WFP Sublayers

  • Question


    While configuring filters, some Microsoft samples use FWPM_SUBLAYER_UNIVERSAL as the subLayerKey while others use their own GUID.

    What's the difference in the functionality or behavior?


    Thursday, March 20, 2014 6:28 PM

All replies

  • UNIVERSAL is the default sublayer if one is not specified.  Sublayers are used to arbitrate filters from various providers.

    If everyone sat at a single sublayer, then everyone would be fighting to be the filter weighted highest, because their decision is more reliable in their view than a provider they do not know.  Having people use their own sublayer means they only have to worry about what filters they apply, and know that they had a say in the decision for the ultimate outcome of that layer.

    Arbitration is essentially:

    Starting with the highest weighted sublayer, find all matching filters within that sublayer, and arbitrate from highest to lowest until a terminating decision is made (PERMIT / BLOCK).

    Note the terminating decision and arbitrate the next sublayer.

    This happens until all sublayers have their say in the decision.  The filtering engine then enforces the final decision based off the arbitration.

    This allows someone at SUBLAYER A to say PERMIT and SUBLAYER B to say BLOCK and have the packet actually blocked.  Whereas if they were both sitting in the same sublayer, then the highest weighted makes the decision, and the other filter has no say.

    This was a very high-level, straightforward overview of the process.  There are other factors that can be involved (like the ABSORB flag) etc.  For a more comprehensive view, the following link should help:


    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, March 20, 2014 10:36 PM
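The arbitration described in the reply above, as an added example that is not part of the original thread and not WFP's own code: a small Python model in which sublayers are walked by weight, filters within each sublayer by weight until a terminating PERMIT/BLOCK, and a BLOCK from any sublayer beats a PERMIT from another. Sublayer names, weights, the packet and the two filters are constructed; hard permits, the ABSORB flag and callouts are left out of the model.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of the arbitration described in the reply (not the real WFP
# engine): no hard permits, no ABSORB, no callouts.

@dataclass
class Filter:
    name: str
    sublayer: str                     # sublayer key (a GUID in real WFP)
    weight: int                       # filter weight within its sublayer
    action: str                       # "PERMIT", "BLOCK" or "CONTINUE" (non-terminating)
    matches: Callable[[dict], bool]   # filter condition on the classified packet

def arbitrate(packet, sublayer_weights, filters, layer_default="PERMIT"):
    """Return the final action and each sublayer's own terminating decision."""
    decisions = {}
    # Highest-weighted sublayer first.
    for sub in sorted(sublayer_weights, key=sublayer_weights.get, reverse=True):
        matching = sorted((f for f in filters if f.sublayer == sub and f.matches(packet)),
                          key=lambda f: f.weight, reverse=True)
        decisions[sub] = "NONE"
        # Highest-weighted matching filter first; stop at the first terminating decision.
        for f in matching:
            if f.action in ("PERMIT", "BLOCK"):
                decisions[sub] = f"{f.action} by {f.name}"
                break
    # Every sublayer has had its say: a BLOCK anywhere wins, then PERMIT, else the layer default.
    verdicts = [d.split()[0] for d in decisions.values()]
    final = "BLOCK" if "BLOCK" in verdicts else "PERMIT" if "PERMIT" in verdicts else layer_default
    return final, decisions

# Constructed packet and filters: provider A permits remote port 443, provider B
# blocks one remote host. Provider A's filter carries the higher filter weight.
PACKET = {"remote_ip": "203.0.113.7", "remote_port": 443}
def permit_443(p): return p["remote_port"] == 443
def block_host(p): return p["remote_ip"] == "203.0.113.7"

def shared_sublayer():
    """Both providers in one sublayer: the higher weight decides, the other has no say."""
    filters = [Filter("A-permit-443", "UNIVERSAL", 20, "PERMIT", permit_443),
               Filter("B-block-host", "UNIVERSAL", 10, "BLOCK", block_host)]
    return arbitrate(PACKET, {"UNIVERSAL": 0}, filters)

def own_sublayers():
    """Each provider in its own sublayer: A says PERMIT, B says BLOCK, packet is blocked."""
    filters = [Filter("A-permit-443", "SUBLAYER_A", 20, "PERMIT", permit_443),
               Filter("B-block-host", "SUBLAYER_B", 10, "BLOCK", block_host)]
    return arbitrate(PACKET, {"SUBLAYER_A": 0x2000, "SUBLAYER_B": 0x1000}, filters)
```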