Getting a lot of Event ID 5152
I just happened to check the security logs on my Exchange 2010 server and noticed a lot of these event logs coming up. I'm getting them for other servers and user computers.
What's causing this?
May 9th, 2011 4:35pm
Hi,
5152 The Windows Filtering Platform blocked a packet.
This is related to your firewall, which blocks some traffic.
Analyze the entire log to determine the source, the destination, the application/service that sent the packet, the protocol, and the port number.
http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 10th, 2011 3:30am
Hi,
What is the operating system version on this server? Did you see the event 5157 at the same time in the Security log?
ID      Message
5152    The Windows Filtering Platform blocked a packet.
Event 5152 indicates that a packet (IP layer) is blocked.
Event 5157 and Event 5152 are general Windows Firewall security audit events; you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. Please try to check the detail to identify.
Just for your information, if you want to disable the security audit from Windows Firewall, run the following command:
auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable
For more information, please refer to the following link:
Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx
Best Regards,
Nina Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 10th, 2011 6:26am
Hi,
Any update on this issue? If there is anything that I can do for you, please feel free to let me know.
Thanks.
Nina
May 13th, 2011 6:25am
Hi guys
I'm experiencing a similar problem too, however we don't have the Windows Firewall enabled. Below are the Audit Failures we're receiving:
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 0.0.0.0
    Source Port: 68
    Destination Address: 255.255.255.255
    Destination Port: 67
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 255.255.255.255
    Source Port: 67
    Destination Address: 0.0.0.0
    Destination Port: 68
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

Then we get these:
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.39
    Source Port: 137
    Destination Address: 10.33.27.255
    Destination Port: 137
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.255
    Source Port: 137
    Destination Address: 10.33.27.39
    Destination Port: 137
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

This server isn't running Exchange; it's running SQL Server 2008. The OS for the servers is Windows Server 2008 R2.
June 24th, 2011 8:02am
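
Added example, not posted by anyone in this thread and not Microsoft's code: one way to do the analysis the replies recommend, grouping blocked-packet messages by protocol, destination port and destination so routine broadcast chatter (DHCP, NetBIOS name service) stands apart from traffic worth investigating. It assumes PowerShell 3.0 or later and English-language event text; `ConvertFrom-WfpBlockMessage` is a hypothetical helper name and the sample messages are constructed from the values quoted above.

```powershell
# Constructed sample: 5152 message text modelled on the events quoted in this thread.
$template = @'
The Windows Filtering Platform has blocked a packet.
Network Information:
    Source Address:       {0}
    Source Port:          {1}
    Destination Address:  {2}
    Destination Port:     {3}
    Protocol:             {4}
'@
$sample = ($template -f '0.0.0.0', 68, '255.255.255.255', 67, 17),
          ($template -f '10.33.27.39', 137, '10.33.27.255', 137, 17),
          ($template -f '10.33.27.39', 137, '10.33.27.255', 137, 17)

# Hypothetical helper (not a built-in cmdlet): parses one event message into an object.
function ConvertFrom-WfpBlockMessage {
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        $field = @{}
        # "Label:<whitespace>Value" lines; section headers have no value and are skipped.
        foreach ($m in [regex]::Matches($Message, '(?m)^[ \t]*([^:\r\n]+):[ \t]+(\S[^\r\n]*)')) {
            $field[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value.Trim()
        }
        $protoName = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }   # IANA protocol numbers
        $proto = $field['Protocol']
        if ($proto -and $protoName.ContainsKey($proto)) { $proto = $protoName[$proto] }
        [pscustomobject]@{
            Source      = $field['Source Address']
            Destination = $field['Destination Address']
            DestPort    = $field['Destination Port']
            Protocol    = $proto
        }
    }
}

# Well-known broadcast chatter seen in this thread; extend for your own network.
$known = @{ 'UDP/67' = 'DHCP client broadcast'; 'UDP/137' = 'NetBIOS name service' }

# Live use (elevated): pipe (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152}).Message instead of $sample.
$sample | ConvertFrom-WfpBlockMessage |
    Group-Object Protocol, DestPort, Destination |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        $key   = '{0}/{1}' -f $first.Protocol, $first.DestPort
        [pscustomobject]@{
            Count   = $_.Count
            Flow    = "$key -> $($first.Destination)"
            Sources = ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', '
            Note    = $known[$key]
        }
    } | Format-Table -AutoSize
```

Rows with an empty Note are the ones to look at first; compare them against the traffic you expect the server to receive.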