Filtering condition identifiers

The filtering condition identifiers are each represented by a GUID. These identifiers are described in the following table.

Filtering condition identifier Description
FWPM_CONDITION_ARRIVAL_INTERFACE_INDEX The index of the arrival network interface, as enumerated by the network stack.
WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_ARRIVAL_INTERFACE_TYPE The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions.
WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_ARRIVAL_TUNNEL_TYPE The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitions and the Windows SDK IP Helper documentation.
WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_IP_ARRIVAL_INTERFACE The LUID for the network interface that is associated with the arrival IP address.
WFP uses the Arrival interface to match this condition. The Arrival Interface is the first interface the packet sees before entering the IP stack inbound from the network, before weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an inbound condition. This means that WFP will use an empty value on this condition when reauthorizing an inbound connection on a response outbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of arrival interface conditions, the next hop class of interface conditions will have a valid interface on outbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_NEXTHOP_INTERFACE_INDEX The index of the arrival network interface, as enumerated by the network stack.
WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_NEXTHOP_INTERFACE_TYPE The type of the arrival network interface, as defined by the Internet Assigned Numbers Authority (IANA). For more information, see IANAifType-MIB Definitions.
WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_NEXTHOP_TUNNEL_TYPE The encapsulation method used by a tunnel if the IfType member of the IP_ADAPTER_ADDRESSES structure is IF_TYPE_TUNNEL. The tunnel type is defined by the IANA. For more information, see IANAifType-MIB Definitions and the Windows SDK IP Helper documentation.
WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_IP_NEXTHOP_INTERFACE The LUID for the network interface that is associated with the arrival IP address.
WFP uses the Next Hop interface to match this condition. The Next Hop Interface is the last interface the packet sees before leaving the IP stack outbound towards the network, after weak-host or forwarding are performed.
This condition is asymmetric for reauthorization purposes, as it is intrinsically an outbound condition. This means that WFP will use an empty value on this condition when reauthorizing an outbound connection on a response inbound packet.
To handle reauthorization, a second filter must be used. This second filter can either permit or block the empty values, or use a different condition that will have a valid value in that circumstance. In the case of next hop interface conditions, the arrival class of interface conditions will have a valid interface on inbound packets.
Note that this is available only in Windows Server 2008 R2, Windows 7, and later versions of Windows.
FWPM_CONDITION_IP_LOCAL_ADDRESS The local IP address.
FWPM_CONDITION_IP_REMOTE_ADDRESS The remote IP address.
FWPM_CONDITION_IP_SOURCE_ADDRESS The source IP address for forwarded packets.
FWPM_CONDITION_IP_DESTINATION_ADDRESS The destination IP address for forwarded packets.
FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE The local IP address type. The possible condition values are:
- NlatUnspecified
- NlatUnicast
- NlatAnycast
- NlatMulticast
- NlatBroadcast
FWPM_CONDITION_IP_DESTINATION_ADDRESS_TYPE The destination IP address type. The possible condition values are:
- NlatUnspecified
- NlatUnicast
- NlatAnycast
- NlatMulticast
- NlatBroadcast
FWPM_CONDITION_IP_LOCAL_INTERFACE The LUID for the network interface associated with the local IP address.
FWPM_CONDITION_IP_FORWARD_INTERFACE The LUID for the network interface on which the packet being forwarded is to be sent out.
FWPM_CONDITION_IP_PROTOCOL The IP protocol number, as specified in RFC 1700.
FWPM_CONDITION_IP_LOCAL_PORT The local transport protocol port number.
FWPM_CONDITION_IP_REMOTE_PORT The remote transport protocol port number.
FWPM_CONDITION_ICMP_TYPE The ICMP type field, as specified in RFC 792.
FWPM_CONDITION_ICMP_CODE The ICMP code field, as specified in RFC 792.
FWPM_CONDITION_EMBEDDED_LOCAL_ADDRESS_TYPE The local IP address type that is embedded in the ICMP packet. The possible condition values are:
- NlatUnspecified
- NlatUnicast
- NlatAnycast
- NlatMulticast
- NlatBroadcast
FWPM_CONDITION_EMBEDDED_REMOTE_ADDRESS The remote IP address that is embedded in the ICMP packet.
FWPM_CONDITION_EMBEDDED_PROTOCOL The IP protocol number that is embedded in the ICMP packet, as specified in RFC 1700.
FWPM_CONDITION_EMBEDDED_LOCAL_PORT The local transport protocol port number that is embedded in the ICMP packet.
FWPM_CONDITION_EMBEDDED_REMOTE_PORT The remote transport protocol port number that is embedded in the ICMP packet.
