Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for Windows Firewall. Blumira supports the following Microsoft Windows server operating systems:
Blumira provides broad coverage for Windows Server, including collecting logs using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.
Recommended: Use Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.
If using Poshim, nothing further is needed on this page. For manual config, continue reading below.
You will need to first install and configure NXLog on the Windows host using these instructions: https://www.blumira.com/integration/windows-server/
*Tested from Server 2012 to Current
Windows Firewall Logging has some significant benefits, but does increase the amount of logs and data being extracted from your host. Blumira recommends implementing this configuration in areas where you do not have good visibility within the network.
NOTE: Successful logging requires the on-host firewall to be enabled and functioning in the appropriate policies. In situations where your Windows Firewall has been disabled, this will only set the FirewallProfile and not necessarily enable it. Please review Microsoft documentation pertaining to your on-host firewall for more details. Blumira always recommends least access: only expected protocols should be allowed when possible. However, even leaving the firewall at its default policies and enabled will allow log collection to function.
You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only. Adding successful packets will most likely be unnecessarily verbose unless you require visibility due to lack of segmentation.
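As an added example (not Blumira's documentation, Poshim code, or a Blumira-supplied script), the following PowerShell applies the same dropped-packets-only logging setting locally on a host and then checks the two things that commonly cause empty logs: a profile that is disabled, and a log file that is never written. The page recommends setting this via GPO; the local cmdlets are equivalent for a single host or for testing before rolling out the GPO. The log path and size limit are assumed values (the path is the Windows default location).

```powershell
# Added example, not part of Blumira's documentation or Poshim.
# Assumes Windows Server 2012 or later (NetSecurity module available) and an
# elevated PowerShell session. Path and size are assumed values; adjust as needed.
$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'  # Windows default location (assumed)
$MaxKB   = 32767                                                   # largest value the setting accepts

# 1. Log dropped packets only on every profile; leave allowed-connection logging off
#    (the verbose setting the page advises against unless segmentation visibility is lacking).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes $MaxKB

# 2. Verify the logging settings AND that each profile is actually enabled.
#    Configuring logging on a disabled profile sets the property but produces no entries.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

$disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Firewall is disabled on profile(s): " + ($disabled.Name -join ', ') +
                   ". No packets will be logged for those profiles until the firewall is enabled.")
}

# 3. Confirm the log file exists and show the most recent entries. The file is only
#    created once the firewall has something to record, so an absent file right after
#    enabling logging is normal on a quiet host.
$resolved = [Environment]::ExpandEnvironmentVariables($LogPath)
if (Test-Path $resolved) {
    Get-Content -Path $resolved -Tail 5
} else {
    Write-Warning "No log file yet at $resolved (no dropped packets seen yet, or the firewall is not active)."
}
```

Run the script once per host, then point the NXLog input at the same path shown in `LogFileName` so that the file NXLog tails is the one Windows is actually writing; if the warning about disabled profiles appears, enabling the profile is a prerequisite for any entries to arrive at Blumira.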
#, starting at
#</Route>above the Windows Firewall Logs END block.
net stop nxlog && net start nxlog