ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing network firewall events and connection analysis
Event ID 5157InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5157 – Windows Filtering Platform: Network Connection Blocked by Firewall

Event ID 5157 indicates Windows Filtering Platform blocked a network connection attempt. This security audit event helps administrators track blocked network traffic and firewall rule effectiveness.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 5157Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 5157 represents a security audit event generated by the Windows Filtering Platform when it blocks an inbound or outbound network connection. The Windows Filtering Platform operates at the kernel level, intercepting network traffic before it reaches applications or leaves the system. When WFP determines that a connection violates configured firewall rules, it blocks the traffic and generates this audit event.

The event contains comprehensive connection details including process information, network addresses, port numbers, and the specific filter rule that triggered the block. This granular information proves invaluable for security analysis, helping administrators understand what traffic is being blocked and why. The event also includes the application path and process ID responsible for the connection attempt, enabling precise identification of the source.

Event ID 5157 differs from other firewall events by focusing specifically on blocked connections rather than allowed traffic. The event fires for both inbound connections blocked by firewall rules and outbound connections restricted by application control policies. Modern Windows systems generate these events continuously as the firewall blocks various connection attempts from applications, services, and external sources.

Understanding Event ID 5157 patterns helps administrators identify potential security threats, troubleshoot legitimate application connectivity issues, and optimize firewall rule configurations. The event serves as a critical component of Windows security logging, providing the audit trail necessary for compliance requirements and incident response procedures.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Windows Defender Firewall blocking inbound connection attempts from external sources
  • Outbound application connections blocked by restrictive firewall rules
  • Third-party firewall software utilizing Windows Filtering Platform blocking traffic
  • Network isolation policies preventing communication between network segments
  • Application control rules blocking specific executables from network access
  • Port-based filtering rules denying access to specific TCP or UDP ports
  • Protocol-specific blocks preventing certain network protocols
  • Domain-based filtering blocking connections to specific IP ranges or domains
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific details of Event ID 5157 to understand what connection was blocked and why.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5157 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 5157 in the Event IDs field and click OK
  5. Double-click a recent Event ID 5157 entry to view detailed information
  6. Review key fields in the event details:
    • Application Information: Process path and ID
    • Network Information: Source and destination IPs, ports
    • Filter Information: Filter ID and layer name that blocked the connection
  7. Note the Direction field to determine if this was inbound or outbound traffic
  8. Check the Protocol field to identify TCP, UDP, or other protocols involved

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157} -MaxEvents 50 | Select-Object TimeCreated, @{Name='ProcessName';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Application Name:*'}) -replace '.*Application Name:\s*',''}}, @{Name='SourceIP';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Source Address:*'}) -replace '.*Source Address:\s*',''}}
02

Review Windows Defender Firewall Rules

Examine current firewall rules to identify which rule is blocking the connection and determine if modification is needed.

  1. Open Windows Defender Firewall with Advanced Security by running wf.msc
  2. Review Inbound Rules and Outbound Rules sections
  3. Look for rules with Block action that match the blocked connection details
  4. Check rule properties including:
    • Scope (specific IP addresses or ranges)
    • Protocols and Ports settings
    • Programs and Services restrictions
  5. Use PowerShell to list all blocking rules:
# List all firewall rules that block connections
Get-NetFirewallRule | Where-Object {$_.Action -eq 'Block' -and $_.Enabled -eq 'True'} | Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize

# Get detailed information about specific blocking rules
Get-NetFirewallRule -Action Block | Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort, RemotePort
  1. Cross-reference the Filter ID from Event 5157 with firewall rule properties
  2. Document any rules that may be overly restrictive for legitimate applications
Pro tip: Use Get-NetFirewallRule -DisplayName "*keyword*" to quickly find rules related to specific applications or services.
03

Enable Advanced Firewall Logging

Configure detailed firewall logging to capture more information about blocked connections for ongoing analysis.

  1. Open Windows Defender Firewall with Advanced Security
  2. Right-click Windows Defender Firewall with Advanced Security in the left pane
  3. Select Properties
  4. For each profile (Domain, Private, Public), configure logging:
  5. Click Customize next to Logging
  6. Set the following options:
    • Log dropped packets: Yes
    • Log successful connections: Yes (optional, for comparison)
    • Size limit: Increase to 32768 KB or higher
    • File path: Note the location (typically %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)
  7. Click OK to apply settings

Use PowerShell to configure logging programmatically:

# Enable firewall logging for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32768

# Verify logging configuration
Get-NetFirewallProfile | Select-Object Name, LogAllowed, LogBlocked, LogMaxSizeKilobytes, LogFileName
  1. Monitor the firewall log file for real-time blocked connection details
  2. Use PowerShell to parse firewall logs:
# Parse recent firewall log entries
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content $logPath -Tail 100 | Where-Object {$_ -like "*DROP*"} | ForEach-Object {
    $fields = $_ -split ' '
    [PSCustomObject]@{
        Date = $fields[0]
        Time = $fields[1]
        Action = $fields[2]
        Protocol = $fields[3]
        SrcIP = $fields[4]
        DstIP = $fields[5]
        SrcPort = $fields[6]
        DstPort = $fields[7]
    }
}
04

Investigate Application-Specific Blocks

Focus on specific applications that are being blocked to determine if firewall exceptions are needed.

  1. Identify the application from Event ID 5157 details in the Application Name field
  2. Verify the application's legitimacy and network requirements
  3. Check if the application has existing firewall rules:
# Find firewall rules for a specific application
$appPath = "C:\Program Files\YourApp\app.exe"
Get-NetFirewallApplicationFilter | Where-Object {$_.Program -eq $appPath} | Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled
  1. Create a new firewall rule if the application requires network access:
  2. Open Windows Defender Firewall with Advanced Security
  3. Right-click Inbound Rules or Outbound Rules and select New Rule
  4. Choose Program and specify the application path
  5. Select Allow the connection
  6. Choose appropriate profiles (Domain, Private, Public)
  7. Provide a descriptive name for the rule

Use PowerShell to create firewall rules programmatically:

# Create inbound rule for specific application
New-NetFirewallRule -DisplayName "Allow MyApp Inbound" -Direction Inbound -Program "C:\Program Files\MyApp\myapp.exe" -Action Allow -Profile Domain,Private

# Create outbound rule with specific ports
New-NetFirewallRule -DisplayName "Allow MyApp Outbound" -Direction Outbound -Program "C:\Program Files\MyApp\myapp.exe" -Protocol TCP -LocalPort 80,443 -Action Allow
  1. Test the application functionality after creating the rule
  2. Monitor Event ID 5157 to confirm the blocks are resolved
Warning: Only create firewall exceptions for trusted applications. Verify application signatures and sources before allowing network access.
05

Advanced WFP Filter Analysis and Troubleshooting

Perform deep analysis of Windows Filtering Platform filters and layers for complex blocking scenarios.

  1. Use the Windows Performance Toolkit to capture detailed WFP information:
  2. Install Windows SDK or download WPT separately
  3. Run Command Prompt as Administrator
  4. Capture WFP trace data:
# Start WFP tracing
netsh wfp capture start file=c:\temp\wfp.etl

# Reproduce the blocked connection issue
# Stop tracing after reproducing the issue
netsh wfp capture stop
  1. Analyze WFP filters and layers using netsh commands:
# Show all WFP filters
netsh wfp show filters file=c:\temp\filters.xml

# Show specific layer information
netsh wfp show state file=c:\temp\wfpstate.xml

# Display filter information for specific layer
netsh wfp show filters layer=FWPM_LAYER_ALE_AUTH_CONNECT_V4
  1. Cross-reference the Filter ID from Event 5157 with WFP filter output
  2. Examine filter conditions and weights to understand blocking logic
  3. Check for conflicting filters or unexpected filter priorities
  4. Use PowerShell to query WFP programmatically:
# Get WFP filter information using WMI
Get-CimInstance -Namespace root/StandardCimv2 -ClassName MSFT_NetFirewallRule | Where-Object {$_.Action -eq 3} | Select-Object InstanceID, DisplayName, Direction

# Analyze network connections and their states
Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'} | Select-Object LocalAddress, LocalPort, OwningProcess, @{Name='ProcessName';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
  1. Review third-party security software that might be adding WFP filters
  2. Check for Group Policy settings that might be creating restrictive filters
  3. Document findings and create comprehensive firewall rule modifications
Pro tip: Use netsh wfp show options to display current WFP configuration options and troubleshooting settings.

