4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
Subcategory: Audit MPSSVC Rule-Level Policy Change
Event Description:
When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
If you create a firewall rule on a newer version of Windows that references firewall settings that aren't available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it can't process the rule.
The only solution is to remove the incompatible rule, and then deploy a compatible rule.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4951</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13571</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-07T21:49:06.951537900Z" />
    <EventRecordID>1052309</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="556" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Profile">All</Data>
    <Data Name="RuleId">{08CBB349-D158-46BE-81E1-2ABC59BDD523}</Data>
    <Data Name="RuleName">-</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Profile [Type = UnicodeString]: the name of the profile of the ignored rule. Possible values are:
All
Domain, Public
Domain, Private
Private, Public
Public
Domain
Private
Ignored Rule:
ID [Type = UnicodeString]: the unique identifier for the ignored firewall rule.
To see the unique ID of the rule, navigate to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules” registry key, which lists the Windows Firewall rule IDs (Name column) with their parameters.
Name [Type = UnicodeString]: the name of the rule that was ignored. You can see the name of a Windows Firewall rule in the Windows Firewall with Advanced Security management console (wf.msc), in the “Name” column.
Security Monitoring Recommendations
For 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
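To investigate a 4951 event, the RuleId field can be resolved against the FirewallRules registry key described above to see the version stamp of the rule that was ignored. The following PowerShell is an added example, not part of the original documentation; the function name ConvertFrom-Event4951 is hypothetical, and the code assumes that each stored rule string begins with its version stamp in the form "v<major>.<minor>|".

```powershell
# Added example: triage 4951 events by resolving RuleId in the registry key the page names.
$RuleKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-Event4951 {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Flatten the <Data Name="..."> children of EventData into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Read the stored rule string for this ID; GetValue returns $null when it is absent.
    $key = Get-Item -Path $RuleKey -ErrorAction SilentlyContinue
    $raw = if ($key -and $data['RuleId']) { $key.GetValue($data['RuleId']) } else { $null }

    # Assumption: the rule string starts with its version stamp, e.g. "v2.0|...".
    $major = $null; $minor = $null
    if ($raw -match '^v(\d+)\.(\d+)\|') { $major = [int]$Matches[1]; $minor = [int]$Matches[2] }

    [pscustomobject]@{
        TimeCreated  = $EventXml.Event.System.TimeCreated.SystemTime
        Computer     = $EventXml.Event.System.Computer
        Profile      = $data['Profile']
        RuleId       = $data['RuleId']
        RuleName     = $data['RuleName']
        InRegistry   = [bool]$raw
        MajorVersion = $major
        MinorVersion = $minor
        RuleString   = $raw
    }
}

# Sample input: the event shown on this page, trimmed to the fields used here.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4951</EventID>
    <TimeCreated SystemTime="2015-10-07T21:49:06.951537900Z" />
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="Profile">All</Data>
    <Data Name="RuleId">{08CBB349-D158-46BE-81E1-2ABC59BDD523}</Data>
    <Data Name="RuleName">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4951 -EventXml $sample

# Live log (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4951} |
#     ForEach-Object { ConvertFrom-Event4951 -EventXml $_.ToXml() }
```

An InRegistry value of False means the ID was not found under this key on the machine where the script runs, so the rule definition has to be traced from wherever it was deployed.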