How Do I Check IPv6 Firewall Logs?

Understanding your firewall logs is essential for troubleshooting IPv6 connectivity issues, identifying security threats, and ensuring your network operates correctly. Whether you're experiencing connection problems or want to verify that your firewall is properly handling IPv6 traffic, knowing how to access and interpret firewall logs is a critical skill. This guide covers platform-specific log locations, enabling detailed logging, and interpreting common patterns.

Before diving into firewall logs, establish a baseline by testing your IPv6 connectivity at test-ipv6.run. This will help you understand whether connectivity issues stem from firewall configuration or other network problems.

Windows Firewall IPv6 Logging

Enabling Logging

By default, Windows Firewall logging is disabled. To enable it for IPv6 traffic analysis:

Method 1: Using GUI (Windows Firewall with Advanced Security)

1. Press Win + R, type wf.msc, and press Enter
2. Right-click "Windows Defender Firewall with Advanced Security" and select "Properties"
3. Select the appropriate profile tab (Domain, Private, or Public)
4. Under the "Logging" section, click "Customize..."
5. Configure the following settings:
   • Log dropped packets: Set to "Yes" to log blocked traffic
   • Log successful connections: Set to "Yes" to log allowed traffic
   • Size limit: Default is 4,096 KB (adjust as needed)
6. Note the log file path (default: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)
7. Click "OK" and repeat for other network profiles as needed

Method 2: Using PowerShell

# Enable logging for dropped packets on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# Enable logging for successful connections
Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True

# Set custom log file location
Set-NetFirewallProfile -Profile Domain,Private,Public -LogFileName "C:\CustomPath\firewall.log"

Method 3: Using Command Line (netsh)

# Enable logging for dropped connections on all profiles
netsh advfirewall set allprofiles logging droppedconnections enable

# Enable logging for allowed connections
netsh advfirewall set allprofiles logging allowedconnections enable

Log Location and Format

The default Windows Firewall log is located at:

%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

Typically this resolves to:

C:\Windows\System32\LogFiles\Firewall\pfirewall.log

Important: Windows Firewall uses a single unified log file for both IPv4 and IPv6 traffic. There is no separate IPv6-specific log location.

Reading Windows Firewall Logs

Windows Firewall logs use a space-delimited format with the following fields:

date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

Example IPv6 log entries:

2025-10-20 14:32:15 DROP UDP 2001:db8:1234:5678::10 ff02::1:3 5355 5355 - - - - - - - RECEIVE
2025-10-20 14:33:42 ALLOW TCP 2001:db8:abcd:ef01::50 2606:4700::1111 52384 443 - - - - - - - SEND
2025-10-20 14:35:18 DROP ICMPv6 fe80::a1b2:c3d4:e5f6:7890 ff02::1 - - - - - 133 0 - RECEIVE

Key indicators for IPv6 traffic:

• RA6: Remote IPv6 address field (in some log formats)
• LA6: Local IPv6 address field (in some log formats)
• Colon notation addresses: Presence of colons (:) indicates IPv6 addresses
• ICMPv6: IPv6-specific ICMP protocol
• Link-local addresses: Addresses starting with fe80::
• Multicast addresses: Addresses starting with ff02::

Analyzing Windows Logs

To efficiently analyze Windows Firewall logs:

Using PowerShell:

# View last 50 IPv6-related entries
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Tail 50 | Select-String ":"

# Count dropped IPv6 packets
(Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log | Select-String "DROP.*:").Count

# Find specific IPv6 address activity
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log | Select-String "2001:db8"

# Export IPv6 drops to separate file
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log | Select-String "DROP.*:" | Out-File ipv6-drops.txt

Linux IPv6 Firewall Logging (iptables/ip6tables)

Understanding ip6tables Logging

Linux uses separate tools for IPv4 (iptables) and IPv6 (ip6tables) firewall management, though modern systems may use nftables or firewalld as unified interfaces.

