SonicOS 5.9 Log Event Reference Guide
Notes, Cautions, and Warnings
© 2013 Dell Inc.
Trademarks: Dell™, the DELL logo, SonicWALL™, SonicWALL GMS™, SonicWALL Analyzer™, Reassembly-Free Deep Packet Inspection™, Dynamic Security for the Global Network™, SonicWALL Clean VPN™, SonicWALL Clean Wireless™, SonicWALL Comprehensive Gateway Security Suite™, SonicWALL Mobile Connect™, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc.
2013 – 09 P/N 232-002230-00 Rev. B
NOTE: A NOTE indicates important information that helps you make better use of your system.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Overview
This reference guide lists and describes Dell SonicWALL SonicOS 5.9 log event messages. Reference a log event message by using the alphabetical index of log event messages.
This document contains the following sections:
• “Log > Log Monitor”
• “Log > Settings”
• “Index of Log Event Messages”
• “Index of Syslog Tag Field Description”
Log > Log Monitor
The Dell SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed by navigating to the Log > Log Monitor or Dashboard > Log Monitor page.
For information on configuring the Log Monitor page, refer to the SonicOS Administrator’s Guide.
Log > Settings
The Settings page provides custom logging functions for troubleshooting and diagnostics on your Dell SonicWALL security appliance.
You can extend your Dell SonicWALL security appliance log reporting capabilities by using the Dell SonicWALL GMS or Analyzer, which is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on GMS and Analyzer reporting, refer to www.sonicwall.com.
For information on configuring the Log > Settings page, refer to the SonicOS Administrator’s Guide.
The Category column provides the following SonicOS Management Interface screen names:
• System
• Log
• Security Services
• Network
• Users
• Firewall Settings
• VPN
• High Availability
• 3G/4G, Modem, and Module
• Firewall
• Wireless
• VoIP
• SSL VPN
• Anti-Spam
• WAN Acceleration
Each of the Categories can be expanded to display the Event Groups within that category. The table below displays the Management Interface Group Name and the Enhanced Category where the group belongs:
Table 1 Event Groups & Categories
| Group GUI Name | Enhanced Category where Group belongs |
| --- | --- |
| PPP Dial‐Up | 3G/4G, Modem, and Module |
| 3G/4G and Modem | 3G/4G, Modem, and Module |
| E1‐T1 Module | 3G/4G, Modem, and Module |
| DSL Module | 3G/4G, Modem, and Module |
| Probe | Anti‐Spam |
| General | Anti‐Spam |
| E‐mail | Anti‐Spam |
| GRID | Anti‐Spam |
| Access Rules | Firewall |
| Application Firewall | Firewall |
| Application Control | Firewall |
| Flood Protection | Firewall Settings |
| Advanced | Firewall Settings |
| FTP | Firewall Settings |
| Multicast | Firewall Settings |
| Checksum Enforcement | Firewall Settings |
| SSL Control | Firewall Settings |
| State | High Availability |
| Synchronization | High Availability |
| General | High Availability |
| Monitoring | High Availability |
| Cluster | High Availability |
| General | Log |
| E‐mail | Log |
| Syslog | Log |
| Network Access | Network |
| IP | Network |
| TCP | Network |
| UDP | Network |
| ICMP | Network |
| ARP | Network |
| Interfaces | Network |
| DNS | Network |
| DHCP Client | Network |
| PPPoE | Network |
| L2TP Client | Network |
| PPP | Network |
| Failover and Load Balancing | Network |
| NAT | Network |
| PPTP | Network |
| RIP | Network |
| BOOTP | Network |
| IPcomp | Network |
| Network Monitor | Network |
| Dynamic DNS | Network |
| DHCP Server | Network |
| Advanced Routing | Network |
| Dynamic Address Objects | Network |
| MAC‐IP Anti‐Spoof | Network |
| NAT Policy | Network |
| General | Security Services |
| Attacks | Security Services |
| Anti‐Virus | Security Services |
| E‐mail Filtering | Security Services |
| Content Filter | Security Services |
| Crypto Test | Security Services |
| IDP | Security Services |
| IPS | Security Services |
| DPI‐SSL | Security Services |
| Anti‐Spyware | Security Services |
| RBL Filter | Security Services |
| Botnet Filter | Security Services |
| Geo‐IP Filter | Security Services |
| General | SSL VPN |
| Status | System |
| Restart | System |
| GMS | System |
| Administration | System |
| Settings | System |
| Hardware | System |
| Time | System |
| SNMP | System |
| Authentication Access | Users |
| Radius Authentication | Users |
| SSO Agent Authentication | Users |
| Call | VoIP |
| H.323 | VoIP |
| SIP | VoIP |
| Anomaly | VoIP |
| VPN IPsec | VPN |
| VPN IKE | VPN |
| VPN Client | VPN |
| DHCP Relay | VPN |
| VPN PKI | VPN |
| L2TP Server | VPN |
| VPN IKEv2 | VPN |
| Local WXA Appliance | WAN Acceleration |
| Remote WXA Appliance | WAN Acceleration |
| Network Access | Wireless |
| WLAN | Wireless |
| WLAN IDS | Wireless |
| SonicPoint | Wireless |
| RF Monitoring | Wireless |
| SonicPointN | Wireless |
Index of Log Event Messages
This section contains a list of alphabetically ordered log event messages for the SonicOS 5.9 firmware. Use a Search or Find function to search for a specific command. For more information regarding the Log Event Message Symbols, reference the table below:
Table 2 Log Event Message Symbols Key
| Log Event Message | Symbol Description | Context |
| --- | --- | --- |
| %s Ethernet Port Down | Represents a character string. | [WAN \| LAN \| DMZ] Ethernet Port Down |
| The cache is full; %u open connections; some will be dropped | Represents a numerical string. | The cache is full; [40,000] open connections; some will be dropped |

TCP IP Layered-Data Packet Processing
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the Dell SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.
Each log event message described in the following table provides the following log event details:
• Group—Displays the category event group.
• Legacy Category—Displays the category event type.
• Priority Level—Displays the level of urgency of the log event message.
• ID—Displays the ID number of the log event message.
• Enhanced SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.
Note: The information in the Legacy Category column does not appear in the SonicOS 5.9 Management Interface. However, the equivalent numeric value is used in the Syslog packet for the “c=” and “cat=” tags. Refer to “Numeric Values for the Legacy Category” for a full list of values.
Log Event Message Index
The following table is the Log Event Message Index, which is an alphabetical list of log event messages for the SonicOS 5.9 firmware.
Table 3 Log Event Message Index
| Enhanced Log Event Message | Group | Legacy Category | Priority Level | ID | Enhanced SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| DOS protection on WAN begins %s | Intrusion Detection | Debug | ALERT | 1180 | ‐‐‐ |
| "As per Diagnostic Auto‐restart configuration Request, restarting system" | Firewall Event | ‐‐‐ | INFO | 1047 | ‐‐‐ |
| %s auto‐dial failed: Current Connection Model is configured as Ethernet Only | PPP Dial‐UP | System Error | ALERT | 1028 | ‐‐‐ |
| %s Ethernet Port Down | Firewall Event | System Error | ERROR | 333 | 641 |
| %s Ethernet Port Up | Firewall Event | System Error | WARNING | 332 | 640 |
| %s is operational. | Anti‐Spam | ‐‐‐ | WARNING | 1082 | 13801 |
| %s is unavailable. | Anti‐Spam | ‐‐‐ | WARNING | 1083 | 13802 |
| 3G/4G %s device detected | Firewall Hardware | System Environment | INFO | 1017 | ‐‐‐ |
| 3G/4G Dial‐up: %s. | PPP Dial‐UP | User Activity | ALERT | 1026 | ‐‐‐ |
| 3G/4G Dial‐up: data usage limit reached for the '%s' billing cycle. Disconnecting the session. | PPP Dial‐UP | User Activity | ALERT | 1027 | 7643 |
| 3G/4G: No SIM detected | Firewall Hardware | ‐‐‐ | ALERT | 1055 | ‐‐‐ |
| 802.11 Management | Wireless | 80211b Management | INFO | 518 | ‐‐‐ |
| A high percentage of the system packet buffers are held waiting for SSO | CIA | User Activity | ALERT | 1178 | ‐‐‐ |
| A prior version of preferences was loaded because the most recent preferences file was inaccessible | Firewall Event | System Error | WARNING | 572 | 648 |
| A SonicOS Standard to Enhanced Upgrade was performed | Firewall Event | Maintenance | INFO | 611 | ‐‐‐ |
| A user has a very high number of connections waiting for SSO | CIA | User Activity | ALERT | 1179 | ‐‐‐ |
| Access attempt from host out of compliance with GSC Policy | Security Services | Maintenance | INFO | 761 | ‐‐‐ |
| Access attempt from host without Anti‐Virus agent installed | Security Services | Maintenance | INFO | 123 | ‐‐‐ |
| Access attempt from host without GSC installed | Security Services | Maintenance | INFO | 763 | 8627 |
| Access rule added | Firewall Rule | User Activity | INFO | 440 | ‐‐‐ |
| Access rule deleted | Firewall Rule | User Activity | INFO | 442 | ‐‐‐ |
| Access rule modified | Firewall Rule | User Activity | INFO | 441 | ‐‐‐ |
| Access rules restored to defaults | Firewall Rule | User Activity | INFO | 443 | ‐‐‐ |
| Access to proxy server denied | Network Access | Blocked Sites | NOTICE | 60 | 705 |
| Active Secondary detects Active Primary: Secondary going Idle | High Availability | Maintenance | INFO | 154 | ‐‐‐ |
| Active/Active Clustering license is not activated on the following cluster units: %s | High Availability | ‐‐‐ | ERROR | 1152 | ‐‐‐ |
| ActiveX access denied | Network Access | Blocked Code | NOTICE | 18 | ‐‐‐ |
| ActiveX or Java archive access denied | Network Access | Blocked Code | NOTICE | 20 | ‐‐‐ |
| ADConnector %s response timed‐out; applying caching policy | Microsoft Active Directory | ‐‐‐ | ERROR | 769 | ‐‐‐ |
| Add an attack message | Firewall Event | Attack | ERROR | 143 | 525 |
| Added a new member to an LDAP mirror user group | RADIUS | ‐‐‐ | INFO | 1192 | ‐‐‐ |
| Added host entry to dynamic address object | Dynamic Address Objects | Maintenance | INFO | 911 | ‐‐‐ |
| Added new LDAP mirror user group: %s | RADIUS | ‐‐‐ | INFO | 1190 | ‐‐‐ |
| Adding Dynamic Entry for Bound MAC Address | Network | ‐‐‐ | INFO | 813 | ‐‐‐ |
| Adding L2TP IP pool Address object Failed. | L2TP Server | System Error | ERROR | 603 | 661 |
| Adding to multicast policy List , interface : %s | Multicast | ‐‐‐ | DEBUG | 697 | ‐‐‐ |
| Adding to Multicast policy List , VPN SPI : %s | Multicast | ‐‐‐ | DEBUG | 699 | ‐‐‐ |
| Administrator logged out | Authentication Access | User Activity | INFO | 261 | ‐‐‐ |
| Administrator logged out ‐ inactivity timer expired | Authentication Access | User Activity | INFO | 262 | ‐‐‐ |
| Administrator login allowed | Authentication Access | User Activity | INFO | 29 | ‐‐‐ |
| Administrator login denied due to bad credentials | Authentication Access | Attack | ALERT | 30 | 560 |
| Administrator login denied from %s; logins disabled from this interface | Authentication Access | Attack | ALERT | 35 | 506 |
| Administrator name changed | Authentication Access | Maintenance | INFO | 328 | ‐‐‐ |
| All Dynamic DNS associations have been deleted | Dynamic DNS | Maintenance | INFO | 783 | ‐‐‐ |
| All preference values have been set to factory default values | Firewall Event | System Error | WARNING | 574 | 650 |
| Allowed LDAP server certificate with wrong host name | RADIUS | User Activity | WARNING | 752 | ‐‐‐ |
| An LDAP user group nesting is not being mirrored | RADIUS | ‐‐‐ | WARNING | 1246 | ‐‐‐ |
| Anti‐Spam service is disabled by administrator. | Anti‐Spam | ‐‐‐ | INFO | 1085 | 13804 |
| Anti‐Spam service is enabled by administrator. | Anti‐Spam | ‐‐‐ | INFO | 1084 | 13803 |
| Anti‐Spam Startup Failure ‐ %s | Anti‐Spam | ‐‐‐ | WARNING | 1088 | 13807 |
| Anti‐Spam Teardown Failure ‐ %s | Anti‐Spam | ‐‐‐ | WARNING | 1089 | 13808 |
| Anti‐Spyware Detection Alert: %s | Intrusion Detection | Attack | ALERT | 795 | 6438 |
| Anti‐Spyware Prevention Alert: %s | Intrusion Detection | Attack | ALERT | 794 | 6437 |
| Anti‐Spyware Service Expired | Security Services | Maintenance | WARNING | 796 | 8631 |
| Anti‐Virus agent out‐of‐date on host | Security Services | Maintenance | INFO | 124 | ‐‐‐ |
| Anti‐Virus Licenses Exceeded | Security Services | Maintenance | INFO | 408 | ‐‐‐ |
| Application Control Detection Alert: %s | AppControl Detection | ‐‐‐ | ALERT | 1154 | 15001 |
| Application Control Prevention Alert: %s | AppControl Detection | ‐‐‐ | ALERT | 1155 | 15002 |
| Application Filter Detection Alert: %s | Intrusion Detection | Attack | ALERT | 650 | ‐‐‐ |
| Application Filters Block Alert: %s | Intrusion Detection | Attack | ALERT | 649 | ‐‐‐ |
| Application Firewall Alert: %s | Application Firewall | User Activity | ALERT | 793 | 13201 |
| ARP request packet received | Network | ‐‐‐ | INFO | 717 | ‐‐‐ |
| ARP request packet sent | Network | ‐‐‐ | INFO | 715 | ‐‐‐ |
| ARP response packet received | Network | ‐‐‐ | INFO | 716 | ‐‐‐ |
| ARP response packet sent | Network | ‐‐‐ | INFO | 718 | ‐‐‐ |
| ARP Timeout | Network | Debug | DEBUG | 45 | ‐‐‐ |
| Assigned IP address %s | DHCP Server | ‐‐‐ | INFO | 1110 | ‐‐‐ |
| Association Flood from WLAN station | WLAN IDS | WLAN IDS | ALERT | 548 | 903 |
| Attempt to contact Remote backup server for upload approval failed | Firewall Event | Maintenance | DEBUG | 1160 | ‐‐‐ |
| Authentication Timeout during Remotely Triggered Dial‐out session | Authentication Access | User Activity | INFO | 821 | ‐‐‐ |
| Back Orifice attack dropped | Intrusion Detection | Attack | ALERT | 73 | 512 |
| Backup remote server did not approve upload Request | Firewall Event | Maintenance | DEBUG | 1161 | ‐‐‐ |
| Bad CRL format | VPN PKI | User Activity | ALERT | 277 | ‐‐‐ |
| Bind to LDAP server failed | RADIUS | System Error | ERROR | 1009 | ‐‐‐ |
| Blocked Quick Mode for Client using Default KeyId | VPN Client | System Error | ERROR | 505 | 660 |
| BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table | BOOTP | Maintenance | INFO | 619 | ‐‐‐ |
| BOOTP reply relayed to local device | BOOTP | Maintenance | INFO | 620 | ‐‐‐ |
| BOOTP Request received from remote device | BOOTP | Debug | DEBUG | 621 | ‐‐‐ |
| BOOTP server response relayed to remote device | BOOTP | Debug | DEBUG | 618 | ‐‐‐ |
| Broadcast packet dropped | Network Access | Debug | DEBUG | 46 | ‐‐‐ |
| Cannot connect to the CRL server | VPN PKI | User Activity | ALERT | 274 | ‐‐‐ |
| Cannot Validate Issuer Path | VPN PKI | User Activity | ALERT | 878 | ‐‐‐ |
| Certificate on Revoked list(CRL) | VPN PKI | User Activity | ALERT | 279 | ‐‐‐ |
| CFL auto‐download disabled, time problem detected | Security Services | Maintenance | INFO | 268 | ‐‐‐ |
| Chat %s | PPP Dial‐UP | User Activity | INFO | 1022 | ‐‐‐ |
| Chat completed | PPP Dial‐UP | User Activity | INFO | 1020 | ‐‐‐ |
| Chat failed: %s | PPP Dial‐UP | User Activity | INFO | 1023 | ‐‐‐ |
| Chat started | PPP Dial‐UP | User Activity | INFO | 1019 | ‐‐‐ |
| Chat started by '%s' | PPP Dial‐UP | User Activity | INFO | 1032 | ‐‐‐ |
| Chat wrote '%s' | PPP Dial‐UP | User Activity | INFO | 1021 | ‐‐‐ |
| CLI administrator logged out | Authentication Access | User Activity | INFO | 520 | ‐‐‐ |
| CLI administrator login allowed | Authentication Access | User Activity | INFO | 199 | ‐‐‐ |
| CLI administrator login denied due to bad credentials | Authentication Access | User Activity | WARNING | 200 | ‐‐‐ |
| Computed hash does not match hash received from peer; preshared key mismatch | VPN IKE | User Activity | WARNING | 410 | ‐‐‐ |
| Configuration mode administration session ended | Authentication Access | User Activity | INFO | 995 | ‐‐‐ |
| Configuration mode administration session started | Authentication Access | User Activity | INFO | 994 | ‐‐‐ |
| Connection Closed | Network Traffic AppFirewall FIC | Connection Traffic AppFirewall FIC | INFO | 537 | ‐‐‐ |
| Connection Opened | Network Traffic AppFirewall FIC | Connection | INFO | 98 | ‐‐‐ |
| Connection timed out | VPN PKI | User Activity | ALERT | 273 | ‐‐‐ |
| Content filter subscription expired. | Security Services | System Error | ERROR | 197 | 631 |
| Cookie removed | Network Access | Blocked Code | NOTICE | 21 | ‐‐‐ |
| CPU reaches 80% utilization for more than 10 seconds. | Firewall Hardware | ‐‐‐ | ALERT | 1248 | 17002 |
| CRL has expired | VPN PKI | User Activity | ALERT | 874 | ‐‐‐ |
| CRL loaded from | VPN PKI | User Activity | INFO | 270 | ‐‐‐ |
| CRL missing ‐ Issuer requires CRL checking. | VPN PKI | User Activity | ALERT | 876 | ‐‐‐ |
| CRL validation failure for Root Certificate | VPN PKI | User Activity | ALERT | 877 | ‐‐‐ |
| Crypto AES failed | ‐‐‐ | Maintenance | ERROR | 1291 | ‐‐‐ |
| Crypto AES test failed | ‐‐‐ | Maintenance | ERROR | 1278 | ‐‐‐ |
| Crypto AES test success | ‐‐‐ | Maintenance | INFO | 1279 | ‐‐‐ |
| Crypto DES failed | ‐‐‐ | Maintenance | ERROR | 1298 | ‐‐‐ |
| Crypto DES test failed | Crypto Test | Maintenance | ERROR | 360 | ‐‐‐ |
| Crypto DES test success | ‐‐‐ | Maintenance | INFO | 1277 | ‐‐‐ |
| Crypto DH test failed | Crypto Test | Maintenance | ERROR | 361 | ‐‐‐ |
| Crypto DH test success | ‐‐‐ | Maintenance | INFO | 1270 | ‐‐‐ |
| Crypto DRBG failed | ‐‐‐ | Maintenance | ERROR | 1292 | ‐‐‐ |
| Crypto DRBG test failed | ‐‐‐ | Maintenance | ERROR | 1281 | ‐‐‐ |
| Crypto DRBG test success | ‐‐‐ | Maintenance | INFO | 1280 | ‐‐‐ |
| Crypto DSA failed | ‐‐‐ | Maintenance | ERROR | 1293 | ‐‐‐ |
| Crypto hardware 3DES test failed | Crypto Test | Maintenance | ERROR | 367 | ‐‐‐ |
| Crypto hardware 3DES test success | ‐‐‐ | Maintenance | INFO | 1276 | ‐‐‐ |
| Crypto Hardware 3DES with SHA test failed | Crypto Test | Maintenance | ERROR | 369 | ‐‐‐ |
| Crypto hardware 3DES with SHA test success | ‐‐‐ | Maintenance | INFO | 1290 | ‐‐‐ |
| Crypto Hardware AES test failed | Crypto Test | Maintenance | ERROR | 610 | ‐‐‐ |
| Crypto hardware AES test success | ‐‐‐ | Maintenance | INFO | 1288 | ‐‐‐ |
| Crypto hardware DES test failed | Crypto Test | Maintenance | ERROR | 366 | ‐‐‐ |
| Crypto hardware DES test success | ‐‐‐ | Maintenance | INFO | 1272 | ‐‐‐ |
| Crypto hardware DES with SHA test failed | Crypto Test | Maintenance | ERROR | 368 | ‐‐‐ |
| Crypto hardware DES with SHA test success | ‐‐‐ | Maintenance | INFO | 1289 | ‐‐‐ |
| Crypto Hmac‐MD5 fest failed | Crypto Test | Maintenance | ERROR | 362 | ‐‐‐ |
| Crypto Hmac‐MD5 test success | ‐‐‐ | Maintenance | INFO | 1271 | ‐‐‐ |
| Crypto Hmac‐Sha1 test failed | Crypto Test | Maintenance | ERROR | 363 | ‐‐‐ |
| Crypto Hmac‐Sha1 test success | ‐‐‐ | Maintenance | INFO | 1275 | ‐‐‐ |
| Crypto Hmac‐SHA256 failed | ‐‐‐ | Maintenance | ERROR | 1294 | ‐‐‐ |
| Crypto Hmac‐Sha256 test failed | ‐‐‐ | Maintenance | ERROR | 1283 | ‐‐‐ |
| Crypto Hmac‐Sha256 test success | ‐‐‐ | Maintenance | INFO | 1282 | ‐‐‐ |
| Crypto MD5 test failed | Crypto Test | Maintenance | ERROR | 370 | ‐‐‐ |
| Crypto MD5 test success | ‐‐‐ | Maintenance | INFO | 1273 | ‐‐‐ |
| Crypto RSA failed | ‐‐‐ | Maintenance | ERROR | 1295 | ‐‐‐ |
| Crypto RSA test failed | Crypto Test | Maintenance | ERROR | 364 | ‐‐‐ |
| Crypto RSA test success | ‐‐‐ | Maintenance | INFO | 1284 | ‐‐‐ |
| Crypto SHA1 based DRNG KAT test failed | Crypto Test | ‐‐‐ | ERROR | 1060 | ‐‐‐ |
| Crypto SHA1 based DRNG KAT test success | ‐‐‐ | ‐‐‐ | INFO | 1274 | ‐‐‐ |
| Crypto SHA1 failed | ‐‐‐ | Maintenance | ERROR | 1296 | ‐‐‐ |
| Crypto Sha1 test failed | Crypto Test | Maintenance | ERROR | 365 | ‐‐‐ |
| Crypto Sha1 test success | ‐‐‐ | Maintenance | INFO | 1285 | ‐‐‐ |
| Crypto SHA256 failed | ‐‐‐ | Maintenance | ERROR | 1297 | ‐‐‐ |
| Crypto Sha256 test failed | ‐‐‐ | Maintenance | ERROR | 1287 | ‐‐‐ |
| Crypto Sha256 test success | ‐‐‐ | Maintenance | INFO | 1286 | ‐‐‐ |
| CSR Generation: %s | VPN PKI | ‐‐‐ | INFO | 1109 | ‐‐‐ |
| Current dynamic NAT translation count is more than 50% of the configured maximum. | Firewall Hardware | ‐‐‐ | ALERT | 1250 | 17004 |
| Current session count is more than 50% of the supported maximum. | Firewall Hardware | ‐‐‐ | ALERT | 1249 | 17003 |
| Dynamic DNS association %s disabled | Dynamic DNS | Maintenance | INFO | 781 | ‐‐‐ |
| Dynamic DNS association %s enabled | Dynamic DNS | Maintenance | INFO | 780 | ‐‐‐ |
| Dynamic DNS association %s added | Dynamic DNS | Maintenance | INFO | 779 | ‐‐‐ |
| Dynamic DNS association %s deactivated | Dynamic DNS | Maintenance | INFO | 784 | ‐‐‐ |
| Dynamic DNS association %s deleted | Dynamic DNS | Maintenance | INFO | 785 | ‐‐‐ |
| Dynamic DNS Association %s put on line | Dynamic DNS | Maintenance | INFO | 782 | ‐‐‐ |
| Dynamic DNS association %s taken Offline locally | Dynamic DNS | Maintenance | INFO | 778 | ‐‐‐ |
| Dynamic DNS association %s updated | Dynamic DNS | ‐‐‐ | INFO | 786 | ‐‐‐ |
| Dynamic DNS Failure: Provider %s | Dynamic DNS | System Error | ERROR | 774 | ‐‐‐ |
| Dynamic DNS Failure: Provider %s | Dynamic DNS | System Error | ERROR | 775 | ‐‐‐ |
| Dynamic DNS Failure: Provider %s | Dynamic DNS | System Error | ERROR | 773 | ‐‐‐ |
| Dynamic DNS Update success for domain %s | Dynamic DNS | Maintenance | INFO | 776 | ‐‐‐ |
| Dynamic DNS Warning: Provider %s | Dynamic DNS | System Error | WARNING | 777 | ‐‐‐ |
| Default to not blacklisted | Anti‐Spam | ‐‐‐ | DEBUG | 1144 | ‐‐‐ |
| Delete invalid scope because port IP in the range of this DHCP scope. | DHCP Server | ‐‐‐ | WARNING | 1184 | ‐‐‐ |
| Deleted LDAP mirror user group: %s | RADIUS | ‐‐‐ | INFO | 1191 | ‐‐‐ |
| Deleting from Multicast policy list, interface : %s | Multicast | ‐‐‐ | DEBUG | 698 | ‐‐‐ |
| Deleting from Multicast policy list, VPN SPI : %s | Multicast | ‐‐‐ | DEBUG | 700 | ‐‐‐ |
| Deleting IPsec SA | VPN IKE | User Activity | INFO | 92 | ‐‐‐ |
| Deleting IPsec SA for destination | VPN IKE | User Activity | INFO | 91 | ‐‐‐ |
| Deleting IPsec SA. (Phase 2) | VPN IKE | ‐‐‐ | DEBUG | 1183 | ‐‐‐ |
| Destination IP address connection status: %s | Firewall Event | ‐‐‐ | INFO | 735 | ‐‐‐ |
| Destination IPv6 address is unspecified. Packet is dropped | Network Access | Debug | ALERT | 1302 | ‐‐‐ |
| DHCP client enabled but not ready | DHCP Client | Maintenance | INFO | 504 | ‐‐‐ |
| DHCP Client did not get DHCP ACK. | DHCP Client | Maintenance | INFO | 109 | ‐‐‐ |
| DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | Maintenance | INFO | 119 | ‐‐‐ |
| DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | Maintenance | INFO | 120 | ‐‐‐ |
| DHCP Client got a new IP address lease. | DHCP Client | Maintenance | INFO | 121 | ‐‐‐ |
| DHCP Client got ACK from server. | DHCP Client | Maintenance | INFO | 111 | ‐‐‐ |
| DHCP Client got NACK. | DHCP Client | Maintenance | INFO | 110 | ‐‐‐ |
| DHCP Client is declining address offered by the server. | DHCP Client | Maintenance | INFO | 112 | ‐‐‐ |
| DHCP Client sending Request and going to REBIND state. | DHCP Client | Maintenance | INFO | 113 | ‐‐‐ |
| DHCP Client sending Request and going to RENEW state. | DHCP Client | Maintenance | INFO | 114 | ‐‐‐ |
| DHCP DECLINE received from remote device | DHCP Relay | Debug | INFO | 475 | ‐‐‐ |
| DHCP DISCOVER received from local device | DHCP Relay | Debug | INFO | 479 | ‐‐‐ |
| DHCP DISCOVER received from remote device | DHCP Relay | Debug | INFO | 474 | ‐‐‐ |
| DHCP INFORM received from remote device | DHCP Relay | Debug | INFO | 1215 | ‐‐‐ |
| DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | Maintenance | WARNING | 228 | ‐‐‐ |
| DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP | DHCP Relay | Maintenance | WARNING | 484 | ‐‐‐ |
| DHCP lease file in the flash is corrupted; read failed | Firewall Event | System Error | WARNING | 833 | ‐‐‐ |
| DHCP lease relayed to local device | DHCP Relay | Maintenance | INFO | 223 | ‐‐‐ |
| DHCP lease relayed to remote device | DHCP Relay | Debug | INFO | 225 | ‐‐‐ |
| DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | Maintenance | INFO | 226 | ‐‐‐ |
| DHCP leases written to flash | Firewall Event | Maintenance | INFO | 835 | ‐‐‐ |
| DHCP NACK received from server | DHCP Relay | Debug | INFO | 477 | ‐‐‐ |
| DHCP OFFER received from server | DHCP Relay | Debug | INFO | 476 | ‐‐‐ |
| DHCP RELEASE received from remote device | DHCP Relay | Debug | INFO | 224 | ‐‐‐ |
| DHCP RELEASE relayed to Central Gateway | DHCP Relay | Maintenance | INFO | 222 | ‐‐‐ |
| DHCP REQUEST received from local device | DHCP Relay | Debug | INFO | 480 | ‐‐‐ |
| DHCP REQUEST received from remote device | DHCP Relay | Debug | INFO | 473 | ‐‐‐ |
| DHCP Scopes altered automatically due to change in network settings for interface %s | Firewall Event | ‐‐‐ | INFO | 832 | ‐‐‐ |
| DHCP Server not available. Did not get any DHCP OFFER. | DHCP Client | Maintenance | INFO | 106 | ‐‐‐ |
| DHCP Server sanity check failed %s | Firewall Event | ‐‐‐ | CRITICAL | 1072 | ‐‐‐ |
| DHCP Server sanity check passed %s | Firewall Event | ‐‐‐ | CRITICAL | 1071 | ‐‐‐ |
| DHCP Server: IP conflict detected | Firewall Event | ‐‐‐ | ALERT | 1040 | ‐‐‐ |
| DHCP Server: Received DHCP decline from client | Firewall Event | ‐‐‐ | ALERT | 1041 | ‐‐‐ |
| DHCP Server: Received DHCP message from untrusted relay agent | Firewall Event | ‐‐‐ | NOTICE | 1090 | ‐‐‐ |
| DHCP Server: Resources of this pool ran out. Client Info: %s | DHCP Server | ‐‐‐ | ALERT | 1311 | ‐‐‐ |
| DHCPv6 lease file in the flash is corrupted; read failed | Network | ‐‐‐ | WARNING | 1259 | ‐‐‐ |
| DHCPv6 leases written to flash | Network | ‐‐‐ | INFO | 1261 | ‐‐‐ |
| Diagnostic Auto‐restart canceled | Firewall Event | ‐‐‐ | INFO | 1046 | ‐‐‐ |
| Diagnostic Auto‐restart scheduled for %s minutes from now | Firewall Event | ‐‐‐ | INFO | 1045 | ‐‐‐ |
| Diagnostic Code A | Firewall Hardware | System Error | ERROR | 93 | 611 |
| Diagnostic Code B | Firewall Hardware | System Error | ERROR | 94 | 612 |
| Diagnostic Code C | Firewall Hardware | System Error | ERROR | 95 | 613 |
| Diagnostic Code D | Firewall Hardware | System Error | ERROR | 64 | 610 |
| Diagnostic Code E | VPN IPsec | System Error | ERROR | 61 | 609 |
| Diagnostic Code F | Firewall Hardware | System Error | ERROR | 164 | 621 |
| Diagnostic Code G | Firewall Hardware | System Error | ERROR | 599 | 655 |
| Diagnostic Code H | Firewall Hardware | System Error | ERROR | 600 | 656 |
| Diagnostic Code I | Firewall Hardware | System Error | ERROR | 601 | 657 |
| Diagnostic Code J | Firewall Hardware | System Error | ERROR | 1025 | 5423 |
| Dial‐up: Session initiated by data packet | PPP Dial‐UP | ‐‐‐ | INFO | 1039 | ‐‐‐ |
| Dial‐up: Traffic generated by '%s' | PPP Dial‐UP | ‐‐‐ | INFO | 1038 | ‐‐‐ |
| Disconnecting L2TP Tunnel due to traffic Timeout | L2TP Client | Maintenance | INFO | 215 | ‐‐‐ |
| Disconnecting PPPoE due to traffic Timeout | PPPoE | Maintenance | INFO | 168 | ‐‐‐ |
| Disconnecting PPTP Tunnel due to traffic Timeout | PPTP | Maintenance | INFO | 389 | ‐‐‐ |
| Discovered HA %s Firewall | High Availability | ‐‐‐ | INFO | 1044 | ‐‐‐ |
| Discovered HA Secondary Firewall | High Availability | Maintenance | INFO | 156 | ‐‐‐ |
| DNS packet allowed | Network Access | Debug | INFO | 602 | ‐‐‐ |
| DNS rebind attack blocked | Intrusion Detection | ‐‐‐ | ALERT | 1099 | 6466 |
| DOS protection on WAN %s | Intrusion Detection | Debug | WARNING | 1181 | ‐‐‐ |
| DOS protection on WAN %s | Intrusion Detection | Debug | ALERT | 1182 | ‐‐‐ |
| DPI‐SSL: %s | DPI SSL | ‐‐‐ | INFO | 791 | ‐‐‐ |
| Drop WLAN traffic from non‐SonicPoint devices | Intrusion Detection | Attack | ERROR | 662 | 6434 |
| DSL: %s Device Down | DSL | ‐‐‐ | ALERT | 1186 | ‐‐‐ |
| DSL: %s Device Up | DSL | ‐‐‐ | ALERT | 1185 | ‐‐‐ |
| DSL: %s WAN is connected | DSL | ‐‐‐ | ALERT | 1187 | ‐‐‐ |
| DSL: %s WAN is initializing | DSL | ‐‐‐ | ALERT | 1188 | ‐‐‐ |
| Duplicate packet dropped | Network Access | Debug | DEBUG | 51 | ‐‐‐ |
| Dynamic IPsec client connected | VPN IPsec | User Activity | INFO | 62 | ‐‐‐ |
| E1_T1 Layer 1 status: Controlled slip | E1/T1 Status | ‐‐‐ | INFO | 1167 | ‐‐‐ |
| E1_T1 Layer 1 status: No frame synchronization | E1/T1 Status | ‐‐‐ | INFO | 1164 | ‐‐‐ |
| E1_T1 Layer 1 status: No multiframe synchronization | E1/T1 Status | ‐‐‐ | INFO | 1165 | ‐‐‐ |
| E1_T1 Layer 1 status: No signal | E1/T1 Status | ‐‐‐ | INFO | 1163 | ‐‐‐ |
| E1_T1 Layer 1 status: OK | E1/T1 Status | ‐‐‐ | INFO | 1168 | ‐‐‐ |
| E1_T1 Layer 1 status: Remote alarm detected | E1/T1 Status | ‐‐‐ | INFO | 1166 | ‐‐‐ |
| EIGRP packet dropped | Network Access | Debug | NOTICE | 714 | ‐‐‐ |
| E‐Mail fragment dropped | Intrusion Detection | Attack | ERROR | 437 | 550 |
| Entering FIPS ERROR state | Crypto Test | Maintenance | ERROR | 359 | ‐‐‐ |
| Entering FIPS Error State. | Crypto Test | System Error | ERROR | 497 | 659 |
| Error initializing Hardware acceleration for VPN | Firewall Hardware | Maintenance | ERROR | 374 | ‐‐‐ |
| Error Rebooting HA Peer Firewall | High Availability | System Error | ERROR | 669 | 663 |
| Error setting the IP address of the Secondary, please manually set to Secondary LAN IP | High Availability | System Error | ERROR | 191 | 629 |
| Error synchronizing HA peer firewall (%s) | High Availability | System Error | ERROR | 158 | 662 |
| Error updating HA peer configuration | High Availability | System Error | ERROR | 192 | 630 |
| ERROR: DHCP over VPN Policy is not defined. Cannot start IKE. | DHCP Relay | Maintenance | INFO | 478 | ‐‐‐ |
| Exceeded Max multicast address limit | Multicast | ‐‐‐ | WARNING | 703 | ‐‐‐ |
| External Web Server Host Resolution Failed %s | Authentication Access | ‐‐‐ | ERROR | 1069 | ‐‐‐ |
| Failed in SNMP memory allocateation. Not enough memory | ‐‐‐ | ‐‐‐ | ERROR | 1224 | ‐‐‐ |
| Failed on updating time from NTP server | ‐‐‐ | UDP | NOTICE | 1230 | ‐‐‐ |
| Failed payload validation | VPN IKE | User Activity | WARNING | 405 | ‐‐‐ |
| Failed payload verification after decryption; possible preshared key mismatch | VPN IKE | User Activity | WARNING | 404 | ‐‐‐ |
| Failed to add a member to an LDAP mirror user group | RADIUS | ‐‐‐ | WARNING | 1245 | ‐‐‐ |
| Failed to add an LDAP mirror user group | RADIUS | ‐‐‐ | WARNING | 1244 | ‐‐‐ |
| Failed to find certificate | VPN PKI | User Activity | ALERT | 875 | ‐‐‐ |
| Failed to get CRL from | VPN PKI | User Activity | ALERT | 271 | ‐‐‐ |
| Failed to insert entry into GRID result IP cached table | Anti‐Spam | ‐‐‐ | DEBUG | 1145 | ‐‐‐ |
| Failed to Process CRL from | VPN PKI | User Activity | ALERT | 276 | ‐‐‐ |
| Failed to resolve name | Network | Maintenance | INFO | 84 | ‐‐‐ |
| Failed to send file to remote backup server, Error: %s | Firewall Event | Maintenance | INFO | 1066 | ‐‐‐ |
| Failed to send Preference file to remote backup server, Error: %s | Firewall Event | Maintenance | INFO | 1062 | ‐‐‐ |
| Failed to send TSR file to remote backup server, Error: %s | Firewall Event | Maintenance | INFO | 1064 | ‐‐‐ |
| Failed to synchronize license information with Licensing Server. %s | Security Services | Maintenance | WARNING | 766 | 8628 |
| Failed to synchronize Relay IP Table | DHCP Relay | System Error | WARNING | 234 | 632 |
| Failed to write DHCP leases to flash | Firewall Event | System Error | WARNING | 834 | ‐‐‐ |
| Failed to write DHCPv6 leases to flash | Network | ‐‐‐ | WARNING | 1260 | ‐‐‐ |
| Failed VPN I/O processing | VPN IKE | User Activity | ERROR | 1234 | ‐‐‐ |
| Failure to reach Interface %s probe | High Availability | System Error | ERROR | 675 | 6234 |
| Fan Failure | Firewall Hardware | System Environment | ALERT | 576 | 102 |
| FIN Flood Blacklist on IF %s continues | Intrusion Detection | Debug | WARNING | 902 | ‐‐‐ |
| FIN‐Flooding machine %s blacklisted | Intrusion Detection | Debug | ALERT | 901 | ‐‐‐ |
| Firmware Update Failed | ‐‐‐ | ‐‐‐ | NOTICE | 1268 | ‐‐‐ |
| Firmware Update Success | ‐‐‐ | ‐‐‐ | NOTICE | 1269 | ‐‐‐ |
| Forbidden E‐Mail attachment deleted | Intrusion Detection | Attack | ERROR | 248 | 534 |
| Forbidden E‐Mail attachment disabled | Intrusion Detection | Attack | ALERT | 165 | 527 |
| Found Rogue Access Point | WLAN IDS | WLAN IDS | ALERT | 546 | 901 |
| Found Rogue Access Point | WLAN IDS | WLAN IDS | ALERT | 556 | 10804 |
| Fragmented packet dropped | Network | TCP \| UDP \| ICMP | NOTICE | 28 | ‐‐‐ |
| Fraudulent Microsoft certificate found; access denied | Intrusion Detection | Attack | ERROR | 193 | 532 |
| FTP client user logged in failed | FTP | ‐‐‐ | DEBUG | 1115 | ‐‐‐ |
| FTP client user logged in successfully | FTP | ‐‐‐ | DEBUG | 1114 | ‐‐‐ |
| FTP client user logged out | FTP | ‐‐‐ | DEBUG | 1116 | ‐‐‐ |
| FTP client user name was sent | FTP | ‐‐‐ | DEBUG | 1113 | ‐‐‐ |
| FTP server accepted the connection | FTP | ‐‐‐ | DEBUG | 1112 | ‐‐‐ |
| FTP: Data connection from non default port dropped | Network Access | Attack | ALERT | 538 | 557 |
| FTP: PASV response bounce attack dropped. | Intrusion Detection | Attack | ALERT | 528 | 556 |
| FTP: PASV response spoof attack dropped | Intrusion Detection | Attack | ERROR | 446 | 551 |
| FTP: PORT bounce attack dropped. | Intrusion Detection | Attack | ALERT | 527 | 555 |
| Gateway Anti‐Virus Alert: %s | Security Services | Attack | ALERT | 809 | 8632 |
| Gateway Anti‐Virus Service expired | Security Services | Maintenance | WARNING | 810 | 8633 |
| Global VPN Client connection is not allowed. Appliance is not registered. | VPN Client | System Error | INFO | 529 | 643 |
| Global VPN Client License Exceeded: Connection denied. | VPN Client | System Error | INFO | 494 | 658 |
| Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 | VPN Client | User Activity | INFO | 604 | ‐‐‐ |
| Got DHCP OFFER. Selecting. | DHCP Client | Maintenance | INFO | 107 | ‐‐‐ |
| GSC Policy out‐of‐date on host | Security Services | Maintenance | INFO | 762 | ‐‐‐ |
| Guest account '%s' created | Authentication Access | User Activity | INFO | 558 | ‐‐‐ |
| Guest account '%s' deleted | Authentication Access | User Activity | INFO | 559 | ‐‐‐ |
| Guest account '%s' disabled | Authentication Access | User Activity | INFO | 560 | ‐‐‐ |
| Guest account '%s' pruned | Authentication Access | User Activity | INFO | 562 | ‐‐‐ |
| Guest account '%s' re‐enabled | Authentication Access | User Activity | INFO | 561 | ‐‐‐ |
| Guest account '%s' re‐generated | Authentication Access | User Activity | INFO | 563 | ‐‐‐ |
| Guest Account Timeout | Authentication Access | User Activity | INFO | 551 | ‐‐‐ |
| Guest Idle Timeout | Authentication Access | User Activity | INFO | 564 | ‐‐‐ |
| Guest login denied. Guest '%s' is already logged in. Please try again later. | Authentication Access | User Activity | INFO | 557 | ‐‐‐ |
| Guest policy accepted | ‐‐‐ | User Activity | INFO | 1228 | ‐‐‐ |
| Guest Services drop traffic to deny network | Network Access | ‐‐‐ | INFO | 724 | ‐‐‐ |
| Guest Services pass traffic to access allow network | Network Access | ‐‐‐ | INFO | 725 | ‐‐‐ |
| Guest Session Timeout | Authentication Access | User Activity | INFO | 550 | ‐‐‐ |
| Guest traffic quota exceeded | ‐‐‐ | User Activity | INFO | 1227 | ‐‐‐ |
| GUI administration session ended | Authentication Access | User Activity | INFO | 998 | ‐‐‐ |
| H.323/H.225 Connect | VoIP | VoIP | DEBUG | 634 | ‐‐‐ |
| H.323/H.225 Setup | VoIP | VoIP | DEBUG | 633 | ‐‐‐ |
| H.323/H.245 Address | VoIP | VoIP | DEBUG | 635 | ‐‐‐ |
| H.323/H.245 End Session | VoIP | VoIP | DEBUG | 636 | ‐‐‐ |
| H.323/RAS Admission Confirm | VoIP | VoIP | DEBUG | 625 | ‐‐‐ |
| H.323/RAS Admission Reject | VoIP | VoIP | DEBUG | 624 | ‐‐‐ |
| H.323/RAS Admission Request | VoIP | VoIP | DEBUG | 626 | ‐‐‐ |
| H.323/RAS Bandwidth Reject | VoIP | VoIP | DEBUG | 627 | ‐‐‐ |
| H.323/RAS Disengage Confirm | VoIP | VoIP | DEBUG | 628 | ‐‐‐ |
| H.323/RAS Disengage Reject | VoIP | VoIP | DEBUG | 641 | ‐‐‐ |
| H.323/RAS Gatekeeper Reject | VoIP | VoIP | DEBUG | 629 | ‐‐‐ |
| H.323/RAS Location Confirm | VoIP | VoIP | DEBUG | 630 | ‐‐‐ |
| H.323/RAS Location Reject | VoIP | VoIP | DEBUG | 631 | ‐‐‐ |
| H.323/RAS Registration Reject | VoIP | VoIP | DEBUG | 632 | ‐‐‐ |
| H.323/RAS Unknown Message Response | VoIP | VoIP | DEBUG | 640 | ‐‐‐ |
| H.323/RAS Unregistration Reject | VoIP | VoIP | DEBUG | 642 | ‐‐‐ |
| HA association posted successfully to License Manager | Firewall Event | ‐‐‐ | INFO | 1310 | ‐‐‐ |
| HA association request to License Manager failed: %s | Firewall Event | ‐‐‐ | WARNING | 1309 | ‐‐‐ |
| HA packet processing error | High Availability | Maintenance | INFO | 162 | ‐‐‐ |
| HA Peer Firewall Rebooted | High Availability | Maintenance | INFO | 668 | ‐‐‐ |
| HA Peer Firewall Synchronized | High Availability | Maintenance | INFO | 157 | ‐‐‐ |
| Hardware Failover settings were not upgraded. | Firewall Event | Maintenance | INFO | 743 | ‐‐‐ |
| Header verification failed | VPN IKE | User Activity | WARNING | 587 | ‐‐‐ |
| Heartbeat received from incompatible source | High Availability | Maintenance | INFO | 163 | ‐‐‐ |
| High Availability has been enabled, Dial‐Up device(s) are not supported in High Availability processing. | High Availability | User Activity | INFO | 1125 | ‐‐‐ |
| Host IP address not in GRID List | Anti‐Spam | ‐‐‐ | DEBUG | 1141 | ‐‐‐ |
| HTTP management port has changed | Firewall Event | Maintenance | INFO | 340 | ‐‐‐ |
| HTTP method detected; examining stream for host header | Network Access | TCP | DEBUG | 882 | ‐‐‐ |
| HTTPS Handshake: %s | ‐‐‐ | ‐‐‐ | INFO | 1226 | ‐‐‐ |
| HTTPS management port has changed | Firewall Event | Maintenance | INFO | 341 | ‐‐‐ |
| ICMP checksum error; packet dropped | Network Access | UDP | NOTICE | 886 | ‐‐‐ |
| ICMP packet allowed | Network Access | Debug | INFO | 597 | ‐‐‐ |
| ICMP packet dropped due to Policy | Network Access | ICMP | NOTICE | 38 | ‐‐‐ |
| ICMP packet dropped no match | Network Access | ICMP | NOTICE | 523 | ‐‐‐ |
| ICMP packet from LAN allowed | Network Access | Debug | INFO | 598 | ‐‐‐ |
| ICMP packet from LAN dropped | Network Access | LAN ICMP \| LAN TCP | NOTICE | 175 | ‐‐‐ |
| ICMPv6 packet allowed | Network | ‐‐‐ | INFO | 1256 | ‐‐‐ |
| ICMPv6 packet dropped due to policy | Network | ‐‐‐ | NOTICE | 1257 | ‐‐‐ |
| ICMPv6 packet from LAN allowed | Network | ‐‐‐ | INFO | 1255 | ‐‐‐ |
| ICMPv6 packet from LAN dropped | Network | ‐‐‐ | NOTICE | 1254 | ‐‐‐ |
| If not already enabled, enabling NTP is recommended | Firewall Hardware | System Error | WARNING | 540 | 645 |
| IGMP Leave group message Received on interface %s | Multicast | ‐‐‐ | INFO | 682 | ‐‐‐ |
IGMP packet dropped, decoding error Multicast ‐‐‐ NOTICE 686 ‐‐‐
IGMP packet dropped, wrong checksum
received on interface %s
Multicast ‐‐‐ NOTICE 683 ‐‐‐
IGMP Packet Not handled. Packet type :
%s
Multicast ‐‐‐ NOTICE 687 ‐‐‐
IGMP querier Router detected on
interface %s
Multicast ‐‐‐ DEBUG 701 ‐‐‐
IGMP querier Router detected on VPN
tunnel , SPI %S
Multicast ‐‐‐ DEBUG 702 ‐‐‐
IGMP state table entry time out,
deleting interface : %s
Multicast ‐‐‐ DEBUG 692 ‐‐‐
IGMP state table entry time out,
deleting VPN SPI : %s
Multicast ‐‐‐ DEBUG 693 ‐‐‐
IGMP V2 client joined multicast Group :
%s
Multicast ‐‐‐ INFO 676 ‐‐‐
IGMP V2 Membership report received
from interface %s
Multicast ‐‐‐ DEBUG 679 ‐‐‐
IGMP V3 client joined multicast Group :
%s
Multicast ‐‐‐ INFO 677 ‐‐‐
IGMP V3 Membership report received
from interface %s
Multicast ‐‐‐ DEBUG 678 ‐‐‐
IGMP V3 packet dropped, unsupported
Record type : %s
Multicast ‐‐‐ NOTICE 688 ‐‐‐
IGMP V3 record type : %s not Handled Multicast ‐‐‐ DEBUG 689 ‐‐‐
IKE Initiator : VPN Policy for gateway
address not found
VPN IKE User Activity WARNING 1308 ‐‐‐
IKE Initiator : VPN Policy for IKE ID not
found
VPN IKE User Activity WARNING 1307 ‐‐‐
IKE Initiator drop: VPN tunnel end point
does not match configured VPN Policy
Bound to scope
VPN IKE User Activity INFO 544 ‐‐‐
IKE Initiator: Accepting IPsec proposal
(Phase 2)
VPN IKE User Activity INFO 372 ‐‐‐
IKE Initiator: Accepting peer lifetime.
(Phase 1)
VPN IKE User Activity INFO 445 ‐‐‐
IKE Initiator: Aggressive Mode complete
(Phase 1).
VPN IKE User Activity INFO 354 ‐‐‐
IKE Initiator: IKE proposal does not
match (Phase 1)
VPN IKE User Activity WARNING 937 ‐‐‐
IKE Initiator: Main Mode complete
(Phase 1)
VPN IKE User Activity INFO 353 ‐‐‐
IKE Initiator: Proposed IKE ID mismatch VPN IKE User Activity WARNING 933 ‐‐‐
IKE Initiator: Remote party Timeout ‐
Retransmitting IKE Request.
VPN IKE User Activity INFO 930 ‐‐‐
IKE Initiator: Start Aggressive Mode
negotiation (Phase 1)
VPN IKE User Activity INFO 358 ‐‐‐
IKE Initiator: Start Main Mode
negotiation (Phase 1)
VPN IKE User Activity INFO 351 ‐‐‐
IKE Initiator: Start Quick Mode (Phase
2).
VPN IKE User Activity INFO 346 ‐‐‐
IKE Initiator: Using secondary gateway
to negotiate
VPN IKE User Activity INFO 543 ‐‐‐
IKE negotiation aborted due to Timeout VPN IKE User Activity INFO 403 ‐‐‐
IKE negotiation complete. Adding IPsec
SA. (Phase 2)
VPN IKE User Activity INFO 89 ‐‐‐
IKE Responder : VPN Policy for gateway
address not found
VPN IKE User Activity WARNING 1306 ‐‐‐
IKE Responder : VPN Policy for IKE ID
not found
VPN IKE User Activity WARNING 1305 ‐‐‐
IKE Responder drop: VPN tunnel end
point does not match configured VPN
Policy Bound to scope
VPN IKE User Activity INFO 545 ‐‐‐
IKE Responder: %s Policy does not allow
static IP for Virtual Adapter.
VPN Client System Error ERROR 660 ‐‐‐
IKE Responder: Accepting IPsec
proposal (Phase 2)
VPN IKE User Activity INFO 87 ‐‐‐
IKE Responder: Aggressive Mode
complete (Phase 1)
VPN IKE User Activity INFO 373 ‐‐‐
IKE Responder: AH authentication
algorithm does not match
VPN IKE User Activity WARNING 920 ‐‐‐
IKE Responder: AH authentication key
length does not match
VPN IKE User Activity WARNING 923 ‐‐‐
IKE Responder: AH authentication key
rounds does not match
VPN IKE User Activity WARNING 926 ‐‐‐
IKE Responder: AH Perfect Forward
Secrecy mismatch
VPN IKE User Activity WARNING 258 544
IKE Responder: Algorithms and/or keys
do not match
VPN IKE User Activity WARNING 260 546
IKE Responder: Client Policy has no VPN
Access Networks assigned. Check
Configuration.
VPN IKE System Error ERROR 965 ‐‐‐
IKE Responder: Default LAN gateway is
not set but peer is proposing to use this
SA as a default route
VPN IKE Attack ERROR 516 553
IKE Responder: Default LAN gateway is
set but peer is not proposing to use this
SA as a default route
VPN IKE User Activity WARNING 253 539
IKE Responder: ESP authentication
algorithm does not match
VPN IKE User Activity WARNING 922 ‐‐‐
IKE Responder: ESP authentication key
length does not match
VPN IKE User Activity WARNING 925 ‐‐‐
IKE Responder: ESP authentication key
rounds does not match
VPN IKE User Activity WARNING 928 ‐‐‐
IKE Responder: ESP encryption
algorithm does not match
VPN IKE User Activity WARNING 921 ‐‐‐
IKE Responder: ESP encryption key
length does not match
VPN IKE User Activity WARNING 924 ‐‐‐
IKE Responder: ESP encryption key
rounds does not match
VPN IKE User Activity WARNING 927 ‐‐‐
IKE Responder: ESP mode mismatch
Local ‐ Transport Remote ‐ Tunnel
VPN IKE User Activity WARNING 1128 ‐‐‐
IKE Responder: ESP mode mismatch
Local ‐ Tunnel Remote ‐ Transport
VPN IKE User Activity WARNING 1127 ‐‐‐
IKE Responder: ESP Perfect Forward
Secrecy mismatch
VPN IKE User Activity WARNING 259 545
IKE Responder: IKE Phase 1 exchange
does not match
VPN IKE User Activity ERROR 1036 ‐‐‐
IKE Responder: IKE proposal does not
match (Phase 1)
VPN IKE User Activity WARNING 402 ‐‐‐
IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed. VPN Client System Error ERROR 659 ‐‐‐
IKE Responder: IP Compression
algorithm does not match
VPN IKE User Activity WARNING 929 ‐‐‐
IKE Responder: IPsec proposal does not
match (Phase 2)
VPN IKE User Activity WARNING 88 523
IKE Responder: IPsec protocol mismatch VPN IKE User Activity WARNING 932 ‐‐‐
IKE Responder: Main Mode complete
(Phase 1)
VPN IKE User Activity INFO 357 ‐‐‐
IKE Responder: Mode %d ‐ not transport
mode. XAUTH is required but not
supported by peer.
VPN IKE Debug WARNING 342 ‐‐‐
IKE Responder: Mode %d ‐ not tunnel
mode
VPN IKE User Activity WARNING 249 535
IKE Responder: No match for proposed
remote network address
VPN IKE User Activity WARNING 252 538
IKE Responder: No matching Phase 1 ID
found for proposed remote network
VPN IKE User Activity WARNING 250 536
IKE Responder: Peer's destination
network does not match VPN Policy's
[Local Network]
VPN IKE User Activity WARNING 935 ‐‐‐
IKE Responder: Peer's local network
does not match VPN Policy's
[Destination ]
VPN IKE User Activity WARNING 934 ‐‐‐
IKE Responder: Peer's proposed
network does not match VPN Policy's
Network
VPN IKE ‐‐‐ WARNING 1189 ‐‐‐
IKE Responder: Phase 1 Authentication
Method does not match
VPN IKE User Activity WARNING 913 ‐‐‐
IKE Responder: Phase 1 DH Group does
not match
VPN IKE User Activity WARNING 919 ‐‐‐
IKE Responder: Phase 1 encryption
algorithm does not match
VPN IKE User Activity WARNING 914 ‐‐‐
IKE Responder: Phase 1 encryption
algorithm keylength does not match
VPN IKE User Activity WARNING 915 ‐‐‐
IKE Responder: Phase 1 hash algorithm
does not match
VPN IKE User Activity WARNING 916 ‐‐‐
IKE Responder: Phase 1 XAUTH required
but Policy has no user name
VPN IKE User Activity WARNING 917 ‐‐‐
IKE Responder: Phase 1 XAUTH required
but Policy has no user password
VPN IKE User Activity WARNING 918 ‐‐‐
IKE Responder: Proposed IKE ID
mismatch
VPN IKE System Error WARNING 658 ‐‐‐
IKE Responder: Proposed local network
is 0.0.0.0 but SA has no LAN Default
Gateway
VPN IKE User Activity WARNING 418 549
IKE Responder: Proposed remote
network is 0.0.0.0 but not DHCP relay
nor default route
VPN IKE User Activity WARNING 251 537
IKE Responder: Received Aggressive
Mode Request (Phase 1)
VPN IKE User Activity INFO 356 ‐‐‐
IKE Responder: Received Main Mode
Request (Phase 1)
VPN IKE User Activity INFO 355 ‐‐‐
IKE Responder: Received Quick Mode
Request (Phase 2)
VPN IKE User Activity INFO 352 ‐‐‐
IKE Responder: Remote party Timeout ‐
Retransmitting IKE Request.
VPN IKE User Activity INFO 931 ‐‐‐
IKE Responder: Route table overrides
VPN Policy
VPN IKE User Activity WARNING 936 ‐‐‐
IKE Responder: Tunnel terminates
inside firewall but proposed local
network is not inside firewall
VPN IKE User Activity WARNING 255 541
IKE Responder: Tunnel terminates on
DMZ but proposed local network is on
LAN
VPN IKE User Activity WARNING 256 542
IKE Responder: Tunnel terminates on
LAN but proposed local network is on
DMZ
VPN IKE User Activity WARNING 257 543
IKE Responder: Tunnel terminates
outside firewall but proposed local
network is not NAT public address
VPN IKE User Activity WARNING 254 540
IKE Responder: Tunnel terminates
outside firewall but proposed remote
network is not NAT public address
VPN IKE User Activity WARNING 345 548
IKE SA lifetime expired. VPN IKE User Activity INFO 350 ‐‐‐
IKEv2 Accept IKE SA Proposal VPN IKE User Activity INFO 943 ‐‐‐
IKEv2 Accept IPsec SA Proposal VPN IKE User Activity INFO 944 ‐‐‐
IKEv2 Authentication successful VPN IKE User Activity INFO 942 ‐‐‐
IKEv2 Decrypt packet failed VPN IKE User Activity WARNING 960 ‐‐‐
IKEv2 Function sendto() failed to
transmit packet.
VPN IKE User Activity ERROR 979 ‐‐‐
IKEv2 IKE attribute not found VPN IKE User Activity WARNING 970 ‐‐‐
IKEv2 IKE proposal does not match VPN IKE User Activity WARNING 981 ‐‐‐
IKEv2 Initiator: Negotiations failed.
Extra payloads present.
VPN IKE User Activity WARNING 954 ‐‐‐
IKEv2 Initiator: Negotiations failed.
Invalid input state.
VPN IKE User Activity WARNING 956 ‐‐‐
IKEv2 Initiator: Negotiations failed.
Invalid output state.
VPN IKE User Activity WARNING 957 ‐‐‐
IKEv2 Initiator: Negotiations failed.
Missing required payloads.
VPN IKE User Activity WARNING 955 ‐‐‐
IKEv2 Initiator: Proposed IKE ID
mismatch
VPN IKE User Activity WARNING 980 ‐‐‐
IKEv2 Initiator: Received
CREATE_CHILD_SA response
VPN IKE User Activity INFO 975 ‐‐‐
IKEv2 Initiator: Received IKE_AUTH
response
VPN IKE User Activity INFO 974 ‐‐‐
IKEv2 Initiator: Received IKE_SA_INT
response
VPN IKE User Activity INFO 973 ‐‐‐
IKEv2 Initiator: Remote party Timeout ‐
Retransmitting IKEv2 Request.
VPN IKE User Activity INFO 972 ‐‐‐
IKEv2 Initiator: Send CREATE_CHILD_SA
Request
VPN IKE User Activity INFO 945 ‐‐‐
IKEv2 Initiator: Send IKE_AUTH Request VPN IKE User Activity INFO 940 ‐‐‐
IKEv2 Initiator: Send IKE_SA_INIT
Request
VPN IKE User Activity INFO 938 ‐‐‐
IKEv2 Invalid SPI size VPN IKE User Activity WARNING 966 ‐‐‐
IKEv2 Invalid state VPN IKE User Activity WARNING 964 ‐‐‐
IKEv2 IPsec attribute not found VPN IKE User Activity WARNING 969 ‐‐‐
IKEv2 IPsec proposal does not match VPN IKE User Activity WARNING 968 ‐‐‐
IKEv2 NAT device detected between
negotiating peers
VPN IKE User Activity INFO 985 ‐‐‐
IKEv2 negotiation complete VPN IKE User Activity INFO 978 ‐‐‐
IKEv2 No NAT device detected between
negotiating peers
VPN IKE User Activity INFO 984 ‐‐‐
IKEv2 Out of memory VPN IKE User Activity WARNING 961 ‐‐‐
IKEv2 Payload processing error VPN IKE User Activity WARNING 953 ‐‐‐
IKEv2 Payload validation failed. VPN IKE User Activity WARNING 958 ‐‐‐
IKEv2 Peer is not responding.
Negotiation aborted.
VPN IKE User Activity WARNING 971 ‐‐‐
IKEv2 Process Message queue failed VPN IKE User Activity WARNING 963 ‐‐‐
IKEv2 Received delete IKE SA Request VPN IKE User Activity INFO 948 ‐‐‐
IKEv2 Received delete IKE SA response VPN IKE User Activity INFO 1015 ‐‐‐
IKEv2 Received delete IPsec SA Request VPN IKE User Activity INFO 950 ‐‐‐
IKEv2 Received delete IPsec SA
response
VPN IKE User Activity INFO 1016 ‐‐‐
IKEv2 Received notify error payload VPN IKE User Activity WARNING 983 ‐‐‐
IKEv2 Received notify status payload VPN IKE User Activity INFO 982 ‐‐‐
IKEv2 Responder: Peer's destination
network does not match VPN Policy's
[Local Network]
VPN IKE User Activity INFO 951 ‐‐‐
IKEv2 Responder: Peer's local network
does not match VPN Policy's
[Destination Network]
VPN IKE User Activity INFO 952 ‐‐‐
IKEv2 Responder: Policy for remote IKE
ID not found
VPN IKE User Activity ERROR 962 ‐‐‐
IKEv2 Responder: Received
CREATE_CHILD_SA Request
VPN IKE User Activity INFO 946 ‐‐‐
IKEv2 Responder: Received IKE_AUTH
Request
VPN IKE User Activity INFO 941 ‐‐‐
IKEv2 Responder: Received IKE_SA_INIT
Request
VPN IKE User Activity INFO 939 ‐‐‐
IKEv2 Responder: Send
CREATE_CHILD_SA response
VPN IKE User Activity INFO 1012 ‐‐‐
IKEv2 Responder: Send IKE_AUTH
response
VPN IKE User Activity INFO 977 ‐‐‐
IKEv2 Responder: Send IKE_SA_INIT
response
VPN IKE User Activity INFO 976 ‐‐‐
IKEv2 Send delete IKE SA Request VPN IKE User Activity INFO 947 ‐‐‐
IKEv2 Send delete IKE SA response VPN IKE User Activity INFO 1013 ‐‐‐
IKEv2 Send delete IPsec SA Request VPN IKE User Activity INFO 949 ‐‐‐
IKEv2 Send delete IPsec SA response VPN IKE User Activity INFO 1014 ‐‐‐
IKEv2 Unable to find IKE SA VPN IKE User Activity WARNING 959 ‐‐‐
IKEv2 VPN Policy not found VPN IKE User Activity WARNING 967 ‐‐‐
IKEv2: Peer's IP Version of Traffic Selector does not match with ours VPN IKE ‐‐‐ INFO 1312 ‐‐‐
Illegal IPsec SPI VPN IPsec User Activity INFO 65 ‐‐‐
Imported HA hardware ID did not match
this firewall
High Availability Maintenance INFO 155 ‐‐‐
Imported VPN SA is invalid ‐ disabled Firewall Event Maintenance WARNING 348 ‐‐‐
Inbound connection from GRID‐listed
SMTP server dropped
Anti‐Spam ‐‐‐ NOTICE 1092 13810
Inbound connection from RBL‐listed
SMTP server dropped
RBL ‐‐‐ NOTICE 798 ‐‐‐
Incoming call received for Remotely
Triggered Dial‐out session
Authentication
Access
User Activity INFO 817 ‐‐‐
Incompatible IPsec Security Association VPN IPsec User Activity INFO 69 ‐‐‐
Incorrect authentication received for
Remotely Triggered Dial‐out
Authentication
Access
User Activity INFO 819 ‐‐‐
Ini Killer attack dropped Intrusion
Detection
Attack ALERT 80 519
Initiator from country blocked: %s GeoIP GeoIP ALERT 1198 ‐‐‐
Interface %s Link Is Down Firewall Event System Error ALERT 566 647
Interface %s Link Is Up Firewall Event System Error ALERT 565 646
Interface IP Assignment : Binding and
initializing %s
Firewall Event Maintenance INFO 568 ‐‐‐
Interface IP Assignment changed:
Shutting down %s
Firewall Event Maintenance INFO 567 ‐‐‐
Interface statistics report GMS ‐‐‐ INFO 805 ‐‐‐
Internet Access restricted to authorized
users. Dropped packet received in the
clear.
Wireless TCP | UDP |
ICMP
WARNING 532 ‐‐‐
Invalid DNS Server will not be accepted
by the dynamic client
Firewall Event ‐‐‐ INFO 1070 ‐‐‐
Invalid key or serial number used for
GRID response
Anti‐Spam ‐‐‐ DEBUG 1139 ‐‐‐
Invalid key version used for GRID
response
Anti‐Spam ‐‐‐ DEBUG 1140 ‐‐‐
Invalid Product Code Upgrade request
received: %s
Firewall Event ‐‐‐ ERROR 704 ‐‐‐
Invalid SNMP packet ‐‐‐ ‐‐‐ WARNING 1220 ‐‐‐
Invalid SNMPv3 engineID ‐‐‐ ‐‐‐ WARNING 1221 ‐‐‐
Invalid SNMPv3 Time Window ‐‐‐ ‐‐‐ WARNING 1223 ‐‐‐
Invalid SNMPv3 User ‐‐‐ ‐‐‐ WARNING 1222 ‐‐‐
Invalid VLAN packet dropped Network ‐‐‐ ALERT 836 ‐‐‐
IP address conflict detected from
Ethernet address %s
Network Maintenance WARNING 847 ‐‐‐
IP Address is allocateated for Client ‐‐‐ ‐‐‐ INFO 1219 ‐‐‐
IP Header checksum error; packet
dropped
Network Access TCP|UDP NOTICE 883 ‐‐‐
IP Pool of the VPN Policy is Full ‐‐‐ ‐‐‐ DEBUG 1216 ‐‐‐
IP Pool of the VPN Policy is Not
Configured
‐‐‐ ‐‐‐ DEBUG 1217 ‐‐‐
IP spoof detected on packet to Central
Gateway, packet dropped
DHCP Relay Attack ERROR 229 533
IP spoof dropped Intrusion
Detection
Attack ALERT 23 502
IP type %s packet dropped Network Access LAN UDP |
LAN TCP
NOTICE 590 ‐‐‐
IPComp connection interrupt IPComp Debug DEBUG 651 ‐‐‐
IPComp packet dropped IPComp TCP | UDP |
ICMP
NOTICE 652 ‐‐‐
IPComp packet dropped; waiting for
pending IPComp connection
IPComp Debug DEBUG 653 ‐‐‐
IPS Detection Alert: %s Intrusion
Detection
Attack ALERT 608 569
IPS Detection Alert: %s Intrusion
Detection
Attack ALERT 789 6435
IPS Prevention Alert: %s Intrusion
Detection
Attack ALERT 609 570
IPS Prevention Alert: %s Intrusion
Detection
Attack ALERT 790 6436
IPsec (AH) packet dropped VPN IPsec TCP | UDP |
ICMP
NOTICE 534 ‐‐‐
IPsec (AH) packet dropped; waiting for
pending IPsec connection
VPN IPsec Debug DEBUG 536 ‐‐‐
IPsec (ESP) packet dropped VPN IPsec TCP | UDP |
ICMP
NOTICE 533 ‐‐‐
IPsec (ESP) packet dropped; waiting for
pending IPsec connection
VPN IPsec Debug DEBUG 535 ‐‐‐
IPsec Authentication Failed VPN IPsec Attack ERROR 67 508
IPsec connection interrupt Network Access Debug DEBUG 43 ‐‐‐
IPsec Decryption Failed VPN IPsec Attack ERROR 68 509
IPsec packet dropped Network Access TCP | UDP |
ICMP
NOTICE 40 ‐‐‐
IPsec packet dropped; waiting for
pending IPsec connection
Network Access Debug DEBUG 42 ‐‐‐
IPsec packet from an illegal host VPN IPsec Maintenance INFO 247 ‐‐‐
IPsec packet from or to an illegal host VPN IPsec Attack ERROR 70 510
IPsec Replay Detected VPN IPsec Attack ALERT 180 531
IPsec SA lifetime expired. VPN IPsec User Activity INFO 349 ‐‐‐
IPsec Tunnel status changed VPN VPN Tunnel Status INFO 427 801
IPv6 Tunnel packet dropped VPN IKE ‐‐‐ NOTICE 1253 ‐‐‐
IPv6 VPN only support IKEv2 mode VPN IKE ‐‐‐ INFO 1252 ‐‐‐
ISDN Driver Firmware successfully
updated
Firewall Event Maintenance INFO 493 ‐‐‐
Issuer match failed VPN PKI User Activity ALERT 278 ‐‐‐
Java access denied Network Access Blocked Code NOTICE 19 ‐‐‐
L2TP Connect Initiated by the User L2TP Client Maintenance INFO 216 ‐‐‐
L2TP Disconnect Initiated by the User L2TP Client Maintenance INFO 214 ‐‐‐
L2TP LCP Down L2TP Client Maintenance INFO 209 ‐‐‐
L2TP LCP Up L2TP Client Maintenance INFO 213 ‐‐‐
L2TP Max Retransmission Exceeded L2TP Client Maintenance INFO 203 ‐‐‐
L2TP PPP Authentication Failed L2TP Client Maintenance INFO 212 ‐‐‐
L2TP PPP Down L2TP Client Maintenance INFO 211 ‐‐‐
L2TP PPP link down L2TP Client Maintenance INFO 217 ‐‐‐
L2TP PPP Negotiation Started L2TP Client Maintenance INFO 208 ‐‐‐
L2TP PPP Session Up L2TP Client Maintenance INFO 210 ‐‐‐
L2TP Server : Access from L2TP VPN
Client Privilege not enabled for RADIUS
Users.
L2TP Server Maintenance INFO 343 ‐‐‐
L2TP Server : Deleting the L2TP active
Session
L2TP Server Maintenance INFO 337 ‐‐‐
L2TP Server : Deleting the Tunnel L2TP Server Maintenance INFO 336 ‐‐‐
L2TP Server : L2TP PPP Session
Established.
L2TP Server Maintenance INFO 310 ‐‐‐
L2TP Server : L2TP Session Established. L2TP Server Maintenance INFO 309 ‐‐‐
L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance INFO 308 ‐‐‐
L2TP Server : Retransmission Timeout,
Deleting the Tunnel
L2TP Server Maintenance INFO 338 ‐‐‐
L2TP Server : User Name authentication
Failure locally.
L2TP Server Maintenance INFO 344 ‐‐‐
L2TP Server: Keep alive Failure. Closing
Tunnel
L2TP Server Maintenance INFO 320 ‐‐‐
L2TP Server: L2TP Remote terminated
the PPP session
L2TP Server Maintenance INFO 317 ‐‐‐
L2TP Server: L2TP Session Disconnect
from the Remote.
L2TP Server Maintenance INFO 316 ‐‐‐
L2TP Server: L2TP Tunnel Disconnect
from the Remote.
L2TP Server Maintenance INFO 315 ‐‐‐
L2TP Server: Local Authentication
Failure
L2TP Server Maintenance INFO 312 ‐‐‐
L2TP Server: Local Authentication
Success.
L2TP Server Maintenance INFO 318 ‐‐‐
L2TP Server: No IP address available in
the Local IP Pool
L2TP Server Maintenance INFO 314 ‐‐‐
L2TP Server: RADIUS/LDAP
Authentication Success
L2TP Server Maintenance INFO 319 ‐‐‐
L2TP Server: RADIUS/LDAP reports
Authentication Failure
L2TP Server Maintenance INFO 311 ‐‐‐
L2TP Server: RADIUS/LDAP server not
assigned IP address
L2TP Server Maintenance INFO 313 ‐‐‐
L2TP Server: Call Disconnect from
Remote.
L2TP Server Maintenance INFO 334 ‐‐‐
L2TP Server: Tunnel Disconnect from
Remote.
L2TP Server Maintenance INFO 335 ‐‐‐
L2TP Session Disconnect from Remote L2TP Client Maintenance INFO 207 ‐‐‐
L2TP Session Established L2TP Client Maintenance INFO 206 ‐‐‐
L2TP Session Negotiation Started L2TP Client Maintenance INFO 202 ‐‐‐
L2TP Tunnel Disconnect from Remote L2TP Client Maintenance INFO 205 ‐‐‐
L2TP Tunnel Established L2TP Client Maintenance INFO 204 ‐‐‐
L2TP Tunnel Negotiation %s L2TP Client ‐‐‐ INFO 1074 ‐‐‐
L2TP Tunnel Negotiation Started L2TP Client Maintenance INFO 201 ‐‐‐
LAN Subnet configurations were not
upgraded.
Firewall Event Maintenance INFO 741 ‐‐‐
Land attack dropped Intrusion
Detection
Attack ALERT 27 505
LDAP server does not allow CHAP RADIUS User Activity WARNING 758 ‐‐‐
LDAP using non‐administrative account
‐ VPN client user will not be able to
change passwords
RADIUS System Error WARNING 1011 ‐‐‐
License exceeded: Connection dropped
because too many IP addresses are in
use on your LAN
Firewall Event System Error ERROR 58 608
License of HA pair doesn't match: %s High Availability System Error ERROR 670 664
Locked‐out user logins allowed ‐ lockout
period expired
Authentication
Access
User Activity INFO 438 ‐‐‐
Locked‐out user logins allowed by
administrator
Authentication
Access
User Activity INFO 439 ‐‐‐
Log Cleared Firewall Logging Maintenance INFO 5 ‐‐‐
Log Debug Firewall Event Debug ERROR 142 ‐‐‐
Log full; deactivating Network Security
Appliance
Firewall Logging System Error ERROR 7 601
Log successfully sent via email Firewall Logging Maintenance INFO 6 ‐‐‐
Login screen timed out Authentication
Access
User Activity INFO 34 ‐‐‐
MAC address collides with Static ARP
Entry with Bound MAC address; packet
dropped
Network ‐‐‐ NOTICE 814 ‐‐‐
Machine %s removed from FIN flood
blacklist
Intrusion
Detection
Debug ALERT 903 ‐‐‐
Machine %s removed from RST flood
blacklist
Intrusion
Detection
Debug ALERT 900 ‐‐‐
Machine %s removed from SYN flood
blacklist
Intrusion
Detection
Debug ALERT 865 ‐‐‐
MAC‐IP Anti‐spoof cache found, but it is
blacklisted device
Mac IP spoof Attack ALERT 1212 ‐‐‐
MAC‐IP Anti‐spoof cache found, but it is
not a router
Mac IP spoof Attack ALERT 1211 ‐‐‐
MAC‐IP Anti‐spoof cache not found for
this router
Mac IP spoof Attack ALERT 1210 ‐‐‐
MAC‐IP Anti‐spoof check enforced for
hosts
Mac IP spoof Attack ALERT 1209 ‐‐‐
Malformed DNS packet detected Network Access Debug ALERT 1177 ‐‐‐
Malformed or unhandled IP packet
dropped
Network Access Debug ALERT 522 554
Maximum events per second threshold
exceeded
Firewall Logging System Error CRITICAL 654 ‐‐‐
Maximum number of Bandwidth
Managed rules exceeded upon upgrade
to this version. Some Bandwidth
settings ignored.
Firewall Event Maintenance NOTICE 541 ‐‐‐
Maximum sequential failed dial
attempts (10) to a single dial‐up
number: %s
PPP Dial‐UP Attack ERROR 591 566
Maximum syslog data per second
threshold exceeded
Firewall Logging System Error CRITICAL 655 ‐‐‐
Message blocked by Real‐Time Email
Scanner
Anti‐Spam ‐‐‐ INFO 1108 ‐‐‐
MOBIKE: Update Peer Gateway IP ‐‐‐ ‐‐‐ INFO 1218 ‐‐‐
Modules attached to HA units do not
match: %s
High Availability System Error ALERT 1162 664
Monitoring probe out interface
mismatch %s
High Availability ‐‐‐ ERROR 1194 ‐‐‐
Multicast application %s not supported Multicast ‐‐‐ INFO 696 ‐‐‐
Multicast packet dropped, Invalid src IP
received on interface : %s
Multicast ‐‐‐ ALERT 685 ‐‐‐
Multicast packet dropped, wrong MAC
address received on interface : %s
Multicast ‐‐‐ ALERT 684 ‐‐‐
Multicast TCP packet dropped Multicast ‐‐‐ NOTICE 691 ‐‐‐
Multicast UDP packet dropped, no state
entry
Multicast ‐‐‐ NOTICE 690 ‐‐‐
Multicast UDP packet dropped, RTCP
stateful failed
Multicast ‐‐‐ WARNING 695 ‐‐‐
Multicast UDP packet dropped, RTP
stateful failed
Multicast ‐‐‐ WARNING 694 ‐‐‐
Multiple DHCP Servers are detected on
network
Firewall Event ‐‐‐ WARNING 1068 ‐‐‐
Name Resolution for Syslog or GMS
failed.
Firewall Event ‐‐‐ ERROR 1156 ‐‐‐
NAT device may not support IPsec AH
pass‐through
VPN IPsec Maintenance INFO 266 ‐‐‐
NAT Discovery : No NAT/NAPT device
detected between IPsec Security
gateways
VPN IKE User Activity INFO 241 ‐‐‐
NAT Discovery : Local IPsec Security
Gateway behind a NAT/NAPT Device
VPN IKE User Activity INFO 240 ‐‐‐
NAT Discovery : Peer IPsec Security
Gateway behind a NAT/NAPT Device
VPN IKE User Activity INFO 239 ‐‐‐
NAT Discovery : Peer IPsec Security
Gateway doesn't support VPN NAT
Traversal
VPN IKE User Activity INFO 242 ‐‐‐
Nat Mapping Network Access ‐‐‐ NOTICE 1197 ‐‐‐
NAT policy added ‐‐‐ ‐‐‐ INFO 1313 ‐‐‐
NAT policy deleted ‐‐‐ ‐‐‐ INFO 1315 ‐‐‐
NAT policy modified ‐‐‐ ‐‐‐ INFO 1314 ‐‐‐
NAT translated packet exceeds size
limit, packet dropped
Network Debug DEBUG 339 ‐‐‐
Ndpp SelfTest write/read encrypt/
decrypt failure
‐‐‐ Maintenance ALERT 1300 ‐‐‐
Ndpp SelfTest write/read encrypt/
decrypt successsfully
‐‐‐ Maintenance ALERT 1299 ‐‐‐
Net Spy attack dropped Intrusion
Detection
Attack ALERT 74 513
NetBIOS settings were not upgraded.
Use Network>IP Helper to configure
NetBIOS support
Firewall Event Maintenance INFO 740 ‐‐‐
NetBus attack dropped Intrusion
Detection
Attack ALERT 72 511
Network for interface %s overlaps with
another interface.
Firewall Event Maintenance INFO 569 ‐‐‐
Network Modem Mode Disabled: re‐
enabling NAT
PPP Dial‐UP Maintenance INFO 531 ‐‐‐
Network Modem Mode Enabled:
turning off NAT
PPP Dial‐UP Maintenance INFO 530 ‐‐‐
Network Monitor Policy %s Added Network
Monitor
‐‐‐ INFO 1104 ‐‐‐
Network Monitor Policy %s Deleted Network
Monitor
‐‐‐ INFO 1105 ‐‐‐
Network Monitor Policy %s Modified Network
Monitor
‐‐‐ INFO 1106 ‐‐‐
Network Monitor: Host %s is offline Network
Monitor
‐‐‐ ALERT 706 14005
Network Monitor: Host %s is online Network
Monitor
‐‐‐ ALERT 707 14006
Network Monitor: Host %s status is
UNKNOWN
Network
Monitor
‐‐‐ ALERT 1103 14004
Network Monitor: Policy %s status is
DOWN
Network
Monitor
‐‐‐ ALERT 1101 14002
Network Monitor: Policy %s status is
UNKNOWN
Network
Monitor
‐‐‐ ALERT 1102 14003
Network Monitor: Policy %s status is UP Network
Monitor
‐‐‐ ALERT 1100 14001
Network Security Appliance activated Firewall Event Maintenance ALERT 4 ‐‐‐
Network Security Appliance initializing Firewall Event Maintenance INFO 521 ‐‐‐
New firmware available. Firewall Event Maintenance INFO 198 ‐‐‐
New URL List loaded Security
Services
Maintenance INFO 8 ‐‐‐
Newsgroup access allowed Network Access Blocked Sites NOTICE 17 704
Newsgroup access denied Network Access Blocked Sites NOTICE 15 702
No Certificate for VPN PKI User Activity ALERT 280 ‐‐‐
No DNS response to domain ‐ %s Security
Services
‐‐‐ DEBUG 1238 ‐‐‐
No HOST tag found in HTTP Request Network Access Debug DEBUG 52 ‐‐‐
No new URL List available Security
Services
Maintenance INFO 9 ‐‐‐
No response from ISP Disconnecting
PPPoE.
PPPoE Maintenance INFO 169 ‐‐‐
No response from PPTP server to call
requests
PPTP Maintenance INFO 431 ‐‐‐
No response from PPTP server to
control connection requests
PPTP Maintenance INFO 430 ‐‐‐
No response from server to Echo
Requests, disconnecting PPTP Tunnel
PPTP Maintenance INFO 429 ‐‐‐
No response received from DNS server Anti‐Spam ‐‐‐ DEBUG 1142 ‐‐‐
No valid DNS server specified for GRID
lookups
Anti‐Spam ‐‐‐ ERROR 1094 13812
No valid DNS server specified for RBL
lookups
RBL ‐‐‐ ERROR 800 ‐‐‐
Non‐config mode GUI administration
session started
Authentication
Access
User Activity INFO 997 ‐‐‐
Not all configurations may have been
completely upgraded
Firewall Event Maintenance INFO 612 ‐‐‐
Not blacklisted as per configuration Anti‐Spam ‐‐‐ DEBUG 1143 ‐‐‐
Not Blacklisted by domain ‐ %s Security
Services
‐‐‐ DEBUG 1237 ‐‐‐
Not enough memory to hold the CRL VPN PKI User Activity WARNING 272 ‐‐‐
NTP Request sent ‐‐‐ UDP NOTICE 1232 ‐‐‐
Obtained Relay IP Table from Remote
Gateway
DHCP Relay Maintenance INFO 233 ‐‐‐
OCSP Failed to Resolve Domain Name. VPN PKI User Activity ERROR 853 ‐‐‐
OCSP Internal error handling received
response.
VPN PKI User Activity ERROR 854 ‐‐‐
OCSP received response error. VPN PKI User Activity ERROR 851 ‐‐‐
OCSP received response. VPN PKI User Activity INFO 850 ‐‐‐
OCSP Resolved Domain Name. VPN PKI User Activity INFO 852 ‐‐‐
OCSP send request message failed. VPN PKI User Activity ERROR 849 ‐‐‐
OCSP sending request. VPN PKI User Activity INFO 848 ‐‐‐
On HA peer firewall, Interface %s Link Is
Down
High Availability System Error ALERT 1206 ‐‐‐
On HA peer firewall, Interface %s Link Is
Up
High Availability System Error ALERT 1205 ‐‐‐
Outbound connection to GRID‐listed
SMTP server dropped
Anti‐Spam ‐‐‐ NOTICE 1091 13809
Outbound connection to RBL‐listed
SMTP server dropped
RBL ‐‐‐ NOTICE 797 ‐‐‐
Out‐of‐order command packet dropped Network Access Debug DEBUG 48 ‐‐‐
Overriding Product Code Upgrade to:
%s
Firewall Event ‐‐‐ ERROR 705 ‐‐‐
Packet allowed by ACL Network ‐‐‐ INFO 1235 ‐‐‐
Packet destination not in VPN Access list VPN IPsec Attack ERROR 648 572
Packet Dropped ‐ IP TTL expired Network Debug WARNING 910 ‐‐‐
Packet dropped by guest check Network Access TCP | UDP |
ICMP
WARNING 488 ‐‐‐
Packet dropped by wireless Advanced
IDP
‐‐‐ TCP | UDP |
ICMP
WARNING 1229 ‐‐‐
Packet dropped by WLAN SSL VPN
enforcement check
Wireless TCP | UDP |
ICMP
WARNING 732 ‐‐‐
Packet dropped by WLAN VPN traversal
check
Wireless TCP | UDP |
ICMP
WARNING 495 ‐‐‐
Packet dropped. No firewall rule associated with VPN policy. VPN System Error ALERT 739 ‐‐‐
Packet dropped; connection limit for this destination IP address has been reached Firewall Event System Error ALERT 647 5239
Packet dropped; connection limit for this source IP address has been reached Firewall Event System Error ALERT 646 5238
Packet is dropped due to NDPP rules. Network Access Debug ALERT 1304 ‐‐‐
Payload processing failed VPN IKE Debug ERROR 616 ‐‐‐
PC Card inserted. Firewall Hardware ‐‐‐ ALERT 1054 5419
PC Card removed. Firewall Hardware ‐‐‐ ALERT 1053 5418
PC Card: No device detected Firewall Hardware ‐‐‐ ALERT 1056 ‐‐‐
Peer firewall has equivalent link status. In event of failover, it will operate with equal capability. High Availability Maintenance INFO 1208 ‐‐‐
Peer firewall has reduced link status. In event of failover, it will operate with limited capability. High Availability Maintenance INFO 1207 ‐‐‐
Peer firewall rebooting (%s) High Availability ‐‐‐ INFO 1057 ‐‐‐
Peer HA firewall has stateful license but this firewall is not yet registered High Availability System Error ALERT 1136 ‐‐‐
Physical environment normal Firewall Hardware ‐‐‐ INFO 1042 5424
Physical interface utilization is greater than 80% of the maximum rated tolerance(for the interface)for more than 10 seconds. Firewall Hardware ‐‐‐ ALERT 1247 17001
Ping of death dropped Intrusion Detection Attack ALERT 22 501
PKI Error: VPN PKI Maintenance ERROR 417 ‐‐‐
PKI Failure VPN PKI Maintenance ERROR 447 ‐‐‐
PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate VPN PKI Maintenance ERROR 453 ‐‐‐
PKI Failure: Cannot allocate memory VPN PKI Maintenance ERROR 449 ‐‐‐
PKI Failure: Certificate's ID does not match this Network Security Appliance VPN PKI Maintenance ERROR 455 ‐‐‐
PKI Failure: Duplicate local certificate VPN PKI Maintenance ERROR 458 ‐‐‐
PKI Failure: Duplicate local certificate name VPN PKI Maintenance ERROR 457 ‐‐‐
PKI Failure: Import failed VPN PKI Maintenance ERROR 451 ‐‐‐
PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file VPN PKI Maintenance ERROR 454 ‐‐‐
PKI Failure: Incorrect admin password VPN PKI Maintenance ERROR 452 ‐‐‐
PKI Failure: Internal error VPN PKI Maintenance ERROR 460 ‐‐‐
PKI Failure: Loaded but could not verify certificate VPN PKI Maintenance ERROR 469 ‐‐‐
PKI Failure: Loaded the certificate but could not verify its chain VPN PKI Maintenance ERROR 470 ‐‐‐
PKI Failure: No CA certificates yet loaded VPN PKI Maintenance ERROR 459 ‐‐‐
PKI Failure: Output buffer too small VPN PKI Maintenance ERROR 448 ‐‐‐
PKI Failure: public‐private key mismatch VPN PKI Maintenance ERROR 456 ‐‐‐
PKI Failure: Reached the limit for local certificates, cant load any more VPN PKI Maintenance ERROR 450 ‐‐‐
PKI Failure: Temporary memory shortage, try again VPN PKI Maintenance ERROR 461 ‐‐‐
PKI Failure: The certificate chain has no root VPN PKI Maintenance ERROR 464 ‐‐‐
PKI Failure: The certificate chain is circular VPN PKI Maintenance ERROR 462 ‐‐‐
PKI Failure: The certificate chain is incomplete VPN PKI Maintenance ERROR 463 ‐‐‐
PKI Failure: The certificate or a certificate in the chain has a bad signature VPN PKI Maintenance ERROR 468 ‐‐‐
PKI Failure: The certificate or a certificate in the chain has a validity period in the future VPN PKI Maintenance ERROR 466 ‐‐‐
PKI Failure: The certificate or a certificate in the chain has expired VPN PKI Maintenance ERROR 465 ‐‐‐
PKI Failure: The certificate or a certificate in the chain is corrupt VPN PKI Maintenance ERROR 467 ‐‐‐
Please connect interface %s to another network to function properly Firewall Event Maintenance INFO 570 ‐‐‐
Please manually check all system configurations for correctness of Upgrade Firewall Event Maintenance INFO 613 ‐‐‐
Port configured to receive IPsec protocol ONLY; drop packet received in the clear Network Access TCP | UDP | ICMP WARNING 347 ‐‐‐
Possible DNS rebind attack detected Intrusion Detection ‐‐‐ ALERT 1098 6465
Possible FIN Flood on IF %s Intrusion Detection Debug ALERT 905 ‐‐‐
Possible FIN Flood on IF %s continues Intrusion Detection Debug WARNING 909 ‐‐‐
Possible FIN Flood on IF %s has ceased Intrusion Detection Debug ALERT 907 ‐‐‐
Possible ICMP flood attack detected Intrusion Detection Attack ALERT 1214 ‐‐‐
Possible port scan detected Intrusion Detection Attack ALERT 82 521
Possible RST Flood on IF %s Intrusion Detection Debug ALERT 904 ‐‐‐
Possible RST Flood on IF %s continues Intrusion Detection Debug WARNING 908 ‐‐‐
Possible RST Flood on IF %s has ceased Intrusion Detection Debug ALERT 906 ‐‐‐
Possible SYN flood attack detected Intrusion Detection Attack WARNING 25 503
Possible SYN flood detected on WAN IF %s ‐ switching to connection‐proxy mode Intrusion Detection Debug ALERT 859 ‐‐‐
Possible SYN Flood on IF %s Intrusion Detection Debug ALERT 860 ‐‐‐
Possible SYN Flood on IF %s continues Intrusion Detection Debug WARNING 866 ‐‐‐
Possible SYN Flood on IF %s has ceased Intrusion Detection Debug ALERT 867 ‐‐‐
Possible UDP flood attack detected Intrusion Detection Attack ALERT 1213 ‐‐‐
Power supply without redundancy Firewall Hardware ‐‐‐ ERROR 1043 5425
PPP Dial‐Up: Connect request canceled PPP Dial‐UP User Activity INFO 306 ‐‐‐
PPP Dial‐Up: Connected at %s bps ‐ starting PPP PPP Dial‐UP User Activity INFO 286 ‐‐‐
PPP Dial‐Up: Connection disconnected as scheduled. PPP Dial‐UP ‐‐‐ INFO 666 ‐‐‐
PPP Dial‐Up: Dial initiated by %s PPP Dial‐UP Maintenance INFO 324 ‐‐‐
PPP Dial‐Up: Dialed number did not answer PPP Dial‐UP User Activity INFO 285 ‐‐‐
PPP Dial‐Up: Dialed number is busy PPP Dial‐UP User Activity INFO 284 ‐‐‐
PPP Dial‐Up: Dialing not allowed by schedule. %s PPP Dial‐UP ‐‐‐ INFO 665 ‐‐‐
PPP Dial‐Up: Dialing: %s PPP Dial‐UP User Activity INFO 281 ‐‐‐
PPP Dial‐Up: Failed to get IP address PPP Dial‐UP Module INFO 298 ‐‐‐
PPP Dial‐Up: Idle time limit exceeded ‐ disconnecting PPP Dial‐UP User Activity INFO 297 ‐‐‐
PPP Dial‐Up: Initialization : %s PPP Dial‐UP User Activity INFO 303 ‐‐‐
PPP Dial‐Up: Invalid DNS IP address returned from Dial‐Up ISP; overriding using dial‐up profile settings PPP Dial‐UP Maintenance INFO 811 ‐‐‐
PPP Dial‐Up: Link carrier lost PPP Dial‐UP User Activity INFO 288 ‐‐‐
PPP Dial‐Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial‐UP User Activity INFO 321 ‐‐‐
PPP Dial‐Up: Maximum connection time exceeded ‐ disconnecting PPP Dial‐UP User Activity INFO 327 ‐‐‐
PPP Dial‐Up: No dial tone detected ‐ check phone‐line connection PPP Dial‐UP User Activity INFO 282 ‐‐‐
PPP Dial‐Up: No link carrier detected ‐ check phone number PPP Dial‐UP User Activity INFO 283 ‐‐‐
PPP Dial‐Up: No peer IP address from Dial‐Up ISP, local and remote IPs will be the same PPP Dial‐UP Maintenance INFO 481 ‐‐‐
PPP Dial‐Up: PPP link down PPP Dial‐UP User Activity INFO 301 ‐‐‐
PPP Dial‐Up: PPP link established PPP Dial‐UP User Activity INFO 300 ‐‐‐
PPP Dial‐Up: PPP negotiation failed ‐ disconnecting PPP Dial‐UP User Activity INFO 296 ‐‐‐
PPP Dial‐Up: Previous session was connected for %s PPP Dial‐UP User Activity INFO 542 ‐‐‐
PPP Dial‐Up: Received new IP address PPP Dial‐UP User Activity INFO 299 ‐‐‐
PPP Dial‐Up: Shutting down link PPP Dial‐UP User Activity INFO 302 ‐‐‐
PPP Dial‐Up: Starting PPP PPP Dial‐UP ‐‐‐ INFO 1037 ‐‐‐
PPP Dial‐Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial‐UP User Activity INFO 323 ‐‐‐
PPP Dial‐Up: The profile in use disabled VPN networking. PPP Dial‐UP Maintenance INFO 330 ‐‐‐
PPP Dial‐Up: Trying to failover but Alternate Profile is manual WAN Failover User Activity INFO 434 ‐‐‐
PPP Dial‐Up: Trying to failover but Primary Profile is manual PPP Dial‐UP User Activity INFO 322 ‐‐‐
PPP Dial‐Up: Unknown dialing failure PPP Dial‐UP User Activity INFO 287 ‐‐‐
PPP Dial‐Up: User requested connect PPP Dial‐UP User Activity INFO 305 ‐‐‐
PPP Dial‐Up: User requested disconnect PPP Dial‐UP User Activity INFO 304 ‐‐‐
PPP Dial‐Up: VPN networking restored. PPP Dial‐UP Maintenance INFO 331 ‐‐‐
PPP message: %s PPP ‐‐‐ INFO 1018 ‐‐‐
PPP: Authentication successful PPP ‐‐‐ INFO 289 ‐‐‐
PPP: CHAP authentication failed ‐ check username / password PPP ‐‐‐ INFO 291 ‐‐‐
PPP: MS‐CHAP authentication failed ‐ check username / password PPP ‐‐‐ INFO 292 ‐‐‐
PPP: PAP Authentication failed ‐ check username / password PPP ‐‐‐ INFO 290 ‐‐‐
PPP: Starting CHAP authentication PPP ‐‐‐ INFO 294 ‐‐‐
PPP: Starting MS‐CHAP authentication PPP ‐‐‐ INFO 293 ‐‐‐
PPP: Starting PAP authentication PPP ‐‐‐ INFO 295 ‐‐‐
PPPoE terminated PPPoE Maintenance INFO 130 ‐‐‐
PPPoE CHAP Authentication Failed PPPoE Maintenance INFO 136 ‐‐‐
PPPoE Client: Previous session was connected for %s PPPoE Maintenance INFO 738 ‐‐‐
PPPoE discovery process complete PPPoE Maintenance INFO 133 ‐‐‐
PPPoE enabled but not ready PPPoE Maintenance INFO 499 ‐‐‐
PPPoE LCP Link Down PPPoE Maintenance INFO 129 ‐‐‐
PPPoE LCP Link Up PPPoE Maintenance INFO 128 ‐‐‐
PPPoE Network Connected PPPoE Maintenance INFO 131 ‐‐‐
PPPoE Network Disconnected PPPoE Maintenance INFO 132 ‐‐‐
PPPoE PAP Authentication Failed PPPoE Maintenance INFO 137 ‐‐‐
PPPoE PAP Authentication Failed. Please verify PPPoE username and password PPPoE Maintenance INFO 167 ‐‐‐
PPPoE PAP Authentication success. PPPoE Maintenance INFO 166 ‐‐‐
PPPoE password changed by Administrator Authentication Access User Activity INFO 515 ‐‐‐
PPPoE starting CHAP Authentication PPPoE Maintenance INFO 134 ‐‐‐
PPPoE starting PAP Authentication PPPoE Maintenance INFO 135 ‐‐‐
PPPoE user name changed by Administrator Authentication Access User Activity INFO 514 ‐‐‐
PPTP enabled but not ready PPTP Maintenance INFO 501 ‐‐‐
PPTP CHAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance INFO 394 ‐‐‐
PPTP Connect Initiated by the User PPTP Maintenance INFO 390 ‐‐‐
PPTP Control Connection Established PPTP Maintenance INFO 378 ‐‐‐
PPTP Control Connection Negotiation Started PPTP Maintenance INFO 375 ‐‐‐
PPTP decode failure PPTP Debug DEBUG 596 ‐‐‐
PPTP Disconnect Initiated by the User PPTP Maintenance INFO 388 ‐‐‐
PPTP LCP Down PPTP Maintenance INFO 383 ‐‐‐
PPTP LCP Up PPTP Maintenance INFO 387 ‐‐‐
PPTP Max Retransmission Exceeded PPTP Maintenance INFO 377 ‐‐‐
PPTP packet dropped Network Access TCP | UDP | ICMP NOTICE 39 ‐‐‐
PPTP PAP Authentication Failed PPTP Maintenance INFO 395 ‐‐‐
PPTP PAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance INFO 397 ‐‐‐
PPTP PAP Authentication success. PPTP Maintenance INFO 396 ‐‐‐
PPTP PPP Authentication Failed PPTP Maintenance INFO 386 ‐‐‐
PPTP PPP Down PPTP Maintenance INFO 385 ‐‐‐
PPTP PPP link down PPTP Maintenance INFO 391 ‐‐‐
PPTP PPP Link down PPTP Maintenance INFO 399 ‐‐‐
PPTP PPP Link Finished PPTP Maintenance INFO 400 ‐‐‐
PPTP PPP Link Up PPTP Maintenance INFO 398 ‐‐‐
PPTP PPP Negotiation Started PPTP Maintenance INFO 382 ‐‐‐
PPTP PPP Session Up PPTP Maintenance INFO 384 ‐‐‐
PPTP Server is not responding, check if the server is UP and running. PPTP Maintenance INFO 444 ‐‐‐
PPTP server rejected control connection PPTP Maintenance INFO 432 ‐‐‐
PPTP server rejected the call request PPTP Maintenance INFO 433 ‐‐‐
PPTP Session Disconnect from Remote PPTP Maintenance INFO 381 ‐‐‐
PPTP Session Established PPTP Maintenance INFO 380 ‐‐‐
PPTP Session Negotiation Started PPTP Maintenance INFO 376 ‐‐‐
PPTP starting CHAP Authentication PPTP Maintenance INFO 392 ‐‐‐
PPTP starting PAP Authentication PPTP Maintenance INFO 393 ‐‐‐
PPTP Tunnel Disconnect from Remote PPTP Maintenance INFO 379 ‐‐‐
Primary firewall has transitioned to Active High Availability Maintenance ALERT 144 ‐‐‐
Primary firewall has transitioned to Idle High Availability System Error ALERT 146 614
Primary firewall preempting Secondary High Availability System Error ERROR 153 620
Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability ‐‐‐ INFO 1058 ‐‐‐
Primary missed heartbeats from Secondary High Availability System Error ERROR 148 615
Primary received error signal from Secondary High Availability System Error ERROR 150 617
Primary received heartbeat from wrong source High Availability Maintenance INFO 160 ‐‐‐
Primary received reboot signal from Secondary High Availability System Error ERROR 671 665
Primary WAN link down, Primary going Idle High Availability Maintenance INFO 218 ‐‐‐
Primary WAN link down, Secondary going Active High Availability System Error ERROR 220 634
Primary WAN link up, preempting Secondary High Availability Maintenance INFO 221 ‐‐‐
Priority attack dropped Intrusion Detection Attack ALERT 79 518
Probable port scan detected Intrusion Detection Attack ALERT 83 522
Probable TCP FIN scan detected Intrusion Detection Attack ALERT 177 528
Probable TCP NULL scan detected Intrusion Detection Attack ALERT 179 530
Probable TCP XMAS scan detected Intrusion Detection Attack ALERT 178 529
Probe Response Failure ‐ %s Anti‐Spam ‐‐‐ DEBUG 1132 ‐‐‐
Probe Response Success ‐ %s Anti‐Spam ‐‐‐ DEBUG 1131 ‐‐‐
Probing failure on %s WAN Failover System Error ALERT 326 637
Probing succeeded on %s WAN Failover System Error ALERT 436 638
Problem loading the URL List; Appliance not registered. Security Services System Error ERROR 183 623
Problem loading the URL List; check Filter settings Security Services System Error ERROR 10 602
Problem loading the URL List; check your DNS server Security Services System Error ERROR 11 603
Problem loading the URL List; Flash write failure. Security Services System Error ERROR 187 627
Problem loading the URL List; Retrying later. Security Services System Error ERROR 186 626
Problem loading the URL List; Subscription expired. Security Services System Error ERROR 184 624
Problem loading the URL List; Try loading it again. Security Services System Error ERROR 185 625
Problem occurred during user group membership retrieval Authentication Access User Activity WARNING 1033 ‐‐‐
Problem sending log email; check log settings Firewall Logging System Error WARNING 12 604
Processed Email received from Email Security Service Anti‐Spam ‐‐‐ INFO 1096 13814
Product maximum entries reached ‐ %s Firewall Event Maintenance ALERT 1196 ‐‐‐
RADIUS user cannot use One Time Password ‐ no mail address set for equivalent local user Authentication Access User Activity INFO 1119 ‐‐‐
RBL DNS server responded with error code ‐ %s Security Services ‐‐‐ DEBUG 1239 ‐‐‐
Read‐only mode GUI administration session started Authentication Access User Activity INFO 996 ‐‐‐
Real time clock battery failure Time values may be incorrect Firewall Hardware System Error WARNING 539 644
Received a path MTU ICMP message from router/gateway Network User Activity INFO 182 ‐‐‐
Received a path MTU ICMP message from router/gateway Network User Activity INFO 188 ‐‐‐
Received Alert: Your Firewall Botnet Filter subscription has expired. Security Services Security Services WARNING 1195 ‐‐‐
Received Alert: Your Visualization Control subscription has expired. Security Services ‐‐‐ WARNING 1159 ‐‐‐
Received Application Firewall Alert: Your Application Firewall (Application Firewall) subscription has expired. Security Services Maintenance WARNING 1034 8635
Received AV Alert: %s Security Services Maintenance WARNING 125 524
Received AV Alert: Your Network Anti‐Virus subscription has expired. %s Security Services Maintenance WARNING 159 526
Received AV Alert: Your Network Anti‐Virus subscription will expire in 7 days. %s Security Services Maintenance WARNING 482 552
Received Blacklisted Directive from ‐ %s Security Services ‐‐‐ DEBUG 1236 ‐‐‐
Received CFS Alert: Your Content Filtering subscription has expired. Security Services Maintenance WARNING 490 563
Received CFS Alert: Your Content Filtering subscription will expire in 7 days. Security Services Maintenance WARNING 489 562
Received DHCP offer packet has errors DHCP Client Maintenance INFO 588 ‐‐‐
Received E‐Mail Filter Alert: Your E‐Mail Filtering subscription has expired. Security Services Maintenance WARNING 492 565
Received E‐Mail Filter Alert: Your E‐Mail Filtering subscription will expire in 7 days. Security Services Maintenance WARNING 491 564
Received fragmented packet or fragmentation needed Network Debug DEBUG 63 ‐‐‐
Received IKE SA delete request VPN IKE User Activity INFO 413 ‐‐‐
Received IPS Alert: Your Intrusion Prevention (IDP) subscription has expired. Security Services Maintenance WARNING 614 571
Received IPsec SA delete request VPN IKE User Activity INFO 412 ‐‐‐
Received ISAKMP packet destined to port %s VPN IKE Debug | UDP INFO 607 ‐‐‐
Received LCP Echo Reply PPPoE Maintenance INFO 723 ‐‐‐
Received LCP Echo Request PPPoE Maintenance INFO 721 ‐‐‐
Received notify. NO_PROPOSAL_CHOSEN VPN IKE User Activity WARNING 401 ‐‐‐
Received notify: INVALID_COOKIES VPN IKE User Activity INFO 414 ‐‐‐
Received notify: INVALID_ID_INFO VPN IPsec User Activity WARNING 483 ‐‐‐
Received notify: INVALID_PAYLOAD VPN IKE User Activity ERROR 661 ‐‐‐
Received notify: INVALID_SPI VPN IKE User Activity INFO 416 ‐‐‐
Received notify: ISAKMP_AUTH_FAILED VPN IKE User Activity WARNING 409 ‐‐‐
Received notify: PAYLOAD_MALFORMED VPN IKE User Activity WARNING 411 ‐‐‐
Received notify: RESPONDER_LIFETIME VPN IKE User Activity INFO 415 ‐‐‐
Received packet retransmission. Drop duplicate packet VPN IKE User Activity WARNING 406 ‐‐‐
Received PPPoE Active Discovery Offer PPPoE Maintenance INFO 593 ‐‐‐
Received PPPoE Active Discovery Session_confirmation PPPoE Maintenance INFO 594 ‐‐‐
Received response packet for DHCP request has errors DHCP Client Maintenance INFO 589 ‐‐‐
Received unauthenticated GRID response Anti‐Spam ‐‐‐ DEBUG 1138 ‐‐‐
Received unencrypted packet in crypto active state VPN IKE User Activity WARNING 605 ‐‐‐
Registration Update Needed, Please restore your existing security service subscriptions. Security Services Maintenance WARNING 496 ‐‐‐
Regulatory requirements prohibit %s from being re‐dialed for 30 minutes PPP Dial‐UP Attack ERROR 592 567
Released IP address %s DHCP Server ‐‐‐ INFO 1111 ‐‐‐
Remote WAN Acceleration device started responding to probes Bandwidth Optimization ‐‐‐ WARNING 1175 ‐‐‐
Remote WAN Acceleration device stopped responding to probes Bandwidth Optimization ‐‐‐ WARNING 1174 ‐‐‐
Remotely Triggered Dial‐out session ended. Valid WAN bound data found. Normal dial‐up sequence will commence Authentication Access User Activity INFO 822 ‐‐‐
Remotely Triggered Dial‐out session started. Requesting authentication Authentication Access User Activity INFO 818 ‐‐‐
Removed a member from an LDAP mirror user group RADIUS ‐‐‐ INFO 1193 ‐‐‐
Removed host entry from dynamic address object Dynamic Address Objects Maintenance INFO 912 ‐‐‐
Request for Relay IP Table from Central Gateway DHCP Relay Maintenance INFO 230 ‐‐‐
Requesting CRL from VPN PKI User Activity INFO 269 ‐‐‐
Requesting Relay IP Table from Remote Gateway DHCP Relay Maintenance INFO 231 ‐‐‐
Resolved ES Cloud ‐ %s Anti‐Spam ‐‐‐ DEBUG 1146 ‐‐‐
Responder from country blocked: %s GeoIP GeoIP ALERT 1199 ‐‐‐
Restarting Network Security Appliance; dumping log to email Firewall Event Maintenance INFO 13 ‐‐‐
Retransmitting DHCP DISCOVER. DHCP Client Maintenance INFO 99 ‐‐‐
Retransmitting DHCP Request (Rebinding). DHCP Client Maintenance INFO 102 ‐‐‐
Retransmitting DHCP Request (Rebooting). DHCP Client Maintenance INFO 103 ‐‐‐
Retransmitting DHCP Request (Renewing). DHCP Client Maintenance INFO 101 ‐‐‐
Retransmitting DHCP Request (Requesting). DHCP Client Maintenance INFO 100 ‐‐‐
Retransmitting DHCP Request (Verifying). DHCP Client Maintenance INFO 104 ‐‐‐
RIP Broadcasts for LAN Network %s are being broadcast over dialup‐connection RIP Maintenance INFO 571 8413
RIP disabled on DMZ interface RIP Maintenance INFO 423 8405
RIP disabled on interface %s RIP Maintenance INFO 419 8401
RIP disabled on WAN interface RIP Maintenance INFO 552 8409
Ripper attack dropped Intrusion Detection Attack ALERT 76 515
RIPv1 enabled on DMZ interface RIP Maintenance INFO 424 8406
RIPv1 enabled on interface %s RIP Maintenance INFO 420 8402
RIPv1 enabled on WAN interface RIP Maintenance INFO 553 8410
RIPv2 compatibility (broadcast) mode enabled on DMZ interface RIP Maintenance INFO 426 8408
RIPv2 compatibility (broadcast) mode enabled on interface %s RIP Maintenance INFO 422 8404
RIPv2 compatibility (broadcast) mode enabled on WAN interface RIP Maintenance INFO 555 8412
RIPv2 enabled on DMZ interface RIP Maintenance INFO 425 8407
RIPv2 enabled on interface %s RIP Maintenance INFO 421 8403
RIPv2 enabled on WAN interface RIP Maintenance INFO 554 8411
Router IGMP General query received on interface %s Multicast ‐‐‐ DEBUG 680 ‐‐‐
Router IGMP Membership query received on interface %s Multicast ‐‐‐ DEBUG 681 ‐‐‐
RST Flood Blacklist on IF %s continues Intrusion Detection Debug WARNING 899 ‐‐‐
RST‐Flooding machine %s blacklisted Intrusion Detection Debug ALERT 898 ‐‐‐
SA is disabled. Check VPN SA settings VPN IKE User Activity INFO 407 ‐‐‐
SCEP Client: %s VPN PKI ‐‐‐ NOTICE 1097 ‐‐‐
Secondary active High Availability System Error INFO 825 ‐‐‐
Secondary firewall being preempted by Primary High Availability System Error ERROR 152 619
Secondary firewall has transitioned to Active High Availability Maintenance ALERT 145 ‐‐‐
Secondary firewall has transitioned to Idle High Availability Maintenance ALERT 147 ‐‐‐
Secondary firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability ‐‐‐ INFO 1059 ‐‐‐
Secondary going Active in preempt mode after reboot High Availability System Error ERROR 170 622
Secondary missed heartbeats from Primary High Availability System Error ERROR 149 616
Secondary received error signal from Primary High Availability System Error ERROR 151 618
Secondary received heartbeat from wrong source High Availability Maintenance INFO 161 ‐‐‐
Secondary received reboot signal from Primary High Availability System Error ERROR 672 666
Secondary shut down because license is expired High Availability System Error ERROR 824 ‐‐‐
Secondary WAN link down, Primary going Active High Availability System Error ERROR 219 633
Secondary will be shut down in %s minutes High Availability System Error ERROR 823 ‐‐‐
Sending DHCP DISCOVER. DHCP Client Maintenance INFO 105 ‐‐‐
Sending DHCP RELEASE. DHCP Client Maintenance INFO 122 ‐‐‐
Sending DHCP Request (Rebinding). DHCP Client Maintenance INFO 116 ‐‐‐
Sending DHCP Request (Rebooting). DHCP Client Maintenance INFO 117 ‐‐‐
Sending DHCP Request (Renewing). DHCP Client Maintenance INFO 115 ‐‐‐
Sending DHCP Request (Verifying). DHCP Client Maintenance INFO 118 ‐‐‐
Sending DHCP Request. DHCP Client Maintenance INFO 108 ‐‐‐
Sending LCP Echo Reply PPPoE Maintenance INFO 722 ‐‐‐
Sending LCP Echo Request PPPoE Maintenance INFO 720 ‐‐‐
Sending PPPoE Active Discovery Request PPPoE Maintenance INFO 595 ‐‐‐
Senna Spy attack dropped Intrusion Detection Attack ALERT 78 517
Sent Relay IP Table to Central Gateway DHCP Relay Maintenance INFO 232 ‐‐‐
Settings Import: %s Firewall Event ‐‐‐ INFO 1049 ‐‐‐
SIP Register expiration exceeds configured Signaling inactivity time out VoIP VoIP WARNING 645 ‐‐‐
SIP Request VoIP VoIP DEBUG 643 ‐‐‐
SIP Response VoIP VoIP DEBUG 644 ‐‐‐
SMTP authentication problem:%s Firewall Logging System Error WARNING 737 ‐‐‐
SMTP connection limit is reached. Connection is dropped. Anti‐Spam ‐‐‐ WARNING 1087 13806
SMTP POP‐Before‐SMTP authentication failed Firewall Logging System Error WARNING 656 ‐‐‐
SMTP server found on RBL blacklist RBL ‐‐‐ NOTICE 799 ‐‐‐
SMTP server found on Reject List Anti‐Spam ‐‐‐ NOTICE 1093 13811
Smurf Amplification attack dropped Intrusion Detection Attack ALERT 81 520
SNMP Packet Dropped ‐‐‐ ‐‐‐ INFO 1225 ‐‐‐
SonicPoint association posted successfully to License Manager Firewall Event ‐‐‐ INFO 1266 ‐‐‐
SonicPoint association request to License Manager failed: %s Firewall Event ‐‐‐ WARNING 1265 ‐‐‐
SonicPoint Provision SonicPoint SonicPoint INFO 727 ‐‐‐
SonicPoint statistics report GMS ‐‐‐ INFO 806 ‐‐‐
SonicPoint Status SonicPoint SonicPoint INFO 667 ‐‐‐
SonicPointN Provision SonicPointN ‐‐‐ INFO 1078 ‐‐‐
SonicPointN Status SonicPointN ‐‐‐ INFO 1077 ‐‐‐
Source IP address connection status: %s Firewall Event ‐‐‐ INFO 734 ‐‐‐
Source IPv6 address is unspecified but this packet is not Neighbor Solicitation message for DAD. Packet is dropped Network Access Debug ALERT 1303 ‐‐‐
Source or Destination IPv6 address is reserved by RFC 4291. Packet is dropped Network Access Debug ALERT 1301 ‐‐‐
Source routed IP packet dropped Intrusion Detection Debug WARNING 428 ‐‐‐
Spank attack multicast packet dropped Intrusion Detection Attack ALERT 606 568
SSL Control: Certificate chain not complete Network Access Blocked Sites INFO 1006 ‐‐‐
SSL Control: Certificate with invalid date Network Access Blocked Sites INFO 1002 ‐‐‐
SSL Control: Certificate with MD5 Digest Signature Algorithm Network Access Blocked Sites INFO 1081 ‐‐‐
SSL Control: Failed to decode Server Hello Network Access Blocked Sites INFO 1007 ‐‐‐
SSL Control: HTTPS via SSL2 Network Access Blocked Sites INFO 1001 ‐‐‐
SSL Control: Self‐signed certificate Network Access Blocked Sites INFO 1003 ‐‐‐
SSL Control: Untrusted CA Network Access Blocked Sites INFO 1005 ‐‐‐
SSL Control: Weak cipher being used Network Access Blocked Sites INFO 1004 ‐‐‐
SSL Control: Website found in blacklist Network Access Blocked Sites INFO 999 ‐‐‐
SSL Control: Website found in whitelist Network Access Blocked Sites INFO 1000 ‐‐‐
SSL VPN enforcement Wireless Maintenance INFO 733 ‐‐‐
SSL VPN Traffic SslVPN Connection Traffic AppFirewall FIC INFO 1153 ‐‐‐
SSL VPN zone remote user login allowed Authentication Access ‐‐‐ INFO 1080 ‐‐‐
SSO agent is down CIA User Activity ALERT 1075 ‐‐‐
SSO agent is up CIA User Activity ALERT 1076 ‐‐‐
SSO agent returned domain name too long CIA User Activity WARNING 993 ‐‐‐
SSO agent returned error CIA User Activity WARNING 1073 ‐‐‐
SSO agent returned user name too long CIA User Activity WARNING 992 ‐‐‐
Starting IKE negotiation VPN IKE User Activity INFO 90 ‐‐‐
Starting PPPoE discovery PPPoE Maintenance INFO 127 ‐‐‐
Status GMS Maintenance INFO 96 ‐‐‐
Striker attack dropped Intrusion Detection Attack ALERT 77 516
Sub Seven attack dropped Intrusion Detection Attack ALERT 75 514
Succeed in updating time from NTP server ‐‐‐ UDP NOTICE 1231 ‐‐‐
Success to reach Interface %s probe High Availability System Error INFO 674 ‐‐‐
Successful authentication received for Remotely Triggered Dial‐out Authentication Access User Activity INFO 820 ‐‐‐
Successfully sent %s file to remote backup server Firewall Event Maintenance INFO 1065 ‐‐‐
Successfully sent Preference file to remote backup server Firewall Event Maintenance INFO 1061 ‐‐‐
Successfully sent TSR file to remote backup server Firewall Event Maintenance INFO 1063 ‐‐‐
Suspected Botnet initiator blocked: %s Botnet Botnet ALERT 1200 ‐‐‐
Suspected Botnet responder blocked: %s Botnet Botnet ALERT 1201 ‐‐‐
SYN Flood Blacklist on IF %s continues Intrusion Detection Debug WARNING 868 ‐‐‐
SYN Flood blacklisting disabled by user Intrusion Detection Debug WARNING 863 ‐‐‐
SYN Flood blacklisting enabled by user Intrusion Detection Debug WARNING 862 ‐‐‐
SYN flood ceased or flooding machines blacklisted ‐ connection proxy disabled Intrusion Detection Debug ALERT 861 ‐‐‐
SYN Flood Mode changed by user to: Always proxy WAN connections Intrusion Detection Debug WARNING 858 ‐‐‐
SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack Intrusion Detection Debug WARNING 857 ‐‐‐
SYN Flood Mode changed by user to: Watch and report possible SYN floods Intrusion Detection Debug WARNING 856 ‐‐‐
Synchronizing preferences to HA Peer Firewall High Availability Maintenance INFO 673 ‐‐‐
SYN‐Flooding machine %s blacklisted Intrusion Detection Debug ALERT 864 ‐‐‐
Syslog Server cannot be reached Network Maintenance INFO 657 ‐‐‐
System clock manually updated Firewall Logging ‐‐‐ NOTICE 881 ‐‐‐
System shutdown by administrator. Power cycle required. Firewall Event ‐‐‐ ALERT 1067 5242
TCP checksum error; packet dropped Network Access TCP NOTICE 884 ‐‐‐
TCP connection abort received; TCP connection dropped Network Debug DEBUG 713 ‐‐‐
TCP connection dropped Network Access TCP NOTICE 36 ‐‐‐
TCP connection from LAN denied Network Access LanTCP NOTICE 173 ‐‐‐
TCP connection reject received; TCP connection dropped Network Debug DEBUG 712 ‐‐‐
TCP FIN packet dropped Network Debug DEBUG 181 ‐‐‐
TCP handshake violation detected; TCP connection dropped Network Access ‐‐‐ NOTICE 760 ‐‐‐
TCP packet received on a closing connection; TCP packet dropped Network Debug DEBUG 891 ‐‐‐
TCP packet received on non‐existent/closed connection; TCP packet dropped Network Debug DEBUG 888 ‐‐‐
TCP packet received with invalid ACK number; TCP packet dropped Network Debug DEBUG 709 ‐‐‐
TCP packet received with invalid header length; TCP packet dropped Network Debug DEBUG 887 ‐‐‐
TCP packet received with invalid MSS option length; TCP packet dropped Network Debug DEBUG 894 ‐‐‐
TCP packet received with invalid option length; TCP packet dropped Network Debug DEBUG 895 ‐‐‐
TCP packet received with invalid SACK option length; TCP packet dropped Network Debug DEBUG 893 ‐‐‐
TCP packet received with invalid SEQ number; TCP packet dropped Network Debug DEBUG 708 ‐‐‐
TCP packet received with invalid source port; TCP packet dropped Network Debug DEBUG 896 ‐‐‐
TCP packet received with invalid SYN Flood cookie; TCP packet dropped Network Debug INFO 897 ‐‐‐
TCP packet received with invalid Window Scale option length; TCP packet dropped Network Debug DEBUG 1030 ‐‐‐
TCP packet received with invalid Window Scale option value; TCP packet dropped Network Debug DEBUG 1031 ‐‐‐
TCP packet received with non‐permitted option; TCP packet dropped Network Debug DEBUG 1029 ‐‐‐
TCP packet received with SYN flag on an existing connection; TCP packet dropped Network Debug INFO 892 ‐‐‐
TCP packet received without mandatory ACK flag; TCP packet dropped Network Debug DEBUG 890 ‐‐‐
TCP packet received without mandatory SYN flag; TCP packet dropped Network Debug DEBUG 889 ‐‐‐
TCP stateful inspection: Bad header; TCP packet dropped Network Debug DEBUG 711 ‐‐‐
TCP stateful inspection: Invalid flag; TCP packet dropped Network Debug INFO 710 ‐‐‐
TCP SYN received Intrusion Detection Debug DEBUG 869 ‐‐‐
TCP SYN/FIN packet dropped Network Access Attack ALERT 580 558
TCP Xmas Tree dropped Intrusion Detection Attack ALERT 267 547
Terminal Services agent is down CIA User Activity ALERT 1150 ‐‐‐
Terminal Services agent is up CIA User Activity ALERT 1151 ‐‐‐
The cache is full; %u open connections; some will be dropped Firewall Event System Error ERROR 53 607
The current WAN interface is not ready to route packets. Firewall Event System Error ERROR 325 635
The High Availability monitoring IP configuration of Interface %s is incorrect. High Availability User Activity ERROR 1126 ‐‐‐
The loaded content URL List has expired. Security Services System Error ERROR 190 628
The network connection in use is %s WAN Failover System Error WARNING 307 639
The preferences file is too large to be saved in available flash memory Firewall Event System Error WARNING 573 649
The stateful license of HA peer firewall is not activated High Availability System Error ALERT 1137 ‐‐‐
Thermal Red Firewall Hardware System Environment ALERT 578 104
Thermal Red Timer Exceeded Firewall Hardware System Environment ALERT 579 105
Thermal Yellow Firewall Hardware System Environment ALERT 577 103
Time of day settings for firewall policies were not upgraded. Firewall Event Maintenance INFO 742 ‐‐‐
Too many gratuitous ARPs detected Network ‐‐‐ WARNING 815 ‐‐‐
Total firewall throughput is greater than 50% of the maximum rated tolerance for more than 10 seconds. Firewall Hardware ‐‐‐ ALERT 1251 17005
UDP checksum error; packet dropped Network Access UDP NOTICE 885 ‐‐‐
UDP packet dropped Network Access UDP NOTICE 37 ‐‐‐
UDP packet from LAN dropped Network Access LAN UDP | LAN TCP NOTICE 174 ‐‐‐
Unable to resolve dynamic address object Dynamic Address Objects Maintenance INFO 880 ‐‐‐
Unable to send message to dial‐up task PPP Dial‐UP System Error ERROR 1024 ‐‐‐
Unhandled link‐local or multicast IPv6 packet dropped ‐‐‐ Debug ALERT 1233 ‐‐‐
Unknown IPsec SPI VPN IPsec Attack ERROR 66 507
Unknown protocol dropped Network Access Debug NOTICE 41 ‐‐‐
Unknown reason VPN PKI User Activity ERROR 275 ‐‐‐
Unprocessed email received from MTA on Inbound SMTP port Anti‐Spam ‐‐‐ INFO 1095 13813
Updated ES Cloud Address ‐ %s Anti‐Spam ‐‐‐ DEBUG 1147 ‐‐‐
User account '%s' expired and disabled Authentication Access User Activity INFO 1157 ‐‐‐
User account '%s' expired and pruned Authentication Access User Activity INFO 1158 ‐‐‐
User logged out Authentication Access User Activity INFO 263 ‐‐‐
User logged out ‐ inactivity timer expired Authentication Access User Activity INFO 265 ‐‐‐
User logged out ‐ logout detected by SSO Authentication Access User Activity INFO 1008 ‐‐‐
User logged out ‐ logout reported by Terminal Services agent Authentication Access User Activity INFO 1124 ‐‐‐
User logged out ‐ max session time exceeded Authentication Access User Activity INFO 264 ‐‐‐
User logged out ‐ user disconnect detected (heartbeat timer expired) Authentication Access User Activity INFO 24 ‐‐‐
User login denied ‐ insufficient access on LDAP server RADIUS User Activity WARNING 750 ‐‐‐
User login denied ‐ invalid credentials on LDAP server RADIUS User Activity WARNING 749 ‐‐‐
User login denied ‐ LDAP authentication failure RADIUS User Activity INFO 745 ‐‐‐
User login denied ‐ LDAP communication problem RADIUS User Activity WARNING 748 ‐‐‐
User login denied ‐ LDAP directory mismatch RADIUS User Activity WARNING 757 ‐‐‐
User login denied ‐ LDAP schema mismatch RADIUS User Activity WARNING 751 ‐‐‐
User login denied ‐ LDAP server certificate not valid RADIUS User Activity WARNING 755 ‐‐‐
User login denied ‐ LDAP server down or misconfigured RADIUS User Activity WARNING 747 ‐‐‐
User login denied ‐ LDAP server name resolution failed RADIUS User Activity WARNING 753 ‐‐‐
User login denied ‐ LDAP server Timeout RADIUS User Activity WARNING 746 ‐‐‐
User login denied ‐ Mail Address(From/to) or SMTP Server is not configured Authentication Access User Activity INFO 1118 ‐‐‐
User login denied ‐ No name received from Terminal Services agent Authentication Access User Activity WARNING 1122 ‐‐‐
User login denied ‐ not allowed by Policy rule Authentication Access User Activity INFO 986 ‐‐‐
User login denied ‐ not found locally Authentication Access User Activity INFO 987 ‐‐‐
User login denied ‐ password doesn't meet constraints Authentication Access ‐‐‐ INFO 1048 ‐‐‐
User login denied ‐ password expired Authentication Access User Activity INFO 1035 ‐‐‐
User login denied ‐ RADIUS authentication failure RADIUS User Activity INFO 243 ‐‐‐
User login denied ‐ RADIUS communication problem RADIUS User Activity WARNING 744 ‐‐‐
User login denied ‐ RADIUS configuration error RADIUS User Activity WARNING 245 ‐‐‐
User login denied ‐ RADIUS server name resolution failed RADIUS User Activity WARNING 754 ‐‐‐
User login denied ‐ RADIUS server Timeout RADIUS User Activity WARNING 244 ‐‐‐
User login denied ‐ SSO agent communication problem Authentication Access User Activity WARNING 990 ‐‐‐
User login denied ‐ SSO agent configuration error Authentication Access User Activity WARNING 989 ‐‐‐
User login denied ‐ SSO agent name resolution failed Authentication Access User Activity WARNING 991 ‐‐‐
User login denied ‐ SSO agent Timeout Authentication Access User Activity WARNING 988 ‐‐‐
User login denied ‐ SSO probe failed Authentication Access User Activity WARNING 1117 ‐‐‐
User login denied ‐ Terminal Services agent communication problem Authentication Access User Activity WARNING 1123 ‐‐‐
User login denied ‐ Terminal Services agent name resolution failed Authentication Access User Activity WARNING 1121 ‐‐‐
User login denied ‐ Terminal Services agent Timeout Authentication Access User Activity WARNING 1120 ‐‐‐
User login denied ‐ TLS or local certificate problem RADIUS User Activity WARNING 756 ‐‐‐
User login denied ‐ user already logged in Authentication Access User Activity INFO 759 ‐‐‐
User login denied ‐ User has no privileges for guest service Authentication Access User Activity INFO 486 ‐‐‐
User login denied ‐ User has no privileges for login from that location Authentication Access User Activity INFO 246 ‐‐‐
User login denied due to bad credentials Authentication Access User Activity INFO 32 ‐‐‐
User login denied due to bad credentials Authentication Access User Activity INFO 33 ‐‐‐
User login disabled from %s Authentication Access Attack ERROR 583 559
User login Failed ‐ An error has occurred while sending your one‐time password Authentication Access User Activity INFO 1243 ‐‐‐
User login failed ‐ Guest service limit reached Authentication Access User Activity INFO 549 ‐‐‐
User login failure rate exceeded ‐ logins from user IP address denied Authentication Access Attack ERROR 329 561
User login from an internal zone allowed Authentication Access User Activity INFO 31 ‐‐‐
Using LDAP without TLS ‐ highly insecure RADIUS System Error ALERT 1010 ‐‐‐
Virtual Access Point is disabled SonicPoint 80211b Management INFO 731 ‐‐‐
Virtual Access Point is enabled SonicPoint 80211b Management INFO 730 ‐‐‐
VoIP %s Endpoint added VoIP VoIP DEBUG 637 ‐‐‐
VoIP %s Endpoint not added ‐ configured 'public' endpoint limit reached VoIP VoIP WARNING 639 ‐‐‐
VoIP %s Endpoint removed VoIP VoIP DEBUG 638 ‐‐‐
VoIP Call Connected VoIP VoIP INFO 622 ‐‐‐
VoIP Call Disconnected VoIP VoIP INFO 623 ‐‐‐
Voltages Out of Tolerance Firewall Hardware System Environment ERROR 575 101
VPN Cleanup: Dynamic network settings change VPN User Activity INFO 471 ‐‐‐
VPN Client Policy Provisioning VPN Client User Activity INFO 371 ‐‐‐
VPN disabled by administrator Authentication Access Maintenance INFO 506 ‐‐‐
VPN enabled by administrator Authentication Access Maintenance INFO 507 ‐‐‐
VPN Log Debug VPN IKE Debug INFO 172 ‐‐‐
VPN Policy Added VPN ‐‐‐ INFO 1050 ‐‐‐
VPN policy count received exceeds the limit; %s VPN System Error ERROR 719 ‐‐‐
VPN Policy Deleted VPN ‐‐‐ INFO 1051 ‐‐‐
VPN Policy Modified VPN ‐‐‐ INFO 1052 ‐‐‐
VPN TCP FIN VPN VPN Status INFO 195 ‐‐‐
VPN TCP PSH VPN VPN Status INFO 196 ‐‐‐
VPN TCP SYN VPN VPN Status INFO 194 ‐‐‐
VPN zone administrator login allowed Authentication Access User Activity INFO 235 ‐‐‐
VPN zone remote user login allowed Authentication Access User Activity INFO 237 ‐‐‐
WAN Acceleration device %s found Bandwidth Optimization ‐‐‐ INFO 1169 ‐‐‐
WAN Acceleration device %s is being used Bandwidth Optimization ‐‐‐ ALERT 1172 ‐‐‐
WAN Acceleration device %s is no longer being used Bandwidth Optimization ‐‐‐ ALERT 1173 ‐‐‐
WAN Acceleration device %s is no longer operational Bandwidth Optimization ‐‐‐ ALERT 1171 ‐‐‐
WAN Acceleration device %s is operational Bandwidth Optimization ‐‐‐ ALERT 1170 ‐‐‐
WAN DHCPC IP Changed Firewall Event System Error WARNING 1129 ‐‐‐
WAN Interface not setup Firewall Event Maintenance INFO 498 ‐‐‐
Wan IP Changed Firewall Event System Error WARNING 138 636
WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN Firewall Event System Error ERROR 812 ‐‐‐
WAN not ready Firewall Event Maintenance INFO 502 ‐‐‐
WAN zone administrator login allowed Authentication Access User Activity INFO 236 ‐‐‐
WAN zone remote user login allowed Authentication Access User Activity INFO 238 ‐‐‐
WARNING: Central Gateway does not have a Relay IP Address. DHCP message dropped. DHCP Relay Maintenance INFO 472 ‐‐‐
WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list DHCP Relay Maintenance INFO 227 ‐‐‐
Web access Request dropped Network Access TCP NOTICE 524 ‐‐‐
Web management request allowed Network Access User Activity NOTICE 526 ‐‐‐
Web site access allowed Network Access Blocked Sites NOTICE 16 703
Web site access denied Network Access Blocked Sites ERROR 14 701
Web site hit Network Traffic AppFirewall FIC Connection Traffic AppFirewall FIC INFO 97 ‐‐‐
WiFiSec Enforcement disabled by administrator Authentication Access Maintenance INFO 510 ‐‐‐
WiFiSec Enforcement enabled by administrator Authentication Access Maintenance INFO 511 ‐‐‐
Wireless MAC Filter List disabled by administrator Authentication Access Maintenance INFO 513 ‐‐‐
Wireless MAC Filter List enabled by administrator Authentication Access Maintenance INFO 512 ‐‐‐
WLAN client null probing WLAN IDS WLAN IDS WARNING 615 904
WLAN DHCPC IP Changed Firewall Event System Error WARNING 1130 ‐‐‐
WLAN disabled by administrator Authentication Access Maintenance INFO 508 ‐‐‐
WLAN disabled by schedule Authentication Access Maintenance INFO 728 ‐‐‐
WLAN enabled by administrator Authentication Access Maintenance INFO 509 ‐‐‐
WLAN enabled by schedule Authentication Access Maintenance INFO 729 ‐‐‐
WLAN firmware image has been updated Wireless Maintenance INFO 487 ‐‐‐
WLAN HTTP traffic not being sent to WXA WebCache; zone conflict Bandwidth Optimization ‐‐‐ WARNING 1264 ‐‐‐
WLAN max concurrent users reached already Network Access ‐‐‐ INFO 726 ‐‐‐
WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN Wireless Maintenance INFO 617 ‐‐‐
WLAN radio frequency threat detected RF Management ‐‐‐ WARNING 879 ‐‐‐
WLAN Reboot Firewall Hardware System Error ERROR 517 642
WLAN recovery Wireless Maintenance INFO 519 ‐‐‐
WLAN sequence number out of order WLAN IDS WLAN IDS WARNING 547 902
WLB Failback initiated by %s WAN Failover System Error ALERT 435 652
WLB Failover in progress WAN Failover System Error ALERT 584 651
WLB Resource failed WAN Failover System Error ALERT 586 654
WLB Resource is now available WAN Failover System Error ALERT 585 653
WLB Spill‐over started, configured threshold exceeded WAN Failover Maintenance WARNING 581 ‐‐‐
WLB Spill‐over stopped WAN Failover Maintenance WARNING 582 ‐‐‐
WPA MIC Failure Wireless 80211b Management WARNING 663 ‐‐‐
WPA RADIUS Server Timeout Wireless 80211b Management INFO 664 ‐‐‐
XAUTH Failed with VPN client, Authentication failure VPN Client User Activity ERROR 140 ‐‐‐
XAUTH Failed with VPN client, Cannot Contact RADIUS Server VPN Client User Activity INFO 141 ‐‐‐
XAUTH Succeeded with VPN client VPN Client User Activity INFO 139 ‐‐‐
Your Active/Active Clustering subscription has expired. High Availability ‐‐‐ WARNING 1149 ‐‐‐
Your Anti‐Spam Service subscription has expired. Anti‐Spam ‐‐‐ WARNING 1086 13805
Your WAN Acceleration Service subscription has expired. Bandwidth Optimization ‐‐‐ WARNING 1176 ‐‐‐
YouTube for school enforced Network Access ‐‐‐ DEBUG 1262 ‐‐‐
Numeric Values for the Legacy Category
This table lists the numeric equivalents of the Legacy Category names:
Table 4 Legacy Category ID & Name
Category ID used in syslog Category Name
0 Not backward compatible
1 Maintenance
2 System Error
4 Blocked Sites
8 Blocked Code
16 User Activity
32 Attack
64 TCP
128 UDP
256 ICMP
512 Debug
1024 Connection Traffic
2048 LAN TCP
4096 LAN UDP
8192 LAN ICMP
16384 VPN Status
32768 Modem Debug
65536 VPN Tunnel Status
131072 80211b Management
262144 Connection
524288 System Environment
2097152 WLAN IDS
1048576 VoIP
4194304 Sonic Point
Index of Syslog Tag Field Description
This section provides an alphabetical listing of Syslog tags and the associated field description.
For examples of Syslog messages, refer to the following sections:
• “Examples of Standard Syslogs”
• “Examples of ArcSight Syslogs”
Table 5 Syslog Tag Field Index
Tag Tags for ArcSight Field Description
<ddd> Syslog message prefix
The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message
af_polid Application Filter
Displays the Application Filter Policy ID
af_policy Application Filter
Displays the Application Policy name
af_type Application Filter
Displays the Application Policy type such as:
SMTP Client Request
HTTP Client Request
HTTP Server Response
FTP Client Request
FTP Client Upload File
FTP Client Download File
POP3 Client Request
POP3 Server Response
FTP Data Transfer
IPS Content
App Control Content
Custom Policy Type
CFS
af_service Application Filter
Displays the Application Policy service name
af_action Application Filter
Displays the Application Policy action such as
HTTP Block Page
HTTP Redirect
Bandwidth Management
Disable E-Mail Attachment
FTP Notification Reply
Reset/Drop
Block SMTP E-Mail
Bypass DPI
CFS Block Page
Packet Monitor
Af_object Application policy object name
Displays the custom Application Policy object name
ai Active Interface via GMS heartbeat
Displays the Active WAN Interface. Normally it is Primary WAN but in a failover, it displays the value of the failover default outbound WAN interface, if there’s more than one WAN. When there is only one WAN interface, it is always Primary WAN regardless of the link state
app app Numeric application ID
Indicates the application for the applied syslog. Only displays when Flow Reporting is enabled
appcat appcat Application Control
Display the application category when Application Control is enabled
appid appid Application ID
Display the application ID when Application Control is enabled
arg arg URL
Used to render a URL: arg represents the URL path name part
bcastRx bcastRx Interface statistics report
Displays the broadcast packets received
bcastTx bcastTx Interface statistics report
Displays the broadcast packets transmitted
bytesRx bytesRx Interface statistics report
Displays the bytes received
bytesTx bytesTx Interface statistics report
Displays the bytes transmitted
c cat Message category (legacy only)
Indicates the legacy category number (Note: We are not currently sending new category information.)
category category Blocking code description
Applicable only when CFS is enabled, indicates the category of the blocked content such as “Gambling”. This works in conjunction with “code” Blocking code.
catid Rule category
Indicates the category id of the rule
cdur cn3Label Connection Duration
Displays the connection duration
change SWGMSchangeUrl Configuration change web-page
Displays the basename of the firewall web page that performed the last configuration change
code reason Blocking code
Indicates the CFS block code category
icmpCode cn2 ICMP type and code
Indicates the ICMP code
conns Firewall status report via GMS heartbeat
Indicates the number of connections in use
contentObject Firewall
Indicates rule name
cs4 Interface Statistics
Display interface statistics
deviceInboundInterface Interface
Indicates interface on which the packet leaves the device
deviceInboundInterface Interface
Indicates interface on which the packet enters the device
dpt Port
Display destination port
dnpt NAT’ed Port
Display NAT’ed destination port
dst dst Destination
Destination IP address, and optionally, port, network interface, and resolved name.
dstV6 dst Destination
Destination IPv6 address, and optionally, port, network interface, and resolved name.
dstname dst URL
Displays the URL of web site hit and other legacy destination strings such as the URL of the host
dur request Numeric, session duration in seconds
Indicates the duration in units of seconds that a session is connected
dyn cs6Label Firewall status report via GMS heartbeat
Displays the HA and dialup connection state (rendered as “h.d” where “h” is “n” (not enabled), “b” (backup), or “p” (primary) and “d” is “1” (enabled) or “0” (disabled))
f flowType Numeric flow type
Indicates the flow type when Flow Reporting is disabled
fw Firewall WAN IP
Indicates the WAN IP Address
fwlan Firewall status report via GMS heartbeat
Indicates the LAN zone IP address
gcat gcat Group category
Display event group category when using Enhanced Syslog
goodRxBytes goodRxBytes SonicPoint statistics report
Indicates the well formed bytes received
goodTxBytes goodTxBytes SonicPoint statistics report
Indicates the well formed bytes transmitted
i Firewall status report via GMS heartbeat
Displays the GMS message interval in seconds
id=firewall WebTrends prefix
Syntactic sugar for WebTrends (and GMS by habit)
if if Interface statistics report
Displays the interface on which statistics are reported
ipscat ipscat IPS message
Displays the IPS category
ipspri ipspri IPS message
Displays the IPS priority
lic Firewall status report via GMS heartbeat
Indicates the number of licenses for firewalls with limited modes
m Message ID
Provides the message ID number
mac smac or dmac MAC address
Provides the source or destination MAC address
mailFrom Email sender
Originator of the email
msg msg Message
Displays the message which is composed of either or both a predefined message and a dynamic message containing a string %s or numeric %d argument
n cnt Message count
Indicates the number of times event occurs
natDst cs2Label NAT destination IP
Displays the NAT’ed destination IP address
natDstV6 cs2Label NAT destination IPv6
Displays the NAT’ed destination IPv6 address
natSrc cs1Label NAT source IP
Displays the NAT’ed source IP address
natSrcV6 cs1Label NAT source IPv6
Displays the NAT’ed source IPv6 address
note cs6 Additional Information
Additional information that is application-dependent
npcs cs5 URL
Applicable only when Network Packet Capture System (NPCS Solera) is enabled, displays URL of an NPCS object
op requestMethod HTTP OP code
Displays the HTTP operation (GET, POST, etc.) of web site hit
pri Message priority
Displays the event priority level (0=emergency..7=debug)
proto proto Protocol and service
Displays the protocol information (rendered as “proto=[protocol]” or just “[proto]/[service]”)
pt Firewall status report via GMS heartbeat
Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)
radio radio SonicPoint statistics report
Displays the SonicPoint radio on which event occurred
rcptTo recipient
Indicates the email recipient
rcvd in Bytes received
Indicates the number of bytes received within connection
result outcome HTTP Result code
Displays the HTTP result code (200, 403, etc.) of web site hit
rpkt cn1Label Packet received
Display the number of packets received
rule cs1 Rule ID
Displays the Access Rule number causing packet drop. The policy index includes Address Object names
sent out Bytes sent
Displays the number of bytes sent within connection
sess cs5Label Pre-defined string indicating session type
Applies to syslogs with an associated user session being tracked by the UTM
sid sid IPS or Anti-Spyware message
Provides either IPS or Anti-Spyware signature ID
sn Firewall serial number
Indicates the device serial number
spkt cn2Label Packet sent
Display the number of packets sent
spt Port
Displays source port
spycat spycat Anti-Spyware message
Displays the Anti-Spyware category
spypri spypri Anti-Spyware message
Displays the Anti-Spyware priority
snpt NAT source port
Display NAT’ed source port
src src Source
Indicates the source IP address, and optionally, port, network interface, and resolved name.
station station SonicPoint statistics report
Displays the client (station) on which event occurred
SWSPstats SonicPoint statistics report
Display SonicPoint statistics
time Time
Reports the time of event
type cn1 ICMP type and code
Indicates the ICMP type
ucastRx ucastRx Interface statistics report
Displays the unicast packets received
ucastTx ucastTx Interface statistics report
Displays the unicast packets transmitted
unsynched Firewall status report via GMS heartbeat
Reports the time since last local change in seconds
usestandbysa Firewall status report via GMS heartbeat
Displays whether standby SA is in use (“1” or “0”) for GMS management
usr (or user) susr User
Displays the user name (“user” is the tag used by WebTrends)
vpnpolicy cs2 (source) or cs3 (destination) Source VPN policy name
Displays the source VPN policy name of event
vpnpolicyDst cs2 (source) or cs3 (destination) Destination VPN policy name
Displays the destination VPN policy name of event
dstZone cs3Label (source) cs4Label (destination) Destination zone name
Displays destination zone
srcZone cs3Label (source) cs4Label (destination) Source zone name
Displays source zone
Examples of Standard Syslogs
The following examples show the content of the Syslog packet. This type of message can be viewed on the Syslog server or any packet analyzer application. Note that this is the Default Syslog Format.
id=firewall123 sn=0017C5991784 time="2013-03-20 11:56:53" fw=10.0.203.108 pri=6 c=1024 m=97 n=1 src=1.2.3.4:5432:X0 dst=4.3.2.1:2345:X1 proto=tcp/2345 op=1 sent=9876 rcvd=6789 result=403 dstname=http: arg=//www.gui.log.eng.sonicwall.com code=20 Category="Online Banking"
id=firewall123 sn=0017C5991784 time="2013-03-20 11:57:04" fw=10.0.203.108 pri=6 c=262144 m=98 msg="Connection Opened" n=1437 usr="admin" src=192.168.168.1:61505:X0 dst=192.168.168.168:443:X0 proto=tcp/https sent=52
id=firewall123 sn=0017C5991784 time="2013-03-20 11:57:06" fw=10.0.203.108 pri=6 c=1024 m=537 msg="Connection Closed" n=3683 usr="admin" src=192.168.168.1:61505:X0 dst=192.168.168.168:443:X0 proto=tcp/https sent=1519 rcvd=951 spkt=7 rpkt=8 cdur=2133
id=firewall123 sn=0017C5991784 time="2013-03-20 11:56:53" fw=10.0.203.108 pri=1 c=32 m=609 msg="IPS Prevention Alert: P2P BitTorrent -- Peer Sync" sid=1994 ipscat=P2P ipspri=3 P2P BitTorrent -- Peer Sync, SID: 1994, Priority: Low n=1 src=1.2.3.4:5432:X0 dst=4.3.2.1:2345:X1
id=firewall123 sn=0017C5991784 time="2013-01-29 23:38:24" bid=1 fw=10.8.70.22 pri=1 c=16 m=793 msg="App Rules Alert" af_polid=1 af_policy="test" af_type="SMTP Client Request" af_service="SMTP (Send E-Mail)" af_action="No Action" n=0 src=10.10.10.245:50613:X0 dst=10.8.41.228:25:X1"
id=firewall123 sn=0017C5991784 mgmtip=10.0.203.108 time="2013-03-20 20:14:30 UTC" fw=10.0.203.108 m=96 n=25 i=60 lic=0 unsynched=893 pt=80.443 usestandbysa=0 dyn=n.n ai=1 fwlan=192.168.168.168 conns=0
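A parser for the Default Syslog Format shown above, added here as an example; it is not code from this guide or from SonicWALL. It decodes the `m`, `pri` and `c` tags using the tag index and Table 4, and it copes with the free text between tags and the stray trailing quote that appear in the examples. The function names are hypothetical, and the `ip:port:interface:name` order of `src`/`dst` is assumed from the example messages.

```python
import re

# Table 4 of the guide: legacy category IDs carried in the "c" tag.
LEGACY_CATEGORY = {
    0: "Not backward compatible", 1: "Maintenance", 2: "System Error",
    4: "Blocked Sites", 8: "Blocked Code", 16: "User Activity", 32: "Attack",
    64: "TCP", 128: "UDP", 256: "ICMP", 512: "Debug",
    1024: "Connection Traffic", 2048: "LAN TCP", 4096: "LAN UDP",
    8192: "LAN ICMP", 16384: "VPN Status", 32768: "Modem Debug",
    65536: "VPN Tunnel Status", 131072: "80211b Management",
    262144: "Connection", 524288: "System Environment",
    1048576: "VoIP", 2097152: "WLAN IDS", 4194304: "Sonic Point",
}
# The guide gives pri as 0=emergency..7=debug; 1-6 are the standard syslog names.
SEVERITY = ("emergency", "alert", "critical", "error",
            "warning", "notice", "info", "debug")

# tag=value, where value is "quoted text" or a bare token. Bare tokens stop at
# whitespace or a quote, so free text between tags and a stray trailing quote
# are skipped instead of ending up inside a value.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]*))')


def split_endpoint(value):
    """Split a src/dst value; the ip:port:interface:name order is an assumption."""
    ep = dict(zip(("ip", "port", "iface", "name"), value.split(":", 3)))
    if ep.get("port", "").isdigit():
        ep["port"] = int(ep["port"])
    return ep


def parse_event(line):
    """Return the raw tags plus decoded event ID, severity, category, endpoints."""
    tags = {}
    for key, quoted, bare in PAIR.findall(line):
        tags.setdefault(key, quoted or bare)  # keep the first occurrence of a tag
    event = {"tags": tags}
    if tags.get("m", "").isdigit():
        event["event_id"] = int(tags["m"])
    if tags.get("pri", "").isdigit() and int(tags["pri"]) < len(SEVERITY):
        event["severity"] = SEVERITY[int(tags["pri"])]
    if tags.get("c", "").isdigit():
        cat = int(tags["c"])
        event["legacy_category"] = LEGACY_CATEGORY.get(cat, "unknown (%d)" % cat)
    for side in ("src", "dst"):
        if side in tags:
            event[side] = split_endpoint(tags[side])
    if "dstname" in tags:
        # The first example carries the URL split across dstname and arg.
        event["url"] = tags["dstname"] + tags.get("arg", "")
    return event


# Sample lines copied from the standard syslog examples above.
SAMPLES = [
    'id=firewall123 sn=0017C5991784 time="2013-03-20 11:56:53" fw=10.0.203.108 pri=6 c=1024 m=97 n=1 src=1.2.3.4:5432:X0 dst=4.3.2.1:2345:X1 proto=tcp/2345 op=1 sent=9876 rcvd=6789 result=403 dstname=http: arg=//www.gui.log.eng.sonicwall.com code=20 Category="Online Banking"',
    'id=firewall123 sn=0017C5991784 time="2013-03-20 11:56:53" fw=10.0.203.108 pri=1 c=32 m=609 msg="IPS Prevention Alert: P2P BitTorrent -- Peer Sync" sid=1994 ipscat=P2P ipspri=3 P2P BitTorrent -- Peer Sync, SID: 1994, Priority: Low n=1 src=1.2.3.4:5432:X0 dst=4.3.2.1:2345:X1',
    'id=firewall123 sn=0017C5991784 time="2013-01-29 23:38:24" bid=1 fw=10.8.70.22 pri=1 c=16 m=793 msg="App Rules Alert" af_polid=1 af_policy="test" af_type="SMTP Client Request" af_service="SMTP (Send E-Mail)" af_action="No Action" n=0 src=10.10.10.245:50613:X0 dst=10.8.41.228:25:X1"',
    'id=firewall123 sn=0017C5991784 mgmtip=10.0.203.108 time="2013-03-20 20:14:30 UTC" fw=10.0.203.108 m=96 n=25 i=60 lic=0 unsynched=893 pt=80.443 usestandbysa=0 dyn=n.n ai=1 fwlan=192.168.168.168 conns=0',
]

if __name__ == "__main__":
    for ev in map(parse_event, SAMPLES):
        print(ev.get("event_id"), ev.get("severity"), ev.get("legacy_category"),
              ev.get("src", {}).get("ip"), ev["tags"].get("msg", ""))
```

Only `src` and `dst` are split into parts; the `srcV6`/`dstV6` tags contain colons inside the address and are left as raw strings in `tags`.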
Examples of ArcSight Syslogs
The following examples show the content of the Syslog packet. This type of message can be viewed on the Syslog server or any packet analyzer application.
MAR 20 2013 19:07:43 0017C5991784 CEF:0|SonicWALL|NSA 2400|5.9.0.0-d_75o|97|Syslog Website Accessed|4|cat=1024 gcat=2 src=1.2.3.4 spt=5432 deviceInboundInterface=X0 cs1Label=1.2.4.5 snpt=1 dst=4.3.2.1 dpt=2345 deviceOutboundInterface=X1 cs2Label=5.4.3.2 dnpt=2 proto=tcp/2345 out=9876 in=6789 requestMethod=1 outcome=403 request=http://www.gui.log.eng.sonicwall.com reason=20 Category-"Online Banking"
MAR 20 2013 19:07:49 0017C5991784 CEF:0|SonicWALL|NSA 2400|5.9.0.0-d_75o|98|Syslog Connection Logged|4|cat=262144 gcat=2 src=192.168.168.1 spt=61693 deviceInboundInterface=X0 dst=192.168.168.168 dpt=443 deviceOutboundInterface=X0 susr="admin" proto=tcp/https out=52 cnt=1570
MAR 20 2013 19:07:52 0017C5991784 CEF:0|SonicWALL|NSA 2400|5.9.0.0-d_75o|537|Syslog Close|4|cat=1024 gcat=2 smac=00:00:c5:b3:6b:e5 src=192.168.168.1 spt=61693 deviceInboundInterface=X0 cs3Label=Trusted dst=192.168.168.168 dpt=443 deviceOutboundInterface=X0 cs4Label=Trusted susr="admin" proto=tcp/https out=1519 in=967 cn2Label=7 cn1Label=8 cn3Label=2333 cnt=3815
MAR 20 2013 19:07:43 0017C5991784 CEF:0|SonicWALL|NSA 2400|5.9.0.0-d_75o|609|IDP Prevention Alert|9|cat=32 gcat=3 src=1.2.3.4 spt=5432 deviceInboundInterface=X0 cs1Label=1.2.4.5 snpt=1 dst=4.3.2.1 dpt=2345 deviceOutboundInterface=X1 cs2Label=5.4.3.2 dnpt=2 msg="IPS Prevention Alert: P2P BitTorrent -- Peer Sync, SID: 1994, Priority: Low" cnt=3
MAR 20 2013 19:07:43 0017C5991784 CEF:0|SonicWALL|NSA 2400|5.9.0.0-d_75o|793|Application Firewall Alert|9|cat=16 gcat=10 src=1.2.3.4 spt=5432 deviceInboundInterface=X0 dst=4.3.2.1 dpt=2345 deviceOutboundInterface=X1 msg="Application Firewall Alert: Policy: foobar, Action Type: Block SMTP E-Mail - Send Error Reply, Mail From: an unknown string of unknown length" cnt=