Is it a bad idea to turn off filtering platform packet drop auditing?
Some of my Windows Server 2008 R2 servers get their Security event logs filled up by blocked packet events from Windows Filtering Platform, causing more useful events to be overwritten. Looking at the destination ports, I can see that most of the blocked traffic is broadcasts by Dropbox and Drobo. Is it okay to disable auditing of packet drops? I just don't want to disable it and suddenly find myself needing to know where some malicious network activity came from (what's the best way to get that info?).

The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID: 0
    Application Name: -
Network Information:
    Direction: Inbound
    Source Address: xx.xx.xx.yyy
    Source Port: 17500
    Destination Address: xx.xx.xx.255
    Destination Port: 17500
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 352483
    Layer Name: Transport
    Layer Run-Time ID: 13
July 5th, 2012 2:39pm

Hi,

Have you disabled the firewall service?

First, I would like to explain that this event 5157 is just an information event (Level: Information). In other words, it doesn't mean the system has an issue/problem. If the auditing event is normally generated by a blocked connection, such as a dropped broadcast, but it fills the security event log, then given this situation I would like to recommend that we disable the auditing.

Many 5159 events are logged in the Security event log after you disable Windows Firewall and enable the "Filtering Platform Connection" auditing policy
http://support.microsoft.com/kb/969257

Enabling Audit Events for Windows Firewall with Advanced Security
http://technet.microsoft.com/en-us/library/ff428143(WS.10).aspx

The Windows Filtering Platform has blocked a bind to a local port
http://blogs.technet.com/b/instan/archive/2009/01/08/the-windows-filtering-platform-has-blocked-a-bind-to-a-local-port.aspx

Best Regards,
Aiden Cao
TechNet Community Support
July 5th, 2012 11:00pm

Windows Firewall is on, and these are actually 5152 events. Does your suggestion remain the same?
July 6th, 2012 7:23pm

Hi,

Sorry for the delay. Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked. Generally, we enable firewall security audit for the event detail of the blocked connection attempt to decide whether the attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it. But if it's filling your security event log, the suggestion is the same: it is recommended to disable it.

Best Regards,
Aiden Cao
TechNet Community Support
July 10th, 2012 10:03pm
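
One way to check, before turning the audit subcategory off, that the 5152 events really are broadcast noise, and to pull out the drops that were aimed at a specific host. This is an added example, not part of the original thread; the sample events, the addresses and the `LOCAL_NET` subnet are constructed assumptions, and the input is assumed to be Security log text exported in the message layout shown in the question.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the audited servers sit on this subnet; change it to match yours.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
HEADER = "The Windows Filtering Platform has blocked a packet."
FIELD = re.compile(r"(Source Address|Source Port|Destination Address|"
                   r"Destination Port|Protocol):\s*(\S+)")

# Constructed sample: event 5152 messages in the layout shown in the question.
SAMPLE = "\n".join(
    f"{HEADER} Network Information: Direction: Inbound Source Address: {src} "
    f"Source Port: {sport} Destination Address: {dst} "
    f"Destination Port: {dport} Protocol: {proto}"
    for src, sport, dst, dport, proto in [
        ("192.0.2.10", 17500, "192.0.2.255", 17500, 17),
        ("192.0.2.11", 17500, "192.0.2.255", 17500, 17),
        ("192.0.2.10", 17500, "255.255.255.255", 17500, 17),
        ("198.51.100.7", 51512, "192.0.2.20", 3389, 6),
    ])

def parse_events(text):
    """Split exported log text on the 5152 header and pull out the fields."""
    events = [dict(FIELD.findall(chunk)) for chunk in text.split(HEADER)[1:]]
    return [e for e in events if len(e) == 5]  # skip truncated records

def is_broadcast_or_multicast(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # redacted or malformed address: keep it for review
        return False
    return (ip.is_multicast or ip == LOCAL_NET.broadcast_address
            or ip == ipaddress.ip_address("255.255.255.255"))

def summarize(events):
    """Count broadcast/multicast drops per (protocol, port); keep the rest."""
    noise, directed = Counter(), []
    for e in events:
        if is_broadcast_or_multicast(e["Destination Address"]):
            noise[(int(e["Protocol"]), int(e["Destination Port"]))] += 1
        else:
            directed.append(e)
    return noise, directed

if __name__ == "__main__":
    noise, directed = summarize(parse_events(SAMPLE))
    print("broadcast/multicast drops by (protocol, port):", dict(noise))
    for e in directed:
        print("directed drop:", e["Source Address"], "->",
              e["Destination Address"], "port", e["Destination Port"])
```

If the directed list stays empty or uninteresting over a representative period, the log volume is discovery chatter; if not, those records are the ones that would be lost when the auditing is disabled.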

Great, thanks for the info.
July 11th, 2012 11:48am

This topic is archived. No further replies will be accepted.
