| DisplayName | Description | ID | Target | Parent Monitor | Category | Enabled | Instance Name | Counter Name | Frequency | Alert Generate | Alert Severity | Alert Priority | Alert Auto Resolve | Monitor Type | Remotable | Accessibility | RunAs |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DirectAccess_Server_Security_AuthFailuresIPv6_Critical | This alarm indicates that the "Failed Main Mode Negotiations" counter (under the ‘IPsec AuthIP IPv6’ object in perfmon) has exceeded critical levels. | DirectAccess_Server_Security_AuthFailuresIPv6_Critical | DirectAccess_Server_Class | System.Health.SecurityState | SecurityHealth | True | IPsec AuthIP IPv6 | Failed Main Mode Negotiations | 300 | False | | | False | System.Performance.DeltaThreshold | True | Public | |
| DirectAccess_Server_Security_AuthFailuresIPv6_Warning | This alarm indicates that the "Failed Main Mode Negotiations" counter (under the ‘IPsec AuthIP IPv6’ object in perfmon) has exceeded warning levels. | DirectAccess_Server_Security_AuthFailuresIPv6_Warning | DirectAccess_Server_Class | System.Health.SecurityState | SecurityHealth | True | IPsec AuthIP IPv6 | Failed Main Mode Negotiations | 300 | False | | | False | System.Performance.DeltaThreshold | True | Public | |
| IPHTTPS_Gateway_AvailabilityIPHLPSVC | This is a critical (red) alarm generated because the IP Helper (iphlpsvc) service crashed. The iphlpsvc service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. The alarm is cleared when the service comes back up. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. | IPHTTPS_Gateway_Availability_IPHLPSVC | IPHTTPS_Gateway_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| ISATAP_Router_AvailabilityIPHLPSVC | This is a critical (red) alarm generated because the IP Helper (iphlpsvc) service crashed. | ISATAP_Router_Availability_IPHLPSVC | ISATAP_Router_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Network_Security_AvailabilityBFE | This is a critical (red) alarm generated because the Base Filtering Engine (BFE) service crashed. The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. The alarm is cleared when the service comes back up. Disabling the BFE service will significantly reduce the security of the system and will also result in unpredictable behavior in IPsec management and firewall applications. | Network_Security_AvailabilityBFE | Network_Security_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Network_Security_AvailabilityIKEEXT | This is a critical (red) alarm generated because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service crashed. | Network_Security_AvailabilityIKEEXT | Network_Security_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Network Security ICMP Queue Overflow Warning | This is a warning (yellow) alarm that is raised when the "Inbound Rate Limit Discarded ICMPv6 Packets/sec" counter (under the ‘IPSec DOS Protection’ object in perfmon) exceeds a defined threshold. "Inbound Rate Limit Discarded ICMPv6 Packets/sec" is the rate at which ICMPv6 packets are received on a public interface and discarded because they exceeded the rate limit for ICMPv6 packets per second. | Network_Security_ICMPQueueOverflow_Warning | Network_Security_Class | System.Health.PerformanceState | PerformanceHealth | True | IPsec DoS Protection | Inbound Rate Limit Discarded ICMPv6 Packets/sec | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Network Security IKE DoSP | This is a warning (yellow) alarm for a potential DoS attack and is raised when the "IKE DoS-prevention mode started" event (Event Id: 4646, Event Source: Microsoft Windows security auditing, Event Log Channel: Security) is generated. The alarm is cleared when the same event is generated again. | Network_Security_IKEDoSP | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | | | 0 | False | | | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public | |
| Network Security QueueOverflow Warning | This is a warning (yellow) alarm that is raised when the "Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec" counter (under the ‘IPSec DOS Protection’ object in perfmon) exceeds a defined threshold. "Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec" is the rate at which authenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets are received on a public interface and discarded because they exceed the rate limit for IPv6 IPsec authenticated packets per second. An authenticated packet is an IPsec packet with an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. | Network_Security_QueueOverflow_Warning | Network_Security_Class | System.Health.PerformanceState | PerformanceHealth | True | IPsec DoS Protection | Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Network Security RateLimitDiscardUnAuth | This is a warning (yellow) alarm indicating that the "Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec" counter (under the ‘IPSec DOS Protection’ object in perfmon) has exceeded a defined threshold. "Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec" is the rate at which unauthenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets received on a public interface were discarded because they exceeded the rate limit for IPv6 IPsec unauthenticated packets per second. An unauthenticated packet is an IPsec packet without an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. | Network_Security_RateLimitDiscardUnAuth | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec DOS Protection | Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Network Security ReplayAttack | This is a warning (yellow) alarm that is raised when the "Packets That Failed Replay Detection/sec" counter (under the 'IPsec Driver' object in perfmon) exceeds a defined threshold. "Packets That Failed Replay Detection/sec" is the rate of packets that contained an invalid sequence number since the computer was last started. Increases in this counter might indicate a network problem or replay attack. | Network_Security_ReplayAttack | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec Driver | Packets That Failed Replay Detection/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Network Security SpoofingAttack | This is a warning (yellow) alarm that is raised when the "Incorrect SPI Packets/sec" counter (under the 'IPsec Driver' object in perfmon) exceeds a defined threshold. "Incorrect SPI Packets/sec" is the rate of packets for which the Security Parameter Index (SPI) was incorrect since the computer was last started. A large number of packets with bad SPIs within a short amount of time might indicate a packet spoofing attack. | Network_Security_SpoofingAttack | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec Driver | Incorrect SPI Packets/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Network Security State Utilization critical level | This alarm indicates that the "Current State Entries" counter (under the ‘IPSec DOS Protection’ object in perfmon) has exceeded critical levels. "Current State Entries" is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. | Network_Security_StateUtil_Critical | Network_Security_Class | System.Health.ConfigurationState | ConfigurationHealth | True | IPsec DOS Protection | Current State Entries | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Network Security State utilization warning level | This alarm indicates that the "Current State Entries" counter (under the ‘IPSec DOS Protection’ object in perfmon) has exceeded warning levels. "Current State Entries" is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. | Network_Security_StateUtil_Warning | Network_Security_Class | System.Health.ConfigurationState | ConfigurationHealth | True | IPsec DOS Protection | Current State Entries | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Router_6to4_AvailabilityIPHLPSVC | This is a critical (red) alarm generated because the IP Helper (iphlpsvc) service crashed. | Router_6to4_Availability_IPHLPSVC | Router_6to4_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Teredo_Relay_AvailabilityIPHLPSVC | This is a critical (red) alarm generated because the IP Helper (iphlpsvc) service crashed. | Teredo_Relay_Availability_IPHLPSVC | Teredo_Relay_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Teredo_Server_AvailabilityIPHLPSVC | This is a critical (red) alarm generated because the IP Helper (iphlpsvc) service crashed. The iphlpsvc service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. The alarm is cleared when the service comes back up. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. | Teredo_Server_Availability_IPHLPSVC | Teredo_Server_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |