| | DisplayName | Description | ID | Target | Parent Monitor | Category | Enabled | Instance Name | Counter Name | Frequency | Alert Generate | Alert Severity | Alert Priority | Alert Auto Resolve | Monitor Type | Remotable | Accessibility | RunAs |
|---|
 | DirectAccess activation state | This is a critical alarm generated because the DirectAccess activation process failed. This alarm is cleared when the DirectAccess activation process succeeds. | DirectAccess_Server_Activation.Critical | Microsoft.Forefront.UAG.DirectAccess | System.Health.AvailabilityState | Custom | True | | | 0 | True | Error | High | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public | |
| Failed Main Mode negotiations at critical level | This is a critical alarm generated because the "Failed Main Mode Negotiations" counter (under the object "IPsec AuthIP IPv6" in the performance monitor tool) exceeded critical levels. This alarm is cleared when the counter returns to healthy levels. | DirectAccess_Server_Security_AuthFailuresIPv6_Critical | Microsoft.Forefront.UAG.DirectAccess | System.Health.SecurityState | SecurityHealth | True | IPsec AuthIP IPv6 | Failed Main Mode Negotiations | 300 | False | | | True | System.Performance.DeltaThreshold | True | Public | |
| Failed Main Mode negotiations at warning level | This is a warning alarm generated because "Failed Main Mode Negotiations" counter (under the object "IPsec AuthIP IPv6" in the performance monitor tool) exceeded warning levels. This alarm is cleared when the counter returns to healthy levels. | DirectAccess_Server_Security_AuthFailuresIPv6_Warning | Microsoft.Forefront.UAG.DirectAccess | System.Health.SecurityState | SecurityHealth | True | IPsec AuthIP IPv6 | Failed Main Mode Negotiations | 300 | False | | | True | System.Performance.DeltaThreshold | True | Public | |
| DNS64 average query processing time | This is a warning alarm generated because the "Total Query Average Processing Time" counter (under the object "Forefront UAG DNS64" in the performance monitor tool) exceeded a defined threshold. "Total Query Average Processing Time" is the average time taken for DNS64 to process a query. This alarm is cleared when the counter returns to healthy levels. | DNS64_Service_Average_Query_Processing_Time | Microsoft.Forefront.UAG.DNS64 | System.Health.PerformanceState | PerformanceHealth | True | Forefront UAG DNS64 | Total Query Average Processing Time | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| DNS64 total dropped queries | This is a warning alarm generated because the "Total Query Dropped" counter (under the object "Forefront UAG DNS64" in the performance monitor tool) exceeded a defined threshold. "Total Query Dropped" is the number of queries dropped by DNS64, usually due to full queues. This alarm is cleared when the counter returns to healthy levels. | DNS64_Service_Total_Dropped | Microsoft.Forefront.UAG.DNS64 | System.Health.PerformanceState | PerformanceHealth | True | Forefront UAG DNS64 | Total Query Dropped | 300 | False | | | True | System.Performance.DeltaThreshold | True | Public | |
| DNS64 total dropped queries per second | This is a warning alarm generated because the "Total Query Dropped/sec" counter (under the object "Forefront UAG DNS64" in the performance monitor tool) exceeded a defined threshold. "Total Query Dropped/sec" is the number of queries dropped per second by DNS64, usually due to full queues. This alarm is cleared when the counter returns to healthy levels. | DNS64_Service_Total_Dropped_Second | Microsoft.Forefront.UAG.DNS64 | System.Health.PerformanceState | PerformanceHealth | True | Forefront UAG DNS64 | Total Query Dropped/sec | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| IP-HTTPS gateway availability | This is a critical alarm generated because the IP Helper service (iphlpsvc) stopped responding. The IP Helper service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. This alarm is cleared when the service is running again. | IPHTTPS_Gateway_Availability | IPHTTPS_Gateway_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| ISATAP router availability | This is a critical alarm generated because the IP Helper service (iphlpsvc) stopped responding. The IP Helper service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. This alarm is cleared when the service is running again. | ISATAP_Router_Availability | ISATAP_Router_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| NLB Helper driver availability | This is a critical alarm generated because the NLB Helper driver (DAEng) stopped responding. This alarm is cleared when the driver is running again. | Microsoft.Forefront.UAG.DirectAccess.DAEngDriverMonitor | Microsoft.Forefront.UAG.DirectAccess | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Forefront.UAG.DirectAccess.NLB.DAEngDriverState | True | Public | |
| Sticky connections exist | This is a warning alarm generated because there were no Network Load Balancing sticky connections on the current node. A "sticky" connection is a 6to4 or Teredo client connection that will always go to the same specific node. This alarm is cleared when at least one sticky connection is active. | Microsoft.Forefront.UAG.DirectAccess.UserActivity.AtLeastOneStickyConnectionExists | Microsoft.Forefront.UAG.DirectAccess | Microsoft.Forefront.UAG.DirectAccess.UserActivity | PerformanceHealth | True | | | 0 | False | | | True | Microsoft.Forefront.UAG.DirectAccess.StickyConnectionsExists | True | Public | |
| User Kerberos Main Mode SAs exist | This is a warning alarm generated because there were no established Main Mode security associations that have user Kerberos authentication. | Microsoft.Forefront.UAG.DirectAccess.UserActivity.AtLeastOneUserKerbMMSAExists | Microsoft.Forefront.UAG.DirectAccess | Microsoft.Forefront.UAG.DirectAccess.UserActivity | PerformanceHealth | True | | | 0 | False | | | True | Microsoft.Forefront.UAG.DirectAccess.UserKerbMMSAExists | True | Public | |
| Teredo packet receive rate | This is a warning alarm generated because there was no change in packet amount in the "In - Teredo Server Total Packets: Success + Error" counter (under the object "Teredo Server" in the performance monitor tool), meaning there was no Teredo traffic. This alarm is cleared when the counter returns to healthy levels. | Microsoft.Forefront.UAG.DirectAccess.UserActivity.TeredoPacketReceiveRate | Microsoft.Forefront.UAG.DirectAccess | Microsoft.Forefront.UAG.DirectAccess.UserActivity | PerformanceHealth | True | Teredo Server | In - Teredo Server Total Packets: Success + Error | 600 | False | | | True | System.Performance.DeltaThreshold | True | Public | |
| DNS64 DnsAlgSrv service availability | This is a critical alarm generated because the Forefront UAG DNS64 (DnsAlgSrv) service stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.DnsAlgSrv | Microsoft.Forefront.UAG.DNS64 | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Forefront UAG built-in application service availability | This is a critical alarm generated because a Forefront UAG built-in application service stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.Monitor.Application.BuiltIn | Microsoft.Forefront.UAG.Application.BuiltIn | Microsoft.Forefront.UAG.Monitor.Applications | StateCollection | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Forefront UAG configuration module availability | This is a critical alarm generated because the Forefront UAG configuration module reported an error. | Microsoft.Forefront.UAG.Monitor.Configuration | Microsoft.Forefront.UAG.Server | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | False | | | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public | |
| Forefront UAG repository availability | This monitor represents a Forefront UAG repository. The repository is not monitored. A Forefront UAG repository holds information used to authenticate users accessing Forefront UAG portals. | Microsoft.Forefront.UAG.Monitor.Repository | Microsoft.Forefront.UAG.Repository | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | False | | | True | Microsoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType | True | Public | |
| ConfigMgrCom service availability | This is a critical alarm generated because the Forefront UAG Configuration Manager service (ConfigMgrCom) stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.Server.ConfigMgrComMonitor | Microsoft.Forefront.UAG.Server | Microsoft.Forefront.UAG.CoreServicesMonitor | StateCollection | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| MonitorMgrCom service availability | This is a critical alarm generated because the Forefront UAG Monitoring Manager service (MonitorMgrCom) stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.Server.MonitorMgrComMonitor | Microsoft.Forefront.UAG.Server | Microsoft.Forefront.UAG.CoreServicesMonitor | StateCollection | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| SessionMgrCom service availability | This is a critical alarm generated because the Forefront UAG Session Manager service (SessionMgrCom) stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.Server.SessionMgrComMonitor | Microsoft.Forefront.UAG.Server | Microsoft.Forefront.UAG.CoreServicesMonitor | StateCollection | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| UserMgrCom service availability | This is a critical alarm generated because the Forefront UAG User Manager service (UserMgrCom) stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.Server.UserMgrComMonitor | Microsoft.Forefront.UAG.Server | Microsoft.Forefront.UAG.CoreServicesMonitor | StateCollection | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| DNS64 WatchDogSrv service availability | This is a critical alarm generated because the Forefront UAG Watch Dog service (WatchDogSrv) stopped responding. This alarm is cleared when the service is running again. | Microsoft.Forefront.UAG.WatchDogSrv | Microsoft.Forefront.UAG.DNS64 | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| BFE service availability | This is a critical alarm generated because the Base Filtering Engine service (BFE) stopped responding. The BFE service manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Disabling the BFE service significantly reduces the security of the system and also results in unpredictable behavior in IPsec management and firewall applications. This alarm is cleared when the service is running again. | Network_Security_AvailabilityBFE | Network_Security_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| IKEEXT service availability | This is a critical alarm generated because the IKE and AuthIP IPsec Keying Modules service (IKEEXT) stopped responding. The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules which are used for authentication and key exchange in Internet Protocol security (IPsec). This alarm is cleared when the service restarts. Disabling the IKEEXT service disables IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. This alarm is cleared when the service is running again. | Network_Security_AvailabilityIKEEXT | Network_Security_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Discarded ICMPv6 packets per second | This is a warning alarm generated because the "Inbound Rate Limit Discarded ICMPv6 Packets/sec" counter (under the object "IPSec DOS Protection" in the performance monitor tool) exceeded a defined threshold. "Inbound Rate Limit Discarded ICMPv6 Packets/sec" is the rate at which ICMPv6 packets are received on a public interface and discarded because they exceeded the rate limit for ICMPv6 packets per second. This alarm is cleared when the counter returns to healthy levels. | Network_Security_ICMPQueueOverflow_Warning | Network_Security_Class | System.Health.PerformanceState | PerformanceHealth | True | IPsec DoS Protection | Inbound Rate Limit Discarded ICMPv6 Packets/sec | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| IKE DoS-prevention mode started | This is a warning alarm for potential DoS attack and is raised when "IKE DoS-prevention mode started" event (Event Id: 4646, Event Source: Microsoft Windows security auditing, Event Log Channel: Security) is generated. This alarm is cleared when the same event is generated again. | Network_Security_IKEDoSP | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | | | 0 | False | | | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public | |
