11 Replies
-
Is it the same source every time? If so, look into that machine. Protocol 17 is UDP. Port 15600 could have a number of options.
-
Use Wireshark to see what the source machine is sending to it.
-
Also, check out the destination address: 192.168.40.255, the broadcast address. Other machines seeing this?
-
The source IPs are different throughout different events (mostly from other machines on the network).
Some are even 0.0.0.0,
and some destination addresses are also ending in x.255, which isn’t even valid,
and some are destined to 255.255.255.255.
-
What about the destination port? Is that always the same?
-
They are almost either 255.255.255.255 or 40.255 which are the broadcast addresses.
-
I was asking about the port. Is it always 15600? That doesn’t seem like a random number. If it’s always that, it might point things in the right direction.
-
Hey, sorry, I misread.
The destination ports are also different.
15600, 8610, 67, 60103, etc.
-
I’d probably start by tracking the destination ports. If they’re completely random, that’s one thing, but if it’s the same handful over and over, that’s something to go on.
-
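One way to do the port tracking suggested in the reply above, as an added example that is not part of the thread: it parses "blocked a packet" message bodies, counts drops per protocol, destination port and Filter Run-Time ID, and tallies broadcast destinations separately. The sample events, the filter IDs and the /24 subnet size are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Message layout of a "blocked a packet" event as it appears in the Security log.
TEMPLATE = """The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 0
    Application Name: -
Network Information:
    Direction: Inbound
    Source Address: {src}
    Source Port: {sport}
    Destination Address: {dst}
    Destination Port: {dport}
    Protocol: {proto}
Filter Information:
    Filter Run-Time ID: {fid}
    Layer Name: Transport
    Layer Run-Time ID: 13
"""

# Constructed sample rows (src, sport, dst, dport, protocol, filter ID). The ports
# and the 192.168.40.255 destination echo the thread; everything else is made up.
ROWS = [
    ("192.168.40.21", 15600, "192.168.40.255", 15600, 17, 70001),
    ("192.168.40.22", 15600, "192.168.40.255", 15600, 17, 70001),
    ("0.0.0.0", 68, "255.255.255.255", 67, 17, 70001),
    ("192.168.40.33", 8610, "192.168.40.255", 8610, 17, 70001),
    ("192.168.40.50", 53124, "192.168.40.10", 60103, 17, 70002),
]
SAMPLE_EVENTS = [
    TEMPLATE.format(src=s, sport=sp, dst=d, dport=dp, proto=p, fid=f)
    for s, sp, d, dp, p, f in ROWS
]


def parse_event(text):
    """Turn one event message body into {field name: value}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip section headers such as "Network Information:"
            fields[key.strip()] = value.strip()
    return fields


def is_broadcast(addr, prefix=24):
    """True for 255.255.255.255 or the directed broadcast of an assumed /prefix subnet."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ip == net.broadcast_address


def summarize(events, prefix=24):
    """Count drops per (protocol, destination port, filter ID); tally broadcasts separately."""
    drops, broadcast = Counter(), Counter()
    for text in events:
        f = parse_event(text)
        key = (int(f["Protocol"]), int(f["Destination Port"]), int(f["Filter Run-Time ID"]))
        drops[key] += 1
        if is_broadcast(f["Destination Address"], prefix):
            broadcast[key] += 1
    return drops, broadcast


if __name__ == "__main__":
    drops, broadcast = summarize(SAMPLE_EVENTS)
    for key, n in drops.most_common():
        print(f"proto/dport/filter={key} drops={n} broadcast={broadcast[key]}")
```

-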
Thanks.
This was happening across the network on lots of computers. The group policy settings were set as not configured regarding this filtering platform packet drop.
The solution seems to have reduced the amount of logs that were being generated.
Cheers!
Question
-
HOW do you stop the Base Filtering Engine from filtering ports and programs?
I have used BING (Because it’s not Google) and Google and the TechNet forums and the Microsoft forums and anything else that came up. No luck finding this situation or anything like it except to turn off auditing. No thank you.
The situation is we have a business Active Directory domain (2012 R2 Standard) hosting a DNS internally for 100+ endpoints, and a few weeks ago we started experiencing latency in our network to the Internet, and this has just gotten worse and worse and worse. The intranet is working fine to our internally hosted sites and services from our internally hosted DNS. We originally thought it was some setting in our firewall (Cisco and the Firepower configurations). Nope, turned it off and still latent. Finally drilled down to our DNS forwarders not resolving to the Internet (if you hit F5 enough you get through eventually). If you change the DNS to go directly to a DNS provider on the Internet (e.g. 8.8.8.8), no problems, immediate access.
This is affecting both the primary and alt domain controller that are hosting DNS services internally. After throwing everything against the wall we can think of, we finally determined that DNS (port 53) is being blocked by the Base Filtering Engine. When you disable this BFE service, this is actually the only service we stop, and after this is stopped (yes, the dependent services also stopped), IT WORKS again. Voilà! DNS works with the forwarders and all network computers are all happy and can go anywhere their hearts desire on the Internet after my firewall filters them.
Having this BFE service off is not a good idea according to the Internet unless you are a Trojan.
Attempted:
— Firewall on and off. (with access allowed.)
— Antivirus on and off.
— Different DNS Forwarders.
— SFC /Scannow
C:\Windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.
— Read documentation on the server on Microsoft.
Now Attempting to post a question on the TechNet Forums. Next I think we will start uninstalling updates till it starts working again. (maybe)
The events below from the event log helped us narrow this down with some Internet searches for how to disable this BFE service.
Event 5152
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 4992
Application Name: \device\harddiskvolume6\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 192.168.xxx.xxx (Network PC)
Source Port: 4279
Destination Address: 192.168.xxx.xxx (DNS Server)
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69167
Layer Name: Receive/Accept
Layer Run-Time ID: 44
EVENT ID 5157
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 1904
Application Name: \device\harddiskvolume6\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 192.168.xxx.xxx (DNS Server)
Source Port: 53
Destination Address: 192.168.xxx.xxx (Network PC)
Destination Port: 53541
Protocol: 17
Filter Information:
Filter Run-Time ID: 67692
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Question
-
We have a Windows Server 2008 R2 DC. The Event Viewer Security log on this server is generating lots of 5152 events from various source IP addresses saying that the Windows Filtering Platform blocked a packet to port 389.
The Windows Firewall on this server has the default Active Directory rules enabled allowing incoming connections on port 389 and I haven’t had any issues reported relating to Active Directory from users on the network.
Anybody have an idea why I’m getting these audit failures even with port 389 allowed through the Windows Firewall?
-
Edited by
Friday, March 30, 2012 12:50 PM
Windows 11, the latest version of the series from Microsoft, is considered the most advanced and user-centric. However, errors are encountered as frequently as in the previous version, if not more so. In this article, we look at the "Windows Filtering Platform has blocked a connection" problem.
The error occurs when certain packets or connections are blocked by the underlying filtering mechanism. While the problem may seem daunting to most users, the solutions are fairly straightforward and are listed in the following sections.
For those facing the error in Windows 11, it is likely that the update was not successful and there is some error in Windows Firewall.
But before we get into the fixes, you need to understand the role of the Windows Filtering Platform and its core functionality.
How does the Windows Filtering Platform help developers?
The Windows Filtering Platform is a set of system services and APIs (Application Programming Interfaces) that enables developers to create network filtering applications. It was first introduced in Windows Vista and has been part of the Windows ecosystem ever since.
It can also be used to build independent firewalls, antivirus software and other network applications. It allows an application to access and modify packets while they are being processed.
The three main features of the Windows Filtering Platform are:
- Base Filtering Engine
- Generic Filter Engine
- Callout modules
Now that you are familiar enough with the concept, let’s move on to the most effective fixes for the "Windows Filtering Platform has blocked a connection" problem in Windows 11.
How can I fix the "Windows Filtering Platform has blocked a connection" error in Windows 11?
1. Disable your firewall.
- Press Windows + S to open the Search menu. Enter Windows Defender Firewall in the text box at the top and click the relevant search result.
- Then click Turn Windows Defender Firewall on or off in the list of options on the left.
- Check the boxes for Turn off Windows Defender Firewall (not recommended) under both Private network settings and Public network settings, and click OK at the bottom to save your changes.
After making the changes, restart the system and check whether the "Windows Filtering Platform has blocked a connection" problem is fixed in Windows 11. If not, move on to the next fix.
2. Run the DISM tool.
- Press Windows + S to open the Search menu. Enter Windows Terminal in the text box at the top, right-click the relevant search result and select Run as administrator from the context menu.
- Click Yes in the UAC (User Account Control) prompt that pops up.
- Click the down arrow at the top and select Command Prompt from the list of options. Alternatively, you can press Ctrl + Shift + 2 to open Command Prompt in a new tab in Windows Terminal.
- Then paste the following command and press Enter to execute it:
DISM /Online /Cleanup-Image /ScanHealth
- Finally, run the following command:
DISM /Online /Cleanup-Image /RestoreHealth
3. Perform a quick SFC scan.
- Press Windows + R to launch the Run command. Enter wt in the text box, press and hold Ctrl + Shift, and then either click OK or press Enter to launch Windows Terminal with elevated privileges.
- Click Yes in the UAC (User Account Control) prompt.
- Click the down arrow and select Command Prompt from the menu that appears.
- Then type or paste the following command and press Enter to start the SFC scan:
sfc /scannow
An SFC (System File Checker) scan identifies corrupted system files and, if any are found, replaces them with a cached copy stored on the system. So, if corrupted system files are the reason for the "Windows Filtering Platform has blocked a connection" problem on Windows 11, running an SFC scan should fix it.
After executing the command, wait for the scan to complete, then restart your computer and check if the problem is resolved.
4. Restart Windows Security Center.
- Press Windows + R to launch the Run command. Enter services.msc in the text box and either click OK or press Enter to launch the Services app.
- Find and double-click the Windows Defender Firewall service.
- Make sure the Service status reads Running.
- If not, click Start under Service status to start the service.
- Then press Windows + S to open the Search menu. Enter Windows Terminal in the text box, right-click the relevant search result and select Run as administrator from the context menu.
- Click Yes in the UAC (User Account Control) prompt that appears.
- Then run the following command and restart your computer:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
- After restarting your computer, paste the following command and press Enter:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 0 /t REG_DWORD /f
After that, restart your computer again and check whether the "Windows Filtering Platform has blocked a connection" problem still occurs in Windows 11.
5. Disable your antivirus.
- Press Windows + S to open the Search menu. Enter Windows Security in the text box at the top, and then click the relevant search result.
- Click Virus & threat protection.
- Click Manage settings under Virus & threat protection settings.
- Then turn off the toggle under Real-time protection to disable the antivirus.
- Finally, click Yes in the UAC (User Account Control) prompt that appears.
Antivirus software is often known to conflict with network settings and lead to many errors. This usually happens with third-party antiviruses, but Windows built-in security is sometimes at fault as well.
Hence, if the above fixes did not work, you can try disabling your antivirus and check whether the "Windows Filtering Platform has blocked a connection" problem is fixed in Windows 11.
If the error persists, uninstall the third-party antivirus app and check if that changes the situation.
6. Create a new local account.
In many cases, a damaged user account was what caused the "Windows Filtering Platform has blocked a connection" problem. If this is the case and the above methods fixed it, you can create a new local account on your Windows 11 PC.
While there is a lot of debate about whether you should use a Microsoft account or a local account, the latter should be the best choice here, as it is not tied to any servers and can be used independently on the device.
After creating a new local account, the error should no longer appear in Event Viewer.
Which is better, Windows 11 or Windows 10?
After Windows 11 finally launched, most users were only too happy to get their hands on the latest version. But many users are skeptical about the upgrade due to various factors.
The main reason is that they are used to Windows 10 and it will take a while to get familiar with the new OS. But that’s not a compelling enough reason, as Windows 11 offers a slightly better user experience as well as many other features and security enhancements designed to improve your experience.
That’s all there is to the "Windows Filtering Platform has blocked a connection" problem in Windows 11, along with the most appropriate fixes for it.
In case the above methods do not eliminate the "Windows Filtering Platform has blocked a packet" error, you can either perform a system restore or reset Windows 11 to factory settings.
Tell us which fix worked and your thoughts on the debate between Windows 11 and Windows 10 in general in the comments section below.
I’m running Windows 2008 R2 and I have IIS7/MySQL hosting several websites. However, I’ve recently been having seemingly random connection errors, perhaps one out of 50 times.
I took a look at the event viewer and there are lots of blocked packets to port 80 from many different IPs at the time of the problems, including my own (event viewer log attached at bottom of post).
It looks like WFP is blocking some legitimate requests, but I’ve set up the firewall to allow all port 80 web traffic connections… so how can they be blocked?
LOG:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: xxx.xxx.xxx.xxx
Source Port: 57578
Destination Address: xxx.xxx.xxx.xxx
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 74587
Layer Name: Transport
Layer Run-Time ID: 13
asked Aug 10, 2011 at 18:15 by rsbarro
If you really want to get to the bottom of this kind of problem you will have to perform a WFP (Windows Filtering Platform) capture.
To start a capture use the following command:
netsh wfp capture start
Then you should reproduce your problem to include it in the capture. After that you use the following command to stop the capture:
netsh wfp capture stop
The result of the capture is stored in the file wfpdiag.cab in the current directory. I believe this file is only intended for internal use by Microsoft, but if you want to you can extract the two files in the archive and have a look yourself.
The .etl can be opened using Event Log. However, I’m not sure how to interpret the contents. The interesting file is the .xml file. If you spend some time you should be able to figure out the structure of the contents. What you should be looking for is the following:
Filter Run-Time ID: 74587
By inspecting the XML you need to find which filter has run-time ID 74587. This will tell you which rule in the firewall blocked the connection. Note that the firewall has some hidden rules (e.g. Windows Firewall service hardening rules).
answered Aug 18, 2012 at 22:50
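The lookup described in the answer above, as an added example that is not part of the original answer: it finds the filter whose run-time ID matches the one in the event and reports its name, layer and action. The element names (item, filterId, displayData/name, layerKey, action/type, filterKey) are an assumption about the layout of the extracted XML, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this example reads. The element
# names are assumed; the filter names and GUIDs are made up.
SAMPLE_XML = """<wfpdiag>
  <filters>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
      <displayData><name>Constructed rule: allow HTTP in</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
      <action><type>FWP_ACTION_PERMIT</type></action>
      <filterId>74001</filterId>
    </item>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
      <displayData><name>Constructed rule: hidden hardening block</name></displayData>
      <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterId>74587</filterId>
    </item>
  </filters>
</wfpdiag>"""


def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, *path):
    """Follow direct children by name; return the last one's text, or None."""
    for name in path:
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            return None
    return (elem.text or "").strip()


def find_filter(xml_text, runtime_id):
    """Return details of the filter with this run-time ID, or None if absent."""
    root = ET.fromstring(xml_text)
    for item in root.iter():
        # Only <item> elements that carry filterId as a direct child are filter
        # definitions; nested references to a filter ID elsewhere are skipped.
        if local(item.tag) == "item" and child_text(item, "filterId") == str(runtime_id):
            return {
                "name": child_text(item, "displayData", "name"),
                "layer": child_text(item, "layerKey"),
                "action": child_text(item, "action", "type"),
                "key": child_text(item, "filterKey"),
            }
    return None


if __name__ == "__main__":
    print(find_filter(SAMPLE_XML, 74587))
```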
As mentioned here, it is likely these Event Log entries (with Event ID 5152) are due to malicious requests, possibly sent by legitimate users of your web site that have virus infected machines. Viruses such as Code Red propagated in this manner by infecting IIS powered websites. IIS/WFP is most likely blocking and logging the malicious requests.
Assuming that this is the case, there’s not much to do here. If you determine that all of the requests are coming from one IP, you could block that IP at the firewall level. If they’re from all over the place and you don’t want to be bothered with the Event Log entries anymore, then you could turn off the Audit Logging of these events (not that I would necessarily recommend doing so). If you do want to disable logging, you can make use of the auditpol.exe command.
View the Audit Logging settings for Events 5152 and 5153:
auditpol /get /subcategory:"Filtering Platform Packet Drop"
Disable the Audit Logging of failures for Events 5152 and 5153:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
More information on the Audit Policies can be found at:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb309058(v=vs.85).aspx
answered Dec 13, 2011 at 18:26 by rsbarro
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Object Access • Filtering Platform Connection
Type: Success
Corresponding events in Windows 2003 and before: (none listed)
5150: The Windows Filtering Platform has blocked a packet.
The Windows Filtering Platform has blocked a packet.
This event is documented as appearing new to Windows 2008 Release 2 and Windows 7. But we’ve never seen it logged. See event ID 5152 instead.
Description Fields in 5150
Network Information:
Direction: %1
Source Address: %2
Destination Address: %3
EtherType: %4
EncapMethod: %5
SnapControl: %6
SnapOui: %7
VlanTag: %8
Filter Information:
Filter Run-Time ID: %9
Layer Name: %10
Layer Run-Time ID: %11
If your Security log records a large number of messages with Event ID 5156, which report that
The Windows Filtering Platform has allowed a connection
and you want to turn them off, do the following:
- Run gpedit.msc
- Go to the branch "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options".
- Make sure that, on Windows 2008, the option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.
After that, use the "auditpol" command. Enter the command:
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
If you also want to turn off messages like this:
The Windows Filtering Platform blocked a packet
then run the command:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
Although, to be honest, after the security officer complained about messages that carry no useful information, I turn them off like this:
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
To see the syntax of this command, enter at the command prompt:
auditpol /?
To get a list of all categories and subcategories, enter:
auditpol /list /subcategory:*
To display the current audit policy for all categories and subcategories, enter:
auditpol /get /category:*
Starting with Windows Server 2008 R2 (server OS) and Windows 7 (client OS), the policies under "Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration" gained finer-grained audit settings, made up of more than 50 separate policy settings: Advanced Security Audit Policy Settings.
If the auditpol command fails with «ошибка 0x00000057 произошла: Параметр задан неверно.», you are most likely using the wrong language for the category names: if the OS is in Russian, the audit categories must be written in Russian.
Currently using Windows 2012 RDSH to present apps to the users. I had an interesting event yesterday where users reported sluggishness on an app from one of the RDS servers and saw these entries in the audit logs.
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: —
Network Information:
Direction: Bidirectional
Source Address: 172.16.255.245
Source Port: 49155
Destination Address: 172.16.10.30
Destination Port: 58564
Protocol: 17
Filter Information:
Filter Run-Time ID: 70905
Layer Name: Datagram Data
Considering that protocol 17 is UDP and they’re using PCoIP, it’s pretty safe to say that it may have been Windows Firewall causing grief for the end users and their experience. I looked at the firewall and the firewall profile for the domain was off while private and public were on.
Has anyone encountered this previously? Windows blocking/dropping UDP packets because of filtering, but not all the time, just sometimes?
Larry