Event ID 5159 – The Windows Filtering Platform has blocked a bind to a local port.
Event ID | 5159 |
Category | Object Access: Filtering Platform Connection |
Type | Failure Audit |
Whenever a client or server application is prevented from binding to a port by the WFP, event ID 5159 is logged. This hinders further TCP/UDP communications.
An example of 5159 event log:
The Windows Filtering Platform has blocked a bind to a local port.
Application Information:
Process ID:%1
Application Name:%2
Network Information:
Source Address:%3
Source Port:%4
Protocol:%5
Filter Information:
Filter Run-Time ID:%6
Layer Name:%7
Why does event ID 5159 need to be monitored?
- To ensure specific applications do not perform certain operations
- To monitor restricted applications
- To ensure that the source address is preferably from the same computer
- To monitor whether the destination address is an IP address from the Internet
- To ensure only whitelisted IP addresses are connected to
- To check the protocol that is being used by certain applications
Event 5159 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools