Windows filter platform has blocked connection

Audit Filtering Platform Connection

Applies to

  • Windows 10
  • Windows Server 2016

Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.

Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).

This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and applications blocked from accepting incoming connections.

Event volume: High.

Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure
Domain Controller | No              | Yes             | IF               | Yes
Member Server     | No              | Yes             | IF               | Yes
Workstation       | No              | Yes             | IF               | Yes

Comments (same for all three computer types): Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections.

IF — Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices.

Events List:

5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.

5150(-): The Windows Filtering Platform blocked a packet.

5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.

5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156(S): The Windows Filtering Platform has permitted a connection.

5157(F): The Windows Filtering Platform has blocked a connection.

5158(S): The Windows Filtering Platform has permitted a bind to a local port.

5159(F): The Windows Filtering Platform has blocked a bind to a local port.

5152(F): The Windows Filtering Platform blocked a packet.

Applies to

  • Windows 10
  • Windows Server 2016

Event Description:

This event generates when Windows Filtering Platform has blocked a network packet.

This event is generated for every received network packet.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Application Information:

Process ID [Type = Pointer]: hexadecimal Process ID of the process to which the blocked network packet was sent. A Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.

Application Name [Type = UnicodeString]: full path and the name of the executable for the process.

The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using the diskpart utility. The diskpart command to list volume numbers is “list volume”:

Network Information:

Direction [Type = UnicodeString]: direction of the blocked connection.

Inbound – for inbound connections.

Outbound – for outbound connections.

Source Address [Type = UnicodeString]: local IP address on which the application received the packet.

:: — all IP addresses in IPv6 format

0.0.0.0 — all IP addresses in IPv4 format

127.0.0.1 , ::1 — localhost

Source Port [Type = UnicodeString]: port number on which the application received the packet.

Destination Address [Type = UnicodeString]: IP address from which the packet was received or initiated.

:: — all IP addresses in IPv6 format

0.0.0.0 — all IP addresses in IPv4 format

127.0.0.1 , ::1 — localhost

Destination Port [Type = UnicodeString]: port number used by the remote machine to send the packet.

Protocol [Type = UInt32]: number of the protocol that was used.

Service                                             | Protocol Number
Internet Control Message Protocol (ICMP)            | 1
Transmission Control Protocol (TCP)                 | 6
User Datagram Protocol (UDP)                        | 17
General Routing Encapsulation (PPTP data over GRE)  | 47
Authentication Header (AH) IPSec                    | 51
Encapsulation Security Payload (ESP) IPSec          | 50
Exterior Gateway Protocol (EGP)                     | 8
Gateway-Gateway Protocol (GGP)                      | 3
Host Monitoring Protocol (HMP)                      | 20
Internet Group Management Protocol (IGMP)           | 88
MIT Remote Virtual Disk (RVD)                       | 66
OSPF Open Shortest Path First                       | 89
PARC Universal Packet Protocol (PUP)                | 12
Reliable Datagram Protocol (RDP)                    | 27
Reservation Protocol (RSVP) QoS                     | 46

Filter Information:

Filter Run-Time ID [Type = UInt64]: unique filter ID that blocked the packet.

To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters. This command generates the file filters.xml. Open this file and find the substring with the required filter ID ( ), for example:

Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.

Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: netsh wfp show state. This command generates the file wfpstate.xml. Open this file and find the substring with the required layer ID ( ), for example:

Security Monitoring Recommendations

For 5152(F): The Windows Filtering Platform blocked a packet.

If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “Application” not equal to your defined application.

You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

If you have a pre-defined list of restricted substrings or words in application names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Application.”

Check that Source Address is one of the addresses assigned to the computer.

If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for 5152 events where Destination Address is an IP address from the Internet (not from private IP ranges).

If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in Destination Address.

If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “Destination Address” that are not in the allow list.

If you need to monitor all inbound connections to a specific local port, monitor for 5152 events with that “Source Port.”

Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for example, anything other than 1, 6, or 17.

If the computer’s communication with “Destination Address” should always use a specific “Destination Port,” monitor for any other “Destination Port.”
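The recommendations above applied in code, as an added example that is not part of the original page: a small triage routine that runs the checks for application location, restricted application names, non-local Source Address, Internet Destination Address and atypical Protocol over a 5152 event exported as XML. The sample event is constructed, and the EventData field names (ProcessId, Application, SourceAddress, SourcePort, DestAddress, DestPort, Protocol) are an assumption, since the page's own Event XML section is empty.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample 5152 event in Windows event XML layout. The EventData
# field names are assumed from the 5152 schema (the page's Event XML is empty).
SAMPLE_5152 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID></System>
  <EventData>
    <Data Name="ProcessId">0x1a4</Data>
    <Data Name="Application">\device\harddiskvolume2\users\bob\appdata\local\temp\mimikatz.exe</Data>
    <Data Name="SourceAddress">10.0.0.5</Data>
    <Data Name="SourcePort">49712</Data>
    <Data Name="DestAddress">203.0.113.7</Data>
    <Data Name="DestPort">4444</Data>
    <Data Name="Protocol">47</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VOLUME_PREFIX = "\\device\\harddiskvolume"  # page: logical disk shown as \device\harddiskvolume#
STANDARD_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temp\\", "\\temporary internet files\\")
RESTRICTED_WORDS = ("mimikatz", "cain.exe")
TYPICAL_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP from the page's protocol table
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_5152(xml_text):
    """Return the EventData fields of one 5152 event as a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def triage_5152(xml_text, local_addrs, internet_allowed=True):
    """Apply the page's monitoring recommendations to one event; return the findings that fire."""
    ev = parse_5152(xml_text)
    findings = []
    app = ev.get("Application", "").lower()
    if app.startswith(VOLUME_PREFIX):  # strip the volume number so folder checks see the path
        app = app[len(VOLUME_PREFIX):].lstrip("0123456789")
    if not app.startswith(STANDARD_DIRS) or any(d in app for d in RESTRICTED_DIRS):
        findings.append("application-outside-standard-folder")
    if any(w in app for w in RESTRICTED_WORDS):
        findings.append("restricted-application-name")
    src, dst = ipaddress.ip_address(ev["SourceAddress"]), ipaddress.ip_address(ev["DestAddress"])
    if src not in {ipaddress.ip_address(a) for a in local_addrs}:  # page: Source Address must be local
        findings.append("source-address-not-local")
    if not internet_allowed and not any(dst in n for n in PRIVATE_NETS):
        findings.append("internet-destination")
    if int(ev["Protocol"]) not in TYPICAL_PROTOCOLS:
        findings.append("atypical-protocol")
    return findings
```

Feed it the XML of each 5152 event exported from the Security log (one event per call) and alert on any non-empty result; the wildcard source addresses :: and 0.0.0.0 named on the page parse as ordinary addresses and are flagged unless listed in local_addrs.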
