5151 A more restrictive Windows Filtering Platform filter has blocked a packet
Written when a more restrictive Windows Filtering Platform (WFP) filter blocks a packet. It indicates that, among multiple filters, the stricter one was applied.
Overview
Subcategory: Audit Filtering Platform Connection. The event is generated when multiple filters match the same packet and the more restrictive one performs the block. It is a variant of the basic block event, 5150.
How it is triggered
- When multiple filters conflict and a packet is blocked by the more restrictive one.
Security review points
- Like 5150, this is basically normal filter behavior. To put it in the context of unauthorized connections or scanning, aggregate by source, destination, and port.
- Knowing which filter was applied helps when reviewing the filter configuration (WFP rules).
Notes for log review
- The event appears in volume, so work with it through aggregation and narrowing. Read it together with 5150 to understand filtering behavior.
Key fields
| Field | Meaning |
|---|---|
| Source/Destination Address / Port | The communication’s source and destination |
| Filter information | The applied restrictive filter |
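
The aggregation recommended under "Security review points" and "Notes for log review" can be sketched as follows. This is an added example, not part of the original page. It assumes the 5150/5151 events have already been exported and parsed into dicts; the key names, thresholds and sample records are constructed for illustration and are not the event's real field names.

```python
from collections import Counter, defaultdict

# Constructed sample: 5150/5151 records already exported and parsed into dicts.
# The key names (event_id, src, dst, dport, filter_id) are assumptions of this
# example, not the field names of the real event.
SAMPLE_EVENTS = (
    [{"event_id": 5151, "src": "10.0.0.50", "dst": "10.0.0.10", "dport": p, "filter_id": 70001}
     for p in range(20, 28)]                                  # one host, 8 ports
    + [{"event_id": 5150, "src": "10.0.0.60", "dst": "10.0.0.10", "dport": 445, "filter_id": 70002}] * 3
    + [{"event_id": 5151, "src": "10.0.0.70", "dst": f"10.0.0.{h}", "dport": 3389, "filter_id": 70003}
       for h in range(11, 17)]                                # 6 hosts, one port
    + [{"event_id": 5156, "src": "10.0.0.80", "dst": "10.0.0.10", "dport": 443, "filter_id": 70004}]
)

BLOCK_IDS = {5150, 5151}

def summarize_blocks(events, port_threshold=5, host_threshold=5):
    """Collapse block events to one row per source and label wide fan-out."""
    acc = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    for ev in events:
        if ev["event_id"] not in BLOCK_IDS:
            continue  # narrow to the two block events first
        a = acc[ev["src"]]
        a["count"] += 1
        a["dsts"].add(ev["dst"])
        a["ports"].add(ev["dport"])
    rows = []
    for src, a in acc.items():
        if len(a["ports"]) >= port_threshold:
            pattern = "many-ports"      # blocked on many distinct ports
        elif len(a["dsts"]) >= host_threshold:
            pattern = "many-hosts"      # blocked toward many distinct hosts
        else:
            pattern = "routine"         # narrow, repeated block
        rows.append({"src": src, "count": a["count"], "hosts": len(a["dsts"]),
                     "ports": len(a["ports"]), "pattern": pattern})
    return sorted(rows, key=lambda r: (-max(r["hosts"], r["ports"]), r["src"]))

def filter_hit_counts(events, event_id=5151):
    """Blocks per filter for one event ID, for reviewing the WFP rules."""
    return Counter(ev["filter_id"] for ev in events if ev["event_id"] == event_id)

if __name__ == "__main__":
    for row in summarize_blocks(SAMPLE_EVENTS):
        print(row)
    print(dict(filter_hit_counts(SAMPLE_EVENTS)))
```

The per-source rows reduce the event volume to a short list for scan triage, and the per-filter counts show which restrictive filters are doing the blocking.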