5153 A more restrictive Windows Filtering Platform filter has blocked a packet (packet drop)
Written when a more restrictive Windows Filtering Platform (WFP) filter drops a packet. It indicates that, among multiple filters, the stricter one performed the discard.
Overview
This event belongs to the Audit Filtering Platform Packet Drop subcategory. It is generated when multiple filters match the same packet and the more restrictive filter discards it. It is a variant of the basic drop event 5152.
How it is triggered
- When multiple filters conflict and a packet is discarded by the more restrictive one.
Security review points
- Like 5152, this is normal filter behavior. To put the drops in the context of scanning or unauthorized connections, aggregate them by source, destination, and count.
- Information on the applied restrictive filter helps in reviewing the filter configuration.
Notes for log review
- These events appear in volume, so work with them through aggregation and narrowing. Read them together with 5152 to understand drop behavior.
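
The aggregation described in the review points above, as an added example that is not part of the original page: it groups 5152/5153 drops by source, counts distinct destinations and ports, and tallies drops per filter. The records are constructed, and the key names (`event_id`, `src`, `dst`, `dport`, `filter_id`) and the `port_threshold` value are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real log data). The key names are assumptions
# standing in for the event's address, port and filter fields after export.
SAMPLE_EVENTS = (
    # One source touching many ports on one host: scan-like fan-out.
    [{"event_id": 5152, "src": "192.0.2.50", "dst": "192.0.2.5",
      "dport": port, "filter_id": 1001} for port in range(20, 28)]
    # One source retrying a single blocked port: noisy but narrow.
    + [{"event_id": 5153, "src": "192.0.2.60", "dst": "192.0.2.5",
        "dport": 445, "filter_id": 2002} for _ in range(10)]
    # A permitted-connection record that must not be counted as a drop.
    + [{"event_id": 5156, "src": "192.0.2.70", "dst": "192.0.2.5",
        "dport": 443, "filter_id": 3003}]
)

DROP_EVENT_IDS = (5152, 5153)


def summarize_drops(events, port_threshold=5):
    """Aggregate packet-drop events per source and per applied filter.

    port_threshold is an assumed tuning value: a source that was dropped on
    at least this many distinct destination ports is listed under "fan_out".
    """
    sources = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    filters = defaultdict(int)
    for ev in events:
        if ev["event_id"] not in DROP_EVENT_IDS:
            continue  # only drop events are relevant here
        entry = sources[ev["src"]]
        entry["count"] += 1
        entry["dsts"].add(ev["dst"])
        entry["ports"].add(ev["dport"])
        # Per-filter tally shows which filter accounts for the volume.
        filters[(ev["event_id"], ev["filter_id"])] += 1
    fan_out = sorted(src for src, e in sources.items()
                     if len(e["ports"]) >= port_threshold)
    return {"sources": dict(sources), "filters": dict(filters),
            "fan_out": fan_out}


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_EVENTS)
    for src, e in sorted(summary["sources"].items()):
        print(src, e["count"], "drops,", len(e["ports"]), "distinct ports")
    print("fan-out sources:", summary["fan_out"])
    print("drops per (event, filter):", summary["filters"])
```

Raw drop count alone ranks the single-port retry source highest; the distinct-port count is what separates it from the scan-like source.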
Key fields
| Field | Meaning |
|---|---|
| Source/Destination Address / Port | The dropped communication |
| Filter information | The applied restrictive filter |