Firewall. EventId 5152 and 5157.

Tue, 01 Apr 2008 04:09:48 Z

In my security eventlog event with ID 5157 (The Windows Filtering Platform has blocked a connection) is always followed by event with id 5152 (The Windows Filtering Platform blocked a packet). What a difference between this events? Can I safely ignore the 5157 events when I design OpsMgr ACS reports?

Firewall. EventId 5152 and 5157.

Wed, 02 Apr 2008 08:45:06 Z

Hi,

ID Message

5152 The Windows Filtering Platform blocked a packet.

5157 The Windows Filtering Platform has blocked a connection.

Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked.

It is expected that system first logs the event of blocking a connection then the event of blocking a packet when a connection is restricted by a block rule.

For Event 5157 and Event 5152 are general Windows Firewall security audit, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it.

Please try to check the detail to indentify the connection:

------------

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: PID

Application Name: process_name

Network Information:
Direction: outbound or inbound
Source Address: source_ip

Source Port:
Destination Address: des_ip

Destination Port:
Protocol:

------------

By the way, just for your information, if you want to disable the security audit from the Windows Firewall, run 'auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /successisable /failureisable' in the command prompt.

More information about Windows Firewall feature in Windows Server 2008

http://technet2.microsoft.com/windowsserver2008/en/library/c042b3c5-dee1-4a31-ac35-e90e846290441033.mspx

Hope it helps.

Firewall. EventId 5152 and 5157.

Wed, 02 Apr 2008 12:53:49 Z

Thank you Miles.

Please try to check the detail to indentify the connection

Of course I did. I can't understand this:

First (and most important):

In the "Protocol:" field of event I see UDP or ICMP protocol numbers. In both (5152 and 5157) events. ICMP can establish a connection?

Second:

Can you block a connection and dont drop a corresponding packets? Can you drop a packets and dont break a corresponding connection? Why we need 2 different events?

Firewall. EventId 5152 and 5157.

Tue, 08 Apr 2008 05:31:20 Z

Hi,

It is not so accurate in my last post.

"Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."

The meaning of the word 'connection' in Event 5157 is not the same as the connection in OSI model transport layer.

There are three kinds of flows that are defined as CONNECTION:

TCP ALE Flow

UDP ALE Flow (Protocols that are not TCP or ICMP are treated like UDP.)

ICMP ALE Flow

As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.

So, this should be expected.

For more information about ALE Filtering:

Application Layer Enforcement (ALE) Stateful Filtering

http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx

Hope it helps.

Firewall. EventId 5152 and 5157.

Tue, 25 Aug 2009 17:01:46 Z

I have searched all over the forums and websites, pulled out my propellor after installing hotfixes and I cannot get these event id's to go away on a Windows 2000 Server, any ideas?

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1015
Date:  24.Aug.09
Time:  20:42:00
User:  N/A
Computer: PISERVER
Description:
The timeout waiting for the performance data collection function "PerfDisk" in the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date:  25.Aug.09
Time:  09:33:44
User:  N/A
Computer: PISERVER
Description:
The redirector was unable to initialize security context or query context attributes.
Data:
0000: 00 00 08 00 02 00 56 00   ......V.
0008: 00 00 00 00 da 0b 00 80   ....Ú..€
0010: 00 00 00 00 5f 00 00 c0   ...._..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: f3 04 00 00 5f 00 00 c0   ó..._..À

eph61820