Spotlight on the Windows Filtering Platform

Windows Filtering Platform (WFP) is a new architecture introduced in Windows Vista and Windows Server 2008. WFP allows independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). With WFP, you can examine or modify outgoing and incoming packets within various points in the TCP/IP packet processing path and more easily create firewalls, antivirus software, diagnostic software, and other types of applications and services.

Note: WFP is not a firewall. It is a set of system services and user-mode and kernel-mode APIs that enable you to develop firewalls and other connection-monitoring or packet-processing software. For example, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 uses WFP.

Creating your packet-processing components with WFP gives you higher performance, a built-in filtering engine for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic, less programming complexity, built-in diagnostic support, and a strong security framework in which correctly configured filters cannot be bypassed.

To get started learning about WFP, see the Windows Filtering Platform WHDC article (written by yours truly :>). See the “Resources” section at the end for links to MSDN content and community resources.

WFP has been updated for Windows 7 and Windows Server 2008 R2. Check out this whitepaper for the details. For example, there is a new set of commands in the wfp context of the Network Shell (Netsh) command-line tool to do the following:

      Display all the effective filters

      Display recent network events, such as packet drops

      Display the current state of WFP and IPsec
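The first two commands are most useful together: the network events give the ID of the filter that dropped a packet, and the filter list tells you which filter that is. The PowerShell below is an added example, not part of the original post; it correlates the two using constructed XML whose element names are assumed to follow the layout of the netsh output, trimmed to the fields the script reads.

```powershell
# On a live system (elevated prompt) the real files come from the netsh wfp context:
#   netsh wfp show filters   file=filters.xml
#   netsh wfp show netevents file=netevents.xml
# Both documents below are CONSTRUCTED samples (assumed layout, documentation IP ranges).
[xml]$filters = @'
<wfpdiag><filters>
  <item><displayData><name>Sample block rule A</name></displayData><filterId>70001</filterId></item>
  <item><displayData><name>Sample block rule B</name></displayData><filterId>70002</filterId></item>
</filters></wfpdiag>
'@

[xml]$events = @'
<netEvents>
  <item><header><remoteAddrV4>198.51.100.7</remoteAddrV4><remotePort>445</remotePort></header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>70001</filterId></classifyDrop></item>
  <item><header><remoteAddrV4>198.51.100.9</remoteAddrV4><remotePort>445</remotePort></header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>70001</filterId></classifyDrop></item>
  <item><header><remoteAddrV4>192.0.2.20</remoteAddrV4><remotePort>3389</remotePort></header>
    <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>70099</filterId></classifyDrop></item>
  <item><header><remoteAddrV4>192.0.2.30</remoteAddrV4><remotePort>500</remotePort></header>
    <type>FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE</type></item>
</netEvents>
'@

# Index filter display names by filterId so each drop can be attributed to a filter.
$names = @{}
foreach ($f in $filters.SelectNodes('//filters/item')) {
    $names[$f.filterId] = $f.displayData.name
}

# Keep only classify-drop events, count them per filter, and list the remote endpoints hit.
$events.SelectNodes('//netEvents/item[type="FWPM_NET_EVENT_TYPE_CLASSIFY_DROP"]') |
    Group-Object { $_.classifyDrop.filterId } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $remotes = $_.Group |
            ForEach-Object { "$($_.header.remoteAddrV4):$($_.header.remotePort)" } |
            Sort-Object -Unique
        [pscustomobject]@{
            FilterId   = $_.Name
            # A drop can reference a filter that is absent from the filter dump.
            FilterName = if ($names.ContainsKey($_.Name)) { $names[$_.Name] } else { '(not in filters.xml)' }
            Drops      = $_.Count
            Remotes    = $remotes -join ', '
        }
    } | Format-Table -AutoSize
```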



Joe Davies
Principal Technical Writer
Windows Server Networking Documentation Team