed location C:\Program Files (x86)\nxlog\conf
Rename below mentioned file to nxlog.conf and copy it C:\Program Files (x86)\nxlog\conf folder.
Replace “CyberHub_IP_Address” with actual CyberHub IP address in nxlog.conf.
Provide the file location for the CA certificate on line number 77 in nxlog.conf file
Now start the nxlog service from services.msc
NxLog agent logs will be available at location C:\Program Files (x86)\nxlog\data\nxlog.log
The log flow should work, and you can check it using tcpdump with the command
tcpdump -AA port 10014
Integration Parameters
Parameters required from customer for Integration.
Property | Default Value | Description |
|---|---|---|
IP Address | Microsoft Windows Defender Firewall interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub |
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.