Enabling ip6tables Logging

To log IPv6 traffic, add LOG target rules to your ip6tables configuration:

Basic logging syntax:

# Log all incoming IPv6 traffic before processing
ip6tables -A INPUT -j LOG --log-prefix "IPv6-INPUT: "

# Log dropped IPv6 packets
ip6tables -A INPUT -j LOG --log-prefix "IPv6-DROP: " --log-level 4
ip6tables -A INPUT -j DROP

# Log specific protocol (ICMPv6 example)
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix "ICMPv6: "

# Log with rate limiting to prevent log flooding
ip6tables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-RATE: "

Important logging options:

• --log-prefix "TEXT": Adds identifying text to log entries (max 29 characters)
• --log-level: Sets syslog level (0-7, with 4 = warning, 6 = info)
• --log-tcp-options: Logs TCP header options
• --log-ip-options: Logs IPv6 header options
• -m limit: Rate limits log entries to prevent DoS attacks on log storage

Example Comprehensive ip6tables Logging Rules

#!/bin/bash
# IPv6 firewall logging configuration

# Create logging chain
ip6tables -N LOGGING

# Log with rate limiting
ip6tables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPv6-Dropped: " --log-level 4

# Drop after logging
ip6tables -A LOGGING -j DROP

# Log ICMPv6 Router Advertisements
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j LOG --log-prefix "IPv6-RA: "

# Log ICMPv6 Neighbor Solicitation
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j LOG --log-prefix "IPv6-NS: "

# Send rejected packets to logging chain
ip6tables -A INPUT -j LOGGING

Log Locations on Linux

IPv6 firewall logs are written to standard Linux logging facilities:

Common log locations:

• /var/log/syslog (Debian/Ubuntu)
• /var/log/messages (RHEL/CentOS/Fedora)
• /var/log/kern.log (kernel-specific logs)
• journalctl (systemd-based systems)

Reading ip6tables Logs

Example ip6tables log entries:

Oct 20 15:42:13 server kernel: [12345.678] IPv6-INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8:1234::5 DST=2001:db8:5678::10 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=54321 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Oct 20 15:43:28 server kernel: [12456.789] IPv6-DROP: IN=eth0 OUT= SRC=fe80::1234:5678:90ab:cdef DST=ff02::1 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

Oct 20 15:44:55 server kernel: [12567.890] ICMPv6: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=12345 SEQ=1

Key IPv6-specific fields:

• SRC/DST: Source and destination IPv6 addresses
• HOPLIMIT: IPv6 equivalent of TTL (Time To Live)
• TC: Traffic Class (IPv6 equivalent of TOS)
• FLOWLBL: Flow Label (unique to IPv6)
• LEN: Total packet length (IPv6 has variable header length)
• PROTO: Protocol (TCP, UDP, ICMPv6)
• TYPE/CODE: ICMPv6 message type and code

Analyzing Linux Logs

Using grep and standard tools:

# View recent IPv6 firewall logs
tail -f /var/log/syslog | grep "IPv6"

# Count dropped IPv6 packets
grep "IPv6-DROP" /var/log/syslog | wc -l

# Find logs for specific IPv6 address
grep "2001:db8:1234" /var/log/syslog

# Show logs from the last hour
grep "IPv6" /var/log/syslog | grep "$(date '+%b %d %H')"

# Extract source addresses from dropped packets
grep "IPv6-DROP" /var/log/syslog | grep -oP 'SRC=\K[0-9a-f:]+' | sort | uniq -c | sort -rn

Using journalctl (systemd systems):

# View recent IPv6 kernel messages
journalctl -k | grep "IPv6"

# Follow IPv6 logs in real-time
journalctl -kf | grep "IPv6"

# Show logs from last 2 hours with IPv6 content
journalctl -k --since "2 hours ago" | grep -i ipv6

# Filter by log priority
journalctl -k -p warning | grep IPv6

Using firewalld Logging

For systems using firewalld as a frontend:

