
Tune out Windows Filtering Platform on LEM and on Windows agent

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how to tune out Windows Filtering Platform (WFP) events on LEM and on the Windows agent. WFP is the network filtering framework built into Windows 7, Windows 8 and Windows Server 2008/2012 (it was introduced with Windows Vista and Server 2008) that Windows Firewall and IPsec are built on. When the corresponding audit subcategories are enabled, WFP writes a Security log event for every permitted or blocked connection, dropped packet, port bind and listen. On LEM these events surface as high-volume accepted background alerts and add load to the LEM Manager while it processes them. They are not necessary in an optimized LEM deployment, and tuning them out reduces event volume without affecting the other Windows Security alerts. One caveat before you disable them at the source: the permitted and blocked connection events (5156 and 5157) record the process path and the local and remote addresses and ports of every connection, which can be valuable during an investigation. If you need that visibility on particular hosts, leave Audit Filtering Platform Connection enabled there and tune only the LEM side.

Environment

  • All LEM versions
  • Windows 7, 8 and 8.1
  • Windows Server 2008, 2008 R2 and 2012

Steps

Modify the LEM Alert Distribution Policy

  1. Open LEM Console and log into your LEM Manager from the Manage > Appliances view.
  2. Click the gear icon next to your LEM Manager, and select Policy.
  3. Locate the alerts you want to disable by either browsing the Alert Taxonomy or using the search box under Refine Results.
    Note: You can locate all the alerts listed below by typing Windows Security in the search box.
  4. Tick or untick the boxes in the Console, Database, Warehouse or Rules columns, as appropriate.
    Note:
    • Untick the Console box to prevent your LEM Manager from showing the alerts in your LEM Console.
    • Untick the Database box to prevent your LEM Manager from storing the alerts in your LEM database.
    • Untick the Warehouse box to prevent your LEM Manager from sending the alerts to an independent database warehouse.
    • Untick the Rules box to prevent your LEM Manager from processing the alerts against your LEM rules.
    • Tick any box to enable processing of the alerts for any of the four levels listed above. 
  5. Click Apply if you want to save your changes and keep working, or click Save if you want to save your changes and exit the Alerts Distribution Policy window.

Table of Alerts with Security Auditing Provider SIDs

Note: The ProviderSID value of each alert below has the form Windows Security Auditing followed by the Event ID, where Event ID is one of the Windows event IDs listed in the next table.

  Alert Name            Windows Event IDs
  TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
  IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
  UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
  ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
  RoutingTrafficAudit   5152, 5156
  PPTPTrafficAudit      5152

Table of Description by Event ID

  Event ID   Brief Description
  5152       Windows Filtering Platform blocked a packet.
  5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections.
  5156       Windows Filtering Platform allowed a connection.
  5157       Windows Filtering Platform blocked a connection.
  5158       Windows Filtering Platform permitted a bind to a local port.
  5159       Windows Filtering Platform blocked a bind to a local port.
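Before tuning these events out it is worth knowing how much of the Security log they actually account for on a given host. The following script is an added example and is not part of the SolarWinds article: it counts the six event IDs from the table above in the local Security log over the last 24 hours, reports each as a share of all Security events in the same window, and lists the processes that generate most of the connection events, which shows whether the volume comes from a handful of services. Run it in an elevated PowerShell session on the agent host; the 24-hour window and the top-5 size are assumptions you can change.

```powershell
# Added example (not from the SolarWinds article): quantify WFP event volume in the
# local Security log before tuning it out. Requires an elevated session (or
# membership in Event Log Readers) to read the Security log.

$wfpIds   = 5152, 5154, 5156, 5157, 5158, 5159   # IDs from the table above
$hours    = 24                                     # assumption: look back one day
$topCount = 5                                      # assumption: how many apps to list
$since    = (Get-Date).AddHours(-$hours)

# Let the event log service do the filtering: a FilterHashtable is evaluated
# server-side and is far cheaper than piping the whole log through Where-Object.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$wfp = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = $wfpIds
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

# Total Security events in the same window, so the WFP share can be expressed
# as a percentage. On a busy host this second query can take a while.
$allSecurity = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $since
    } -ErrorAction SilentlyContinue).Count

"Security log, last $hours h: $allSecurity events, $($wfp.Count) of them WFP"
''
'{0,-8} {1,8} {2,7}' -f 'EventID', 'Count', 'Share'
$wfp | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $share = if ($allSecurity) { 100 * $_.Count / $allSecurity } else { 0 }
    '{0,-8} {1,8} {2,6:N1}%' -f $_.Name, $_.Count, $share
}

# 5156/5157 carry the process path in the 'Application' EventData field.
# Group those by application to see which binaries produce most of the volume;
# if it is a few known services, a narrower fix than disabling the subcategory
# may be possible on the LEM side.
$apps = foreach ($e in ($wfp | Where-Object { $_.Id -eq 5156 -or $_.Id -eq 5157 })) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Application' }).'#text'
}
''
"Top $topCount applications by permitted/blocked connection events:"
$apps | Group-Object | Sort-Object Count -Descending |
    Select-Object -First $topCount |
    ForEach-Object { '{0,8}  {1}' -f $_.Count, $_.Name }
```

The application paths come back in the NT object manager form WFP records them in (for example \device\harddiskvolume2\windows\system32\svchost.exe), which is what you will also see in the LEM alert fields.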

Additional Suggested Settings

The LEM policy change above stops LEM from processing the alerts; to stop the events being generated on the Windows agent host in the first place, set the following Advanced Audit Policy subcategories to No Auditing:

  • Logon/Logoff > Audit IPsec Extended Mode
  • Logon/Logoff > Audit IPsec Main Mode
  • Logon/Logoff > Audit IPsec Quick Mode
  • Object Access > Audit Filtering Platform Connection
  • Object Access > Audit Filtering Platform Packet Drop
  • Policy Change > Audit Filtering Platform Policy Change
  • System > Audit IPsec Driver

Set a WFP subcategory to No Auditing using Group Policy

  1. Launch Group Policy Management from Control Panel > Administrative Tools (on a domain controller, or on a host with the Group Policy Management Console installed).
  2. Open Group Policy Management Editor for the domain policy you want to edit. For example, click Default Domain Policy, and then click Action > Edit.
  3. Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Click each policy under this node to view and edit its subcategories.
  5. In the right pane, click the subcategory you want to edit, and then click Action > Properties.
  6. On the Policy tab, select Configure the following audit events and leave both Success and Failure unticked. This is how No Auditing is expressed; a subcategory that is left Not Configured keeps whatever the host already has.
  7. Click OK. The change applies at the next Group Policy refresh on the agent hosts.
    Note: When you manage auditing from the Advanced Audit Policy Configuration node, also enable Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, so that a legacy category-level Object Access or Policy Change setting in the same or another GPO cannot re-enable these subcategories.
    Note: To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, and expand Advanced Audit Policy Configuration.
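For a host that is not domain-joined, or to verify what a GPO actually delivered, the same seven subcategories can be set and read back from the command line with auditpol.exe. The following script is an added example and is not part of the SolarWinds article. It backs up the current audit policy, sets each subcategory in the list above to No Auditing, checks the security option that makes subcategory settings take precedence, and then prints the effective setting of each subcategory. auditpol changes the local audit policy only: on a domain-joined host a GPO that configures these subcategories will overwrite the change at the next refresh, so use the Group Policy steps above there and use this script only to verify. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the SolarWinds article): disable the WFP and IPsec audit
# subcategories listed above with auditpol.exe and confirm the effective policy.
# Requires an elevated session. Subcategory names are auditpol's display names.

$subcategories = @(
    'IPsec Extended Mode',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'Filtering Platform Connection',
    'Filtering Platform Packet Drop',
    'Filtering Platform Policy Change',
    'IPsec Driver'
)

# Snapshot the whole audit policy first so the change can be reversed.
$backup = Join-Path $env:TEMP ('auditpol-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol /backup /file:$backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed (exit $LASTEXITCODE); is the session elevated?" }
"Backup written to $backup  (undo with: auditpol /restore /file:$backup)"

# Disabling both Success and Failure is what the GPO editor shows as 'No Auditing'.
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$sub' (exit $LASTEXITCODE)" }
}

# Check the 'Audit: Force audit policy subcategory settings ... to override audit
# policy category settings' security option. It is stored as the LSA registry
# value SCENoApplyLegacyAuditPolicy; 1 means subcategory settings win.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Subcategory settings override legacy category settings: yes'
} else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; a legacy category-level audit setting could re-enable these subcategories.'
}

# Read the effective policy back. /r emits CSV whose 'Inclusion Setting' column
# should now read 'No Auditing' for every subcategory in the list.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$effective |
    Where-Object { $subcategories -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

$stillOn = $effective | Where-Object {
    $subcategories -contains $_.Subcategory -and $_.'Inclusion Setting' -ne 'No Auditing'
}
if ($stillOn) { Write-Warning ('Still auditing: ' + (($stillOn | ForEach-Object Subcategory) -join ', ')) }
else          { 'All listed subcategories are set to No Auditing.' }
```

On a domain-joined host, run gpupdate /force and then re-run only the verification part (the auditpol /get /category:* /r block) to confirm that the GPO delivered the same result; if a subcategory flips back to Success and Failure after the refresh, a GPO is still configuring it.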

Additional Resources

For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article, Advanced Security Auditing FAQ.

For information about tuning standard Windows audit policies for LEM implementation on a non-WFP computer, see:
