Udostępnij za pośrednictwem


Audit Filtering Platform Packet Drop

Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.

Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).

A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No No No Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “5157(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur.
Member Server No No No No Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “5157(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur.
Workstation No No No No Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “5157(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur.

Events List:

  • 5152(F): The Windows Filtering Platform blocked a packet.

  • 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.