Getting a lot of Event ID 5152
I just happened to check the security logs on my Exchange 2010 server and noticed a lot of these events coming up. I'm getting them for other servers and user computers as well. What's causing this?
May 9th, 2011 11:30pm

Hi,

5152: The Windows Filtering Platform blocked a packet. This is related to your firewall, which blocks some traffic. Analyze the entire log to determine the source, the destination, the application/service that sent the packet, the protocol, and the port number.

http://blog.simaju.fr - Knowledge sharing and lessons learned.
May 10th, 2011 10:30am

Hi,

What is the operating system version on this server? Did you see event 5157 at the same time in the Security log?

ID: 5152
Message: The Windows Filtering Platform blocked a packet.

Event 5152 indicates that a packet (IP layer) is blocked. Event 5157 and Event 5152 are general Windows Firewall security audits; you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. Please try to check the detail to identify it.

Just for your information, if you want to disable the security audit from Windows Firewall, run the following command:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

For more information, please refer to the following link:
Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

Best Regards,
Nina Liu
TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 10th, 2011 1:26pm

Hi,

Any update on this issue? If there is anything that I can do for you, please feel free to let me know. Thanks.

Nina

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 13th, 2011 1:24pm

Hi guys,

I'm experiencing a similar problem too; however, we don't have the Windows Firewall enabled. Below are the Audit Failures we're receiving:

The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 0.0.0.0
    Source Port: 68
    Destination Address: 255.255.255.255
    Destination Port: 67
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 255.255.255.255
    Source Port: 67
    Destination Address: 0.0.0.0
    Destination Port: 68
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

Then we get these:

The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.39
    Source Port: 137
    Destination Address: 10.33.27.255
    Destination Port: 137
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The Windows Filtering Platform has blocked a connection.
Application Information:
    Process ID: 912
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Inbound
    Source Address: 10.33.27.255
    Source Port: 137
    Destination Address: 10.33.27.39
    Destination Port: 137
    Protocol: 0
Filter Information:
    Filter Run-Time ID: 70779
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

This server isn't running Exchange; it's running SQL Server 2008. The OS for the servers is Windows Server 2008 R2.
June 24th, 2011 3:01pm
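The advice above is to read the application, addresses, ports, protocol and filter ID out of each 5152/5157 and decide whether the traffic matters. The following is an added example (not code from the thread or from Microsoft) that does that with PowerShell: it flattens each event's XML into an object and counts drops per application, protocol, destination port and Filter Run-Time ID, so the DHCP (67/68) and NetBIOS name service (137) broadcasts in the events posted above show up as two rows instead of a wall of audit failures. The EventData field names (Application, SourceAddress, DestAddress, DestPort, Protocol, FilterRTID, ...) and the %%14592/%%14593 direction codes are assumed from the event XML as Windows Server 2008 R2 writes it; the two sample events at the bottom are constructed from the values posted above so the script also runs offline.

```powershell
# Added example, not code from the thread: parse WFP audit events 5152/5157
# into objects and summarize which application/port/filter is producing the
# noise. Field names and the %%14592/%%14593 direction codes are assumed
# from the event XML written by Windows Server 2008 R2.

$ProtocolNames  = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }
$DirectionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
# Labels for the UDP ports seen in the posted events (my labels, not Windows')
$PortLabels     = @{ 67 = 'DHCP server'; 68 = 'DHCP client'; 137 = 'NetBIOS name service' }

function ConvertFrom-WfpEvent {
    # Flatten the XML of one 5152/5157 event (what $event.ToXml() returns).
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $proto     = [int]$d['Protocol']
        $protoName = if ($ProtocolNames.ContainsKey($proto)) { $ProtocolNames[$proto] } else { "proto $proto" }
        $dir       = $d['Direction']
        $dirName   = if ($DirectionNames.ContainsKey($dir)) { $DirectionNames[$dir] } else { $dir }
        # Heuristic: limited broadcast, or a x.x.x.255 subnet broadcast (assumes /24 subnets)
        $isBroadcast = ($d['DestAddress'] -eq '255.255.255.255') -or ($d['DestAddress'] -like '*.255')

        New-Object PSObject -Property @{
            EventId     = [int]$id
            Application = $d['Application']
            Direction   = $dirName
            SrcIP       = $d['SourceAddress']
            SrcPort     = [int]$d['SourcePort']
            DstIP       = $d['DestAddress']
            DstPort     = [int]$d['DestPort']
            Protocol    = $protoName
            Broadcast   = $isBroadcast
            FilterRTID  = [int]$d['FilterRTID']
            LayerRTID   = [int]$d['LayerRTID']
        }
    }
}

function Get-WfpDropSummary {
    # Count 5152 packet drops per application / protocol / destination port / filter.
    param([Parameter(ValueFromPipeline=$true)]$Event)
    begin { $all = @() }
    process { $all += $Event }
    end {
        $all | Where-Object { $_.EventId -eq 5152 } |
            Group-Object Application, Protocol, DstPort, FilterRTID |
            Sort-Object Count -Descending |
            Select-Object Count,
                @{ n = 'Application'; e = { $_.Group[0].Application } },
                @{ n = 'Protocol';    e = { $_.Group[0].Protocol } },
                @{ n = 'DstPort';     e = { $_.Group[0].DstPort } },
                @{ n = 'Label';       e = { $p = $_.Group[0].DstPort; if ($PortLabels.ContainsKey($p)) { $PortLabels[$p] } else { '' } } },
                @{ n = 'Broadcast';   e = { $_.Group[0].Broadcast } },
                @{ n = 'FilterRTID';  e = { $_.Group[0].FilterRTID } }
    }
}

# Live use (elevated prompt): the last 2000 WFP audit events from the Security log.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } -MaxEvents 2000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-WfpEvent | Get-WfpDropSummary | Format-Table -AutoSize

# Offline run on two constructed events copied from the values posted above.
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5152</EventID><Channel>Security</Channel></System><EventData><Data Name="ProcessId">912</Data><Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data><Data Name="Direction">%%14592</Data><Data Name="SourceAddress">0.0.0.0</Data><Data Name="SourcePort">68</Data><Data Name="DestAddress">255.255.255.255</Data><Data Name="DestPort">67</Data><Data Name="Protocol">17</Data><Data Name="FilterRTID">70779</Data><Data Name="LayerRTID">44</Data></EventData></Event>
'@
$Sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5152</EventID><Channel>Security</Channel></System><EventData><Data Name="ProcessId">912</Data><Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data><Data Name="Direction">%%14592</Data><Data Name="SourceAddress">10.33.27.39</Data><Data Name="SourcePort">137</Data><Data Name="DestAddress">10.33.27.255</Data><Data Name="DestPort">137</Data><Data Name="Protocol">17</Data><Data Name="FilterRTID">70779</Data><Data Name="LayerRTID">44</Data></EventData></Event>
'@
@($Sample1, $Sample2) | ConvertFrom-WfpEvent | Get-WfpDropSummary | Format-Table -AutoSize
```

On the two sample events this yields one row for svchost.exe/UDP/67 (DHCP server, broadcast) and one for svchost.exe/UDP/137 (NetBIOS name service, broadcast), both dropped by filter 70779. Run against the live log, the Count column is what tells you whether a given drop is background broadcast noise or something worth a closer look; 5157 records are parsed too but deliberately left out of the summary, since they duplicate the 5152 for the same packet at the connection layer.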

The reason this is happening to the original posting user is that the firewall was most likely disabled in the services control panel. To stop the blocking, it is not sufficient to just turn off the alerting via the audits; rather, just ENABLING WINDOWS FIREWALL will immediately stop the blocking, as long as the firewall rules are set to allow/disallow traffic accordingly. Turning off the auditing is not recommended, as the problem would not have become apparent until a diagnostic investigation uncovered the issue. The replies in this thread were all intelligent and decent attempts to answer the original post, but after going through many of these articles I found no response that simply said to check whether the firewall was turned off and turn it back on. A simple answer fixes a problem that seemingly took many users a lot of time to resolve. Success to all.
August 24th, 2011 12:53pm
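The post above boils down to two checks: is the Windows Firewall service actually running, and which WFP filter is the Filter Run-Time ID in the event pointing at. The following is an added example (not code from the thread) that does both from PowerShell. It reads the MpsSvc and BFE service states and the per-profile ON/OFF from netsh advfirewall, then dumps the live filter set with "netsh wfp show filters" and finds the filter whose runtime ID matches a 5152/5157 event. The layout of the netsh XML dump (filters/item with filterId, displayData/name, layerKey, action/type) is assumed from the tool's output rather than taken from anything in this thread, and both functions need an elevated prompt.

```powershell
# Added example, not code from the thread: check whether Windows Firewall is
# actually on, then map a 5152/5157 "Filter Run-Time ID" to the WFP filter
# that dropped the packet. The wfpdiag XML element names are assumed from
# the output of "netsh wfp show filters". Run from an elevated prompt.

function Get-FirewallState {
    # MpsSvc is the Windows Firewall service; BFE is the Base Filtering Engine
    # that the WFP filters (and the 5152/5157 audits) come from. The firewall
    # can be off while BFE is still filtering, which is what the posts above show.
    $state = @{}
    foreach ($name in 'MpsSvc', 'BFE') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($svc) { "$($svc.Status)" } else { 'not installed' }
    }
    # Per-profile ON/OFF from the "State" line under each profile heading
    $lines   = netsh advfirewall show allprofiles state
    $profile = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings') { $profile = $Matches[1] }
        elseif ($profile -and $line -match '^State\s+(\w+)') { $state["$profile profile"] = $Matches[1] }
    }
    New-Object PSObject -Property $state
}

function Find-WfpFilter {
    # Dump the live filter set and return the filter whose runtime id matches
    # the FilterRTID shown in a 5152/5157 event.
    param(
        [Parameter(Mandatory=$true)][int]$FilterRTID,
        [string]$DumpPath = (Join-Path $env:TEMP 'wfp-filters.xml')   # assumed location, any writable path works
    )
    netsh wfp show filters file="$DumpPath" | Out-Null
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($DumpPath)
    foreach ($f in $xml.wfpdiag.filters.item) {
        if ([int]$f.filterId -ne $FilterRTID) { continue }
        New-Object PSObject -Property @{
            FilterId    = [int]$f.filterId
            Name        = $f.displayData.name
            Description = $f.displayData.description
            Layer       = $f.layerKey
            SubLayer    = $f.subLayerKey
            Action      = $f.action.type
            Provider    = $f.providerKey
        }
    }
}

Get-FirewallState | Format-List
# 70779 is the Filter Run-Time ID from the events posted earlier in the thread
Find-WfpFilter -FilterRTID 70779 | Format-List
```

If Get-FirewallState shows MpsSvc stopped while BFE is running, you are in the situation the post describes: the service that owns the allow rules is off, but the filtering engine is still there. Find-WfpFilter then tells you whose filter is doing the dropping (the Provider and Name fields), which is the evidence to keep before deciding between enabling the firewall with proper rules and silencing the audit.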

Try running these PowerShell commands to get a better look at things.

# Collect every 5152 (WFP packet drop) from the Security log
$events = Get-EventLog -LogName Security | Where-Object { $_.InstanceId -eq 5152 }

# Pull the interesting fields out of the message text and attach them as properties
$events | ForEach-Object {
    $e = $_
    if ($e.Message -match "Source Address:\s+(\S+)")      { $e | Add-Member -MemberType NoteProperty -Name SrcIP   -Value $Matches[1] }
    if ($e.Message -match "Destination Address:\s+(\S+)") { $e | Add-Member -MemberType NoteProperty -Name DstIP   -Value $Matches[1] }
    if ($e.Message -match "Source Port:\s+(\S+)")         { $e | Add-Member -MemberType NoteProperty -Name SrcPort -Value $Matches[1] }
    if ($e.Message -match "Destination Port:\s+(\S+)")    { $e | Add-Member -MemberType NoteProperty -Name DstPort -Value $Matches[1] }
    if ($e.Message -match "Application Name:\s+(\S+)")    { $e | Add-Member -MemberType NoteProperty -Name AppName -Value $Matches[1] }
}

# One row per drop
$events | Format-Table SrcIP, SrcPort, DstIP, DstPort, AppName -AutoSize
August 24th, 2011 2:02pm
