5150 The Windows Filtering Platform blocked a packet
Written when the Windows Filtering Platform (WFP) blocks a packet. It reflects kernel-level packet filtering.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when WFP blocks a packet based on a filter. A block caused by a more restrictive filter is recorded as event 5151 instead.
How it is triggered
- When a packet matching a WFP filter condition is blocked.
Security review points
- Individual blocks are normal filter behavior. For attack detection, aggregate blocked communications by source, destination, and port to surface scanning or unauthorized connection attempts.
- If many blocks come from a specific source, consider port scanning or intrusion attempts.
Notes for log review
- It is generated in extreme volume, so collecting it continuously at full volume is impractical. Use aggregation by source, destination, and port, or narrow monitoring to specific conditions.
- Its role overlaps with the packet-drop events 5152/5153. Choose whichever fits the purpose of the review.
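The aggregation suggested in the review points above, as an added example that is not part of the original page: constructed 5150 records in Windows event XML layout are parsed, grouped by source and destination, and a source whose blocked packets spread across many destination ports is reported as a suspected scan. The EventData field names (SourceAddress, DestPort, FilterRTID, ...) and the sample addresses are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def make_event(src, sport, dst, dport):
    """Build a constructed 5150 record in Windows event XML layout (sample data, assumed field names)."""
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>5150</EventID></System>'
            f'<EventData><Data Name="Direction">%%14592</Data>'
            f'<Data Name="SourceAddress">{src}</Data><Data Name="SourcePort">{sport}</Data>'
            f'<Data Name="DestAddress">{dst}</Data><Data Name="DestPort">{dport}</Data>'
            f'<Data Name="FilterRTID">70000</Data></EventData></Event>')

# Constructed sample: one host probing seven ports, another host blocked twice on the same port.
SAMPLE_EVENTS = (
    [make_event("10.0.0.5", 40000 + i, "10.0.0.20", p)
     for i, p in enumerate([22, 80, 135, 443, 445, 3389, 8080])]
    + [make_event("10.0.0.9", 51000, "10.0.0.20", 445),
       make_event("10.0.0.9", 51001, "10.0.0.20", 445)]
)

def parse_5150(xml_text):
    """Return the key fields of a 5150 record, or None if the record is a different event."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"./{EVT_NS}System/{EVT_NS}EventID") != "5150":
        return None
    data = {d.get("Name"): d.text for d in root.iter(f"{EVT_NS}Data")}
    return {"src": data["SourceAddress"], "dst": data["DestAddress"],
            "dport": int(data["DestPort"])}

def aggregate_blocks(events):
    """Group blocked packets by (source, destination): block count and distinct destination ports."""
    agg = defaultdict(lambda: {"count": 0, "ports": set()})
    for xml_text in events:
        rec = parse_5150(xml_text)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        agg[key]["count"] += 1
        agg[key]["ports"].add(rec["dport"])
    return agg

def suspected_scanners(agg, min_ports=5):
    """Sources whose blocked packets hit at least min_ports distinct ports on one destination."""
    return sorted({src for (src, _dst), v in agg.items() if len(v["ports"]) >= min_ports})

if __name__ == "__main__":
    summary = aggregate_blocks(SAMPLE_EVENTS)
    for (src, dst), v in summary.items():
        print(f"{src} -> {dst}: {v['count']} blocks, {len(v['ports'])} distinct ports")
    print("suspected scanners:", suspected_scanners(summary))
```

The threshold of five distinct ports is a starting point; tune it against the normal block rate of the environment.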
Key fields
| Field | Meaning |
|---|---|
| Source/Destination Address / Port | The communication’s source and destination |
| Direction | The communication direction |
| Filter information | The applied filter |