.. generated, remove this comment to keep this file

``firewall.logs``
=================

.. code-block:: console

    $ target-query -f firewall.logs

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.firewall.WindowsFirewallPlugin``
    * - Output
      - ``records``

**Module documentation**

Windows Firewall plugin.

**Function documentation**

Parse Windows Firewall log files.

Currently parses ``pfirewall*`` files in ``sysvol\Windows\System32\LogFiles\Firewall\`` only.
Does not yet parse dynamically set log locations, e.g. ``netsh advfirewall set currentprofile logging filename``.

References:
    - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging

Yields Windows Firewall log records with the following fields:

.. code-block:: text

    ts (datetime): The timestamp of the log entry.
    hostname (string): The target hostname.
    domain (string): The target domain.
    action (string): Allow or Block.
    protocol (string): TCP, UDP or other IANA protocol value.
    src_ip (net.ipaddress): Source IP address.
    dst_ip (net.ipaddress): Destination IP address.
    src_port (varint): Source port number.
    dst_port (varint): Destination port number.
    size (filesize): Size in bytes of the packet(s).
    tcpflags (string): TCP header control flags.
    tcpsyn (string): TCP sequence number.
    tcpack (string): TCP acknowledgement number.
    tcpwin (string): TCP window size in bytes.
    icmptype (string): ICMP packet type.
    icmpcode (string): ICMP packet code.
    info (string): Additional information.
    path (string): Direction of the traffic, either SEND, RECEIVE, FORWARD or UNKNOWN.
    source (path): Source path of the record log line.
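The fields above map almost one to one onto the columns Windows writes to ``pfirewall.log``, which is a W3C extended log: a ``#Fields:`` header names the columns and ``-`` marks an empty value. The following is an added example written for this page, not code from dissect.target; it parses that layout from a constructed sample (the ``ALLOW``/``DROP`` action values and ``SEND``/``RECEIVE`` path values are what the real log contains) and returns dicts keyed like the record fields listed above. The ``hostname``, ``domain`` and ``source`` parameters stand in for what the plugin takes from the target; the ``blocked_inbound`` triage helper is this example's own.

```python
"""Parse Windows Firewall pfirewall.log lines into dicts shaped like the
firewall.logs record fields. Added example; not dissect.target's own parser."""
from __future__ import annotations

import ipaddress
from datetime import datetime
from typing import Iterator

# Constructed sample of a pfirewall.log in the W3C extended log format that
# Windows Firewall writes. The #Fields line defines the column order.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2023-01-10 09:12:33 DROP TCP 192.168.1.10 10.0.0.5 51234 445 52 S 123456789 0 64240 - - - RECEIVE
2023-01-10 09:12:34 ALLOW UDP 192.168.1.10 8.8.8.8 53001 53 0 - - - - - - - SEND
2023-01-10 09:12:35 DROP ICMP 10.0.0.7 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""

# Windows column names that differ from the record field names used on this page.
_FIELD_MAP = {"src-ip": "src_ip", "dst-ip": "dst_ip", "src-port": "src_port", "dst-port": "dst_port"}
_IP_FIELDS = {"src_ip", "dst_ip"}
_INT_FIELDS = {"src_port", "dst_port", "size"}


def parse_pfirewall(text: str, hostname: str = "", domain: str = "",
                    source: str = "pfirewall.log") -> Iterator[dict]:
    """Yield one dict per data line, using the #Fields header for column names.

    hostname/domain/source are assumed parameters standing in for target metadata.
    "-" placeholders become None, IPs and ports are converted, and the date and
    time columns are merged into ``ts`` (kept naive: the header says Local time).
    Lines whose column count does not match the header are skipped rather than
    mis-assigned, so a truncated or corrupt line cannot shift values into the
    wrong fields.
    """
    columns: list[str] | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                columns = line.split(":", 1)[1].split()
            continue
        if columns is None:
            # Data before any #Fields header: column layout is unknown, skip it.
            continue
        parts = line.split()
        if len(parts) != len(columns):
            continue
        raw = dict(zip(columns, parts))
        rec = {"hostname": hostname, "domain": domain, "source": source}
        rec["ts"] = datetime.strptime(f"{raw.pop('date')} {raw.pop('time')}", "%Y-%m-%d %H:%M:%S")
        for col, val in raw.items():
            name = _FIELD_MAP.get(col, col)
            if val == "-":
                rec[name] = None
            elif name in _IP_FIELDS:
                rec[name] = ipaddress.ip_address(val)
            elif name in _INT_FIELDS:
                rec[name] = int(val)
            else:
                rec[name] = val
        yield rec


def blocked_inbound(records) -> list[dict]:
    """Triage helper (this example's own): dropped packets that arrived at the host."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


if __name__ == "__main__":
    for r in blocked_inbound(parse_pfirewall(SAMPLE_LOG, hostname="WS01", domain="CORP")):
        print(r["ts"], r["protocol"], r["src_ip"], "->", r["dst_ip"], r["dst_port"])
```

Reading the column names from ``#Fields:`` instead of hard-coding positions matters in practice: the header is what tells you how a given file was written, and a line that does not match its width is more safely dropped than shifted into the wrong columns.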