Filtering Condition Identifiers

The filtering condition identifiers are each represented by a GUID. These identifiers are described in the following table.

Filtering condition identifierDescription

FWPM_CONDITION_ARRIVAL_INTERFACE_INDEX

The index of the arrival network interface, as enumerated by the network stack.

WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_ARRIVAL_INTERFACE_TYPE

The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions.

WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_ARRIVAL_TUNNEL_TYPE

The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitionsand the Windows SDK IP Helper documentation.

WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_IP_ARRIVAL_INTERFACE

The LUIDfor the network interface that is associated with the arrival IP address.

WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_NEXTHOP_INTERFACE_INDEX

The index of the arrival network interface, as enumerated by the network stack.

WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_NEXTHOP_INTERFACE_TYPE

The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions.

WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_NEXTHOP_TUNNEL_TYPE

The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitions and the Windows SDK IP Helper documentation.

WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_IP_NEXTHOP_INTERFACE

The LUIDfor the network interface that is associated with the arrival IP address.

WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.

This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.

To handle reauthorization a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value for such circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.

Note   Available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
 

FWPM_CONDITION_IP_LOCAL_ADDRESS

The local IP address.

FWPM_CONDITION_IP_REMOTE_ADDRESS

The remote IP address.

FWPM_CONDITION_IP_SOURCE_ADDRESS

The source IP address for forwarded packets.

FWPM_CONDITION_IP_DESTINATION_ADDRESS

The destination IP address for forwarded packets.

FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE

The local IP address type. The possible condition values are:

NlatUnspecified
NlatUnicast
NlatAnycast
NlatMulticast
NlatBroadcast

FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE

The destination IP address type. The possible condition values are:

NlatUnspecified
NlatUnicast
NlatAnycast
NlatMulticast
NlatBroadcast

FWPM_CONDITION_IP_LOCAL_INTERFACE

The LUID for the network interface associated with the local IP address.

FWPM_CONDITION_IP_FORWARD_INTERFACE

The LUID for the network interface on which the packet being forwarded is to be sent out.

FWPM_CONDITION_IP_PROTOCOL

The IP protocol number, as specified in RFC 1700.

FWPM_CONDITION_IP_LOCAL_PORT

The local transport protocol port number.

FWPM_CONDITION_IP_REMOTE_PORT

The remote transport protocol port number.

FWPM_CONDITION_ICMP_TYPE

The ICMP type field, as specified in RFC 792.

FWPM_CONDITION_ICMP_CODE

The ICMP code field, as specified in RFC 792.

FWPM_CONDITION_EMBEDDED_LOCAL_ADDRESS_TYPE

The local IP address type that is embedded in the ICMP packet. The possible condition values are:

NlatUnspecified
NlatUnicast
NlatAnycast
NlatMulticast
NlatBroadcast

FWPM_CONDITION_EMBEDDED_REMOTE_ADDRESS

The remote IP address that is embedded in the ICMP packet.

FWPM_CONDITION_EMBEDDED_PROTOCOL

The IP protocol number that is embedded in the ICMP packet, as specified in RFC 1700.

FWPM_CONDITION_EMBEDDED_LOCAL_PORT

The local transport protocol port number that is embedded in the ICMP packet.

FWPM_CONDITION_EMBEDDED_REMOTE_PORT

The remote transport protocol port number that is embedded in the ICMP packet.

FWPM_CONDITION_FLAGS

A bitwise OR of a combination of filtering condition flags. For information about the possible flags, see Filtering Condition Flags.

FWPM_CONDITION_DIRECTION

The direction of the datagram traffic or data flow.

The possible condition values are:

FWP_DIRECTION_INBOUND
FWP_DIRECTION_OUTBOUND

In datagram data layers and stream packet layers, this condition specifies the direction of the packet.

In stream layers and ALE flow established layers, this condition specifies the direction of the connection (for example, when a local application initiates the connection, an inbound packet has FWPM_CONDITION_DIRECTION set to FWP_DIRECTION_OUTBOUND).

FWPM_CONDITION_INTERFACE_INDEX

The index of the network interface, as enumerated by the network stack.

