Microsoft-Windows-WFP

40 events across 5 channels

Event ID	Title	Channel
1001	WFP: Packet Dropped - Filter Run-Time ID: %14, Layer Run-Time ID: %15.	Analytic
1003	IPsec: Packet Dropped - Error Code: %9, Filter Run-Time ID: %12, Layer Run-Time …	Analytic
1005	IPsec: Main Mode Failure	Operational
1007	IPsec: Quick Mode Failure	Operational
1009	IPsec: Extended Mode Failure	Operational
1011	IPsec DoS Protection: Packet Dropped	Analytic
1013	IPsec: Main Mode SA Terminated	Operational
1013	IPsec: Main Mode SA Terminated	Debug
1014	IPsec: Main Mode SA Established	Debug
1015	IPsec: Main Mode SA Established	Debug
1016	IPsec: Extended Mode and Main Mode SAs Established	Debug
1017	IPsec: Extended Mode and Main Mode SAs Established	Debug
1018	IPsec: Extended Mode and Main Mode SAs Established	Debug
1019	IPsec: Extended Mode and Main Mode SAs Established	Debug
1020	IPsec DoS Protection Enabled	Operational
1021	IPsec DoS Protection Disabled	Operational
1022	IPsec DoS Protection failed to create state because the maximum number of …	Operational
1023	IPsec: Negotiation Request Initiated	Debug
1024	IPsec: Send ISAKMP Packet	Debug
1025	IPsec: Receive ISAKMP Packet	Debug
1026	WFP: User Mode Error	Debug
1027	An IPsec quick mode security association ended.	Operational
1027	An IPsec quick mode security association ended.	Debug
1028	An IPsec quick mode security association was established.	Operational
1029	WFP: Packet Dropped - Filter Run-Time ID: %10, Layer Run-Time ID: %11.	Analytic
1030	Transaction Watchdog Timeout The filtering engine has exceeded the configured …	Operational
1031	File path trigger increment due to match for %2, counter value %1.	Operational
1032	File path trigger decrement due to match for %2, counter value %1.	Operational
1033	Modern app trigger increment due to match for %2, counter value %1.	Operational
1034	Modern app trigger decrement due to match for %2, counter value %1.	Operational
1035	Modern app trigger decrement due to match for %2, counter value %1.	Operational
1036	Modern app trigger decrement due to match for %2, counter value %1.	Operational
1037	Trigger increment due to NRPT lookup, counter value %1.	Operational
1038	Trigger decrement due to NRPT idle, counter value %1.	Operational
1039	Trigger increment due to flow creation, counter value: %1, local address: %3, …	Operational
1040	Trigger decrement due to flow deletion, counter value: %1, local address: %3, …	Operational
1041	Connect occurred due to unexpected disconnect, counter value %1.	Operational
1042	Disconnecting after expiration of debounce interval	Operational
1043	IPsec: Main Mode SA Established	Operational
1044	Received the first packet on low power enabled IKE tunnel with SPI.	Operational

Event ID 1001 — WFP: Packet Dropped - Filter Run-Time ID: %14, Layer Run-Time ID: %15.

Provider: Microsoft-Windows-WFP
Channel: Analytic

Message

WFP: Packet Dropped - Filter Run-Time ID: %14, Layer Run-Time ID: %15

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`ReauthReason`	—
`OriginalProfile`	—
`CurrentProfile`	—
`PacketDirection`	—
`Loopback`	—
`FilterId`	—
`LayerId`	—
`vSwitchId`	—
`SourcevSwitchPort`	—
`DestinationvSwitchPort`	—
`EnterpriseId`	—
`PolicyFlags`	—
`EffectiveName`	—

Event ID 1003 — IPsec: Packet Dropped - Error Code: %9, Filter Run-Time ID: %12, Layer Run-Time ID: %13.