# Enable logging for dropped packets
firewall-cmd --set-log-denied=all
firewall-cmd --runtime-to-permanent

# View firewalld logs
journalctl -xe | grep -i rejected
journalctl -u firewalld

# Check firewall logging status
firewall-cmd --get-log-denied

Router and Network Appliance Logs

Common Consumer Router Log Access

Most consumer routers provide web-based interfaces to access firewall logs:

1. Access router admin panel: Typically at 192.168.1.1 or 192.168.0.1
2. Navigate to logs section: Often under "Administration," "System," "Logs," or "Security"
3. Filter for IPv6 entries: Look for colon notation addresses or IPv6-specific filters

Common router log patterns:

[FW.IPv6 FORWARD DROP] from source 2001:db8::1234, port 12345, Sunday, Oct 20, 2025 15:30:22
[FW.IPv6 INPUT DROP] from source fe80::a1b2:c3d4:e5f6, port 5355, Sunday, Oct 20, 2025 15:31:45
[FW.WANATTACK DROP] DST=2606:4700::1111, Sunday, Oct 20, 2025 15:33:10

Enterprise Firewall Appliances

pfSense/OPNsense:

• Navigate to Status > System Logs > Firewall
• Use filter option to show only IPv6 traffic
• Logs display in real-time with color-coded actions (red=block, green=pass)
• Export to syslog server for long-term analysis

Cisco ASA/Firepower:

# View IPv6 access list logs
show logging | include IPv6

# Enable detailed logging
logging enable
logging timestamp
logging list IPv6-LOG level informational

Palo Alto Networks:

• Navigate to Monitor > Logs > Traffic
• Filter by: (addr.src in IPv6) or (addr.dst in IPv6)
• Export to CSV or send to external SIEM

Fortinet FortiGate:

# View IPv6 logs via CLI
execute log filter field subtype forward
execute log filter field srcip6 2001:db8::1
execute log display

Interpreting IPv6 Firewall Logs

Common Blocked Traffic Patterns

Understanding normal versus suspicious traffic helps prioritize security responses:

1. **ICMPv6 Traffic (Often Legitimate)**

TYPE=133 CODE=0  # Router Solicitation (normal IPv6 behavior)
TYPE=134 CODE=0  # Router Advertisement (normal from gateway)
TYPE=135 CODE=0  # Neighbor Solicitation (IPv6 ARP equivalent)
TYPE=136 CODE=0  # Neighbor Advertisement (normal response)
TYPE=128 CODE=0  # Echo Request (ping6)
TYPE=129 CODE=0  # Echo Reply (ping6 response)

Analysis: ICMPv6 is essential for IPv6 operation. Blocking types 133-136 will break IPv6 connectivity. However, rate limiting is recommended to prevent abuse. For more information on how these protocols work together, see Neighbor Discovery Protocol (NDP).

2. **Link-Local and Multicast Traffic (Usually Normal)**

SRC=fe80::xxxx  DST=ff02::1      # Link-local to all-nodes multicast
SRC=fe80::xxxx  DST=ff02::1:ffxx # Solicited-node multicast
DPT=5355        # LLMNR (Link-Local Multicast Name Resolution)
DPT=547         # DHCPv6 client
DPT=546         # DHCPv6 server

Analysis: This traffic is normal network housekeeping. High volumes may indicate misconfiguration but are rarely malicious.

3. **Port Scan Attempts (Suspicious)**

SRC=2001:db8:xxxx  DPT=22    # SSH scan
SRC=2001:db8:xxxx  DPT=23    # Telnet scan
SRC=2001:db8:xxxx  DPT=3389  # RDP scan
SRC=2001:db8:xxxx  DPT=445   # SMB scan
# Multiple destination ports from same source in short time

Analysis: Sequential port scanning from external IPv6 addresses suggests reconnaissance. Block source addresses and consider implementing rate limiting.

