Windows Filtering Platform (WFP) is a new application in Windows 7/8 and Windows Server 2008/2012 that logs firewall and IPsec related events to the System Security Log. We recommend tuning WFP in your Active Directory group policies to decrease the load it would otherwise create on your LEM Manager. These alerts represent "background" events that consume additional LEM resources to process and are not necessary for an optimized LEM deployment. Tuning out this "Windows noise" in the group policies reduces the space these events occupy in the Security Event log, reduces network activity, and avoids consuming LEM resources (CPU, memory, disk space) on events that add no value.
For information about disabling these alerts on the computer running WFP, see KB3263 and its related articles.
To modify your LEM Manager's Alert Distribution Policy:
Windows Security in the search box.
Note: The ProviderSID value in the following alerts matches the format "Windows Security Auditing Event ID", where Event ID is one of the Windows Event IDs listed below.
| Alert Name | Windows Event ID |
|---|---|
| TCPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| IPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| UDPTrafficAudit | 5152, 5154, 5156, 5157, 5158, 5159 |
| ICMPTrafficAudit | 5152, 5156, 5157, 5158, 5159 |
| Event ID | Brief Description |
|---|---|
| 5152 | Windows Filtering Platform blocked a packet |
| 5154 | Windows Filtering Platform permitted an application or service to listen on a port for incoming connections |
| 5156 | Windows Filtering Platform allowed a connection |
| 5157 | Windows Filtering Platform blocked a connection |
| 5158 | Windows Filtering Platform permitted a bind to a local port |
| 5159 | Windows Filtering Platform blocked a bind to a local port |
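Before tuning the group policy, it helps to measure how many of these events a host is actually producing and which audit subcategories emit them. The following script is an added example, not part of the original article or of LEM; it assumes an elevated PowerShell session on the Windows host whose Security log you want to check, and the subcategory names are the standard Advanced Audit Policy names rather than anything taken from this page.

```powershell
# Added example: measure current WFP audit-event volume on a host before tuning,
# and show the audit subcategory behind each Event ID from the table above.
# Assumes an elevated PowerShell session on the host being checked.

# Event IDs from the table, mapped to the Advanced Audit Policy subcategory that emits them.
$subcategoryById = @{
    5152 = 'Filtering Platform Packet Drop'
    5154 = 'Filtering Platform Connection'
    5156 = 'Filtering Platform Connection'
    5157 = 'Filtering Platform Connection'
    5158 = 'Filtering Platform Connection'
    5159 = 'Filtering Platform Connection'
}

$hours  = 24
$filter = @{
    LogName   = 'Security'
    Id        = @($subcategoryById.Keys)
    StartTime = (Get-Date).AddHours(-$hours)
}
# SilentlyContinue: Get-WinEvent reports an error rather than an empty result when nothing matches.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$perHour = [math]::Round($events.Count / $hours)
"WFP audit events in the last $hours h: $($events.Count) (about $perHour per hour)"

# Per-ID breakdown, so you can see whether blocks (5152/5157) or allows (5156) dominate the noise.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Count       = $_.Count
            Subcategory = $subcategoryById[[int]$_.Name]
        }
    } | Format-Table -AutoSize

# Current audit setting for each subcategory; these are the settings a group policy change adjusts.
$subcategoryById.Values | Sort-Object -Unique | ForEach-Object {
    auditpol /get /subcategory:"$_"
}
```

Run it again after the policy change has applied to confirm the per-hour count has dropped and that the subcategories now report "No Auditing".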