This security policy setting determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform, such as when:

• The Windows Firewall service blocks an application from accepting incoming connections on the network.
• The Windows Filtering Platform allows or blocks a connection.
• The Windows Filtering Platform permits or blocks a bind to a local port.
• The Windows Filtering Platform permits or blocks the listening of an application or service on a port for incoming connections.

Event volume: High

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, unless otherwise noted.

• 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
• 5140: A network share object was accessed. (Note: This event is logged only on computers running Windows Server 2008 R2 or Windows 7.)
• 5150: The Windows Filtering Platform blocked a packet.
• 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.
• 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
• 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
• 5156: The Windows Filtering Platform has allowed a connection.
• 5157: The Windows Filtering Platform has blocked a connection.
• 5158: The Windows Filtering Platform has permitted a bind to a local port.
• 5159: The Windows Filtering Platform has blocked a bind to a local port.