Massive 5157 and 5152 Security Events Windows Filtering Platform
One of our Windows 2008 Servers is logging massive errors very similar to the ones below, 3-4 per second. All the posts on this matter point to solutions that either don't apply or the suggestion is to turn off auditing, which seems like bad practice to me. These errors are all over the map of our network. No specific service or obvious culprit. Does anyone know how to quiet this chatter down without turning off auditing? It's only happening on this one server. It is a Domain Controller.

The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID: 4
    Application Name: System

Network Information:
    Direction: Inbound
    Source Address: X.X.X.X
    Source Port: 5
    Destination Address: X.X.X.X
    Destination Port: 0
    Protocol: 1

Filter Information:
    Filter Run-Time ID: 0
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44
April 29th, 2011 11:08pm

Hi,

According to my research, Event 5157 indicates that a connection (Transport layer) is blocked, while Event 5152 indicates that a packet (IP layer) is blocked. As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time. So, the behavior is expected.

To stop the events, you can disable the auditing accordingly by using the auditpol tool.

For the detailed information, please refer to the following threads:

Firewall. EventId 5152 and 5157.
http://social.technet.microsoft.com/forums/en-US/winserversecurity/thread/9cb175a1-78fb-452e-b59d-0416940c2d20/

Event IDs: 5152, 5157, 5159 - Windows firewall is turned off
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/8fe9fe1a-15ee-48f8-951e-0717877e1741

Regards,
Arthur Li
TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 2nd, 2011 6:15am
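Before acting on the answer above, it is worth confirming that the flood really is the ICMP pseudo-connection noise it describes and not a blocked service. The following PowerShell is an added example written for this thread, not code from either poster or from Microsoft; it assumes an elevated session on the affected domain controller with read access to the Security log, and the field names it reads (Protocol, DestPort, Application, Direction, FilterRTID) are the EventData names carried by events 5152 and 5157.

```powershell
# Summarise WFP drop events (5152 = packet dropped, 5157 = connection blocked)
# from the Security log so the noise can be attributed before any audit setting
# is changed. Adjust -MaxEvents to the volume you are seeing (3-4/s fills 5000 fast).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                       -MaxEvents 5000 -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read the named EventData fields out of the event XML; the rendered
    # message text is locale-dependent and less reliable to parse.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Id          = $e.Id
        Protocol    = $d['Protocol']     # 1 = ICMP, 6 = TCP, 17 = UDP
        Direction   = $d['Direction']    # raw value: %%14592 = Inbound, %%14593 = Outbound
        DestPort    = $d['DestPort']
        Application = $d['Application']
        FilterRTID  = $d['FilterRTID']   # 0 = no explicit firewall rule matched
    }
}

# Top combinations. If nearly everything is Protocol 1 / FilterRTID 0 / System,
# it is the ICMP pseudo-connection pattern from the answer, not a blocked service;
# a large share of Protocol 6 or 17 with a real DestPort deserves a closer look.
$rows | Group-Object Id, Protocol, Direction, DestPort, Application, FilterRTID |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 |
    Format-Table -AutoSize

# Narrower than switching auditing off wholesale: 5152/5157 come only from the
# failure side of these two "Object Access" subcategories. Check the current
# state first with: auditpol /get /category:"Object Access"
# Note that a GPO-managed audit policy will reapply its own setting at refresh.
# auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
# auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
```

The two auditpol lines are left commented so the summary can be reviewed before the failure audits for those subcategories are turned off; success auditing for the same subcategories is untouched either way.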

I was hoping to avoid turning off auditing as I've seen similar answers to this same question elsewhere. However, based on your response it appears as though I can safely turn off auditing on these events.
May 3rd, 2011 12:45am
