Getting a lot of Event ID 5152
I just happened to check the security logs on my Exchange 2010 server and noticed a lot of these event logs coming up. I'm getting them for other servers and user computers. What's causing this?
May 9th, 2011 4:35pm

Hi, 5152: The Windows Filtering Platform blocked a packet. This is related to your firewall, which blocks some traffic. Analyze the entire log to determine the source, the destination, the application/service that sent the packet, the protocol, and the port number.
http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 10th, 2011 3:30am

Hi,

What is the operating system version on this server? Did you see the event 5157 at the same time in the Security log?

ID      Message
5152    The Windows Filtering Platform blocked a packet.

Event 5152 indicates that a packet (IP layer) is blocked. Event 5157 and Event 5152 are general Windows Firewall security audit events; you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. Please try to check the detail to identify.

Just for your information, if you want to disable the security audit from Windows Firewall, run the following command:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

For more information, please refer to the following link:
Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

Best Regards,
Nina Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 10th, 2011 6:26am

Hi, Any update on this issue? If there is anything that I can do for you, please feel free to let me know. Thanks.
Nina
May 13th, 2011 6:25am

Hi guys, I'm experiencing a similar problem too; however, we don't have the Windows Firewall enabled. Below are the Audit Failures we're receiving:

The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 0.0.0.0
    Source Port: 68
    Destination Address: 255.255.255.255
    Destination Port: 67
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 255.255.255.255
    Source Port: 67
    Destination Address: 0.0.0.0
    Destination Port: 68
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

Then we get these:

The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.39
    Source Port: 137
    Destination Address: 10.33.27.255
    Destination Port: 137
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.255
    Source Port: 137
    Destination Address: 10.33.27.39
    Destination Port: 137
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

This server isn't running Exchange, it's running SQL Server 2008 on it. The OS for the servers is Windows Server 2008 R2.
June 24th, 2011 8:02am
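
Added example, not part of the thread or any poster's code: a small Python triage script for the analysis the replies recommend, parsing rendered 5152/5157 message text and counting blocked packets by destination class, protocol, destination port and filter run-time ID. The function names, the 10.33.27.0/24 subnet, and the 192.0.2.x TCP flow in the sample are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

FIELDS = ["Process ID", "Application Name", "Direction", "Source Address", "Source Port",
          "Destination Address", "Destination Port", "Protocol", "Filter Run-Time ID",
          "Layer Name", "Layer Run-Time ID"]
# A value runs until the next field label, a section header, or the end of the record.
STOP = "|".join(map(re.escape, FIELDS + ["Network Information", "Filter Information"]))
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers

def parse_events(text):
    """Yield one dict per rendered 5152/5157 message, whatever the whitespace layout."""
    parts = re.split(r"The Windows Filtering Platform has blocked a (packet|connection)\.", text)
    for kind, body in zip(parts[1::2], parts[2::2]):
        ev = {"Kind": kind}
        for name in FIELDS:
            if m := re.search(rf"{re.escape(name)}:\s*(.*?)\s*(?=(?:{STOP}):|$)", body, re.S):
                ev[name] = m.group(1)
        yield ev

def traffic_class(dst, local_net):
    """Separate broadcast/multicast destinations from unicast (local_net is an assumption)."""
    addr, net = ipaddress.ip_address(dst), ipaddress.ip_network(local_net)
    noisy = addr.is_multicast or str(addr) == "255.255.255.255" or addr == net.broadcast_address
    return "broadcast/multicast" if noisy else "unicast"

def summarize(text, local_net):
    """Count blocked packets per (class, protocol, destination port, filter run-time ID)."""
    counts = Counter()
    for ev in parse_events(text):
        proto = PROTO.get(ev["Protocol"], ev["Protocol"])
        counts[(traffic_class(ev["Destination Address"], local_net), proto,
                int(ev["Destination Port"]), ev["Filter Run-Time ID"])] += 1
    return counts

# Constructed sample: the two blocked packets quoted in the thread (the first repeated),
# plus one made-up unicast TCP drop between 192.0.2.x addresses for contrast.
TEMPLATE = ("The Windows Filtering Platform has blocked a packet. Application Information: "
            "Process ID: 912 Application Name: \\device\\harddiskvolume1\\windows\\system32\\svchost.exe "
            "Network Information: Direction: Inbound Source Address: {} Source Port: {} "
            "Destination Address: {} Destination Port: {} Protocol: {} Filter Information: "
            "Filter Run-Time ID: 70779 Layer Name: Receive/Accept Layer Run-Time ID: 44 ")
FLOWS = [("0.0.0.0", 68, "255.255.255.255", 67, 17), ("0.0.0.0", 68, "255.255.255.255", 67, 17),
         ("10.33.27.39", 137, "10.33.27.255", 137, 17), ("192.0.2.10", 50000, "192.0.2.20", 1433, 6)]
SAMPLE = "".join(TEMPLATE.format(*flow) for flow in FLOWS)

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.33.27.0/24").most_common())
```

Broadcast drops on UDP 67/68 (DHCP) and UDP 137 (NetBIOS name service) group together, so any unicast entries stand out for closer review. The filter run-time ID in each key can be matched against the filterId entries that `netsh wfp show filters` writes to filters.xml to see which filter did the blocking.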

This topic is archived. No further replies will be accepted.