This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: ? 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network. ? 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ? 5155 : The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ? 5156: The Windows Filtering Platform has allowed a connection. ? 5157: The Windows Filtering Platform has blocked a connection. ? 5158: The Windows Filtering Platform has permitted a bind to a local port. ? 5159: The Windows Filtering Platform has blocked a bind to a local port. Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access!Audit Policy: Object Access: Filtering Platform Connection (2) WMI: ###