locked
Windows Packet Filtering Issue. RRS feed

  • Question

  • Hello,

    I am using windows server 2012 r2 Standard Edition, in windows packet Filtering (WPF) it is blocking inbound connection which I can see in event log under that in the security audit log that the inbound connection is blocked by WFP

    Direction = Inbound

    Source Address = x.x.x.x

    Source Port = 53849

    Destination Address = 127.0.0.1

    Destination Port = 9191

    Protocol = 6

    Blocked by WFP

    Is there any way we can disable WFP or can tweak it to allow the connection,

    Thanks


    Wednesday, July 1, 2020 9:48 AM

All replies

  • Hi moizezzy,

    In regard to your issue of ‘windows packet filtering’ , I want to confirm that whether your event log is Event 5157. For more detailed information, you can refer to the following link:
    5157(F): The Windows Filtering Platform has blocked a connection.

    Because disabling WPF can make the computer vulnerable to attack, for security, we suggest that you can add port 9191 in Firewall to allow the inbound connection.
    Please follow: Windows Firewall with advanced security> Inbound rules> New rule

    Hope my answer will help you, thanks!


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 2, 2020 7:11 AM
  • Hello Gloria,

    The are a lot of Event ID 5152 Audit Failure in the security section of the Event Viewer

    "the windows server filtering platform has blocked a packet"

    I wondered if it's firewall related but allowing port in firewall had no affect on preventing these to pile up and they are generating almost every minute.

    Aslo i Monitored that some of the connections are blocked by WPF else the connection is established.

    Friday, July 3, 2020 4:27 AM
  • Hi moizezzy,

    If the connection can be successfully establish but event viewer still keep repeating this error. You can configure these two policy through: Local security policy> Advanced audit policy configuration> Object access, and check the event viewer again.

    Hope my answer will help you, thanks!


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Gloria Gu Friday, July 3, 2020 8:45 AM
    Friday, July 3, 2020 8:45 AM
  • Hello,

    Currently it us Un-Checked So do i need to mark it checked.

    Friday, July 3, 2020 8:49 AM
  • Hi moizezzy,

    Yeah, you can choose the option 'Configure the following audit events' as the screenshot showed.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 3, 2020 8:56 AM
  • Hello Gloria,

    I think there is some confusion, Lets take an Example:-

    We have 7000 IOT Devices Which Connects to the Windows Server From Diffrent IP,s From Which 5000 Devices Can Connect With the Server but the rest Can,t Connect, So when i checked security audit there was the log that WPF was blocking the Inbound Connection And the source ip was of one of our IOT Devices and when i check that particular Device it was disconnected and have the IP which was showing in in the Security Audit log.

    I hope you got the whole Scenario i want that 7000 Connection is to be made none of the connection should be blocked.

    Friday, July 3, 2020 9:25 AM
  • Hi,

    Since that the error message you provided was general, so we can only find some general methodes to solve this problem. We've tried them but none of them worked.

    I would  suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. 
    Global Customer Service phone numbers

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 6, 2020 8:32 AM
  • Hi,
     
    Just want to confirm the current situations.
     
    Please feel free to let us know if you need further assistance.

    Best regards,
    Gloria

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 31, 2020 8:13 AM