Overview

Event ID 5157 fires when Windows Filtering Platform (WFP) blocks a network connection attempt based on configured firewall rules. This audit event appears in the Security log when network connection auditing is enabled through Group Policy or local security settings. The event captures critical details including source and destination IP addresses, ports, protocols, and the specific filter that triggered the block.

Windows Filtering Platform serves as the foundation for Windows Defender Firewall and third-party security solutions. When WFP blocks traffic, Event ID 5157 provides forensic evidence for security investigations and helps administrators validate firewall rule effectiveness. This event becomes particularly valuable during security incidents, compliance audits, and network troubleshooting scenarios.

The event generates automatically when audit policies are configured for filtering platform connection events. System administrators rely on these logs to monitor blocked connection attempts, identify potential security threats, and fine-tune firewall configurations for optimal network security posture.

Frequently Asked Questions

What does Event ID 5157 mean and when should I be concerned?+
Event ID 5157 indicates that Windows Filtering Platform blocked a network connection attempt. This is typically normal behavior when your firewall is working correctly to block unwanted traffic. You should be concerned if legitimate applications are being blocked, if you see unusual patterns of blocked connections from internal systems, or if the volume of blocked connections suddenly increases significantly, which might indicate a security threat or misconfigured firewall rules.
How can I determine which firewall rule is causing Event ID 5157?+
The Event ID 5157 details include a Filter ID and Layer Name that correspond to specific Windows Filtering Platform filters. You can cross-reference this information by using 'netsh wfp show filters' command or by examining your Windows Defender Firewall rules in the Advanced Security console. Look for rules with 'Block' action that match the source/destination IPs, ports, and protocols shown in the event. The filter weight and conditions will help you identify the exact rule responsible for the block.
Why am I seeing Event ID 5157 for applications that should be allowed?+
This typically occurs when firewall rules are too restrictive or when there are conflicting rules. Check if the application has proper firewall exceptions configured for both inbound and outbound traffic. Verify that the application path in the firewall rule matches exactly with the path shown in Event ID 5157. Also, ensure that the firewall rule applies to the correct network profiles (Domain, Private, Public) based on your current network connection type. Third-party security software might also be adding additional WFP filters that block the connection.
Can Event ID 5157 help me identify security threats?+
Yes, Event ID 5157 is valuable for security monitoring. Look for patterns such as repeated connection attempts from external IP addresses, unusual applications trying to establish outbound connections, connections to suspicious ports or IP ranges, or high volumes of blocked connections from internal systems that might indicate malware activity. Correlate these events with other security logs and consider implementing automated monitoring rules to alert on suspicious patterns. The source IP, destination port, and application information in these events provide crucial forensic evidence.
How do I reduce the volume of Event ID 5157 entries without compromising security?+
You can reduce event volume by fine-tuning your audit policy settings to focus on specific scenarios. Use Group Policy to configure 'Audit Filtering Platform Connection' to log only failures or specific types of connections. Consider excluding routine blocked traffic like broadcast packets or known scanning attempts by creating specific firewall rules that silently drop this traffic. You can also adjust firewall logging settings to focus on specific IP ranges or applications. However, ensure you maintain adequate logging for security monitoring and compliance requirements before reducing event generation.
Documentation

References (2)

1
Microsoft Learn - Windows Filtering Platform ArchitectureComprehensive overview of Windows Filtering Platform architecture and componentshttps://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-architecture-overview
2
Microsoft Docs - Security Auditing EventsOfficial documentation covering Windows security auditing events and configurationhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5157#windows-firewall#network-security

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...