FWPM_CONDITION_INTERFACE_TYPE

The bus type of the network interface.

FWPM_CONDITION_SUB_INTERFACE_INDEX

The index of the logical network interface, as enumerated by the network stack.

FWPM_CONDITION_SOURCE_INTERFACE_INDEX

The index of the source network interface for forwarded packets, as enumerated by the network stack.

FWPM_CONDITION_SOURCE_SUB_INTERFACE_INDEX

The index of the source logical network interface for forwarded packets, as enumerated by the network stack.

FWPM_CONDITION_DESTINATION_INTERFACE_INDEX

The index of the destination network interface for forwarded packets, as enumerated by the network stack.

FWPM_CONDITION_DESTINATION_SUB_INTERFACE_INDEX

The index of the destination logical network interface for forwarded packets, as enumerated by the network stack.

FWPM_CONDITION_ALE_APP_ID

The full path of the application.

FWPM_CONDITION_ALE_USER_ID

The identification of the local user.

FWPM_CONDITION_ALE_REMOTE_USER_ID

The identification of the remote user.

FWPM_CONDITION_ALE_REMOTE_MACHINE_ID

The identification of the remote machine.

FWPM_CONDITION_ALE_PROMISCUOUS_MODE

The raw socket mode that is allowed or denied. The possible condition values are:

SIO_RCVALL
SIO_RCVALL_IGMPMCAST
SIO_RCVALL_MCAST

For a description of these raw socket modes, see WSAIoctl in the Microsoft Windows SDK documentation.

FWPM_CONDITION_ALE_SIO_FIREWALL_SYSTEM_PORT

Reserved for internal use.

FWPM_CONDITION_ALE_NAP_CONTEXT

Reserved for internal use.

FWPM_CONDITION_REMOTE_USER_TOKEN

The identification of the remote user.

FWPM_CONDITION_RPC_IF_UUID

The UUID of the RPC interface.

FWPM_CONDITION_RPC_IF_VERSION

The version of the RPC interface.

FWPM_CONDITION_RCP_IF_FLAG

Reserved for internal use.

FWPM_CONDITION_DCOM_APP_ID

The identification of the COM application.

FWPM_CONDITION_IMAGE_NAME

The name of the application.

FWPM_CONDITION_RPC_PROTOCOL

The RPC protocol. The possible condition values are:

RPC_PROTSEQ_TCP
RPC_PROTSEQ_HTTP
RPC_PROTSEQ_NMP

FWPM_CONDITION_RPC_AUTH_TYPE

The authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation.

FWPM_CONDITION_RPC_AUTH_LEVEL

The authentication service level. For more information about authentication service levels, see Authentication-Level Constants in the RPC section of the Windows SDK documentation.

FWPM_CONDITION_SEC_ENCRYPT_ALGORITHM

The certificate based security service provider interface (SSPI) encryption algorithm.

FWPM_CONDITION_SEC_KEY_SIZE

The certificate based security service provider interface (SSPI) encryption key size.

FWPM_CONDITION_IP_LOCAL_ADDRESS_V4

The local IPv4 address.

FWPM_CONDITION_IP_LOCAL_ADDRESS_V6

The local IPv6 address.

FWPM_CONDITION_PIPE

The name of the remote named pipe.

FWPM_CONDITION_IP_REMOTE_ADDRESS_V4

The remote IPv4 address.

FWPM_CONDITION_IP_REMOTE_ADDRESS_V6

The remote IPv6 address.

FWPM_CONDITION_PROCESS_WITH_RPC_IF_UUID

The UUID of the process with the RPC interface.

FWPM_CONDITION_RPC_EP_VALUE

Reserved for internal use.

FWPM_CONDITION_RPC_EP_FLAGS

Reserved for internal use.

FWPM_CONDITION_CLIENT_TOKEN

The identification of the client when using RpcProxy.

FWPM_CONDITION_RPC_SERVER_NAME

The name of the RPC server when using RpcProxy.

FWPM_CONDITION_RPC_SERVER_PORT

The port on the RPC server when using RpcProxy.

FWPM_CONDITION_RPC_PROXY_AUTH_TYPE

The RPC proxy authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation.

