About using monitor mode

You can enable monitor mode on test computers and use the Firewall Event Viewer to see which traffic, applications, and processes are in use.

You can then use the Event Viewer to create rules that allow or block reported traffic, applications, and processes, as described in Create a firewall event rule.
Note: When you create a rule using the Firewall Event Viewer and add it to the firewall policy, the firewall mode changes from Monitor to Custom.

If you do not want to allow unknown traffic by default, you can use interactive mode.

In interactive mode, the firewall prompts the user to allow or block any applications and traffic for which it does not have a rule. For details, see Interactive mode.