More details on each settings:
Disabling Event 5156
Event ID 5156 should occur if the Success or Failure audit was enabled for Filtering Platform Connection in Advanced Audit Policy Configuration setting which is available from Windows 2008 R2 and later versions.
Category: Object Access Subcategory: Filtering Platform Connection
You will get the following Event IDs if the Filtering Platform Connection is enabled.
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network. 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 5156 - The Windows Filtering Platform has allowed a connection 5157 - The Windows Filtering Platform has blocked a connection 5158 - The Windows Filtering Platform has permitted a bind to a local port. 5159 -The Windows Filtering Platform has blocked a bind to a local port.
We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.
Possible Solution: 1- using Auditpol exe
If you would like to get rid of this Filtering Platform Connection event 5156 then you need to run the following commands in an elevated command prompt (Run As Administrator):
Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable
Then update gpo by this command
Possible Solution: 2 - using Local Security Policy
You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.
1. Press the key Windows + R 2. Type command secpol.msc, click OK 3. Then go to the node Advanced Audit Policy Configuration->Object Access. 4. Check the audit setting Audit Filtering Platform Connection If it is configured as Success, you can revert it Not Configured and Apply the setting.
Possible Solution: 3 - using Group Policy Object
If the setting is inherited from any other GPO to Local Security Policy,You need to edit the specific GPO which is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.
1. Press the key Windows + R 2. Type command rsop.msc, click OK. 3. Now you can the below result window. Then go to the node Computer Configuration ->Windows Settings ->Local Polices-> Audit Policy.
4. Now, you can see the Source GPO of the setting Audit Object Access which is the root Setting for Audit Filtering Platform Connection.
5. Then you can edit the Audit Filtering Platform Connection of corresponding GPO by running GPMC.msc command through Run window or command window.
Note:You need run the command GPUpdate /force after every changes to apply group policy to system immediately.