FWPM_CONDITION_FLAGS A bitwise OR of a combination of filtering condition flags. For information about the possible flags, see Filtering Condition Flags.
FWPM_CONDITION_DIRECTION The direction of the datagram traffic or data flow. The possible condition values are:
- FWP_DIRECTION_INBOUND
- FWP_DIRECTION_OUTBOUND

In datagram data layers and stream packet layers, this condition specifies the direction of the packet.
In stream layers and ALE flow established layers, this condition specifies the direction of the connection (for example, when a local application initiates the connection, an inbound packet has FWPM_CONDITION_DIRECTION set to FWP_DIRECTION_OUTBOUND).
FWPM_CONDITION_INTERFACE_INDEX The index of the network interface, as enumerated by the network stack.
FWPM_CONDITION_INTERFACE_TYPE The bus type of the network interface.
FWPM_CONDITION_SUB_INTERFACE_INDEX The index of the logical network interface, as enumerated by the network stack.
FWPM_CONDITION_SOURCE_INTERFACE_INDEX The index of the source network interface for forwarded packets, as enumerated by the network stack.
FWPM_CONDITION_SOURCE_SUB_INTERFACE_INDEX The index of the source logical network interface for forwarded packets, as enumerated by the network stack.
FWPM_CONDITION_DESTINATION_INTERFACE_INDEX The index of the destination network interface for forwarded packets, as enumerated by the network stack.
FWPM_CONDITION_DESTINATION_SUB_INTERFACE_INDEX The index of the destination logical network interface for forwarded packets, as enumerated by the network stack.
FWPM_CONDITION_ALE_APP_ID The full path of the application.
FWPM_CONDITION_ALE_USER_ID The identification of the local user.
FWPM_CONDITION_ALE_REMOTE_USER_ID The identification of the remote user.
FWPM_CONDITION_ALE_REMOTE_MACHINE_ID The identification of the remote machine.
FWPM_CONDITION_ALE_PROMISCUOUS_MODE The raw socket mode that is allowed or denied. The possible condition values are:
- SIO_RCVALL
- SIO_RCVALL_IGMPMCAST
- SIO_RCVALL_MCAST
For a description of these raw socket modes, see WSAIoctl in the Microsoft Windows SDK documentation.
FWPM_CONDITION_ALE_SIO_FIREWALL_SYSTEM_PORT Reserved for internal use.
FWPM_CONDITION_ALE_NAP_CONTEXT Reserved for internal use.
FWPM_CONDITION_REMOTE_USER_TOKEN The identification of the remote user.
FWPM_CONDITION_RPC_IF_UUID The UUID of the RPC interface.
FWPM_CONDITION_RPC_IF_VERSION The version of the RPC interface.
FWPM_CONDITION_RPC_IF_FLAG Reserved for internal use.
FWPM_CONDITION_DCOM_APP_ID The identification of the COM application.
FWPM_CONDITION_IMAGE_NAME The name of the application.
FWPM_CONDITION_RPC_PROTOCOL The RPC protocol. The possible condition values are:
- RPC_PROTSEQ_TCP
- RPC_PROTSEQ_HTTP
- RPC_PROTSEQ_NMP
FWPM_CONDITION_RPC_AUTH_TYPE The authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation.
FWPM_CONDITION_RPC_AUTH_LEVEL The authentication service level. For more information about authentication service levels, see Authentication-Level Constants in the RPC section of the Windows SDK documentation.
FWPM_CONDITION_SEC_ENCRYPT_ALGORITHM The certificate based security service provider interface (SSPI) encryption algorithm.
FWPM_CONDITION_SEC_KEY_SIZE The certificate based security service provider interface (SSPI) encryption key size.
FWPM_CONDITION_IP_LOCAL_ADDRESS_V4 The local IPv4 address.
FWPM_CONDITION_IP_LOCAL_ADDRESS_V6 The local IPv6 address.
FWPM_CONDITION_PIPE The name of the remote named pipe.
FWPM_CONDITION_IP_REMOTE_ADDRESS_V4 The remote IPv4 address.
FWPM_CONDITION_IP_REMOTE_ADDRESS_V6 The remote IPv6 address.
FWPM_CONDITION_PROCESS_WITH_RPC_IF_UUID The UUID of the process with the RPC interface.
FWPM_CONDITION_RPC_EP_VALUE Reserved for internal use.
FWPM_CONDITION_RPC_EP_FLAGS Reserved for internal use.
FWPM_CONDITION_CLIENT_TOKEN The identification of the client when using RpcProxy.
