Recent Firewall Events Window

To access:

In the Firewall Odometer pane, click View event history.

What it does:

The Recent Firewall Events window provides real-time monitoring of Internet communications and shows all the recent Internet activity. The window also has a section for detailed historical statistics.

Viewing event history is useful to analyze possible security breaches and reveal suspicious patterns. For example, unusually high traffic on a rarely used port could indicate malware is on your computer. Analyzing the filtering done by the firewall can also help you perfect your configurations.

Instructions:

You can view a list of recent events, filter the list of events, read details for a selected event, open or close related ports, and view detailed historical statistics.

To clear all the events that are displaying, click Clear all events; all the events that currently display are cleared, but moving forward, events will still display.

Viewing events

The recent communication attempts display on the right side of the window. Columns are resizable, - Point to the divider between the column headers until you see a double arrow, and then drag the divider right or left sortable, - Click on a column header once to sort the column in ascending order; click again to sort in descending order and movable. - You can change the order of how the columns display. Click on the column header, hold the mouse down, drag the column to the new position, then release the mouse

The following displays:

Date. The date and time of the attempted or successful communication.
Action. Indicates whether the communication was Blocked or Allowed.
Local Program. The location and program on your computer that was involved in the attempted or successful communication. Click on the link to open the Windows Properties window for the file.

For an ICMP event, the field will display [System:ICMP / Type], where Type is the ICMP type, such as Echo or Source Quench.

Remote Address. The remote computer or Web site that was involved in the attempted or successful communication. Click on the link to attempt access to this outside location.
Direction. The direction of the attempted or successful communication: Incoming or Outgoing.
Port. The port number and protocol for the applicable port.
Zone. The Zone that the communication was attempted or completed in: Trusted Zone or Internet Zone.
Attack. Indicates whether the attempt was an attack: Yes or No.
IntelliDefense. Indicates whether the IntelliDefense controls were used in blocking or allowing access: Yes or No.

Note: As a default, 25 events display. You can change this number on the Settings window, Keep the last [X] most recent events field.

Filtering events

To filter the events that display on the window, click the Filter link on the bottom of the window. A menu opens with the following filtering options:

"Show incoming communication" or "Hide incoming communication"
"Show outgoing communication" or "Hide outgoing communication"
"Show allowed communication" or "Hide allowed communication"
"Show blocked communication" or "Hide blocked communication"

Viewing details for a selected event

To view details for a selected event, click on the desired row on the right side of the window. The following information displays in the Selected Event section on the top, left side of the window:

Local Program. The program on your computer that was involved in the attempted or successful communication.

Click on the location to open a Windows Explorer window for the file's folder.
Click on the program name to open the Windows Properties window for the file.

Note: For an ICMP event, there are no hyperlinks; the field will display [System:ICMP / Type], where Type is the ICMP type, such as Echo or Source Quench.

IntelliDefense Category. The classification and description of the program. (More on IntelliDefense.)
Remote Address. The remote computer or Web site that was involved in the attempted or successful communication.
Direction. The direction of the communication attempt: Incoming or Outgoing.
Port. The port number and protocol for the applicable port.

You can click the "Allow" or "Block" link in this section to open or close the port. The port settings for the Zone will update for the current direction and protocol. See below for more information.

Zone. The Zone that the communication was attempted or completed in: Trusted Zone or Internet Zone.

Opening or closing the port to communication

To open or close a port to communication, click on the desired row. In the Port section of the Selected Event section, click the link to allow or block access to that port. The text of the link has the direction and the protocol; for example, "Block Outgoing UDP access" or "Allow Incoming TCP access".

If a communication attempt was blocked, the link will let you open the port (if the port isn't open already; if it is open, no link displays). If the communication was allowed, the link will let you close the port (if the port isn't closed already; if it is closed, no link displays).

If the port is defined, the Defined Port settings will be updated to allow access (in the current direction and Zone).
If the port is not defined, a Custom Port rule will be created to allow access (in the current direction, protocol, and Zone).

I see a "Confirm" window:

If you are using one of the set security levels for the Zone (Low, Medium, or High), the firewall will need to change the security to the Custom level, so that it can include these customized port settings.

A Confirm window will display giving you the option of making this update; click OK to continue. The firewall will change the security of the Zone to Custom and will add the port setting, but all other settings will be the same as the security level you had previously: Low, Medium, or High.

Viewing historical statistics

The Firewall Historical Statistics section displays the same information that shows on the Firewall Odometer pane, plus it also:

Shows the number of ports and programs that have been allowed communication.
Further categorizes statistics into incoming and outgoing communication.

This section is on the bottom, left side of the window and is divided into two subsections:

Since Install (Date of install)

Since you installed iolo Personal Firewall, shows:

The number of ports and programs that have been allowed and blocked, separated into incoming and outgoing communication.
The number of attacks that have been blocked, separated into incoming and outgoing communication.

Since Date and time of last reset

Since the day and time you last clicked Reset (which you can click to restart the count from zero), shows:

The number of ports and programs that have been allowed and blocked, separated into incoming and outgoing communication.
The number of attacks that have been blocked, separated into incoming and outgoing communication.

Note: Clicking Reset also resets the "Threats Blocked Today" and the "Since Date and time of last reset" statistics on the Firewall Odometer pane.