FWPM_CONDITION_TUNNEL_TYPE

The encapsulation method used by a tunnel.

FWPM_CONDITION_CLIENT_CERT_KEY_LENGTH

The secure socket layer (SSL) key length in the client certificate.

FWPM_CONDITION_CLIENT_CERT_OID

The object identifier (OID) in the client certificate.

FWPM_CONDITION_INTERFACE_MAC_ADDRESS

The physical address of the sending or receiving network interface.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_LOCAL_ADDRESS

The physical address of the local network interface. For inbound traffic this is the destination MAC address in the frame. For outbound traffic this is the source MAC address of the frame.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_REMOTE_ADDRESS

The physical address of the remote network interface. For inbound traffic this is the source MAC address in the frame. For outbound traffic this is the destination MAC address of the frame.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_ETHER_TYPE

The type indicated in the MAC frame. This value is 0x800 for IPv4 traffic, 0x86DD for IPv6 traffic or, 0x806 for ARP traffic. All of the possible values are defined as NDIS_ETH_TYPE_Xxx in ntddndis.h.

FWPM_CONDITION_VLAN_ID

The identifier of the VLAN in the ETHERNET SNAP header. If the frame is ETHERNET II, this value is 0.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_NDIS_PORT

The port number identifying a miniport adapter port.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_NDIS_MEDIA_TYPE

The type of the NDIS medium specified as one of the NDIS_MEDIUM enumeration values.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_NDIS_PHYSICAL_MEDIA_TYPE

The type of the physical medium for the communicating interface specified as one of the NDIS_PHYSICAL_MEDIUM enumeration values.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_L2_FLAGS

A bitwise OR of a combination of filtering condition flags for the MAC layers. For information about the possible flags, see Filtering Condition L2 Flags.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_LOCAL_ADDRESS_TYPE

The Datalink type of the local MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_REMOTE_ADDRESS_TYPE

The Datalink type of the remote MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_INTERFACE

The LUID for the network interface that is associated with the local MAC address.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_ALE_PACKAGE_ID

The security identifier (SID) of the AppContainer restricted package.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_SOURCE_ADDRESS

The physical address of the network interface that created the MAC frame.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_DESTINATION_ADDRESS

The physical address of the network interface to which the frame is destined.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_SOURCE_ADDRESS_TYPE

The Datalink type of the MAC Address for the interface that created the frame. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_MAC_DESTINATION_ADDRESS_TYPE

The Datalink type of the MAC Address for the interface to which the frame is destined. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_IP_SOURCE_PORT

The transport protocol source port number.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_IP_DESTINATION_PORT

The transport protocol destination port number.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_ID

The GUID of the virtual switch.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_NETWORK_TYPE

The type of network that is associated with the virtual switch. This is one of the values that are defined in the FWP_VSWITCH_NETWORK_TYPE enumeration in FwpTypes.h.

Note  Supported in Windows 8 and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_ID

The GUID of the interface of the virtual switch that created the frame.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_ID

The GUID of the interface of the virtual switch to which the frame is destined.

Note  Supported in Windows 8 and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_TYPE

The type of the virtual switch interface that created the frame. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPE enumeration in Ntddndis.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_TYPE

The type of the virtual switch interface to which the frame is destined. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPEenumeration in Ntddndis.h.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_SOURCE_VM_ID

Unique identifier of the vSwitch source virtual machine.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_DESTINATION_VM_ID

Unique identifier of the vSwitch destination virtual machine.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_VSWITCH_TENANT_NETWORK_ID

Unique identifier for the vSwitch network. Cannot be used in conjunction with VLAN_IDs.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_ALE_PACKAGE_ID

The security identifier (SID) of an app container.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_ALE_ORIGINAL_APP_ID

The original full path of the application before alteration from proxying. Note that if proxying is not involved, then this will be the same as the FWPM_CONDITION_ALE_APP_ID.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

FWPM_CONDITION_QM_MODE

The quick mode (QM) mode.

Note  Supported in Windows 8, Windows Server 2012, and later versions of Windows.
 

 

 

 

Send comments about this topic to Microsoft

Show: