Is it normal to get Windows Filtering Platform events in the Event Log while the firewall is off? I'm on Windows Server 2008 R2 Service Pack 1.

For example, I'm getting multiple 5156 events like this:

```
The Windows Filtering Platform has permitted a connection.

Application Information:
    Process ID:     6012
    Application Name:   \device\harddiskvolume1\localdomain\syslog\localdomainsyslogserver.exe

Network Information:
    Direction:      Outbound
    Source Address:     127.0.0.1
    Source Port:        52207
    Destination Address:    127.0.0.1
    Destination Port:       1433
    Protocol:       6

Filter Information:
    Filter Run-Time ID: 0
    Layer Name:     Connect
    Layer Run-Time ID:  48
```

while "netsh advfirewall" shows this:

```
C:\>netsh advfirewall show allprofiles state

Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Ok.
```

I know I can remove it by changing the auditing policy.

bibi195
  • [*"Windows Filtering Platform is a development platform and not a firewall itself. The firewall application that is built into Windows Vista, Windows Server 2008, and later operating systems – Windows Firewall with Advanced Security (WFAS) – is implemented using WFP."*](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) Turning off Windows Firewall does not disable WFP. – jscott Jul 04 '17 at 21:50
  • @jscott: This should have been an answer, not a comment :) – Daniel May 12 '18 at 05:50
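
One way to see how much of the 5156 volume is loopback-only traffic like the event in the question, before deciding what to change in the audit policy. This is an added example, not code from the post or its comments; it assumes the events were exported as rendered message text, and the function names and the second and third sample rows are constructed.

```python
import ipaddress
import re
from collections import Counter

HEADER = "The Windows Filtering Platform has permitted a connection."
# "Key:   value" lines; section titles such as "Network Information:" have no value.
FIELD = re.compile(r"^[ \t]*([A-Za-z][\w \-]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

# Constructed sample: layout, PID and application are taken from the question.
TEMPLATE = HEADER + r"""
Application Information:
    Process ID:     6012
    Application Name:   \device\harddiskvolume1\localdomain\syslog\localdomainsyslogserver.exe
Network Information:
    Direction:      Outbound
    Source Address:     {src}
    Source Port:        {sport}
    Destination Address:    {dst}
    Destination Port:       {dport}
    Protocol:       6
"""
ROWS = [("127.0.0.1", 52207, "127.0.0.1", 1433),    # the event from the question
        ("127.0.0.1", 52208, "127.0.0.1", 1433),    # made up
        ("192.0.2.10", 52300, "192.0.2.20", 1433)]  # made up, documentation range
SAMPLE = "".join(TEMPLATE.format(src=s, sport=sp, dst=d, dport=dp)
                 for s, sp, d, dp in ROWS)

def parse_5156(text):
    """Split exported 5156 message text into one field dict per event."""
    return [dict(FIELD.findall(chunk)) for chunk in text.split(HEADER)[1:]]

def is_loopback(event):
    """True when both endpoints are loopback, i.e. traffic never left the host."""
    addrs = (event["Source Address"], event["Destination Address"])
    # Drop an IPv6 zone id such as "%11" before parsing the address.
    return all(ipaddress.ip_address(a.split("%")[0]).is_loopback for a in addrs)

def summarize(events):
    """Count events per (executable, destination port, loopback-only?)."""
    tally = Counter()
    for e in events:
        exe = e["Application Name"].rsplit("\\", 1)[-1]
        tally[(exe, int(e["Destination Port"]), is_loopback(e))] += 1
    return tally

if __name__ == "__main__":
    for (exe, port, local), n in summarize(parse_5156(SAMPLE)).most_common():
        print(f"{n:4d}  {exe}  dport={port}  {'loopback' if local else 'NON-LOOPBACK'}")
```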
