Firewall. EventId 5152 and 5157.
In my security event log, an event with ID 5157 (The Windows Filtering Platform has blocked a connection) is always followed by an event with ID 5152 (The Windows Filtering Platform blocked a packet). What is the difference between these events? Can I safely ignore the 5157 events when I design OpsMgr ACS reports?
Answers
Hi,
It is not so accurate in my last post.
"Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."
The meaning of the word 'connection' in Event 5157 is not the same as the connection in OSI model transport layer.
There are three kinds of flows that are defined as CONNECTION:
TCP ALE Flow
UDP ALE Flow (Protocols that are not TCP or ICMP are treated like UDP.)
ICMP ALE Flow
As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.
So, this should be expected.
For more information about ALE Filtering:
Application Layer Enforcement (ALE) Stateful Filtering
http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx
Hope it helps.
All replies
Hi,
ID Message
5152 The Windows Filtering Platform blocked a packet.
5157 The Windows Filtering Platform has blocked a connection.
Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked.
It is expected that system first logs the event of blocking a connection then the event of blocking a packet when a connection is restricted by a block rule.
For Event 5157 and Event 5152 are general Windows Firewall security audit, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it.
Please try to check the detail to identify the connection:
------------
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: PID
Application Name: process_name
Network Information:
Direction: outbound or inbound
Source Address: source_ip
Source Port:
Destination Address: des_ip
Destination Port:
Protocol:
------------
By the way, just for your information, if you want to disable the security audit from the Windows Firewall, run 'auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable' in the command prompt.
More information about Windows Firewall feature in Windows Server 2008
Hope it helps.
Thank you Miles.
"Please try to check the detail to identify the connection"
Of course I did. I can't understand this:
First (and most important):
In the "Protocol:" field of event I see UDP or ICMP protocol numbers. In both (5152 and 5157) events. ICMP can establish a connection?
Second:
Can you block a connection and not drop the corresponding packets? Can you drop packets and not break the corresponding connection? Why do we need 2 different events?
Hi,
It is not so accurate in my last post.
"Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."
The meaning of the word 'connection' in Event 5157 is not the same as the connection in OSI model transport layer.
There are three kinds of flows that are defined as CONNECTION:
TCP ALE Flow
UDP ALE Flow (Protocols that are not TCP or ICMP are treated like UDP.)
ICMP ALE Flow
As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.
So, this should be expected.
For more information about ALE Filtering:
Application Layer Enforcement (ALE) Stateful Filtering
http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx
Hope it helps.
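As an added example (not code from this thread, from Miles, or from Microsoft), here is how a report pipeline could collapse the paired events described above into one blocked-flow row per drop, which is the check the original question needs before deciding whether 5157 can be left out of an ACS report. It assumes the 'Field: value' layout of the 5157 description quoted above, adds constructed 'Event ID' and 'Time' lines to stand in for the record header, and pairs events on process, direction and the 5-tuple within a one-second window (an assumption). It goes slightly beyond the thread by accepting either logging order, not only 5157 followed by 5152.

```python
"""Collapse paired Windows Filtering Platform audit events (5157 connection
blocked + 5152 packet blocked) into one blocked-flow row per drop.

Added example, not code from the thread. Sample events are constructed; the
one-second pairing window is an assumption.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# IANA protocol numbers that appear in the "Protocol:" field of both events.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass(frozen=True)
class WfpEvent:
    time: datetime
    event_id: int        # 5152 (packet) or 5157 (ALE flow, the "connection")
    pid: int
    app: str
    direction: str       # "Inbound" or "Outbound"
    src: str
    sport: int
    dst: str
    dport: int
    protocol: int

    def flow_key(self):
        """Process, direction and 5-tuple: identical for both events of one drop."""
        return (self.pid, self.direction, self.src, self.sport,
                self.dst, self.dport, self.protocol)

def parse_event(text):
    """Build a WfpEvent from 'Field: value' lines (only the first ':' splits)."""
    fields = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return WfpEvent(
        time=datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S.%f"),
        event_id=int(fields["Event ID"]), pid=int(fields["Process ID"]),
        app=fields["Application Name"], direction=fields["Direction"],
        src=fields["Source Address"], sport=int(fields["Source Port"]),
        dst=fields["Destination Address"], dport=int(fields["Destination Port"]),
        protocol=int(fields["Protocol"]))

def correlate(events, window=timedelta(seconds=1)):
    """Return (paired, unmatched): paired holds (5157, 5152) tuples sharing a
    flow key within `window`, whichever was logged first; leftovers are unmatched."""
    pending = {}                   # flow_key -> event awaiting its counterpart
    paired, unmatched = [], []
    for ev in sorted(events, key=lambda e: e.time):
        key = ev.flow_key()
        other = pending.get(key)
        if (other is not None and other.event_id != ev.event_id
                and ev.time - other.time <= window):
            del pending[key]
            paired.append((other, ev) if other.event_id == 5157 else (ev, other))
        else:
            if other is not None:  # stale, or a repeat of the same event ID
                unmatched.append(pending.pop(key))
            pending[key] = ev
    unmatched.extend(pending.values())
    return paired, unmatched

def describe(ev, source):
    proto = PROTOCOL_NAMES.get(ev.protocol, str(ev.protocol))
    return (f"{ev.time:%H:%M:%S} {source:<9} {ev.direction:<8} {proto:<4} "
            f"{ev.app} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}")

def report_rows(events):
    """One row per blocked flow: a 5157/5152 pair collapses into a single row."""
    paired, unmatched = correlate(events)
    return ([describe(conn, "5157+5152") for conn, _ in paired]
            + [describe(ev, str(ev.event_id)) for ev in unmatched])

# Constructed sample: an inbound ICMP drop logged as 5157 then 5152 (the order
# the thread describes), a UDP drop logged in the opposite order, and a lone
# 5152 for a TCP SYN that has no matching 5157.
ICMP_CONN = parse_event("""
Event ID: 5157
Time: 2009-08-24 20:42:00.100
Process ID: 4
Application Name: System
Direction: Inbound
Source Address: 192.0.2.10
Source Port: 0
Destination Address: 192.0.2.20
Destination Port: 0
Protocol: 1
""")
ICMP_PKT = replace(ICMP_CONN, event_id=5152, time=ICMP_CONN.time + timedelta(milliseconds=5))
UDP_PKT = replace(ICMP_PKT, time=datetime(2009, 8, 24, 20, 42, 1), protocol=17, sport=51000, dport=53)
UDP_CONN = replace(UDP_PKT, event_id=5157, time=UDP_PKT.time + timedelta(milliseconds=200))
TCP_PKT = replace(ICMP_PKT, time=datetime(2009, 8, 24, 20, 42, 2), protocol=6, sport=49152, dport=445)
SAMPLE_EVENTS = [ICMP_CONN, ICMP_PKT, UDP_PKT, UDP_CONN, TCP_PKT]

if __name__ == "__main__":
    for row in report_rows(SAMPLE_EVENTS):
        print(row)
```

Run it as a script to print one row per blocked flow. Whatever ends up in the unmatched list (a 5152 with no 5157 for the same flow, or the reverse) is exactly the case where dropping one event ID from a report would lose a blocked flow, so that list is worth reviewing before 5157 is excluded.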
I have searched all over the forums and websites, pulled out my propeller after installing hotfixes, and I cannot get these event IDs to go away on a Windows 2000 Server. Any ideas?
Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1015
Date: 24.Aug.09
Time: 20:42:00
User: N/A
Computer: PISERVER
Description:
The timeout waiting for the performance data collection function "PerfDisk" in the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.
Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date: 25.Aug.09
Time: 09:33:44
User: N/A
Computer: PISERVER
Description:
The redirector was unable to initialize security context or query context attributes.
Data:
0000: 00 00 08 00 02 00 56 00 ......V.
0008: 00 00 00 00 da 0b 00 80 ....Ú..
0010: 00 00 00 00 5f 00 00 c0 ...._..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: f3 04 00 00 5f 00 00 c0 ó..._..À
eph61820