
WFP bug or issue? or behavior change in Windows 11?

Jaehong Park 1 Reputation point
2026-03-17T17:49:11.95+00:00

OS Name Microsoft Windows 11 Enterprise

Version 10.0.22631 Build 22631

I see very strange behavior of WFP on this version of Windows. This is the net event as logged:

    <type>FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW</type>
    <classifyAllow>
      <filterId>983018</filterId>
      <layerId>48</layerId>
      <reauthReason>0</reauthReason>
      <originalProfile>3</originalProfile>
      <currentProfile>3</currentProfile>
    </classifyAllow>
    <internalFields>
      <internalFlags/>
      <capabilities numItems="2">
        <item>FWP_CAPABILITIES_FLAG_INTERNET_CLIENT</item>
        <item>FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK</item>
      </capabilities>
      <fqbnVersion>0</fqbnVersion>
      <fqbnName/>
      <terminatingFiltersInfo numItems="6">
        <item>
          <filterId>983018</filterId>
          <subLayer>32770</subLayer>
          <actionType>20482</actionType>
        </item>
        <item>
          <filterId>987166</filterId>
          <subLayer>32769</subLayer>
          <actionType>FWP_ACTION_PERMIT</actionType>
        </item>
        <item>
          <filterId>965222</filterId>
          <subLayer>32766</subLayer>
          <actionType>20482</actionType>
        </item>
        <item>
          <filterId>988702</filterId>
          <subLayer>32763</subLayer>
          <actionType>20482</actionType>
        </item>
        <item>
          <filterId>961330</filterId>
          <subLayer>9</subLayer>
          <actionType>FWP_ACTION_BLOCK</actionType>
        </item>
        <item>
          <filterId>988895</filterId>
          <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_APP_ISOLATION</subLayer>
          <actionType>FWP_ACTION_PERMIT</actionType>
        </item>
      </terminatingFiltersInfo>

The packet is classified as allowed, while there is an ACTION BLOCK, which is against all the WFP arbitration rules.

I checked with other Windows versions (Windows 10 and before) and I don't see such issues. Is this a bug or some undocumented behavior change?

On top of that, in no SDK or documentation can I find an event like FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW. Can you point me to the documentation? Previously it was simply FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW.


2 answers

  1. Domic Vo 22,440 Reputation points Independent Advisor
    2026-03-17T18:49:16.2833333+00:00

    Hello Jaehong Park,

    What you are observing is indeed unusual behavior in Windows Filtering Platform (WFP) on Windows 11 Enterprise build 22631. The event type FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW is not documented in the official SDKs or prior versions of Windows. Historically, the event you would expect is FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW. The fact that you are seeing a “Public Classify Allow” event suggests that Microsoft has introduced an internal differentiation in how classification results are logged, likely tied to the new firewall and network isolation layers introduced in Windows 11 23H2/24H2 builds.

    The arbitration anomaly you describe—where a terminating filter reports FWP_ACTION_BLOCK but the packet is ultimately allowed—points to changes in how multiple sublayers are prioritized. In Windows 11, Microsoft added internal sublayers such as FWPP_SUBLAYER_INTERNAL_FIREWALL_APP_ISOLATION and extended Delivery Optimization/Network Isolation logic. These sublayers can override a block if the traffic is deemed essential for system functionality or if the block filter is scoped differently (for example, applying only to certain profiles or capabilities). That explains why you see both a block and a permit action in the terminating filters list, with the final disposition being “allow.”

    As for documentation, Microsoft has not yet published details on FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW in the Windows SDK headers or the WFP API reference. The closest you will find is in the Windows Filtering Platform documentation for Windows 11, where FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW is still the defined constant. The “Public” variant appears to be an internal extension not yet exposed in the public SDK. This means you won’t find it in fwpmtypes.h or the official API docs, and at this point it should be treated as undocumented behavior.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.


  2. AI answer

    2026-03-17T17:49:25.9933333+00:00

    FWP_ACTION_BLOCK still overrides permit actions according to the documented WFP arbitration rules. Within a given layer, actions are evaluated in sub-layer priority order, and:

    1. Actions are evaluated from highest-priority sub-layer to lowest.
    2. Block overrides Permit.
    3. A Block that is not overridable (no FWPS_RIGHT_ACTION_WRITE) is final and stops evaluation; the packet is discarded.

    This behavior is unchanged and is the only arbitration model documented.

    The behavior being observed (FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW with a terminating filter showing FWP_ACTION_BLOCK, yet the event is “allow”) cannot be explained or validated from the available documentation. The context only documents:

    • The FWPM_NET_EVENT_CLASSIFY_ALLOW0 structure, which describes allowed traffic and includes fields such as filterId, layerId, reauthReason, originalProfile, currentProfile, msFwpDirection, and isLoopback.
    • General auditing and logging behavior for WFP (packet drop events 5152/5153, policy change events, and the use of filter IDs in logs).
    • The filter arbitration rules and the FWPS_RIGHT_ACTION_WRITE override semantics.
    • The list of WFP net-event–related structures and functions added in newer Windows versions (for example FWPM_NET_EVENT_HEADER2, FwpmNetEventEnum2, FwpmNetEventSubscribe1), but not the specific event type FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW.

    There is no documentation in the provided material for FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW, nor any description of a changed arbitration model in Windows 11 that would allow a final FWP_ACTION_BLOCK to result in an “allow” classify event. The only documented “allow” event structure is FWPM_NET_EVENT_CLASSIFY_ALLOW0, and the only documented arbitration behavior is the standard “Block overrides Permit” model with FWPS_RIGHT_ACTION_WRITE controlling overridability.

    From the available documentation, the following can be stated:

    • FWPM_NET_EVENT_CLASSIFY_ALLOW0 is the structure used to report allowed traffic events.
    • WFP auditing logs packet drops (5152/5153) and policy changes, and filter IDs can be used for correlation, but filter IDs can change and are not guaranteed stable.
    • Arbitration rules are as described in the filter arbitration documentation; no alternative rules are documented.
    • FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW and any behavior specific to it are not documented in the provided references.

    Because FWPM_NET_EVENT_TYPE_PUBLIC_CLASSIFY_ALLOW is not documented here, its semantics, its relationship to FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW, and any Windows 11–specific changes to how terminatingFiltersInfo is populated or interpreted cannot be confirmed from this context.

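To make the contradiction concrete, here is an added example (not code from the question, either answer, or Microsoft) that replays the three documented arbitration rules listed in the answer above over the terminatingFiltersInfo from the question's event dump. It assumes the dump lists terminating filters from the highest-weight sub-layer to the lowest, models a cleared FWPS_RIGHT_ACTION_WRITE on a Block by listing that filter ID in hard_block_ids, and treats the undocumented numeric actionType 20482 as undecoded rather than guessing what it means.

```python
import xml.etree.ElementTree as ET

FWP_ACTION_BLOCK = 0x1001   # FWP_ACTION_FLAG_TERMINATING | 1
FWP_ACTION_PERMIT = 0x1002  # FWP_ACTION_FLAG_TERMINATING | 2
ACTION_NAMES = {"FWP_ACTION_BLOCK": FWP_ACTION_BLOCK, "FWP_ACTION_PERMIT": FWP_ACTION_PERMIT}

# The terminatingFiltersInfo element copied from the question's event dump.
EVENT_TERMINATING_FILTERS = """<terminatingFiltersInfo numItems="6">
<item><filterId>983018</filterId><subLayer>32770</subLayer><actionType>20482</actionType></item>
<item><filterId>987166</filterId><subLayer>32769</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
<item><filterId>965222</filterId><subLayer>32766</subLayer><actionType>20482</actionType></item>
<item><filterId>988702</filterId><subLayer>32763</subLayer><actionType>20482</actionType></item>
<item><filterId>961330</filterId><subLayer>9</subLayer><actionType>FWP_ACTION_BLOCK</actionType></item>
<item><filterId>988895</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_APP_ISOLATION</subLayer><actionType>FWP_ACTION_PERMIT</actionType></item>
</terminatingFiltersInfo>"""

def parse_terminating_filters(xml_text):
    """Return the dump's terminating filters in dump order; known actionType names/numbers become ints."""
    filters = []
    for item in ET.fromstring(xml_text).findall("item"):
        raw = item.findtext("actionType")
        action = ACTION_NAMES.get(raw, int(raw) if raw.isdigit() else raw)
        filters.append({"filterId": int(item.findtext("filterId")),
                        "subLayer": item.findtext("subLayer"), "actionType": action})
    return filters

def arbitrate(filters, hard_block_ids=frozenset()):
    """Documented model: filters are assumed ordered highest-weight sub-layer first (rule 1);
    Block overrides Permit (rule 2); a Block with FWPS_RIGHT_ACTION_WRITE cleared, modelled by
    hard_block_ids, is final (rule 3). Undecoded actionType values are traced but decide nothing."""
    verdict, trace = None, []
    for f in filters:
        fid, action = f["filterId"], f["actionType"]
        if action == FWP_ACTION_BLOCK:
            verdict = "BLOCK"                       # rule 2: overrides any earlier Permit
            trace.append((fid, "BLOCK"))
            if fid in hard_block_ids:               # rule 3: non-overridable, stop evaluating
                trace.append((fid, "FINAL"))
                break
        elif action == FWP_ACTION_PERMIT:
            verdict = verdict or "PERMIT"           # a Permit stands only while no Block was seen
            trace.append((fid, "PERMIT"))
        else:
            trace.append((fid, "UNDECODED:%s" % action))
    return verdict or "NO_DECISION", trace

def check_event(xml_text, reported, hard_block_ids=frozenset()):
    # Compare the documented model's verdict with what the classify event reported.
    verdict, trace = arbitrate(parse_terminating_filters(xml_text), hard_block_ids)
    return verdict, verdict == reported, trace
```

Running check_event(EVENT_TERMINATING_FILTERS, "PERMIT") yields "BLOCK" from the documented rules, so the logged classifyAllow cannot be derived from them; the trace shows which filter IDs contributed and which actionType values the model could not decode.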
