Is it a bad idea to turn off filtering platform packet drop auditing?
Some of my Windows Server 2008 R2 servers get their Security event logs filled up by blocked packet events from Windows Filtering Platform, causing more useful events to be overwritten. Looking at the destination ports, I can see that most of the blocked traffic is broadcasts by Dropbox and Drobo. Is it okay to disable auditing of packet drops? I just don't want to disable it and suddenly find myself needing to know where some malicious network activity came from (what's the best way to get that info?).
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:          0
    Application Name:    -

Network Information:
    Direction:           Inbound
    Source Address:      xx.xx.xx.yyy
    Source Port:         17500
    Destination Address: xx.xx.xx.255
    Destination Port:    17500
    Protocol:            17

Filter Information:
    Filter Run-Time ID:  352483
    Layer Name:          Transport
    Layer Run-Time ID:   13
July 5th, 2012 2:39pm
Hi,
Have you disabled the firewall service? First, I would like to explain that this event 5157 is just an information event (Level: Information). In other words, it doesn't mean the system has an issue/problem. The auditing event is normally generated by a blocked connection, such as dropping the broadcast, but it fills the Security event log. Given this situation, I would like to recommend that we disable the auditing.
Many 5159 events are logged in the Security event log after you disable Windows Firewall and enable the "Filtering Platform Connection" auditing policy
http://support.microsoft.com/kb/969257
Enabling Audit Events for Windows Firewall with Advanced Security
http://technet.microsoft.com/en-us/library/ff428143(WS.10).aspx
The Windows Filtering Platform has blocked a bind to a local port
http://blogs.technet.com/b/instan/archive/2009/01/08/the-windows-filtering-platform-has-blocked-a-bind-to-a-local-port.aspx
Best Regards,
Aiden
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Aiden Cao
TechNet Community Support
July 5th, 2012 11:00pm
Windows Firewall is on, and these are actually 5152 events. Does your suggestion remain the same?
July 6th, 2012 7:23pm
Hi,
Sorry for the delay.
Event 5157 indicates that a connection (Transport layer) is blocked, while Event 5152 indicates that a packet (IP layer) is blocked. Generally, we enable firewall security auditing for the event detail of the blocked connection attempt, to decide whether the attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. But if it's filling your Security event log, the suggestion is the same: I recommend disabling it.
Best Regards,
Aiden
July 10th, 2012 10:03pm
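Before switching the subcategory off, it helps to know what is actually filling the log. The PowerShell script below is an added example (it is not part of the thread and not Microsoft's code): it pulls the last N hours of event 5152 from the Security log, groups the drops by direction, protocol and destination port, flags buckets that are pure broadcast traffic (destination ending in .255, like the 17500/udp Dropbox traffic in the question), and then shows the `auditpol` state of the two subcategories Aiden distinguishes (Packet Drop produces 5152, Connection produces 5157). The field names it reads from the event XML (SourceAddress, DestAddress, DestPort, Protocol, Direction, FilterRTID) are the ones the 5152 template uses; the `-Hours` and `-Top` parameters and the script name are assumptions for this example. It assumes PowerShell 2.0 or later on Server 2008 R2 and an elevated prompt, since reading the Security log requires it.

```powershell
# Added example (not from the thread): summarise WFP packet-drop audits (event 5152)
# so you can see what is flooding the Security log before turning the subcategory off.
# Assumes PowerShell 2.0+ on Windows Server 2008 R2 and an elevated prompt.
param(
    [int]$Hours = 24,   # how far back to look (assumed parameter)
    [int]$Top   = 15    # how many direction/protocol/port buckets to print (assumed parameter)
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 5152; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 5152 events in the last $Hours hours."; return }

# Read the fields from each event's XML instead of scraping the rendered message text.
# Direction arrives as a resource id: %%14592 = Inbound, %%14593 = Outbound.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Direction   = $(if ($d['Direction'] -eq '%%14592') { 'Inbound' } else { 'Outbound' })
        Source      = $d['SourceAddress']
        DestAddress = $d['DestAddress']
        DestPort    = [int]$d['DestPort']
        Protocol    = [int]$d['Protocol']     # 6 = TCP, 17 = UDP
        FilterRTID  = $d['FilterRTID']        # matches "Filter Run-Time ID" in the event text
    }
}

# Bucket by direction/protocol/port. BroadcastOnly is true when every drop in the bucket
# went to a .255 address, i.e. LAN broadcast noise rather than something aimed at this host.
$summary = $rows | Group-Object Direction, Protocol, DestPort |
    Sort-Object Count -Descending | Select-Object -First $Top | ForEach-Object {
        $g = $_.Group
        New-Object PSObject -Property @{
            Count         = $_.Count
            Direction     = $g[0].Direction
            Protocol      = $g[0].Protocol
            DestPort      = $g[0].DestPort
            BroadcastOnly = (@($g | Where-Object { $_.DestAddress -notmatch '\.255$' }).Count -eq 0)
            Sources       = (($g | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', ')
        }
    }
$summary | Format-Table Count, Direction, Protocol, DestPort, BroadcastOnly, Sources -AutoSize

# Current state of the two subcategories discussed in the thread.
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"

# Once the top buckets are confirmed to be only known broadcasts, this stops the flood:
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
# To keep a record of dropped packets without writing them to the Security log, the
# firewall's own text log (pfirewall.log) can record drops instead:
#   netsh advfirewall set allprofiles logging droppedconnections enable
#   netsh advfirewall set allprofiles logging maxfilesize 8192
```

Run it as `.\Summarize-WfpDrops.ps1 -Hours 48` from an elevated prompt. If the top buckets all show `BroadcastOnly` as True with the handful of source addresses you expect, the 5152 audit is telling you nothing the firewall log would not, and disabling the Packet Drop subcategory loses little; keep the Connection subcategory (5157) on if you want to retain per-connection block detail, and consider enlarging the Security log or forwarding it so that whatever you keep is not overwritten.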
Great, thanks for the info.
July 11th, 2012 11:48am