FWP_E_ACTION_INCOMPATIBLE_WITH_LAYER (0X8032002C) Fix
Windows Filtering Platform error when a firewall rule's action doesn't match the layer it's applied to. Usually a corrupt WFP rule or driver conflict.
Quick answer for advanced users
Run netsh wfp reset from an elevated command prompt, then reboot. If that fails, manually remove the offending rule via netsh advfirewall firewall delete rule name="YourRuleName".
What the hell is this error?
This error shows up when Windows Filtering Platform (WFP) — the low-level firewall engine since Vista — has a rule that tries to apply an action (like Block or Permit) at a layer where that action isn't allowed. Think of it like trying to put a highway exit ramp in the middle of a residential street. WFP layers are specific: some only allow Block at the AUTH_RECV_ACCEPT layer, but you've got a Permit there. It just doesn't work. Usually happens after a third-party firewall install/uninstall, a VPN client (I've seen this with Palo Alto GlobalProtect and Cisco AnyConnect), or a Windows Update that borked the rules.
Had a client last month whose entire print queue died because of this — the error popped when their accounting software tried to open a network printer port. The firewall rule was blocking traffic at the wrong layer, and the print spooler just sat there spinning.
How to fix it — step by step
- Identify the culprit. Open Event Viewer (eventvwr.msc), go to Windows Logs > System, filter for WFP in the source column. You'll see the exact rule name and GUID. Write that down.
- Reset WFP. Open Command Prompt as Administrator. Type:
      netsh wfp reset
  Press Enter. This clears the entire WFP state including all filters. Your firewall will revert to defaults. Reboot.
- If it still shows — kill the rule directly. If you know the rule name from step 1, run:
      netsh advfirewall firewall delete rule name="RuleNameHere"
  If you don't know the name, dump all rules:
      netsh advfirewall firewall show rule name=all
  Then delete the one that's causing it.
- Recreate the rule properly. When you add it back, make sure the action matches the layer. For example, if you're blocking outbound traffic, use dir=out and action=block. Don't mix action=block with dir=in at a layer that only allows permit. I've seen people blindly copy-paste PowerShell commands from forums and create mismatched rules that way.
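
The delete-and-recreate steps above as an added PowerShell example (not from the original page): it exports the current policy first, shows the direction and action of every rule with the given name, removes them, and adds back an outbound block rule like the one in the example. The rule name, backup path, protocol and port are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Placeholder values are marked.
$RuleName   = 'RuleNameHere'   # placeholder: the rule name found in Event Viewer
$BackupPath = Join-Path $env:TEMP ("advfirewall-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
$ErrorActionPreference = 'Stop'

# 1. Export the whole firewall policy first so the change can be rolled back
#    with: netsh advfirewall import "<file>"
netsh advfirewall export "$BackupPath" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Policy export failed; nothing was changed." }
Write-Host "Policy backed up to $BackupPath"

# 2. The netsh 'name=' value corresponds to the rule's DisplayName in PowerShell.
$rules = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
if ($rules.Count -eq 0) { throw "No firewall rule named '$RuleName' was found." }

# 3. Show direction and action side by side before touching anything, so the
#    mismatch (and any duplicate rules sharing the name) is visible and recorded.
$rules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Enabled     = $_.Enabled
        Direction   = $_.Direction
        Action      = $_.Action
        Protocol    = $port.Protocol
        LocalPort   = $port.LocalPort
        RemotePort  = $port.RemotePort
    }
} | Format-Table -AutoSize

# 4. Remove every rule that carries that name.
$rules | Remove-NetFirewallRule

# 5. Recreate it with direction and action stated explicitly and consistently.
#    Outbound + Block mirrors the dir=out / action=block case in the text;
#    TCP and port 445 are constructed sample values.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 445 -Profile Any |
    Select-Object DisplayName, Direction, Action, Enabled
```

If the recreated rule still triggers the error, restore the saved policy with netsh advfirewall import and the path printed in step 1.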
If the main fix doesn't work
Sometimes the registry for WFP gets corrupted too. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE and delete the Parameters key. Reboot. This forces a fresh load of the service. I've had to do this for a client running a custom VPN that left a trail of broken WFP rules after uninstall.
Another thing: check if you have any old third-party firewall leftover services. Tools like Autoruns can show you if, say, McAfee or Norton left a WFP driver behind. Disable those services, reboot.
Prevention tip
Before you install any VPN or firewall software, create a System Restore point. Seriously. WFP gets hammered by these apps. When you uninstall them, run netsh wfp reset right after, just to clean up any orphaned rules. Also, avoid mixing Windows Defender Firewall with third-party firewalls — they step on each other's layers. Pick one. I've seen enough dumb errors from Norton and Windows Firewall fighting each other to last a lifetime.