Firewall. EventId 5152 and 5157.
In my security event log, an event with ID 5157 (The Windows Filtering Platform has blocked a connection) is always followed by an event with ID 5152 (The Windows Filtering Platform blocked a packet). What is the difference between these events? Can I safely ignore the 5157 events when I design OpsMgr ACS reports?
April 1st, 2008 7:09am
Hi,
ID    Message
5152  The Windows Filtering Platform blocked a packet.
5157  The Windows Filtering Platform has blocked a connection.
Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked.
It is expected that system first logs the event of blocking a connection then the event of blocking a packet when a connection is restricted by a block rule.
Since Event 5157 and Event 5152 are general Windows Firewall security audits, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it.
Please try to check the detail to identify the connection:
------------
The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: PID
    Application Name: process_name
Network Information:
    Direction: outbound or inbound
    Source Address: source_ip
    Source Port:
    Destination Address: des_ip
    Destination Port:
    Protocol:
------------
By the way, just for your information, if you want to disable the security audit from the Windows Firewall, run 'auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable' in the command prompt.
More information about Windows Firewall feature in Windows Server 2008
http://technet2.microsoft.com/windowsserver2008/en/library/c042b3c5-dee1-4a31-ac35-e90e846290441033.mspx
Hope it helps.
April 2nd, 2008 11:45am
Thank you Miles.
Please try to check the detail to identify the connection
Of course I did. I can't understand this:
First (and most important):
In the "Protocol:" field of the event I see UDP or ICMP protocol numbers, in both (5152 and 5157) events. Can ICMP establish a connection?
Second:
Can you block a connection and not drop the corresponding packets? Can you drop packets and not break the corresponding connection? Why do we need two different events?
April 2nd, 2008 3:53pm
Hi,
My last post was not quite accurate.
"Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."
The meaning of the word 'connection' in Event 5157 is not the same as the connection in OSI model transport layer.
There are three kinds of flows that are defined as CONNECTION:
TCP ALE Flow
UDP ALE Flow (Protocols that are not TCP or ICMP are treated like UDP.)
ICMP ALE Flow
As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.
So, this should be expected.
For more information about ALE Filtering:
Application Layer Enforcement (ALE) Stateful Filtering
http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx
Hope it helps.
April 8th, 2008 8:31am
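As an added example (not code from this thread or from Microsoft), the following Python pairs each 5157 record with the 5152 that follows it for the same flow, names the ALE flow type from the numeric Protocol field, and produces one report line per blocked flow. The sample records are constructed in the layout of the 5157 detail quoted above (PIDs, addresses and ports are made up), and the lone TCP 5152 at the end is a constructed case to exercise the unmatched path.

```python
# Added example (not from the thread or Microsoft): correlate 5157 and 5152 by flow.
# Records are constructed in the layout of the quoted 5157 detail; values are made up.
SAMPLE = [
    dict(id=5157, pid=4, direction="Inbound", src="192.0.2.10", sport=0,
         dst="192.0.2.20", dport=8, proto=1),        # ICMP echo request
    dict(id=5152, pid=4, direction="Inbound", src="192.0.2.10", sport=0,
         dst="192.0.2.20", dport=8, proto=1),
    dict(id=5157, pid=1180, direction="Outbound", src="192.0.2.20", sport=137,
         dst="192.0.2.255", dport=137, proto=17),    # UDP NetBIOS name service
    dict(id=5152, pid=1180, direction="Outbound", src="192.0.2.20", sport=137,
         dst="192.0.2.255", dport=137, proto=17),
    # Constructed on purpose: a 5152 with no 5157 for the same flow, so the
    # unmatched path is exercised (a drop the report must not lose).
    dict(id=5152, pid=0, direction="Inbound", src="198.51.100.7", sport=40000,
         dst="192.0.2.20", dport=445, proto=6),
]

# ALE flow types named in the thread; ALE treats every other protocol like UDP.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def protocol_name(number):
    return PROTOCOL_NAMES.get(number, "other (treated like UDP)")

def flow_key(ev):
    """Fields that identify one flow in both event types."""
    return (ev["pid"], ev["direction"], ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])

def correlate(events):
    """Pair each 5157 with the next 5152 carrying the same flow tuple.
    Returns (pairs, unmatched_5157, unmatched_5152), each in log order."""
    pending = {}  # flow key -> 5157 events still waiting for their 5152
    pairs, lone_5152 = [], []
    for ev in events:
        key = flow_key(ev)
        if ev["id"] == 5157:
            pending.setdefault(key, []).append(ev)
        elif ev["id"] == 5152 and pending.get(key):
            pairs.append((pending[key].pop(0), ev))
        elif ev["id"] == 5152:
            lone_5152.append(ev)
    lone_5157 = [e for lst in pending.values() for e in lst]
    return pairs, lone_5157, lone_5152

def blocked_flows(events):
    """One report line per blocked flow: the 5152 records the drop; a paired
    5157 only adds that ALE also closed the (pseudo-)connection."""
    pairs, _, lone_5152 = correlate(events)
    drops = [packet for _, packet in pairs] + lone_5152
    return [f"{protocol_name(e['proto'])} {e['direction']} {e['src']}:{e['sport']}"
            f" -> {e['dst']}:{e['dport']} pid {e['pid']}" for e in drops]
```

Run blocked_flows(SAMPLE) to get the three report lines; a 5157 left in unmatched_5157 would mean a connection block with no packet-drop record, which is worth a closer look before dropping 5157 from a report.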
I have searched all over the forums and websites, pulled out my propeller after installing hotfixes and I cannot get these event IDs to go away on a Windows 2000 Server, any ideas?

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1015
Date: 24.Aug.09
Time: 20:42:00
User: N/A
Computer: PISERVER
Description: The timeout waiting for the performance data collection function "PerfDisk" in the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date: 25.Aug.09
Time: 09:33:44
User: N/A
Computer: PISERVER
Description: The redirector was unable to initialize security context or query context attributes.
Data:
0000: 00 00 08 00 02 00 56 00   ......V.
0008: 00 00 00 00 da 0b 00 80   ......
0010: 00 00 00 00 5f 00 00 c0   ...._..
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: f3 04 00 00 5f 00 00 c0   ..._..
eph61820
August 25th, 2009 8:01pm