FWPM_CONDITION_RPC_SERVER_NAME The name of the RPC server when using RpcProxy.
FWPM_CONDITION_RPC_SERVER_PORT The port on the RPC server when using RpcProxy.
FWPM_CONDITION_RPC_PROXY_AUTH_TYPE The RPC proxy authentication service type. For more information about authentication service types, see Authentication-Service Constants in the RPC section of the Windows SDK documentation.
FWPM_CONDITION_TUNNEL_TYPE The encapsulation method used by a tunnel.
FWPM_CONDITION_CLIENT_CERT_KEY_LENGTH The secure socket layer (SSL) key length in the client certificate.
FWPM_CONDITION_CLIENT_CERT_OID The object identifier (OID) in the client certificate.
FWPM_CONDITION_INTERFACE_MAC_ADDRESS The physical address of the sending or receiving network interface.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_LOCAL_ADDRESS The physical address of the local network interface. For inbound traffic this is the destination MAC address in the frame. For outbound traffic this is the source MAC address of the frame.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_REMOTE_ADDRESS The physical address of the remote network interface. For inbound traffic this is the source MAC address in the frame. For outbound traffic this is the destination MAC address of the frame.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_ETHER_TYPE The type indicated in the MAC frame. This value is 0x800 for IPv4 traffic, 0x86DD for IPv6 traffic, or 0x806 for ARP traffic. All of the possible values are defined as NDIS_ETH_TYPE_Xxx in ntddndis.h.
FWPM_CONDITION_VLAN_ID The identifier of the VLAN in the ETHERNET SNAP header.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_NDIS_PORT The port number identifying a miniport adapter port.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_NDIS_MEDIA_TYPE The type of the NDIS medium specified as one of the NDIS_MEDIUM enumeration values.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_NDIS_PHYSICAL_MEDIA_TYPE The type of the physical medium for the communicating interface specified as one of the NDIS_PHYSICAL_MEDIUM enumeration values.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_L2_FLAGS A bitwise OR of a combination of filtering condition flags for the MAC layers. For information about the possible flags, see Filtering Condition L2 Flags.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_LOCAL_ADDRESS_TYPE The Datalink type of the local MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_REMOTE_ADDRESS_TYPE The Datalink type of the remote MAC address. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_INTERFACE The LUID for the network interface that is associated with the local MAC address.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_ALE_PACKAGE_ID The security identifier (SID) of the AppContainer restricted package.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_SOURCE_ADDRESS The physical address of the network interface that created the MAC frame.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_DESTINATION_ADDRESS The physical address of the network interface to which the frame is destined.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_SOURCE_ADDRESS_TYPE The Datalink type of the MAC Address for the interface that created the frame. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_MAC_DESTINATION_ADDRESS_TYPE The Datalink type of the MAC Address for the interface to which the frame is destined. This is one of the values that are defined in the DL_ADDRESS_TYPE enumeration in FwpmTypes.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_IP_SOURCE_PORT The transport protocol source port number.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_IP_DESTINATION_PORT The transport protocol destination port number.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_ID The GUID of the virtual switch.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_NETWORK_TYPE The type of network that is associated with the virtual switch. This is one of the values that are defined in the FWP_VSWITCH_NETWORK_TYPE enumeration in FwpTypes.h.
Note Supported in Windows 8 and later versions of Windows.
FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_ID The GUID of the interface of the virtual switch that created the frame.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_ID The GUID of the interface of the virtual switch to which the frame is destined.
Note Supported in Windows 8 and later versions of Windows.
FWPM_CONDITION_VSWITCH_SOURCE_INTERFACE_TYPE The type of the virtual switch interface that created the frame. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPE enumeration in Ntddndis.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_DESTINATION_INTERFACE_TYPE The type of the virtual switch interface to which the frame is destined. This is one of the values that are defined in the NDIS_NIC_SWITCH_TYPE enumeration in Ntddndis.h.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_SOURCE_VM_ID Unique identifier of the vSwitch source virtual machine.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_DESTINATION_VM_ID Unique identifier of the vSwitch destination virtual machine.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_VSWITCH_TENANT_NETWORK_ID Unique identifier for the vSwitch network. Cannot be used in conjunction with VLAN_IDs.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_ALE_PACKAGE_ID The security identifier (SID) of an app container.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_ALE_ORIGINAL_APP_ID The original full path of the application before alteration from proxying. Note that if proxying is not involved, then this will be the same as the FWPM_CONDITION_ALE_APP_ID.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.
FWPM_CONDITION_QM_MODE The quick mode (QM) mode.
Note Supported in Windows 8, Windows Server 2012, and later versions of Windows.