FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
bksol92
Staff
Article Id 398815
Description This article describes how Windows Filtering Platform (WFP) filters could interfere with collector communication.
Scope All collector versions.
Solution

In certain cases, an endpoint cannot reach the cloud aggregator service on port 8081 (for example, a Telnet test to that port fails), even though the firewall that processes outbound traffic from the endpoint allows the service.

 

In such cases, it is natural to look for a misconfigured rule in Windows Firewall, but there are also less obvious factors to consider. A misconfigured Windows Filtering Platform (WFP) filter can also prevent the collector from reaching the ports it needs to function. WFP filters are not shown in the Windows Firewall GUI; they can only be retrieved by running the following command from an elevated CMD prompt:

 

netsh wfp show filters

 

The command writes the filter list to filters.xml in the current directory. Review that output for filters that may be blocking collector traffic, such as the following:

 

<providerKey>{aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
<subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
<weight>
<type>FWP_EMPTY</type>
</weight>
<filterCondition numItems="4">
<item>
<fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT32</type>
<uint32>192.168.30.164</uint32>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT16</type>
<uint16>8081</uint16>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>17</uint8>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>1</uint8>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_BLOCK</type>
<filterType/>
</action>
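The manual review above can be automated. The following script is an added example and not part of the original article or of FortiEDR: it parses the filters.xml written by netsh and reports every FWP_ACTION_BLOCK filter whose conditions name a collector port, together with the provider key needed for the registry cross-reference. The embedded sample is constructed from the fragment above; the <wfpdiag>/<filters> wrapper and the filterKey value are assumptions.

```python
"""Scan `netsh wfp show filters` output (filters.xml) for BLOCK filters on collector ports."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's fragment; the <wfpdiag>/<filters>
# wrapper and the filterKey value are assumptions, not taken from the page.
SAMPLE_XML = """<wfpdiag><filters>
<item><filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
  <providerKey>{aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3}</providerKey>
  <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
  <filterCondition numItems="2">
    <item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_UINT16</type><uint16>8081</uint16></conditionValue></item>
    <item><fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue><type>FWP_UINT8</type><uint8>17</uint8></conditionValue></item>
  </filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action></item>
</filters></wfpdiag>"""

COLLECTOR_PORTS = {8081}  # aggregator port named in the article
PORT_FIELDS = ("FWPM_CONDITION_IP_REMOTE_PORT", "FWPM_CONDITION_IP_LOCAL_PORT")

def condition_value(cond):
    """Text of the scalar inside <conditionValue> (uint8/uint16/uint32...), None for ranges."""
    for child in cond.findall("conditionValue/*"):
        if child.tag != "type":
            return (child.text or "").strip() or None
    return None

def blocking_filters(xml_text, ports=COLLECTOR_PORTS):
    """Return BLOCK filters that match a collector port, with provider key and conditions."""
    hits = []
    for flt in ET.fromstring(xml_text).iter("item"):
        layer = flt.findtext("layerKey")          # condition <item>s have no layerKey/action
        action = (flt.findtext("action/type") or "").strip()
        if layer is None or action != "FWP_ACTION_BLOCK":
            continue
        conds = {c.findtext("fieldKey", "").strip(): condition_value(c)
                 for c in flt.findall("filterCondition/item")}
        if any((conds.get(f) or "").isdigit() and int(conds[f]) in ports for f in PORT_FIELDS):
            hits.append({"filterKey": flt.findtext("filterKey", "").strip(),
                         "providerKey": flt.findtext("providerKey", "").strip(),
                         "layer": layer.strip(), "conditions": conds})
    return hits

if __name__ == "__main__":
    # Pass the path to filters.xml as the first argument; bytes let ET honour its XML declaration.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for h in blocking_filters(xml_text):
        print(f"{h['layer']} BLOCK by provider {h['providerKey']} -> {h['conditions']}")
```

Each reported providerKey can then be looked up under the BFE Provider registry key to identify the owning service.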

 

The filter's provider key aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3 can be cross-referenced with the following registry key to determine which service is responsible for the WFP rule:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Provider

 

[Screenshot reg-value-bfe.png: the provider entry under the BFE Provider registry key]

 

In this case, the provider key belongs to the IPsec Policy Agent, a service hosted by polstore.dll:

 

Provider ID: {aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3}
Provider Name: IPsec Policyagent
Provider Type: Persistent

 

[Screenshot polstore.png: the polstore.dll provider details]

 

The same provider can also be seen in the Windows Security log under Event ID 5442.

 

Disabling the service should remove the offending WFP filter. Note, however, that the Windows Filtering Platform can also be abused deliberately to cut off collector communication, as tools such as EDRSilencer do, so a blocking filter of this kind should not be assumed to be a misconfiguration until its provider has been identified.