Provider: Microsoft-Windows-WFP
Channel: Analytic

Message

IPsec: Packet Dropped - Error Code: %9, Filter Run-Time ID: %12, Layer Run-Time ID: %13

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`FailureStatus`	—
`Direction`	—
`SPI`	—
`FilterId`	—
`LayerId`	—

Event ID 1005 — IPsec: Main Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec: Main Mode Failure

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`LocalSpn`	—
`PeerSpn`	—
`LocalGroupSidCount`	—
`LocalGroupSidLength`	—
`LocalGroupSids`	—
`RemoteGroupSidCount`	—
`RemoteGroupSidLength`	—
`RemoteGroupSids`	—
`FailureErrorCode`	—
`FailurePoint`	—
`Flags`	—
`KeyingModuleType`	—
`MmState`	—
`SaRole`	—
`MMAuthMethod`	—
`EndCertHash`	—
`MMId`	—
`MMFilterId`	—
`ProviderContextKey`	—

Event ID 1007 — IPsec: Quick Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec: Quick Mode Failure

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`FailureErrorCode`	—
`FailurePoint`	—
`KeyingModuleType`	—
`QMState`	—
`SaRole`	—
`SaTrafficType`	—
`QMFilterId`	—
`MMSaLuid`	—
`MMProviderContextKey`	—

Event ID 1009 — IPsec: Extended Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec: Extended Mode Failure

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`LocalSpn`	—
`PeerSpn`	—
`LocalGroupSidCount`	—
`LocalGroupSidLength`	—
`LocalGroupSids`	—
`RemoteGroupSidCount`	—
`RemoteGroupSidLength`	—
`RemoteGroupSids`	—
`FailureErrorCode`	—
`FailurePoint`	—
`Flags`	—
`EMState`	—
`SaRole`	—
`EMAuthMethod`	—
`EndCertHash`	—
`MMId`	—
`QMFilterId`	—

Event ID 1011 — IPsec DoS Protection: Packet Dropped

Provider: Microsoft-Windows-WFP
Channel: Analytic

Message

IPsec DoS Protection: Packet Dropped

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`InternetHostAddress`	—
`CorpnetHostAddress`	—
`FailureStatus`	—
`Direction`	—

Event ID 1013 — IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Operational

Fields

Name	Description
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`KeyingModule`	—
`SaLuid`	—
`ICookie`	—
`RCookie`	—

Event ID 1013 — IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Main Mode SA Terminated

Fields

Name	Description
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`KeyingModule`	—
`SaLuid`	—
`ICookie`	—
`RCookie`	—

Event ID 1014 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Main Mode SA Established

Fields

Name	Description
`LocalSpn`	—
`PeerSpn`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`KeyingModule`	—
`AuthenticationMethodType`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—

Event ID 1015 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Main Mode SA Established

Fields

Name	Description
`LocalCertDnSubject`	—
`LocalCertShaThumbprintLength`	—
`LocalCertShaThumbprint`	—
`LocalCertDnIssuer`	—
`LocalCertDnRoot`	—
`PeerCertDnSubject`	—
`PeerCertShaThumbprintLength`	—
`PeerCertShaThumbprint`	—
`PeerCertDnIssuer`	—
`PeerCertDnRoot`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`KeyingModule`	—
`AuthenticationMethodType`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—

Event ID 1016 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Extended Mode and Main Mode SAs Established

Fields

Name	Description
`LocalCertDnSubject`	—
`LocalCertShaThumbprintLength`	—
`LocalCertShaThumbprint`	—
`LocalCertDnIssuer`	—
`LocalCertDnRoot`	—
`PeerCertDnSubject`	—
`PeerCertShaThumbprintLength`	—
`PeerCertShaThumbprint`	—
`PeerCertDnIssuer`	—
`PeerCertDnRoot`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—
`LocalUmCertDnSubject`	—
`LocalUmCertShaThumbprintLength`	—
`LocalUmCertShaThumbprint`	—
`LocalUmCertDnIssuer`	—
`LocalUmCertDnRoot`	—
`PeerUmCertDnSubject`	—
`PeerUmCertShaThumbprintLength`	—
`PeerUmCertShaThumbprint`	—
`PeerUmCertDnIssuer`	—
`PeerUmCertDnRoot`	—
`UMImpersonation`	—
`QMFilterId`	—

