
Disable Windows Filtering Platform Alerts Using Alert Distribution Policy

Description

Windows Filtering Platform (WFP) is a new component in Windows 7/8 and Windows Server 2008/2012 that logs firewall- and IPsec-related events to the Windows Security event log. We recommend tuning WFP auditing in your Active Directory group policies to decrease the load it would otherwise create on your LEM Manager. These alerts represent "background" events that consume additional LEM resources to process and are not needed in an optimized LEM deployment. Tuning out this "Windows noise" in group policy reduces the space these events occupy in the Security event log, reduces network activity, and avoids consuming LEM resources (CPU, memory, disk space) on events you do not need.

Procedure

For information about disabling these alerts on the computer running WFP, see KB3263 and its related articles.
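Before changing group policy or the Alert Distribution Policy, it helps to know how much WFP noise a host actually generates. The following PowerShell script is an added example, not code from the SolarWinds article or from LEM: run in an elevated session on the Windows host, it counts the WFP event IDs listed in this article in the local Security log, estimates their rate and size, and shows the current audit-policy setting for the two WFP subcategories that produce them. The 24-hour look-back window and the size estimate (based on each record's XML length, not its on-disk size) are assumptions of this example.

```powershell
# Added example (not from the SolarWinds article): measure WFP audit noise in the
# local Security log. Requires an elevated PowerShell session, because reading
# the Security log needs administrator rights.

# The Windows Event IDs listed in the article's tables.
$wfpIds = 5152, 5154, 5156, 5157, 5158, 5159

# Assumption: look back 24 hours. Adjust to the window you want to measure.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = $wfpIds
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No WFP audit events (IDs $($wfpIds -join ', ')) in the Security log since $since."
    return
}

# Count per event ID so you can see which subcategory produces the bulk of the noise.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Rough hourly rate and the volume these records occupy.
# Assumption: size is estimated from the event XML, which approximates but does
# not equal the on-disk record size.
$hours = [math]::Max(1, ((Get-Date) - $since).TotalHours)
$bytes = ($events | ForEach-Object { $_.ToXml().Length } | Measure-Object -Sum).Sum
"{0} WFP events in the last {1:N0} hours ({2:N0}/hour), about {3:N1} MB of event XML" -f `
    $events.Count, $hours, ($events.Count / $hours), ($bytes / 1MB)

# Current audit policy for the two WFP subcategories that generate these IDs.
# auditpol is the built-in Windows tool; these are its standard subcategory names.
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"
```

If the counts are large, these subcategories are what the group-policy tuning referenced above (KB3263) switches off at the source; the Alert Distribution Policy steps that follow only stop the LEM Manager from displaying, storing, warehousing, or evaluating the events it has already received.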

To modify your LEM Manager's Alert Distribution Policy:

  1. Open your LEM Console and log into your LEM Manager from the Manage > Appliances view.
  2. Click the gear icon next to your LEM Manager, and then select Policy.
  3. Locate the alerts you want to disable by either browsing the alert taxonomy or using the search box under Refine Results.
    Note: You can locate all of the alerts listed below by typing Windows Security in the search box.
  4. Check or uncheck the boxes in the Console, Database, Warehouse, or Rules columns as appropriate.
    Notes:
    • Uncheck the Console box to prevent your LEM Manager from showing the alert in your LEM Console.
    • Uncheck the Database box to prevent your LEM Manager from storing the alert on your LEM database.
    • Uncheck the Warehouse box to prevent your LEM Manager from sending the alert to an independent database warehouse.
    • Uncheck the Rules box to prevent your LEM Manager from processing the alert against your LEM rules.
    • Check any box to enable processing for the alert at any of the four levels listed above.
  5. If you want to save your changes and keep working, click Apply.
  6. If you want to save your changes and exit the Alert Distribution Policy window, click Save.

Table of Alerts with Windows Security Auditing Provider SIDs

Note: The ProviderSID value for each of the following alerts has the format Windows Security Auditing <Event ID>, where <Event ID> is one of the Windows Event IDs listed in the table.

Alert Name            Windows Event IDs
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

Table of Descriptions by Event ID

Event ID   Brief Description
5152       Windows Filtering Platform blocked a packet
5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156       Windows Filtering Platform allowed a connection
5157       Windows Filtering Platform blocked a connection
5158       Windows Filtering Platform permitted a bind to a local port
5159       Windows Filtering Platform blocked a bind to a local port

The alerts described in the tables can be filtered out (dropped) by your LEM Manager's Alert Distribution Policy by unchecking their boxes in the Console, Database, Warehouse, and Rules columns. Note that the LEM Manager must still receive and process each of these events before it can drop them, so this tuning saves console, database, and rule load but not the memory and CPU spent on processing; disabling the events at the source through group policy (see KB3263) avoids that cost as well.


Last modified
19:58, 22 Jun 2016
