Getting alot of Event ID 5152

i happen check security logs on exchange 2010 server , noticed lot of these event logs coming up. i'm getting them other servers , user computers.

what's causing this?

hi,

 

what operating system version on server? did see event 5157 @ same time in security log?

 

id       message

5152  the windows filtering platform blocked packet.

 

event 5152 indicates packet (ip layer) blocked.

 

event 5157 and  event 5152 general windows firewall security audit, should event detail of blocked connection attempt decide whether attempt should allowed. if connection attempt malicious or not necessary in environment, can safely ignore it. please try check detail identify.

 

just information, if want disable security audit windows firewall, run following command:

 

auditpol.exe /set /subcategory:"mpssvc rule-level policy change","filtering platform policy change","ipsec main mode","ipsec quick mode","ipsec extended mode","ipsec driver","other system events","filtering platform packet drop","filtering platform connection" /successisable /failureisable

 

for more information, please refer following link:

 

enable ipsec , windows firewall audit events

http://technet.microsoft.com/en-us/library/cc754714(ws.10).aspx    

 

best regards,

 

nina liu

technet subscriber support in forum

if have feedback on our support, please contact tngfb@microsoft.com.   

---

please remember click “mark answer” on post helps you, , click “unmark answer” if marked post not answer question. can beneficial other community members reading thread.

Windows Server  >  Security