| Discarded IPv6 IPsec authenticated packets per second | This is a warning alarm generated because the "Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec" counter (under the object "IPSec DOS Protection" in the performance monitor tool) exceeded a defined threshold. "Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec" is the rate at which authenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets are received on a public interface and discarded because they exceed the rate limit for IPv6 IPsec authenticated packets per second. An authenticated packet is an IPsec packet with an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. This alarm is cleared when the counter returns to healthy levels. | Network_Security_QueueOverflow_Warning | Network_Security_Class | System.Health.PerformanceState | PerformanceHealth | True | IPsec DoS Protection | Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Discarded IPv6 IPsec unauthenticated packets per second | This is a warning alarm generated because the "Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec" counter (under the object "IPSec DOS Protection" in the performance monitor tool) exceeded a defined threshold. "Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec" is the rate at which unauthenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets are received on a public interface and discarded because they exceed the rate limit for IPv6 IPsec unauthenticated packets per second. An unauthenticated packet is an IPsec packet without an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. This alarm is cleared when the counter returns to healthy levels. | Network_Security_RateLimitDiscardUnAuth | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec DOS Protection | Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Failed replay detection packets per second | This is a warning alarm generated because the "Packets That Failed Replay Detection/sec" counter (under the object "IPsec Driver" in the performance monitor tool) exceeded a defined threshold. "Packets That Failed Replay Detection/sec" is the rate of packets that contained an invalid sequence number since the computer was last started. Increases in this counter might indicate a network problem or replay attack. This alarm is cleared when the counter returns to healthy levels. | Network_Security_ReplayAttack | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec Driver | Packets That Failed Replay Detection/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Incorrect SPI packets per second | This is a warning alarm generated because the "Incorrect SPI Packets/sec" counter (under the object "IPsec Driver" in the performance monitor tool) exceeded a defined threshold. "Incorrect SPI Packets/sec" is the rate of packets for which the Security Parameter Index (SPI) was incorrect since the computer was last started. A large number of packets with bad SPIs within a short amount of time might indicate a packet spoofing attack. This alarm is cleared when the counter returns to healthy levels. | Network_Security_SpoofingAttack | Network_Security_Class | System.Health.SecurityState | SecurityHealth | True | IPsec Driver | Incorrect SPI Packets/sec | 300 | False | | | True | System.Performance.AverageThreshold | True | Public | |
| Current state entries at critical level | This is a critical alarm generated because the "Current State Entries" counter (under the object "IPSec DOS Protection" in the performance monitor tool) exceeded critical levels. "Current state Entries" is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. This alarm is cleared when the counter returns to healthy levels. | Network_Security_StateUtil_Critical | Network_Security_Class | System.Health.ConfigurationState | ConfigurationHealth | True | IPsec DOS Protection | Current State Entries | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| Current state entries at warning level | This is a warning alarm generated because "Current State Entries" counter (under the object "IPSec DOS Protection" in the performance monitor tool) exceeded warning levels. "Current state Entries" is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. This alarm is cleared when the counter returns to healthy levels. | Network_Security_StateUtil_Warning | Network_Security_Class | System.Health.ConfigurationState | ConfigurationHealth | True | IPsec DOS Protection | Current State Entries | 300 | False | | | True | System.Performance.ConsecutiveSamplesThreshold | True | Public | |
| 6to4 router availability | This is a critical alarm generated because the IP Helper service (iphlpsvc) stopped responding. The IP Helper service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. This alarm is cleared when the service is running again. | Router_6to4_Availability | Router_6to4_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Teredo relay availability | This is a critical alarm generated because the IP Helper service (iphlpsvc) stopped responding. The IP Helper service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. This alarm is cleared when the service is running again. | Teredo_Relay_Availability | Teredo_Relay_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Teredo server availability | This is a critical alarm generated because the IP Helper service (iphlpsvc) stopped responding. The IP Helper service provides tunnel connectivity using the Connectivity Platform, IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer. This alarm is cleared when the service is running again. | Teredo_Server_Availability | Teredo_Server_Class | System.Health.AvailabilityState | AvailabilityHealth | True | | | 0 | True | Error | High | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
Home