Event ID 1017 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Extended Mode and Main Mode SAs Established

Fields

Name	Description
`LocalCertDnSubject`	—
`LocalCertShaThumbprintLength`	—
`LocalCertShaThumbprint`	—
`LocalCertDnIssuer`	—
`LocalCertDnRoot`	—
`PeerCertDnSubject`	—
`PeerCertShaThumbprintLength`	—
`PeerCertShaThumbprint`	—
`PeerCertDnIssuer`	—
`PeerCertDnRoot`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—
`UMLocalSPN`	—
`UMPeerSPN`	—
`UMAuthenticationMethodType`	—
`UMImpersonation`	—
`QMFilterId`	—

Event ID 1018 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Extended Mode and Main Mode SAs Established

Fields

Name	Description
`LocalSPN`	—
`PeerSPN`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`AuthenticationMethodType`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—
`LocalUmCertDnSubject`	—
`LocalUmCertShaThumbprintLength`	—
`LocalUmCertShaThumbprint`	—
`LocalUmCertDnIssuer`	—
`LocalUmCertDnRoot`	—
`PeerUmCertDnSubject`	—
`PeerUmCertShaThumbprintLength`	—
`PeerUmCertShaThumbprint`	—
`PeerUmCertDnIssuer`	—
`PeerUmCertDnRoot`	—
`UMImpersonation`	—
`QMFilterId`	—

Event ID 1019 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Extended Mode and Main Mode SAs Established

Fields

Name	Description
`LocalSpn`	—
`PeerSpn`	—
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`AuthenticationMethodType`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—
`UMLocalSPN`	—
`UMPeerSPN`	—
`UMAuthenticationMethodType`	—
`UMImpersonation`	—
`QMFilterId`	—

Event ID 1020 — IPsec DoS Protection Enabled

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec DoS Protection Enabled

Event ID 1021 — IPsec DoS Protection Disabled

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec DoS Protection Disabled

Event ID 1022 — IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Event ID 1023 — IPsec: Negotiation Request Initiated

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Negotiation Request Initiated

Fields

Name	Description
`KeyingModule`	—
`AcquireContext`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`Mode`	—
`FilterId`	—
`IPProtocol`	—
`InterfaceLuid`	—
`ProfileId`	—
`LocalUdpEncapPort`	—
`RemoteUdpEncapPort`	—
`MMTargetName`	—
`EMTargetName`	—
`NumTokens`	—
`Token1Type`	—
`Token1Principal`	—
`Token1Mode`	—
`Token1`	—
`Token2Type`	—
`Token2Principal`	—
`Token2Mode`	—
`Token2`	—
`Token3Type`	—
`Token3Principal`	—
`Token3Mode`	—
`Token3`	—
`Token4Type`	—
`Token4Principal`	—
`Token4Mode`	—
`Token4`	—
`VirtualIfTunnelId`	—
`TrafficSelectorId`	—
`Flags`	—
`RekeySPI`	—
`OrigVirtualIfTunnelId`	—
`PacketLocalAddressLength`	—
`PacketLocalAddress`	—
`PacketRemoteAddressLength`	—
`PacketRemoteAddress`	—
`PacketIPProtocol`	—
`PacketInterfaceLuid`	—
`PacketProfileId`	—

Event ID 1024 — IPsec: Send ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Send ISAKMP Packet

Fields

Name	Description
`ICookie`	—
`RCookie`	—
`ExchangeType`	—
`Length`	—
`NextPayload`	—
`Flags`	—
`MessageID`	—
`LocalAddress`	—
`LocalPort`	—
`LocalProtocol`	—
`RemoteAddress`	—
`RemotePort`	—
`RemoteProtocol`	—
`InterfaceLuid`	—

Event ID 1025 — IPsec: Receive ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

IPsec: Receive ISAKMP Packet

Fields

Name	Description
`ICookie`	—
`RCookie`	—
`ExchangeType`	—
`Length`	—
`NextPayload`	—
`Flags`	—
`MessageID`	—
`LocalAddress`	—
`LocalPort`	—
`LocalProtocol`	—
`RemoteAddress`	—
`RemotePort`	—
`RemoteProtocol`	—
`InterfaceLuid`	—
`ProfileId`	—

Event ID 1026 — WFP: User Mode Error

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

WFP: User Mode Error

Fields

Name	Description
`Function`	—
`ErrorCode`	—

Event ID 1027 — An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Operational

Fields

Name	Description
`LocalAddressLength`	—
`LocalAddress`	—
`LocalAddressMask`	—
`LocalTunnelEndpointLength`	—
`LocalTunnelEndpoint`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`RemoteAddressMask`	—
`RemoteTunnelEndpointLength`	—
`RemoteTunnelEndpoint`	—
`IPProtocol`	—
`QMSaLuid`	—
`VirtualIFTunnelId`	—
`VirtualIFTrafficSelectorId`	—
`InboundSPI`	—
`OutboundSPI`	—

Event ID 1027 — An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Debug

Message

An IPsec quick mode security association ended.

Fields

Name	Description
`LocalAddressLength`	—
`LocalAddress`	—
`LocalAddressMask`	—
`LocalTunnelEndpointLength`	—
`LocalTunnelEndpoint`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`RemoteAddressMask`	—
`RemoteTunnelEndpointLength`	—
`RemoteTunnelEndpoint`	—
`IPProtocol`	—
`QMSaLuid`	—
`VirtualIFTunnelId`	—
`VirtualIFTrafficSelectorId`	—
`InboundSPI`	—
`OutboundSPI`	—

Event ID 1028 — An IPsec quick mode security association was established.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

An IPsec quick mode security association was established.

Fields

Name	Description
`LocalAddressLength`	—
`LocalAddress`	—
`LocalAddressMask`	—
`LocalTunnelEndpointLength`	—
`LocalTunnelEndpoint`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`RemoteAddressMask`	—
`RemoteTunnelEndpointLength`	—
`RemoteTunnelEndpoint`	—
`IPProtocol`	—
`KeyingModuleName`	—
`AHAuthType`	—
`ESPAuthType`	—
`ESPCipherType`	—
`LifetimeSeconds`	—
`LifetimeKilobytes`	—
`LifetimePackets`	—
`Mode`	—
`Role`	—
`TransportFilterId`	—
`MMSaLuid`	—
`QMSaLuid`	—
`InboundSPI`	—
`OutboundSPI`	—
`VirtualIFTunnelId`	—
`VirtualIFTrafficSelectorId`	—
`RekeySPI`	—

Event ID 1029 — WFP: Packet Dropped - Filter Run-Time ID: %10, Layer Run-Time ID: %11.

Provider: Microsoft-Windows-WFP
Channel: Analytic

Message

WFP: Packet Dropped - Filter Run-Time ID: %10, Layer Run-Time ID: %11

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`EtherType`	—
`MediaType`	—
`InterfaceType`	—
`VlanTag`	—
`FilterId`	—
`LayerId`	—
`vSwitchId`	—
`SourcevSwitchPort`	—
`DestinationvSwitchPort`	—

Event ID 1030 — Transaction Watchdog Timeout The filtering engine has exceeded the configured threshold to process a transaction.