4. **FW.IPv6 FORWARD DROP (Configuration Issue)**

[FW.IPv6 FORWARD DROP] High frequency from internal addresses

Analysis: Indicates blocked internal-to-external IPv6 traffic. Common when IPv6 is partially enabled but routing/firewalling isn't properly configured. Check:

• IPv6 routing tables
• Firewall forwarding rules
• NAT66 or NPT66 configuration (if applicable)

5. **Brute Force Attempts (Malicious)**

Multiple connection attempts to SSH/RDP/web services from same IPv6 prefix
SRC=2001:db8:xxxx:xxxx::1 DPT=22 [repeated]
SRC=2001:db8:xxxx:xxxx::2 DPT=22 [repeated]
SRC=2001:db8:xxxx:xxxx::3 DPT=22 [repeated]

Analysis: Attacker may be using IPv6 privacy extensions or multiple addresses from a /64 allocation. Implement fail2ban or similar intrusion prevention at the /64 or /48 prefix level.

Log Analysis Tools and Scripts

Basic Bash Script for Log Analysis

#!/bin/bash
# ipv6-log-analyzer.sh - Analyze IPv6 firewall logs

LOGFILE="/var/log/syslog"
OUTPUT="ipv6-analysis.txt"

echo "IPv6 Firewall Log Analysis - $(date)" > "$OUTPUT"
echo "=======================================" >> "$OUTPUT"

# Count total IPv6 entries
echo -e "\nTotal IPv6 log entries:" >> "$OUTPUT"
grep -i "ipv6\|::" "$LOGFILE" | wc -l >> "$OUTPUT"

# Top 10 blocked source addresses
echo -e "\nTop 10 Blocked IPv6 Sources:" >> "$OUTPUT"
grep "DROP.*SRC=" "$LOGFILE" | grep -oP 'SRC=\K[0-9a-f:]+' | sort | uniq -c | sort -rn | head -10 >> "$OUTPUT"

# Top 10 destination ports
echo -e "\nTop 10 Targeted Destination Ports:" >> "$OUTPUT"
grep "DROP.*DPT=" "$LOGFILE" | grep -oP 'DPT=\K[0-9]+' | sort | uniq -c | sort -rn | head -10 >> "$OUTPUT"

# ICMPv6 type breakdown
echo -e "\nICMPv6 Type Distribution:" >> "$OUTPUT"
grep "ICMPv6.*TYPE=" "$LOGFILE" | grep -oP 'TYPE=\K[0-9]+' | sort | uniq -c | sort -rn >> "$OUTPUT"

# Unique blocked prefixes (/64)
echo -e "\nUnique /64 Prefixes Blocked:" >> "$OUTPUT"
grep "DROP.*SRC=" "$LOGFILE" | grep -oP 'SRC=\K[0-9a-f:]+' | sed 's/::[^:]*$/::\/64/' | sort -u | wc -l >> "$OUTPUT"

echo -e "\nAnalysis complete. Results saved to $OUTPUT"

Python Script for Advanced Analysis

#!/usr/bin/env python3
# ipv6_log_parser.py - Advanced IPv6 log parsing

import re
from collections import Counter
from datetime import datetime

def parse_ipv6_logs(logfile):
    ipv6_pattern = re.compile(r'SRC=([0-9a-f:]+).*DST=([0-9a-f:]+).*DPT=(\d+)')

    sources = []
    destinations = []
    ports = []

    with open(logfile, 'r') as f:
        for line in f:
            if 'IPv6' in line or '::' in line:
                match = ipv6_pattern.search(line)
                if match:
                    sources.append(match.group(1))
                    destinations.append(match.group(2))
                    ports.append(int(match.group(3)))

    print(f"Analysis Results for {logfile}")
    print("="*50)
    print(f"\nTotal IPv6 firewall events: {len(sources)}")
    print(f"\nTop 5 Source Addresses:")
    for addr, count in Counter(sources).most_common(5):
        print(f"  {addr}: {count}")

    print(f"\nTop 5 Targeted Ports:")
    for port, count in Counter(ports).most_common(5):
        print(f"  {port}: {count}")

if __name__ == "__main__":
    parse_ipv6_logs("/var/log/syslog")

