Firewall events log not working??

No log of global Block IP In even though it does block some probes.
The only entries are some WOS ICMP blocks. If I remove the rule so global rules are empty, there are some events that are put in the log, but not all of them??? Anyone that can help?
CFP ver .276 x32 XP

The Block rule needs to have the “Log…” checkbox ticked for events to be logged. The ICMP block rule has the Log option included, but other blocks may not. To check, go to Firewall>Advanced>Network Security Policy and look at the rules listed there. A number of applications are not usable for attacks on your computer, so they do not need a block rule, but a number (svchost.exe; Services; explorer; your web browser; your email client and Windows Operating System - if present on your rules) need a block rule. If you want to see a log of blocked connection attempts, select a rule with a Block entry and click Edit. On the Edit dialog, select the Block rule and click Edit again. At the top of the dialog, there is the drop-down box with Block/Allow etc and beside it is a check box labeled “Log as a firewall event…”. This needs to be checked for the rule to show up on the Event log.

AnotherOne, can you tell me what rules you use for svchost, explorer and system, and your global rule?

Sure - snaps attached. I have put a number of ICMP rules in the Global rules section and they are not strictly necessary unless I put a Block IP rule in as I was thinking of doing. I have put the Block rule in applications for now. You will see a reference to [LAN and local and special multicasting] which allows my local network and the multicasting address ranges. Most people will not need this (I don’t think that I need it!), but I put it in because some of my multimedia software wanted to check an address in that range. I have also added a Global rule for IP Out and In to the LAN and multicasting addresses which may be redundant, since the applications should handle that, but it is tidier in my mind. There is also an entry for ZD1211… which is the wireless adapter that CFP detected and configured as my local network. Basically a duplicate of the LAN and Multicasting rules above minus the multicasting range.

For Application rules, the “LAN and Multicasting” rules are Allow IP In/Out LAN and Multicasting <> LAN and Multicasting Any. Since all the source addresses are the same as the destination addresses, I don’t need separate rules for In and Out.

As you can see, WOS and Explorer are restricted to my LAN and the others are only allowed outgoing connections other than the LAN.

[attachment deleted by admin]

Thanks AnotherOne.