Event ID - 4957

Event Id4957
SourceMicrosoft-Windows-Security-Auditing
DescriptionWindows Firewall did not apply the following rule:
Rule Information: %tID:%t%1
%tName:%t%2
Error Information:
%tReason:%t%3 resolved to an empty set.
Event Information According to Microsoft :

Cause :

This event is logged when Windows Firewall did not apply the rule.

Resolution :

Review rule for applicability to local computer

Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforcable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied.

For example, if a connection security rule indicates that network traffic is to be encrypted with a specific security algorithm, and that algorithm is not available on the computer, then the rule cannot be successfully applied. To resolve this condition, review the rule to ensure that it uses only those features that are supported by the versions of Windows to which it will be applied.

Verify :

You can verify that your computer is successfully retrieving and processing firewall and Internet Protocol security (IPsec) settings and rules by examining the Event Viewer logs and looking for messages that indicate successful firewall policy processing.

To verify that firewall policy is being retrieved and processed correctly:
  1. Refresh Group Policy. Open an administrative command prompt. Click Start , click All Programs , click Accessories , right-click Command Prompt , and then click Run as administrator . At that command prompt, run the command gpupdate /force .
  2. After the policy refresh is complete, examine the Event log for the following event IDs:
  • 4945-4948 . These messages indicate successful processing of locally stored firewall policy.
  • 4954-4955 . This message indicates successful processing of Group Policy-provided firewall policy.
  • 5040-5049 . These messages indicate successful processing of IPsec policy.
The presence of one or more of those event messages when a changed policy is received is an indication that policy is being received and processed correctly.

You can also change a rule (in locally stored policy or a Group Policy object), and then examine the rules on the computer to confirm that the changed rule was received and processed correctly. Use the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in or the netsh advfirewall command-line tool to examine the rules on the local computer. The exact branch in the snap-in or the netsh command to use depends on the rule that you want to change.
Reference LinksEvent ID 4957 from Microsoft-Windows-Security-Auditing

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.