Using SIEM and Log Analysis Platforms

For enterprise environments, integrate firewall logs with Security Information and Event Management (SIEM) systems:

Splunk query examples:

# Search for IPv6 DROP events
sourcetype=firewall "IPv6" action=drop | stats count by src_ip

# Identify scanning activity
sourcetype=firewall src_ip="2001:db8::*" | stats dc(dest_port) as ports by src_ip | where ports > 10

# Detect brute force attempts
sourcetype=firewall dest_port=22 | stats count by src_ip | where count > 50

ELK Stack (Elasticsearch) query:

{
  "query": {
    "bool": {
      "must": [
        { "match": { "protocol": "IPv6" }},
        { "match": { "action": "drop" }}
      ]
    }
  },
  "aggs": {
    "top_sources": {
      "terms": { "field": "src_ip.keyword", "size": 10 }
    }
  }
}

Troubleshooting with Firewall Logs

Scenario 1: IPv6 Connectivity Test Fails

If test-ipv6.run shows IPv6 failures:

1. Enable firewall logging on both endpoints
2. Initiate test from the IPv6 test site
3. Check logs immediately for dropped packets to test destinations
4. Look for patterns:
   • Drops to ports 80/443: Web firewall rules too restrictive
   • ICMPv6 drops: Essential IPv6 protocol blocked
   • No log entries: Traffic not reaching firewall (routing issue)

Scenario 2: Intermittent IPv6 Connectivity

1. Enable timestamp logging with high precision
2. Monitor logs during failure periods
3. Check for:
   • Router Advertisement gaps (TYPE=134)
   • Neighbor Solicitation failures (TYPE=135)
   • Sudden spikes in dropped traffic
   • State table exhaustion messages

Scenario 3: Security Investigation

When investigating potential security incidents:

1. Identify timeframe of suspicious activity
2. Extract all related log entries for that period
3. Map attack timeline: First contact, scanning phase, exploitation attempts
4. Identify attack source: Note IPv6 prefix, not just individual addresses
5. Check correlated events: Multiple services targeted, lateral movement attempts

Best Practices for IPv6 Firewall Logging

1. Enable logging selectively: Don't log everything; focus on denied traffic and security-relevant events
2. Implement rate limiting: Prevent log flooding attacks using iptables limit module or similar
3. Rotate logs regularly: Use logrotate or similar tools to prevent disk exhaustion
4. Centralize logging: Send logs to dedicated syslog server or SIEM for correlation
5. Set up alerts: Configure automated alerts for:
   • High volume of drops from single source
   • Scanning patterns (multiple ports from one source)
   • Brute force attempts (repeated connection attempts)
   • Unusual protocol usage
6. Review regularly: Schedule weekly reviews of firewall logs to identify trends
7. Baseline normal traffic: Understand what normal IPv6 traffic looks like in your environment
8. Document incidents: Keep records of security events and remediation actions
9. Test changes: After modifying firewall rules, verify with test-ipv6.run and check logs. For detailed guidance on firewall configuration, see How to Configure a Firewall for IPv6

Conclusion

IPv6 firewall logging is an essential tool for network troubleshooting, security monitoring, and compliance. By understanding platform-specific log locations, enabling appropriate logging levels, and interpreting common traffic patterns, you can effectively diagnose connectivity issues and identify security threats. Remember to establish a baseline with test-ipv6.run before diving deep into logs, and always balance detailed logging with performance and storage considerations.

Regular log analysis combined with automated alerting provides the visibility needed to maintain secure and functional IPv6 connectivity in modern networks.