Audit Filtering Platform Policy Change
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following:
IPsec services status.
Changes to IPsec policy settings.
Changes to Windows Filtering Platform Base Filtering Engine policy settings.
Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
4709(S): IPsec Services was started.
4710(S): IPsec Services was disabled.
4711(S): May contain any one of the following:
4712(F): IPsec Services encountered a potentially serious failure.
5040(S): A change has been made to IPsec settings. An Authentication Set was added.
5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
5046(S): A change has been made to IPsec settings. A Crypto Set was added.
5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
5446(S): A Windows Filtering Platform callout has been changed.
5448(S): A Windows Filtering Platform provider has been changed.
5449(S): A Windows Filtering Platform provider context has been changed.
5450(S): A Windows Filtering Platform sub-layer has been changed.
5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
5477(F): PAStore Engine failed to add quick mode filter.