Provider: Microsoft-Windows-WFP
Channel: Operational
Level: 3
Samples: 1

Message

Transaction Watchdog Timeout
The filtering engine has exceeded the configured threshold to process a transaction. This could indicate a suboptimal policy configuration that may cause temporary network outages.
    Owning Process ID: %1
    Transaction Time (msec): %2
    Transaction Commit Time (msec): %3
    Configured Threshold (msec): %4

Fields

Name	Description
`ProcessId`	—
`TxnTimeInMSec`	—
`CommitTimeInMSec`	—
`WatchdogTimeoutInMSec`	—

Example Event

system:
  provider: Microsoft-Windows-WFP
  guid: 0C478C5B-0351-41B1-8C58-4A6737DA32E3
  event_source_name: ''
  event_id: 1030
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686293305294848
  time_created: '2023-11-06T00:38:29.619758+00:00'
  event_record_id: 29
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 7680
  channel: Microsoft-Windows-WFP/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ProcessId: 4940
  TxnTimeInMSec: 968
  CommitTimeInMSec: 0
  WatchdogTimeoutInMSec: 500
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1031 — File path trigger increment due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

File path trigger increment due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`FilePath`	—

Event ID 1032 — File path trigger decrement due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

File path trigger decrement due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`FilePath`	—

Event ID 1033 — Modern app trigger increment due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Modern app trigger increment due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`AppSID`	—

Event ID 1034 — Modern app trigger decrement due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Modern app trigger decrement due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`AppSID`	—

Event ID 1035 — Modern app trigger decrement due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Modern app trigger decrement due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`SecurityDescriptor`	—

Event ID 1036 — Modern app trigger decrement due to match for %2, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Modern app trigger decrement due to match for %2, counter value %1

Fields

Name	Description
`Counter`	—
`SecurityDescriptor`	—

Event ID 1037 — Trigger increment due to NRPT lookup, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Trigger increment due to NRPT lookup, counter value %1

Fields

Name	Description
`Counter`	—

Event ID 1038 — Trigger decrement due to NRPT idle, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Trigger decrement due to NRPT idle, counter value %1

Fields

Name	Description
`Counter`	—

Event ID 1039 — Trigger increment due to flow creation, counter value: %1, local address: %3, remote address: %5, protocol %6.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Trigger increment due to flow creation, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields

Name	Description
`Counter`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`IPProtocol`	—

Event ID 1040 — Trigger decrement due to flow deletion, counter value: %1, local address: %3, remote address: %5, protocol %6.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Trigger decrement due to flow deletion, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields

Name	Description
`Counter`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`IPProtocol`	—

Event ID 1041 — Connect occurred due to unexpected disconnect, counter value %1.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Connect occurred due to unexpected disconnect, counter value %1

Fields

Name	Description
`Counter`	—

Event ID 1042 — Disconnecting after expiration of debounce interval

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Disconnecting after expiration of debounce interval

Event ID 1043 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

IPsec: Main Mode SA Established

Fields

Name	Description
`MainModeLocalAddressLength`	—
`MainModeLocalAddress`	—
`MainModePeerAddressLength`	—
`MainModePeerAddress`	—
`KeyingModule`	—
`AuthenticationMethodType`	—
`EncryptionAlgorithm`	—
`AuthenticationAlgorithm`	—
`DiffieHellmanGroup`	—
`LifetimeMinutes`	—
`QMLimit`	—
`Role`	—
`Impersonation`	—
`MMFilterId`	—
`SaLuid`	—
`ProviderContextKey`	—
`VirtualIfTunnelId`	—
`ICookie`	—
`RCookie`	—

Event ID 1044 — Received the first packet on low power enabled IKE tunnel with SPI.

Provider: Microsoft-Windows-WFP
Channel: Operational

Message

Received the first packet on low power enabled IKE tunnel with SPI: %9

Fields

Name	Description
`Timestamp`	—
`LocalAddressLength`	—
`LocalAddress`	—
`RemoteAddressLength`	—
`RemoteAddress`	—
`ScopeId`	—
`AppId`	—
`UserSID`	—
`SPI`	—