Windows Server TechCenter > Windows Server Forums > Security
Firewall. EventId 5152 and 5157.

  • Tuesday, April 01, 2008 4:09 AM | Alexey Zhuravlev - G14 (MVP)

    In my security event log, the event with ID 5157 (The Windows Filtering Platform has blocked a connection) is always followed by an event with ID 5152 (The Windows Filtering Platform blocked a packet). What is the difference between these events? Can I safely ignore the 5157 events when I design OpsMgr ACS reports?

Answers

  • Tuesday, April 08, 2008 5:31 AM | Miles Li – MSFT (Moderator) | Marked as answer

    Hi,

    My last post was not quite accurate:

    "Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked."

    The meaning of the word 'connection' in Event 5157 is not the same as a connection in the OSI model transport layer.

    There are three kinds of flows that are defined as a CONNECTION:

    TCP ALE Flow
    UDP ALE Flow (protocols that are not TCP or ICMP are treated like UDP)
    ICMP ALE Flow

    As UDP and ICMP are not connection-oriented protocols, the request and echo flows are defined as pseudo-connections here. In this case, WFP is dropping an ICMP packet and blocking a pseudo-connection (a request and echo flow) at the same time.

    So, this should be expected.

    For more information about ALE filtering:

    Application Layer Enforcement (ALE) Stateful Filtering
    http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx

    Hope it helps.

All Replies

  • Wednesday, April 02, 2008 8:45 AM | Miles Li – MSFT (Moderator)

    Hi,

    ID       Message
    5152   The Windows Filtering Platform blocked a packet.
    5157   The Windows Filtering Platform has blocked a connection.

    Event 5157 indicates that a connection (Transport layer) is blocked while Event 5152 indicates that a packet (IP layer) is blocked.

    It is expected that the system first logs the event of blocking a connection and then the event of blocking a packet when a connection is restricted by a block rule.

    As Event 5157 and Event 5152 are general Windows Firewall security audit events, you should look into the event detail of the blocked connection attempt to decide whether that attempt should be allowed. If the connection attempt is malicious or not necessary in your environment, you can safely ignore it.

    Please try to check the detail to identify the connection:

    ------------
    The Windows Filtering Platform has blocked a connection.

    Application Information:
     Process ID:  PID
     Application Name: process_name

    Network Information:
     Direction:  outbound or inbound
     Source Address:  source_ip
     Source Port:
     Destination Address: des_ip
     Destination Port:
     Protocol:
    ------------

    By the way, just for your information, if you want to disable the security audit from the Windows Firewall, run the following in the command prompt:

    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

    More information about the Windows Firewall feature in Windows Server 2008:
    http://technet2.microsoft.com/windowsserver2008/en/library/c042b3c5-dee1-4a31-ac35-e90e846290441033.mspx

    Hope it helps.

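The pairing described in the accepted answer (each 5157 pseudo-connection block arriving together with a 5152 packet drop) and the rendered event detail quoted in Miles Li's first reply, as an added example that is not part of the thread: a Python script that parses 5152/5157 detail blocks in that layout, classifies each by the ALE flow kind the answer lists (TCP, ICMP, everything else treated like UDP), and collapses a 5157 and the matching 5152 that follows it into one report row, which is the deduplication Alexey is asking about for ACS reports. The record ids, addresses, process names and the `max_gap` window are assumptions made for this example; the field labels are the ones quoted in the reply, and the sample events are constructed, not captured log data.

```python
"""Correlate WFP audit events 5157 (connection blocked) with the 5152
(packet dropped) events that follow them, one report row per attempt.
Sample events are constructed for this example, not captured log data."""
import re
from collections import deque

# Field labels as they appear in the rendered event detail quoted in the thread.
FIELD_PATTERNS = {
    "pid": r"Process ID:\s*(\S*)",
    "app": r"Application Name:\s*(.*)",
    "direction": r"Direction:\s*(\S*)",
    "src": r"Source Address:\s*(\S*)",
    "sport": r"Source Port:\s*(\S*)",
    "dst": r"Destination Address:\s*(\S*)",
    "dport": r"Destination Port:\s*(\S*)",
    "proto": r"Protocol:\s*(\S*)",
}


def render(event_id, pid, app, direction, src, sport, dst, dport, proto):
    """Build a detail block in the rendered layout (used only for sample data)."""
    head = ("The Windows Filtering Platform has blocked a connection." if event_id == 5157
            else "The Windows Filtering Platform blocked a packet.")
    return (f"{head}\nApplication Information:\n Process ID:  {pid}\n"
            f" Application Name: {app}\nNetwork Information:\n Direction:  {direction}\n"
            f" Source Address:  {src}\n Source Port:  {sport}\n"
            f" Destination Address: {dst}\n Destination Port:  {dport}\n Protocol:  {proto}")


# (record id, event id, rendered detail). Constructed sample; ids are in log order.
SVCHOST = r"\device\harddiskvolume1\windows\system32\svchost.exe"
SAMPLE_EVENTS = [
    (1001, 5157, render(5157, 4, "System", "Inbound", "192.0.2.10", 0, "192.0.2.20", 0, 1)),
    (1002, 5152, render(5152, 4, "System", "Inbound", "192.0.2.10", 0, "192.0.2.20", 0, 1)),
    (1003, 5157, render(5157, 1234, SVCHOST, "Inbound", "192.0.2.30", 50000, "192.0.2.20", 161, 17)),
    (1004, 5152, render(5152, 1234, SVCHOST, "Inbound", "192.0.2.30", 50000, "192.0.2.20", 161, 17)),
    (1005, 5152, render(5152, 4, "System", "Inbound", "198.51.100.5", 44321, "192.0.2.20", 445, 6)),
]


def parse_event(record_id, event_id, detail):
    """Extract the fields of one rendered 5152/5157 detail block."""
    ev = {"record_id": record_id, "event_id": event_id}
    for key, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, detail)
        ev[key] = m.group(1).strip() if m else ""
    ev["proto"] = int(ev["proto"]) if ev["proto"].isdigit() else None
    return ev


def ale_flow_kind(proto):
    """ALE flow class from the accepted answer: TCP and ICMP have their own
    flows; any other protocol number is treated like UDP."""
    return {6: "TCP", 1: "ICMP"}.get(proto, "UDP")


def flow_key(ev):
    """Fields shared by a 5157 and the 5152 logged for the same attempt."""
    return (ev["pid"], ev["app"].lower(), ev["direction"].lower(),
            ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])


def _row(conn, pkt):
    src = conn or pkt
    return {"first_record": min(e["record_id"] for e in (conn, pkt) if e),
            "conn_record": conn["record_id"] if conn else None,
            "pkt_record": pkt["record_id"] if pkt else None,
            "flow": ale_flow_kind(src["proto"]), "direction": src["direction"],
            "app": src["app"], "src": f'{src["src"]}:{src["sport"]}',
            "dst": f'{src["dst"]}:{src["dport"]}'}


def correlate(events, max_gap=5):
    """Pair each 5157 with the next 5152 carrying the same flow key within
    max_gap record ids. Rows with both ids are the connection-plus-packet
    pairs the thread describes; a row with one id is an unpaired event."""
    pending, rows = {}, []            # flow_key -> deque of unpaired 5157s
    for ev in sorted(events, key=lambda e: e["record_id"]):
        key = flow_key(ev)
        queue = pending.get(key)
        if ev["event_id"] == 5157:
            pending.setdefault(key, deque()).append(ev)
            continue
        if ev["event_id"] != 5152:
            continue
        while queue and ev["record_id"] - queue[0]["record_id"] > max_gap:
            rows.append(_row(queue.popleft(), None))   # 5157 whose window expired
        rows.append(_row(queue.popleft(), ev) if queue else _row(None, ev))
    for queue in pending.values():
        rows.extend(_row(conn, None) for conn in queue)
    return sorted(rows, key=lambda r: r["first_record"])


def sample_report():
    """Run the correlation over the constructed sample events."""
    return correlate([parse_event(*e) for e in SAMPLE_EVENTS])


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

On the sample, the ICMP and UDP pairs each collapse to a single row carrying both record ids, and the lone 5152 stays as its own row, so a report built from these rows counts one blocked attempt per pseudo-connection rather than two. Two practitioner caveats that follow from the thread: 5152 is generated by the "Filtering Platform Packet Drop" subcategory and 5157 by "Filtering Platform Connection", so reporting on 5152 only and leaving "Filtering Platform Connection" enabled still costs the audit volume; and the auditpol command in the reply above disables nine subcategories, including IPsec and firewall policy-change auditing, so anyone who only wants to quiet these two events should name just those two subcategories.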
  • Wednesday, April 02, 2008 12:53 PM | Alexey Zhuravlev - G14 (MVP)

    Thank you Miles.

    "Please try to check the detail to identify the connection"

    Of course I did. I can't understand this:

    First (and most important):

    In the "Protocol:" field of the event I see UDP or ICMP protocol numbers, in both (5152 and 5157) events. Can ICMP establish a connection?

    Second:

    Can you block a connection and not drop the corresponding packets? Can you drop packets and not break the corresponding connection? Why do we need 2 different events?


© 2009 Microsoft Corporation. All rights reserved.