Fireware v12.7 Log Message Catalog WatchGuard Firebox Revised April 2021



Copyright, Trademark, and Patent Information

Information in this guide is subject to change without notice. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright© 1998–2021 WatchGuard Technologies, Inc. All rights reserved.

All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Revised: April 2021

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895


Contents

Copyright, Trademark, and Patent Information
Introduction to the Log Catalog
    Search the Log Catalog
    About Log Messages
    Types of Log Messages
        Traffic Log Messages
        Alarm Log Messages
        Event Log Messages
        Debug (Diagnostic) Log Messages
        Statistic Log Messages
    Read a Log Message
Firewall Log Messages
    Alarm
    Diagnostic
    Event
    Traffic
Networking Log Messages
    Diagnostic
    Event
Proxy Policy Log Messages
    Event
    Traffic
Management Log Messages
    Diagnostic
    Event
FireCluster Log Messages
    Diagnostic
    Event
Security Services Log Messages
    Event
VPN Log Messages
    Alarm
    Diagnostic
    Event
Mobile Security Log Messages
    Event


Introduction to the Log Catalog

You can use the tools available in WatchGuard Dimension, WatchGuard System Manager (WSM), and Fireware Web UI to review the log messages and events that occur on your WatchGuard Firebox devices, to examine the activity on your network. Log messages give you important information about the flow of traffic through your network, and are a key component to help you troubleshoot problems on your network.

The Fireware Log Catalog describes many of the types of log messages that your Firebox can generate. It includes examples of log messages for Firebox devices that run Fireware OS, grouped by the product area.

All log messages included in the Log Catalog are first organized into topics by product area and then separated into sections in each topic by the log message type:

- ALARM — Alarm log messages
- DIAG — Debug (Diagnostics) log messages
- EVENT — Event log messages
- STAT — Statistics log messages
- TRAFFIC — Traffic log messages

For more information about log message types, see About Log Messages.

Only log messages that are assigned a message ID number are included in the Log Catalog.

To review the log messages that are defined in the Log Catalog, you can expand the Log Messages section and select a topic for a product area, expand the section for a log message type, and review the log message lists to find a specific log message.

- To expand a single section, click .
- To collapse a single section, click .
- To expand all the sections in a topic, at the top of the topic window, click .
- To collapse all the sections in a topic, at the top of the topic window, click .


You can also search the Log Catalog for the specific details included in a log message.

For more information about options to search the Log Catalog, see Search the Log Catalog.

Search the Log Catalog

All log messages in the Log Catalog are first organized by the functional area and then by the log type. To quickly find a specific log message in the Log Catalog, you can search the Log Catalog for the specific details included in a log message.

When you search for a log message, you can specify any of the details included in the log message that you see in Traffic Monitor or Log Manager. The more specific your search criteria, the fewer search results are returned from your search query. To find a specific text phrase, make sure to include the phrase in quotation marks. If you search for the message ID number, make sure to remove the hyphen when you type the message ID number.

For example, to search the Log Catalog for the message ID number that appears in a log message that you see in Traffic Monitor:

1. In Traffic Monitor, find the msg_id value in the log message.
2. Open the Fireware Log Catalog in Adobe Acrobat.
3. Press CTRL + F.
4. In the Find text box, type the msg_id value from your log message, without the hyphen.
   For example, to find the 1C02-00CD error log message for the FTP-proxy, type “1C0200CD”.
5. Press Enter.
   The first instance of the message ID you searched for is highlighted.

When you search for unique text such as a message ID number, the search results will include only a few items. If your search includes text that is more generic (for example, HTTPS), the search results will include many entries.

About Log Messages

Your Firebox can send log messages to an instance of Dimension, a WSM Log Server, or a syslog server. You can also configure your Firebox to store log messages locally on the Firebox. You can use Traffic Monitor in Fireware Web UI or Firebox System Manager (FSM) to review log messages in real-time. If you send log messages to Dimension, you can use the Dimension Log Manager to review the log messages from your Firebox devices. If you send log messages to a WSM Log Server, you can use Log Manager in WatchGuard WebCenter to review log messages after they are generated and processed by the Log Server.

Types of Log Messages

Firebox devices can send several types of log messages for events that occur on the Firebox. Each message includes the message type in the text of the message. The log message types are:

- Traffic
- Alarm
- Event
- Debug (Diagnostic)
- Statistic

Traffic and event log messages, and some alarm log messages, automatically appear in Traffic Monitor by default; you do not have to enable any settings on your Firebox to generate them. The majority of the other log message types must be enabled in the device configuration file before they appear in Traffic Monitor or Log Manager.

Traffic Log Messages

Most of the log messages that appear in Traffic Monitor are traffic log messages. Traffic Monitor shows all of the log messages that are generated by your Firebox and are recorded in your log file. Traffic log messages show the traffic that moves through your Firebox and how the packet filter and proxy policies were applied. A traffic log message can include details that show how NAT (network address translation) was handled for a packet.

The traffic log messages for traffic managed by packet filter policies contain a set number of fields. The information for the same traffic log message will look different in Traffic Monitor than in Log Manager.

For a traffic log message generated by traffic managed by a proxy policy, your Firebox generates more than one log message. The first entry shows the same information as a packet filter log message, but includes this additional information:


proxy_act

The name of the proxy action that handles this packet. A proxy action is a set of rules for a proxy that can be applied to more than one policy.

rule_name

The name of the specific proxy rule that handles this packet.

content_type

The type of content in the packet that is filtered by the proxy rule.

Other proxy log messages include a variable number of fields.

Alarm Log Messages

Alarm log messages are sent when an event occurs that triggers the Firebox to run a command. When the alarm condition is matched, the Firebox generates an alarm log message that you can see in Traffic Monitor, sends the log message to your Dimension server, WSM Log Server, or syslog server, and then it completes the specified action for the event.

You can configure your Firebox to send alarm log messages for specific events that occur on your device. For example, you can configure an alarm to occur when a specified value matches or exceeds a threshold. Other alarm log messages are set by the Firebox OS, with values that you cannot change. For example, the Firebox sends an alarm log message when a network connection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.

There are eight categories of alarm log messages:

- System
- IPS
- AV
- Policy
- Proxy
- Counter
- Denial of Service
- Traffic

The Firebox does not send more than 10 alarms in 15 minutes for the same conditions.


Event Log Messages

Event log messages are generated for activity on your Firebox that is related to actions by the Firebox and users. Actions that can cause the Firebox to send an event log message include:

- Firebox start up and shut down
- Firebox and VPN authentication
- Process start up and shut down
- Problems with Firebox hardware components
- Any task completed by a device administrator

Debug (Diagnostic) Log Messages

Debug log messages include detailed diagnostic information that you can use to help troubleshoot problems on your Firebox. There are 27 different product components that can send debug log messages. When you configure the logging settings on your Firebox you can specify the level of diagnostic logging to see for each different product component enabled on your Firebox. The available levels are:

- Off
- Error
- Warning
- Information
- Debug

Statistic Log Messages

Statistic log messages include information about the performance of your Firebox. You can configure your Firebox to generate log messages about external interface performance, VPN bandwidth statistics, and Security Services statistics. You can review these log messages to determine what changes are necessary in your Firebox settings to improve performance. To see these log messages, performance statistic logging must be enabled on the Firebox.


Read a Log Message

Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.

Here is an example of one traffic log message from Traffic Monitor:

2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"

When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.

Each log message includes these details:

Time Stamp

The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.

This is the time stamp from the example log message above:

2014-07-02 17:38:43

FireCluster Member Information

If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.

This is the FireCluster member information from the example log message above:

Member2

Disposition

Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.

This is the disposition from the example log message above:


Allow

Source and Destination Addresses

After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.

These are the source and destination addresses from the example log message above:

192.168.228.202 and 10.0.1.1

Service and Protocol

The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.

These are the service and protocol from the example log message above:

webcache/tcp

Source and Destination Ports

The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.

These are the source and destination ports from the example log message above:

42973 and 8080

Source and Destination Interfaces

The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.

These are the source and destination interfaces from the example log message above:

3-Trusted and 1-WCI


Connection Action

This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.

This is the connection action from the example log message above:

Allowed

Packet Length

The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.

These are the packet length numbers from the example log message above:

60 (packet length) and 63 (TTL)

Policy Name

This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.

This is the policy name from the example log message above:

(Outgoing-proxy-00)

Process

This section of the log message shows the process that handles the traffic.

This is the process from the example log message above:

proc_id="firewall"

Return Code

This is the return code for the packet, which is used in reports.

This is the return code from the example log message above:

rc="100"


NAT Address

This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.

This is the NAT address from the example log message above:

src_ip_nat="69.164.168.163"

Packet Size

The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.

This is the packet size from the example log message above:

tcp_info="offset 10 S 2982213793 win 2105"

Message Identification Number

Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.

Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.

This is the message ID number from the example log message above:

msg_id="3000-0148"

The message ID numbers included in the Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. To make sure you can locate the message ID number in the Log Catalog, when you search the Log Catalog for the message ID, remove the hyphen from the message ID number.

For example, to search for information about message ID number 3000-0148, in the Search Log Catalog text box, type 300000148.
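
The field layout described in this section, written as a parser (an added example, not WatchGuard code). It reads a Traffic Monitor line in the order given above and derives the hyphen-free ID used in the Log Catalog, as in the 1C02-00CD to 1C0200CD search example. The function names, the assumption that positional fields contain no whitespace, and the second and third sample lines are constructed for illustration.

```python
import re

# Positional fields of a Traffic Monitor line, in the order this section lists them.
# Assumption: no positional field contains whitespace (true for the page's sample).
TRAFFIC_RE = re.compile(
    r'^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<member>Member\d+)\s+)?'              # present only for FireCluster members
    r'(?P<disposition>Allow|Deny)\s+'
    r'(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+'
    r'(?P<service>[^/\s]+)/(?P<protocol>\S+)\s+'  # service may be a bare port number
    r'(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+'
    r'(?P<src_intf>\S+)\s+(?P<dst_intf>\S+)\s+'
    r'(?P<action>\S+)\s+'
    r'(?P<length>\d+)\s+(?P<ttl>\d+)\s+'
    r'\((?P<policy>[^)]*)\)'                      # policy name, "-00" suffix included
    r'(?P<details>.*)$'
)
# Trailing details are key="value" pairs (proc_id, rc, src_ip_nat, tcp_info, msg_id, ...).
DETAIL_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ("src_port", "dst_port", "length", "ttl")


def catalog_id(msg_id):
    """Return the message ID as the Log Catalog prints it: hyphen removed."""
    return msg_id.replace("-", "").upper()


def parse_traffic_line(line):
    """Parse one traffic log line; return a dict, or None if the layout differs."""
    m = TRAFFIC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    details = dict(DETAIL_RE.findall(rec.pop("details")))
    rec["details"] = details
    # The ID can appear as msg_id= or id= depending on where the line is viewed.
    raw_id = details.get("msg_id") or details.get("id")
    rec["catalog_id"] = catalog_id(raw_id) if raw_id else None
    return rec


# The example line from this section.
PAGE_SAMPLE = (
    '2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp '
    '42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) '
    'proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" '
    'tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"'
)
# Constructed: no FireCluster member, unresolved service shown as a port number,
# a policy name containing spaces, and the ID carried in id= instead of msg_id=.
CONSTRUCTED_DENY = (
    '2014-07-02 17:39:01 Deny 10.0.1.20 203.0.113.7 8443/tcp 51514 8443 '
    '1-Trusted 0-External Denied 52 127 (Block Guest Out-00) '
    'proc_id="firewall" rc="101" id="3000-0148"'
)
# Constructed: a line that is not a traffic log message.
CONSTRUCTED_OTHER = '2014-07-02 17:40:12 Firewall is starting up'

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_DENY, CONSTRUCTED_OTHER):
        rec = parse_traffic_line(sample)
        if rec is None:
            print("not a traffic log line:", sample)
            continue
        nat = rec["details"].get("src_ip_nat", "-")
        print(rec["timestamp"], rec["disposition"], rec["src_ip"], "->",
              rec["dst_ip"], "port", rec["dst_port"], "nat", nat,
              "catalog ID", rec["catalog_id"])
```
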


Firewall Log Messages

Firewall log messages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can include messages related to feature keys, subscription services, server load balancing, and other features configured on your Firebox.

Alarm

Firewall log messages of the Alarm log type.

| ID | Level | Area | Name | Log Message Example | Description | Format | Message Variables |
|---|---|---|---|---|---|---|---|
| 30000152 | INFO | Firewall / Packet Filter | IPv4 source route attack | IPv4 source route attack from 10.0.1.34 detected. | IPv4 source route attack was detected. | IPv4 source route attack from %s detected. | IPv4 source route from ${src} detected. |
| 30000153 | INFO | Firewall / Packet Filter | IPv4 SYN flood attack | SYN flood attack against 10.0.1.51 from 216.3.21.4 detected. 500 SYN packets dropped since last alarm. | IPv4 SYN flood attack was detected. | SYN flood attack against %s from %s detected. %llu SYN packets dropped since last alarm. | SYN flood attack against ${dst} from ${src} detected. ${gap} SYN packets dropped since last alarm. |
| 30000154 | INFO | Firewall / Packet Filter | IPv4 ICMP flood attack | ICMP flood attack against 10.0.1.51 from 216.3.21.4 detected. 500 ICMP flood packets dropped since last alarm. | IPv4 ICMP flood attack was detected. | ICMP flood attack against %s from %s detected. %llu ICMP flood packets dropped since last alarm. | ICMP flood attack against ${dst} from ${src} detected. ${gap} ICMP flood packets dropped since last alarm. |
| 30000155 | INFO | Firewall / Packet Filter | IPv4 UDP flood attack | UDP flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 UDP flood packets dropped since last alarm. | IPv4 UDP flood attack was detected. | UDP flood attack against %s from %s detected. %llu UDP flood packets dropped since last alarm. | UDP flood attack against ${dst} from ${src} detected. ${gap} UDP flood packets dropped since last alarm. |
| 30000156 | INFO | Firewall / Packet Filter | IPv4 IPSEC flood attack | IPSEC flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 IPSEC flood packets dropped since last alarm. | IPv4 IPSEC flood attack was detected. | IPSEC flood attack against %s from %s detected. %llu IPSEC flood packets dropped since last alarm. | IPSEC flood attack against $dst from $src detected. $gap IPSEC flood packets dropped since last alarm. |
| 30000157 | INFO | Firewall / Packet Filter | IPv4 IKE flood attack | IKE flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 IKE flood packets dropped since last alarm. | IPv4 IKE flood attack was detected | IKE flood attack against %s from %s detected. %llu IKE flood packets dropped since last alarm. | IKE flood attack against ${dst} from ${src} detected. ${gap} IKE flood packets dropped since last alarm. |
| 30000158 | INFO | Firewall / Packet Filter | IPv4 scan attack | IP scan attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 scan attack was detected. | IP scan attack against %s from %s detected. | IP scan attack against ${dst} from ${src} detected. |
| 30000159 | INFO | Firewall / Packet Filter | IPv4 port scan attack | PORT scan attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 port scan attack was detected. | PORT scan attack against %s from %s detected. | Port scan attack against ${dst} from ${src} detected. |
| 30000160 | INFO | Firewall / Packet Filter | IPv4 DDOS against server | DDOS against server 10.0.1.34 detected. | IPv4 DDOS attack against a server was detected. | DDOS against server %s detected. | DDOS against server ${dst} detected. |
| 30000161 | INFO | Firewall / Packet Filter | IPv4 DDOS attack from client | DDOS from client 10.0.1.34 detected. | IPv4 DDOS attack from a client was detected. | DDOS from client $src detected. | DDOS from client ${src} detected. |
| 30000162 | INFO | Firewall / Packet Filter | IPv6 SYN flood attack | SYN flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 SYN packets dropped since last alarm. | IPv6 SYN flood attack was detected. | SYN flood attack against %s from %s detected. %llu SYN packets dropped since last alarm. | SYN flood attack against ${dst} from ${src} detected. ${gap} SYN packets dropped since last alarm. |
| 30000163 | INFO | Firewall / Packet Filter | IPv6 ICMP flood attack | ICMP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 ICMP packets dropped since last alarm. | IPv6 ICMP flood attack was detected. | ICMP flood attack against %s from %s detected. %llu ICMP packets dropped since last alarm. | ICMP flood attack against ${dst} from ${src} detected. ${gap} ICMP packets dropped since last alarm. |
| 30000164 | INFO | Firewall / Packet Filter | IPv6 UDP flood attack | UDP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 UDP packets dropped since last alarm. | IPv6 UDP flood attack was detected. | UDP flood attack against %s from %s detected. %llu UDP packets dropped since last alarm. | UDP flood attack against ${dst} from ${src} detected. ${gap} UDP packets dropped since last alarm. |
| 30000165 | INFO | Firewall / Packet Filter | IPv6 IPSEC flood attack | IPSEC flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 IPSEC packets dropped since last alarm. | IPv6 IPSEC flood attack was detected. | IPSEC flood attack against %s from %s detected. %llu IPSEC packets dropped since last alarm. | IPSEC flood attack against ${dst} from ${src} detected. ${gap} IPSEC packets dropped since last alarm. |
| 30000166 | INFO | Firewall / Packet Filter | IPv6 IKE flood attack | IKE flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 IKE packets dropped since last alarm. | IPv6 IKE flood attack was detected. | IKE flood attack against %s from %s detected. %llu IKE packets dropped since last alarm. | IKE flood attack against ${dst} from ${src} detected. ${gap} IKE packets dropped since last alarm. |
| 30000167 | INFO | Firewall / Packet Filter | Alarm Traffic matched policy | Policy Name: HTTP-00 Source IP Address: 10.0.1.20 Source Port: 4107 Destination IP Address: 61.135.169.125 Destination Port: 80 | An alarm log message was sent for traffic that matched the specified policy. | Policy Name: %s Source IP Address: %s Source Port: %d Destination IP Address: %s Destination Port: %d | Policy Name: ${pcy_name} Source IP Address: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip} Destination Port: ${dst_port} |
| 30000168 | INFO | Firewall / Packet Filter | Blocked site | Blocked site: Traffic detected from 10.0.1.2 to 61.231.45.165. | Traffic was detected to or from a blocked site. | Blocked site: Traffic detected from %src to %dst. | Blocked site: Traffic detected from ${src} to ${dst}. |
| 30000169 | INFO | Firewall / Packet Filter | IP spoofing | IP spoofing: Traffic detected from 10.0.1.2 to 43.123.12.26. | IP spoofing was detected from the IP address specified in the log message. | IP spoofing: Traffic detected from %src to %dst. | IP spoofing: Traffic detected from ${src} to ${dst}. |
| 30000170 | INFO | Firewall / Packet Filter | Connection table high water mark | The total number of current sessions (1024) has reached the high water mark (1024). | The total number of current sessions reached the high water mark (80%) of the maximum connection table. | The total number of current sessions (%u) has reached the high water mark (%d). | The total number of current sessions (${value1}) has reached the high water mark (${value2}). |
| 30000171 | INFO | Firewall / Packet Filter | Conntrack table is full | The number of connections (2048) has reached the configured limit (2048). | The conntrack table is full. The number of connections has reached the configured limit. | The number of connections (%u) has reached the configured limit (%d). | The number of connections (${value1}) has reached the configured limit (${value2}). |
| 30000172 | INFO | Firewall / Packet Filter | Blocked port | Blocked port: Traffic detected from 10.0.1.2 to 61.231.45.165 on port 513. | Traffic was detected on a blocked port. | Blocked port: Traffic detected from %src to %dst on port %port. | Blocked port: Traffic detected from ${src} to ${dst} on port ${port}. |


Diagnostic

Firewall log messages of the Debug (Diagnostic) log type.

| ID | Level | Area | Name | Log Message Example | Description | Format | Message Variables |
|---|---|---|---|---|---|---|---|
| 3000002A | INFO | Firewall / Packet Filter | Address already blocked | IP address 192.168.111.10 will not be added to the blocked sites list because it already exists. | – | IP address %s will not be added to the blocked sites list because it already exists. | IP address ${ip} will not be added to the blocked sites list because it already exists. |
| 3000003A | ERROR | Firewall / Packet Filter | Unable to read feature keys | Unable to read the feature keys, some features may be unavailable | Unable to read feature keys file or fail to parse feature keys file. Features that require a correct feature key will not function. | Unable to read the feature keys, some features may be unavailable | |
| 3000003C | ERROR | Firewall / Packet Filter | No route to HTTP redirect host | Route look up on HTTP redirect host 192.168.111.10 for policy "FTP-00" failed, local redirect may not work | Route look up on HTTP redirect host for the specified policy failed, and local HTTP redirect may not work. | Route look up on HTTP redirect host %u.%u.%u.%u for policy "%s" failed, local redirect may not work | |
| 3000012D | INFO | Firewall / Packet Filter | Verify ARP entry | Verify ARP entry for host at 192.168.111.10 | The appliance sent an ARP request to verify learned ARP entry for a given host. | Verify ARP entry for host at %hu.%hu.%hu.%hu | – |
| 3000012E | ERROR | Firewall / Packet Filter | Possible loop or ARP spoofing detected | Cannot relearn system MAC address, possible loop or MAC spoofing, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5 | The appliance received an ARP packet sent from one of its own MAC addresses. It is possibly a network or cabling loop, or another device is faking this device's MAC address. | Cannot relearn system MAC address, possible loop or MAC spoofing, ip=%hu.%hu.%hu.%hu, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u | Cannot relearn system MAC address, possible loop or another device is faking this device's MAC address, ip=${ip}, mac=${mac}, interface=${interface} |
| 30000006 | INFO | Firewall / Packet Filter | Feature settings updated | Application control settings updated | Firewall settings for the feature specified in the message have been updated | %s settings updated | – |
| 30000007 | INFO | Firewall / Packet Filter | DNS forwarding deferred | Deferred DNS forwarding until valid DNS server IP address is dynamically learned | DNS server IP address is not yet known, device will enable DNS when a DNS server IP address is detected | Deferred DNS forwarding until valid DNS server IP address is dynamically learned | |
| 30000027 | INFO | Firewall / Packet Filter | Firewall is starting up | Firewall is starting up | – | Firewall is starting up | – |
| 30000028 | INFO | Firewall / Packet Filter | Firewall is shutting down | Firewall is shutting down | – | Firewall is shutting down | – |
| 30000029 | INFO | Firewall / Packet Filter | Address exempted from blocked sites | IP address 192.168.111.254 will not be added to the blocked sites list because it is exempt | The particular IP address is an exemption and will not be added to the blocked sites list | IP address %s will not be added to the blocked sites list because it is exempt | IP address ${ip} will not be added to the blocked sites list because it is exempt |
| 30000040 | INFO | Firewall / Packet Filter | Blocked site idle timeout | Idle timeout has occurred for blocked site 192.168.111.10 | Idle timeout has occurred for the specified blocked site, and it will be removed from the blocked sites list. | Idle timeout has occurred for blocked site %s | – |
| 30000065 | INFO | Firewall / Packet Filter | Quota amount used by the specified user | User James@Firebox-DB used 21 MB of the bandwidth quota (100 MB) and used 1 minute of the time quota (3 minutes). | – | User %s used %s | User {user} used {quota info} |


Event

Firewall log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

300000C9 INFO Firewall / Packet Filter
Name: Load Balance Server (TCP Probe)
Log Message Example: TCP probe packets timeout, Load Balance Server 10.10.10.100 port 3030 is offline.
Description: Load Balance Server status update due to response or lack of response to a TCP Probe packet. The log message specifies the server IP address and port.
Format: %s %s , Load Balance Server %hu.%hu.%hu.%hu port %d is %s.
Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} port ${port} is ${status}

300000CB INFO Firewall / Packet Filter
Name: Load Balance Server (ICMP Probe)
Log Message Example: ICMP probe packets timeout, Load Balance Server 10.10.10.100 is offline.
Description: Update to status of Load Balance Server due to success or failure of ICMP Probe packet. The log message specifies the server IP and status.
Format: %s %s , Load Balance Server %u.%u.%u.%u is %s.
Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} is ${status}


3000002F INFO Firewall / Packet Filter
Name: Feature not supported by feature key
Log Message Example: Feature key does not support the feature Policy based routing.
Description: The device feature key does not support the specified feature.
Format: Feature key does not support the feature %s.
Message Variables: No valid ${feature name} feature

3000012C ERROR Firewall / Packet Filter
Name: ARP spoofing attack
Log Message Example: ARP spoofing attack detected, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5
Description: Detected an ARP spoofing attack. The log message specifies the source IP address, MAC address, and incoming interface of the ARP packet.
Format: ARP spoofing attack detected, ip=%u.%u.%u.%u, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u
Message Variables: ARP spoofing attack detected, ip=${ip}, mac=${mac}, interface=${interface}

30000004 INFO Firewall / Packet Filter
Name: Application Control feature expired
Log Message Example: The Application Control feature has expired.
Description: The feature key for your Application Control subscription has expired.
Format: The Application Control feature has expired.
Message Variables: –

30000005 INFO Firewall / Packet Filter
Name: IPS feature expired
Log Message Example: The IPS feature has expired.
Description: The feature key for your Intrusion Prevention Services subscription has expired.
Format: The IPS feature has expired.
Message Variables: –


30000174 INFO Firewall / Packet Filter
Name: SD-WAN failover/failback
Log Message Example: SD-WAN action test failed over from interface Bovpn-Vif to Optional-1.
Description: SD-WAN action failed over or failed back from one interface to another one.
Format: SD-WAN action %name %update from interface %prev to %new.
Message Variables: SD-WAN action ${name} ${update} from interface ${prev} to ${new}

30011001 INFO Firewall / Packet Filter
Name: Temporarily blocking host
Log Message Example: Temporarily blocking host 198.13.111.226 (reason = autoblock by policy)
Description: The host is blocked temporarily.
Format: Temporarily blocking host %s (reason = %s)
Message Variables: Temporarily blocking host ${IP} (reason = ${reason string})

30011002 INFO Firewall / Packet Filter
Name: Unblock host
Log Message Example: The Temporary Blocked Sites list is full (capacity=1000). The oldest entry 10.0.5.96 was removed.
Description: The host was unblocked because the Temporary Blocked Sites list is full.
Format: The Temporary Blocked Sites list is full (capacity=%d). The oldest entry %s was removed.
Message Variables: The Temporary Blocked Sites list is full (capacity=${limit}). The oldest entry ${IP} was removed.


Traffic

Firewall log messages of the Traffic log type.

ID Level Area Name Log Message Example Description Format Message Variables

30000148 INFO Firewall / Packet Filter
Name: Normal traffic
Log Message Example: Allow Firebox 0-External 52 tcp 20 127 10.0.1.2 206.190.60.138 62443 80 offset 8 S 832026162 win 8192 (HTTP-00)
Description: Details of normal traffic either allowed or denied by the firewall policy specified in the log message.
Format: %s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d(%s)
Message Variables: ${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}] [${route_type}] ${policy_name}

30000149 INFO Firewall / Packet Filter
Name: Application Control Traffic identified
Log Message Example: Allow 1-Trusted 0-External 40 tcp 20 127 10.0.1.2 206.190.60.138 53008 80 offset 5 AF 3212213617 win 257 app_name="World Wide Web HTTP" cat_name="Network Protocols" app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2" sig_vers="18.123" msg="Application identified" (HTTP-00)
Description: Application Control identified traffic for an application.
Format: %s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" sig_vers=\"%s\" msg=\"%s\" (%s)
Message Variables: ${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} sig_vers=${sig_vers} msg=${msg} [${route_type}] ${policy_name}


30000150 INFO Firewall / Packet Filter
Name: IPS Traffic detected
Log Message Example: Deny 1-Trusted 0-External 1440 tcp 20 61 10.0.1.2 192.168.130.126 55810 80 offset 5 A 447868619 win 54 signature_name="EXPLOIT Apple QuickTime FLIC Animation file buffer overflow -1-2" signature_cat="Misc" signature_id="1112464" severity="4" sig_vers="18.124" msg="IPS detected" (HTTP-00)
Description: IPS detected traffic that matches an IPS signature.
Format: %s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d signature_name=\"%s\" signature_cat=\"%s\" signature_id=\"%s\" severity=\"%d\" sig_vers=\"%s\" msg=\"%s\" (%s)
Message Variables: ${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity} sig_vers=${sig_vers} msg=${msg} [${route_type}] ${policy_name}

30000151 INFO Firewall / Packet Filter
Name: Traffic connection terminated
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 220.181.90.24 53018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)
Description: Record for a terminated connection
Format: %s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" duration=\"%d\" sent_bytes=\"%d\" rcvd_bytes=\"%d\" (%s)
Message Variables: ${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes} ${policy_name}

30000173 INFO Firewall / Packet Filter
Name: Hostile traffic
Log Message Example: Deny 0-External Firebox 52 tcp 20 127 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)
Description: Details of hostile traffic denied by the firewall internal policy.
Format: %s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d(%s)
Message Variables: ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]


Networking Log Messages

Networking log messages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP server requests, FireCluster management, link monitoring, and wireless connections.

Diagnostic

Networking log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

09000001 ERROR Networking / PPPoE
Name: Duplicate PPPoE Instance Error
Log Message Example: Another instance of PPPoE is running
Description: Another instance of the PPPoE process is already active in the system.
Format: Another instance of PPPoE is running

09000002 ERROR Networking / PPPoE
Name: Invalid PPPoE automatic restart settings
Log Message Example: PPPoE automatic restart settings are invalid, automatic restart will not be used
Description: Automatic restart of PPPoE is disabled due to invalid settings.
Format: PPPoE automatic restart settings are invalid, automatic restart will not be used

09000006 INFO Networking / PPPoE
Name: Initiate PPPoE automatic restart
Log Message Example: Initiating PPPoE automatic restart
Description: PPPoE instance will restart automatically.
Format: Initiating PPPoE automatic restart

09000007 WARN Networking / PPPoE
Name: Skip PPPoE automatic restart
Log Message Example: Skipped PPPoE automatic restart because the link was not up
Description: PPPoE instance will not restart automatically due to no link.
Format: Skipped PPPoE automatic restart because the link was not up


31000003 INFO Networking / Network Management
Name: Initiate gratuitous ARP
Log Message Example: Initiating GARP for eth0
Description: Initiate gratuitous ARP for the specified interface.
Format: Initiating GARP for %s
Message Variables: Initiating GARP for ${dev_name}

31000004 INFO Networking / Network Management
Name: Initiate gratuitous ARP
Log Message Example: Initiating GARP for all interfaces
Description: Initiate gratuitous ARP for all the interfaces.
Format: Initiating GARP for all interfaces

3100000F INFO Networking / Network Management
Name: Add bridge interface
Log Message Example: Adding bridge tbr0
Description: Add bridge interface in bridge mode.
Format: Adding bridge %s
Message Variables: Adding bridge ${dev_name}

31000030 INFO Networking / Network Management
Name: Send interface logical link status event
Log Message Example: [eth0] Sending interface status event, logical=up link=up ip=10.0.0.1 mask=255.255.255.0
Description: Interface status event is sent for logical link status change.
Format: [%s] Sending interface status event%s, logical=%s link=%s ip=%u.%u.%u.%u mask=%u.%u.%u.%u
Message Variables: [${dev_name}] Sending interface status event, logical=${logical} link=${link} ip=${ip} mask=${mask}

31000031 INFO Networking / Network Management
Name: Send interface link status event
Log Message Example: [eth0] Sending interface status event for link up
Description: Interface status event is sent for link change.
Format: [%s] Sending interface status event%s for link %s
Message Variables: [${dev_name}] Sending interface status event for link ${link}

31000034 INFO Networking / Network Management
Name: A change was made to the IP address of the external interface
Log Message Example: [eth0 (External)] External Interface set IP address
Description: Handle IP address for the specified external interface.
Format: [%s (%s)] External Interface %s IP address
Message Variables: [${dev_name} (${if_name})] External Interface ${operation} IP address


31000035 ERROR Networking / Network Management
Name: Ignore unknown address operation
Log Message Example: [eth0 (External)] Ignoring unknown address operation sss
Description: Ignore unknown address operation on the specified interface.
Format: [%s (%s)] Ignoring unknown address operation %s
Message Variables: [${dev_name} (${if_name})] Ignoring unknown address operation ${operation}

31000036 INFO Networking / Network Management
Name: Layer 2 traffic gate is closed
Log Message Example: [Cluster] The traffic gate of layer2 is closed due to cluster role backup
Description: Layer 2 traffic gate is closed due to the specified reason.
Format: [Cluster] The traffic gate of layer2 is closed due to cluster role %s
Message Variables: [Cluster] The traffic gate of layer2 is closed due to cluster role ${role}

31000037 INFO Networking / Network Management
Name: Layer 2 traffic gate is opened
Log Message Example: [Cluster] The traffic gate of layer2 is opened due to cluster role master
Description: Layer 2 traffic gate is opened due to the specified reason.
Format: [Cluster] The traffic gate of layer2 is opened due to cluster role %s
Message Variables: [Cluster] The traffic gate of layer2 is opened due to cluster role ${role}

31000038 INFO Networking / Network Management
Name: Traffic signal changed
Log Message Example: [Cluster] Traffic signal become green
Description: Traffic signal is changed to the specified status.
Format: [Cluster] Traffic signal become %s
Message Variables: [Cluster] Traffic signal become ${status}

3100003D INFO Networking / Network Management
Name: Update ARP rules
Log Message Example: [Cluster] Update arp rules for cluster role backup
Description: Update ARP rules for the specified cluster role.
Format: [Cluster] Update arp rules for cluster role %s
Message Variables: [Cluster] Update arp rules for cluster role ${role}

3100004F INFO Networking / Network Management
Name: Fix up multipath gateways
Log Message Example: [ECMP] Fix up 2 multipath gateway successfully
Description: Fix up multipath gateways of the specified number successfully.
Format: [ECMP] Fix up %d multipath gateway successfully
Message Variables: [ECMP] Fix up ${num} multipath gateway successfully


31000050 INFO Networking / Network Management
Name: Starting wireless AP
Log Message Example: Starting wireless AP ath1
Description: Starting specified wireless AP.
Format: Starting wireless AP %s

31000051 INFO Networking / Network Management
Name: Stopping wireless AP
Log Message Example: Stopping wireless AP ath1
Description: Stopping the specified wireless Access Point.
Format: Stopping wireless AP %s

31000057 INFO Networking / Network Management
Name: Start processing configuration
Log Message Example: Starts processing a configuration setting
Description: Started to process configuration settings.
Format: Starts processing a configuration setting

31000058 INFO Networking / Network Management
Name: Update bridge mode settings
Log Message Example: Updating global bridge mode setting
Description: Update global bridge mode settings.
Format: Updating global bridge mode setting

31000059 INFO Networking / Network Management
Name: Update drop-in mode settings
Log Message Example: Updating global drop-in mode setting
Description: Update global drop-in mode settings.
Format: Updating global drop-in mode setting

3100005A INFO Networking / Network Management
Name: Update wireless settings
Log Message Example: Updating wireless setting
Description: Update wireless settings
Format: Updating wireless setting

3100005B INFO Networking / Network Management
Name: Update secondary IP settings
Log Message Example: Updating Trust-1 secondary IP(s) setting
Description: Update secondary IP address settings for the specified interface.
Format: Updating %s secondary IP(s) setting
Message Variables: Updating ${if_name} secondary IP(s) setting

3100005C INFO Networking / Network Management
Name: Update route settings
Log Message Example: Updating route setting
Description: Update route settings.
Format: Updating route setting
Message Variables: –


3100005D INFO Networking / Network Management
Name: Update 1to1 NAT settings
Log Message Example: Updating 1to1 NAT setting
Description: Update 1-to-1 NAT settings.
Format: Updating 1to1 NAT setting

3100005E INFO Networking / Network Management
Name: Update DNS settings
Log Message Example: Updating DNS setting
Description: Update DNS settings.
Format: Updating DNS setting
Message Variables: –

31000070 INFO Networking / Network Management
Name: Clean up stale connections
Log Message Example: [Cluster] Clean up stale IP connections with expired address 192.168.1.22 for PPPoE interface eth0
Description: Clean up stale connections for the expired IP address on dynamic interface.
Format: [Cluster] Clean up stale IP connections with expired address %s for %s interface %s
Message Variables: [Cluster] Clean up stale IP connections with expired address ${ip} for dynamic interface ${dev_name}

31000075 ERROR Networking / Network Management
Name: DNSWatch servers should not be in use
Log Message Example: DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.
Description: DNSWatch servers should not be in use but the Firebox does not have an alternative DNS server it can use.
Format: DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.

31130001 ERROR Networking / Network Management
Name: Capture stopped
Log Message Example: Capture stopped, insufficient space
Description: Capture stopped due to the specified reason.
Format: Capture stopped, %s
Message Variables: Capture stopped, ${reason}

45000001 ERROR Networking / Modem
Name: Duplicate modem instance running
Log Message Example: Another instance of Modem is running
Description: System loaded Modem process, but another instance is already active.
Format: Another instance of Modem is running

5A000001 INFO Networking / Dynamic DNS
Name: Response from Dynamic DNS server
Log Message Example: Response from server: update succeeded with no change, abusive warning (1)
Description: Receive the specified response from the dynamic DNS server.
Format: Response from server: %s (%d)
Message Variables: Response from server: ${response} (${ret_code})

5A000002 INFO Networking / Dynamic DNS
Name: Dynamic DNS Domain Name Resolved
Log Message Example: Resolved domain members.dyndns.org to 204.13.248.111
Description: Dynamic DNS server domain name successfully resolved to an IP address.
Format: Resolved domain %s to %s
Message Variables: Resolved domain ${domain} to ${ip}

5A000003 INFO Networking / Dynamic DNS
Name: Connected to the server
Log Message Example: Connected to: members.dyndns.org / 204.13.248.111
Description: Connected to the specified dynamic DNS server.
Format: Connected to: %s / %s
Message Variables: Connected to: ${server_name} / ${server_ip}

5A000004 INFO Networking / Dynamic DNS
Name: Connecting to the server
Log Message Example: Connecting to: members.dyndns.com / 204.13.248.111
Description: Connecting to the specified dynamic DNS server.
Format: Connecting to: %s / %s
Message Variables: Connecting to: ${server_name} / ${server_ip}


5A000005 INFO Networking / Dynamic DNS
Name: Activate dynamic DNS
Log Message Example: Activating DynDNS on interface: External
Description: Activate dynamic DNS on the specified interface.
Format: Activating DynDNS on interface: %s
Message Variables: Activating DynDNS on interface: ${if_name}

5A000006 DEBUG Networking / Dynamic DNS
Name: Received reply from the server
Log Message Example: Received reply: HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 17:14:57 GMT Server: Apache Content-Type: text/plain Connection: close good 192.168.53.88
Description: Received the specified reply from the dynamic DNS server.
Format: Received reply: %s
Message Variables: Received reply: ${reply}

5A000007 ERROR Networking / Dynamic DNS
Name: Unable to resolve domain name
Log Message Example: Could not resolve server: members.dyndns.org
Description: Could not resolve domain for dynamic DNS server.
Format: Could not resolve server: %s
Message Variables: Could not resolve server: ${server}

5A000008 ERROR Networking / Dynamic DNS
Name: Failed to connect to the server
Log Message Example: Could not connect to members.dyndns.org / 204.13.248.111, connection refused
Description: Could not connect to the dynamic DNS server due to specified reason.
Format: Could not connect to %s / %s, %m
Message Variables: Could not connect to ${server_name} / ${server_ip}, ${reason}

5A000009 ERROR Networking / Dynamic DNS
Name: Unable to connect to server
Log Message Example: Unable to connect to server: members.dyndns.org / 204.13.248.111
Description: Unable to connect to the specified dynamic DNS server.
Format: Unable to connect to server: %s / %s
Message Variables: Unable to connect to server: ${server_name} / ${server_ip}

5A00000A ERROR Networking / Dynamic DNS
Name: No response from server
Log Message Example: No response from server members.dyndns.org / 204.13.248.111
Description: Not able to get response from specified dynamic DNS server.
Format: No response from server %s / %s
Message Variables: No response from server ${server_name} / ${server_ip}

5A00000B ERROR Networking / Dynamic DNS
Name: Invalid response from server
Log Message Example: Invalid response from server (-2)
Description: The dynamic DNS server returned an invalid response code. The log message specifies that code.
Format: Invalid response from server (%d)
Message Variables: Invalid response from server (${ret_code})

5A00000C INFO Networking / Dynamic DNS
Name: The time for next update
Log Message Example: Next update is on Tue, 27 Nov 2012 17:14:57
Description: The log message specifies the next update time for dynamic DNS.
Format: Next update is on %s
Message Variables: Next update is on ${time}

5A00000D DEBUG Networking / Dynamic DNS
Name: Send update request
Log Message Example: Sending update request (138 bytes): GET /nic/update?system=dyndns
Description: Sending dynamic DNS update request. The log message specifies the size and content of the request.
Format: Sending update request (%zu bytes): %s
Message Variables: Sending update request (${size} bytes): ${content}

56000001 INFO Networking / Dynamic Routing
Name: Update IPv4 Dynamic Routes
Log Message Example: Sync add an IPv4 dynamic route (10.0.1.2/24 gw 10.0.1.254 ifindex 1 metric 10)
Description: Updated an IPv4 dynamic route. The log message specifies the route that is changed.
Format: %s %s an IPv4 dynamic route (%s/%d gw %s ifindex %d metric %d)
Message Variables: ${event} ${action} an IPv4 dynamic route (${ip}/${mask} gw ${gw} ifindex ${ifindex} metric ${metric}

56010002 ERROR Networking / Dynamic Routing
Name: Failed to retrieve license
Log Message Example: Failed to retrieve active license features
Description: Failed to retrieve license features for dynamic routing.
Format: Failed to retrieve active license features

56010003 ERROR Networking / Dynamic Routing
Name: Failed to parse license
Log Message Example: Failed to parse the active license features
Description: Failed to parse license features for dynamic routing.
Format: Failed to parse the active license features

56010004 ERROR Networking / Dynamic Routing
Name: Not able to get license
Log Message Example: Could not get license for dynamic routing features
Description: Not able to get license for dynamic routing features.
Format: Could not get license for dynamic routing features

56020001 DEBUG Networking / Dynamic Routing
Name: Received interface event
Log Message Example: Received interface status event
Description: Received an interface status event.
Format: Received interface status event

56020002 DEBUG Networking / Dynamic Routing
Name: Received cluster event
Log Message Example: Received cluster ready event
Description: Received cluster ready event.
Format: Received cluster ready event

56020003 DEBUG Networking / Dynamic Routing
Name: Received cluster event
Log Message Example: Received cluster role change event
Description: Received cluster role change event.
Format: Received cluster role change event


56020004 DEBUG Networking / Dynamic Routing
Name: Received license event
Log Message Example: Received License Update event
Description: Received a license update event.
Format: Received License Update event

56020005 ERROR Networking / Dynamic Routing
Name: RCS unresponsive
Log Message Example: RCS(10.10.10.10) is unresponsive, and is considered stopped
Description: The RCS at the specified IP address has become unresponsive
Format: RCS(%s) is unresponsive, and is considered stopped
Message Variables: RCS(${ip}) is unresponsive, and is considered stopped

56020006 INFO Networking / Dynamic Routing
Name: Not able to forward request to RCS
Log Message Example: Could not forward request to RCS, not connected
Description: Not able to forward request to RCS due to no connection.
Format: Could not forward request to RCS, not connected

56030001 ERROR Networking / Dynamic Routing
Name: –
Log Message Example: Configuration error detected in ripd.conf, line 12: 'network 192.168.53.0/24 area 0'
Description: An error was detected in the configuration. The log message specifies the line number of the error.
Format: Configuration error detected in %s, line %d: '%s'
Message Variables: Configuration error detected in ${config}, line ${lineno}: '${line}'

56040001 ERROR Networking / Dynamic Routing
Name: Not able to connect to RCS
Log Message Example: Could not connect to RCS, 10.0.1.10
Description: Not able to connect to RCS with the specified IP address.
Format: Could not connect to RCS, %s
Message Variables: Could not connect to RCS, ${ip}

56040002 ERROR Networking / Dynamic Routing
Name: Connection to RCS closed
Log Message Example: Connection to RCS was closed
Description: Connection to RCS closed.
Format: Connection to RCS was closed


Event

Networking log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

09000004 ERROR Networking / PPPoE
Name: Authentication failure
Log Message Example: PPPoE authentication failed
Description: The Firebox or XTM device failed to authenticate for PPPoE.
Format: PPPoE authentication failed

09000005 ERROR Networking / PPPoE
Name: PPPoE stopped
Log Message Example: PPPoE stopped unexpectedly (unknown error)
Description: PPPoE stopped unexpectedly due to an unknown error.
Format: PPPoE stopped unexpectedly (unknown error)

09000008 INFO Networking / PPPoE
Name: Enforce static IP address
Log Message Example: [eth2 (External)] Enforced PPPoE static IP address: 192.168.3.48 is replaced with 192.168.3.29
Description: Replaced the assigned PPPoE IP address with the configured static IP address. The assigned IP address is retained as a secondary IP address for the interface.
Format: [%s (%s)] Enforced PPPoE static IP address: %s is replaced with %s
Message Variables: [${dev_name} (${if_name})] Enforced PPPoE static IP address: ${nego_ip} is replaced with ${static_ip}

09000009 INFO Networking / PPPoE
Name: Session established
Log Message Example: [eth0 (External)] PPPoE session[11] is established, acquired IP address 192.168.3.48, peer 192.168.3.254
Description: The specified interface established a PPPoE session. The log message also specifies the session ID, acquired IP address, and peer IP address.
Format: [%s (%s)] PPPoE session[%d] is established, acquired IP address %s, peer %s
Message Variables: [${physical_name} (${ifname})] PPPoE session[${session_id}] is established, acquired IP address ${ipaddr}, peer ${peer_addr}

0900000A INFO Networking / PPPoE
Name: Disconnect
Log Message Example: [eth0 (External)] PPPoE session[11] is disconnected.
Description: The PPPoE session for the specified interface is disconnected.
Format: [%s (%s)] PPPoE session[%d] is disconnected.

16000001 ERROR Networking / DHCP Server
Name: DHCP discover
Log Message Example: DHCPDISCOVER from 00:50:04:ce:c6:3d via eth1: network 192.168.111.0/24: no free leases
Description: Received DHCP discover from the client, but there are no free leases available.
Format: %s
Message Variables: –

16000002 INFO Networking / DHCP Server
Name: DHCP offer
Log Message Example: DHCPOFFER on 192.168.111.20 to 84:2b:2b:a6:02:3f (client) via eth1
Description: The DHCP server offered an IP address to the specified client device.
Format: %s
Message Variables: –

16000003 INFO Networking / DHCP Server
Name: DHCP request
Log Message Example: DHCPREQUEST for 192.168.111.20 from 84:2b:2b:a6:02:3f (client) via eth1
Description: Received DHCP request for specified IP address from the specified client.
Format: %s
Message Variables: –

31000009 INFO Networking / Network Management
Name: Interface initializing
Log Message Example: [eth1 (Trusted)] Interface initializing
Description: Initializing the specified interface.
Format: [%s (%s)] Interface initializing
Message Variables: [${dev_name} (${if_name})] Interface initializing

3100000A INFO Networking / Network Management
Name: Interface shutting down
Log Message Example: [eth1 (Trusted)] Interface shutting down
Description: Shutting down the specified interface.
Format: [%s (%s)] Interface shutting down
Message Variables: [${dev_name} (${if_name})] Interface shutting down

3100000B INFO Networking / Network Management
Name: Multi-WAN interface activated.
Log Message Example: [eth1 (Trusted)] Interface is activated as link state becomes UP.
Description: Interface is activated as link state becomes UP. The log message specifies the interface.
Format: [%s (%s)] Interface is activated as link state becomes UP.

3100000D WARN Networking / Network Management
Name: Multi-WAN interface deactivated
Log Message Example: [eth1 (Trusted)] Interface is deactivated as link state becomes DOWN.
Description: Interface is deactivated as link state becomes DOWN. The log message specifies the interface.
Format: [%s (%s)] Interface is deactivated as link state becomes DOWN.

31000010 ERROR Networking / Network Management
Name: Failed to add bridge
Log Message Example: Failed to add bridge tbr0 VLAN ID 1
Description: Failed to add bridge
Format: Failed to add bridge %s VLAN ID %d

31000029 ERROR Networking / Network Management
Name: Failed to add interface IP address
Log Message Example: [eth1 (Trusted)] Failed to add address 198.51.100.0
Description: Failed to add the specified IP address to the specified interface.
Format: [%s (%s)] Failed to %s address %s

3100002B ERROR Networking / Network Management
Name: Interface is disabled
Log Message Example: [eth1 (Trusted)] Interface is disabled because it does not exist
Description: Specified interface does not exist. The interface status is set to disabled.
Format: [%s (%s)] Interface is disabled because it does not exist
Message Variables: [${dev_name} (${if_name})] Interface is disabled because it does not exist

3100002C WARN Networking / Network Management
Name: Interface link status changed
Log Message Example: [eth1 (Trusted)] Interface link status changed to UP
Description: The interface link status has changed. The log message specifies the new status.
Format: [%s (%s)] Interface link status changed to %s

31000039 INFO Networking / Network Management
Name: Cluster management interface change
Log Message Example: [Cluster] Management interface setting is changed: interface from eth1 to eth2, IPv4 address from 10.0.1.3 to 10.0.2.3, IPv4 mask from 24 to 24, IPv6 CIDR from 2000::1/64 to 2001::2/64
Description: The configuration for the cluster management interface changed. The log message specifies changes to the interface, IP address, mask and IPv6 address.
Format: [Cluster] Management interface setting is changed: interface from %s to %s, IPv4 address from %u.%u.%u.%u to %u.%u.%u.%u IPv4 mask from %d to %d IPv6 CIDR from %s to %s%s
Message Variables: [Cluster] Management interface setting is changed: interface from ${pre_if} to ${new_if}, IPv4 address from ${pre_ip} to ${new_ip} IPv4 mask from ${pre_mask} to ${new_mask} IPv6 CIDR from ${pre_ipv6} to %{new_ipv6}%s


3100003A WARN Networking /NetworkManagement

Cluster is enabled Cluster is enabled and isforming

Cluster isenabled and isforming.

Cluster isenabled and isforming

3100003B WARN Networking / Network Management

Cluster setting changed to disabled

Cluster setting changed from enabled to disabled

The cluster setting was changed from enabled to disabled.

Cluster setting changed from enabled to disabled

3100003E INFO Networking / Network Management

Cluster A/P role changed [Cluster] Cluster A/P role successfully changed from master to idle.

The role of this device in the active/passive (A/P) cluster changed. The log message specifies the old and new roles.

[Cluster] Cluster A/P role successfully changed from %s to %s.

3100003F INFO Networking / Network Management

Cluster A/A role changed [Cluster] Cluster A/A role successfully changed from master to idle.

The Cluster active/active (A/A) role changed. The log message specifies the old and new roles.

[Cluster] Cluster A/A role successfully changed from %s to %s.

31000046 INFO Networking / Network Management

Activating external interface [eth0 (External)] Activating external interface

Activating specified external interface.

[%s (%s)] Activating external interface

[${dev_name} (${if_name})] Activating external interface


31000047 INFO Networking / Network Management

Deactivating external interface [eth0 (External)] Deactivating external interface

Deactivating the specified external interface.

[%s (%s)] Deactivating external interface

[${dev_name} (${if_name})] Deactivating external interface

31000052 INFO Networking / Network Management

Starting wireless AP service Starting wireless AP service Starting wireless AP service.

Starting wireless AP service

31000054 INFO Networking / Network Management

Detect rogue wireless AP Starting the scan for rogue wireless AP detection

Starting rogue wireless AP detection scan.

Starting the scan for rogue wireless AP detection

31000055 INFO Networking / Network Management

Stop detecting rogue wireless AP Stopping the scan for rogue wireless AP detection

Stopping rogue wireless AP detection scan.

Stopping the scan for rogue wireless AP detection

31000056 INFO Networking / Network Management

Restart detecting rogue wireless AP

Restart the scan for rogue wireless AP detection

Restart rogue wireless AP detection scan.

Restart the scan for rogue wireless AP detection

31000069 INFO Networking / Network Management

IPv6 interface activated. [eth0 (External)] IPv6 interface is activated.

An IPv6 interface was activated. The log message specifies the interface.

[%s (%s)] IPv6 interface is activated.


3100006A WARN Networking / Network Management

IPv6 interface deactivated. [eth0 (External)] IPv6 interface is deactivated.

IPv6 interface was deactivated. The log message specifies the interface.

[%s (%s)] IPv6 interface is deactivated.

3100006C INFO Networking / Network Management

IPv6 interface shutting down [eth0 (External)] IPv6 interface shutting down

Shutting down specified IPv6 interface.

[%s (%s)] IPv6 interface shutting down

[${dev_name} (${if_name})] IPv6 interface shutting down

3100006D INFO Networking / Network Management

IPv6 interface initializing [eth0 (External)] IPv6 interface initializing

Initializing specified IPv6 interface.

[%s (%s)] IPv6 interface initializing

[${dev_name} (${if_name})] IPv6 interface initializing

31000071 INFO Networking / Network Management

PPPoE IP address change during cluster failover

[eth0 (External)] PPPoE IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23

The cluster completed a failover. During the failover, the PPPoE IP address changed.

[%s (%s)] PPPoE IP address changed during cluster failover, from %s to %s

[${dev_name} (${if_name})] PPPoE IP address changes during cluster failover, from ${pre_ip} to ${new_ip}

31000072 INFO Networking / Network Management

No change for PPPoE IP address during cluster failover

[eth0 (External)] PPPoE IP address 192.168.1.22 did not change during cluster failover

PPPoE IP address did not change during cluster failover.

[%s (%s)] PPPoE IP address %u.%u.%u.%u did not change during cluster failover

31000073 INFO Networking / Network Management

DHCP IP address change during cluster failover

[eth0 (External)] DHCP IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23

The cluster completed a failover. During the failover, the DHCP IP address changed.

[%s (%s)] DHCP IP address changed during cluster failover, from %s to %s

[${dev_name} (${if_name})] DHCP IP address changes during cluster failover, from ${pre_ip} to ${new_ip}

31000074 INFO Networking / Network Management

No change for DHCP IP address during cluster failover

[eth0 (External)] DHCP IP address 192.168.1.22 did not change during cluster failover

DHCP IP address did not change during cluster failover.

[%s (%s)] DHCP IP address %u.%u.%u.%u did not change during cluster failover

45000003 INFO Networking / Modem Modem disconnected modem0 disconnected Specified modem is disconnected.

%s disconnected

45000004 ERROR Networking / Modem Modem authentication failed Modem authentication failed, check your modem configuration

Modem authentication failed.

Modem authentication failed, check your modem configuration

49000001 ERROR Networking / Link Monitoring

Multi-WAN Domain Name Resolution Failed

[Link Monitor] External unable to resolve domain name www.example.com

Specified interface failed to resolve specified domain name for ping or TCP test for failover.

[Link Monitor] %s unable to resolve domain name %s


49000002 WARN Networking / Link Monitoring

Multi-Wan Probe Failed [Link Monitor] No response received on External from TCP host 192.168.1.218 port 9999

Specified interface did not receive a response to Probe for failover.

[Link Monitor] No response received on %s from %s

[Link Monitor] No response received on ${if_name} from ${target}

49000003 ERROR Networking / Link Monitoring

Probe failure [Link Monitor] External interface failed because a probe to the target host failed

Specified interface marked as Failed due to no response from ping or TCP host.

[Link Monitor] %s interface failed because a probe to the target host failed

68000001 INFO Networking / Discovery

Network scan completed On demand scan completed Specified type of scan completed

%s scan completed

${scan_type} scan completed

68000002 INFO Networking / Discovery

Network scan started On demand scan - stage 2 started

Specified type and stage of scan started

%s scan%s started

${scan_type} scan${scan_stage} started

68000003 INFO Networking / Discovery

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

56000002 INFO Networking / Dynamic Routing

Cluster role failed over to backup Failed over from master to backup

Cluster role failed over from master to backup

Failed over from master to backup


56000003 INFO Networking / Dynamic Routing

Cluster role failed over to master Failed over from backup to master

Cluster role failed over from backup to master

Failed over from backup to master

56010001 WARN Networking / Dynamic Routing

No valid feature key Invalid or missing feature key for dynamic routing protocol OSPF

No valid feature key for the specified dynamic routing protocol.

Invalid or missing feature key for dynamic routing protocol %s

56010005 INFO Networking / Dynamic Routing

License status License for dynamic routing protocol BGP is valid

Specifies the license status for a dynamic routing protocol.

License for dynamic routing protocol %s is %s

License for dynamic routing protocol ${proto} is ${status}

54000001 INFO Networking / Rogue Access Point Detection

Scan=%u-%llu started Scan=0-34 started Scan started Scan started, it will last about 30 seconds, wireless traffic will be interrupted in the meantime

54000002 INFO Networking / Rogue Access Point Detection

Scan=%u-%llu ended %zd %zd Scan=0-34 ended 0 0 Scan ended %zd %zd

Scan ended [Rogue AP Count] [Trusted AP Count]

54000003 WARN Networking / Rogue Access Point Detection

Scan=%u-%llu detected Rogue AP with %s

Scan=0-34 detected Rogue AP with mac_address='00:90:0b:1b:34:30'

Detected Rogue AP

Scan detected Rogue AP, this AP is not in the list of 'Trusted Access Point Configuration'

54000004 INFO Networking / Rogue Access Point Detection

Scan=%u-%llu detected Trusted AP with %s

Scan=0-34 detected Trusted AP with mac_address='00:90:0b:1b:35:40'

Detected Trusted AP

Scan detected Trusted AP, this AP is in the list of 'Trusted Access Point Configuration'


Proxy Policy Log Messages

Proxy policy log messages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, Subscription Services, and Security Services. For information about log messages from Security Services processes, see Security Services Log Messages on page 120.

Event

Proxy Policy log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

0F000001 INFO Proxy / Connection Framework Manager

HTTPS content inspection list imported

HTTPS content inspection exception list imported

When a pre-defined HTTPS exception list is imported, this event log is generated to inform the user.

HTTPS content inspection exception list imported

0F010015 WARN Proxy / Connection Framework Manager

APT threat notified APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'

When APT server analysis result returned and identified as certain level threat, this event log will be generated to inform that the APT notification has been sent with detailed information.

APT threat notified. Details='%s'


0F010016 INFO Proxy / Connection Framework Manager

Safe APT Analysis result

APT safe result from file submission. Details='Policy Name: HTTP-OUT-00 Reason: clean Message: APT safe object Task_UUID: 7a1e1500e92a410fa44d907f96b9209e MD5: d2723ba60dc88ec1ea449be9eee601cc Source IP: 10.0.1.2 Source Port: 50293 Destination IP: 100.100.100.3 Destination Port: 80 Proxy Type: HTTP Proxy Host: 100.100.100.3 Path: /test.exe'

When the APT Blocker server returns a clean analysis result, this event log contains information about the scanned file.

APT safe result from file submission. Details='%s'

1B0400CE ERROR Proxy / SMTP Ruleset lookup failed Ruleset 'envelope/greeting' lookup failed

SMTP proxy -- Failed to check the specified ruleset

Ruleset '%s' lookup failed

1C0200CD ERROR Proxy / FTP Ruleset lookup failed Cannot get the rule from ruleset 'request/download'

FTP proxy -- Failed to check the specified ruleset

Cannot get the rule from ruleset '%s'

1F000001 ERROR Security Services / Gateway Anti-Virus

Process failed to start Cannot start ScanD ScanD -- Process failed to start Cannot start ScanD

1F010015 INFO Security Services / Gateway Anti-Virus

Ready for service ScanD ready ScanD -- Ready for service ScanD ready

23000001 ERROR Security Services / spamBlocker

Failed to start Cannot start spamD spamD -- Failed to start Cannot start spamD

23000002 INFO Security Services / spamBlocker

Ready for service spamD ready spamD -- Ready for service spamD ready

2E000005 ERROR Security Services / Signature Update

Process exiting SIGD shutting down SIGD -- Process exiting SIGD shutting down


2E000006 ERROR Security Services / Signature Update

Process crashed SIGD crashed SIGD -- Process crashed SIGD crashed

2E010017 WARN Security Services / Signature Update

License failed to load Cannot load the license SIGD -- License failed to load Cannot load the license

2E010018 ERROR Security Services / Signature Update

Failed to start the signature update for the specified services

Cannot start the signature update for 'IPS'

SIGD -- Failed to start the signature update for the specified services

Cannot start the signature update for '%s'

2E010019 ERROR Security Services / Signature Update

Failed to check the available signature version on the server

Cannot complete the version check SIGD -- Failed to check the available signature version on the server

Cannot complete the version check

2E01001A ERROR Security Services / Signature Update

Signature update process failed to start

Cannot start the signature update process

SIGD -- Signature update process failed to start

Cannot start the signature update process

2E01001B ERROR Security Services / Signature Update

Signature update process crashed

SIGD Worker crashed SIGD -- Signature update process crashed

SIGD Worker crashed

2E020065 INFO Security Services / Signature Update

Signature update process started

Scheduled DLP update started SIGD -- Signature update process started

%s %s update started

2E020066 INFO Security Services / Signature Update

Signature update process completed

Scheduled DLP update for version (4.94) completed

SIGD -- Signature update process completed

%s %s update for version (%s) completed


2E020067 ERROR Security Services / Signature Update

Signature update process for the specified version failed

Manual DLP update for version (4.94) failed (Valid feature key not available)

SIGD -- Signature update process for the specified version failed

%s %s update for version (%s) failed (%s)

2E020069 INFO Security Services / Signature Update

Device has the latest signature version for the specified service

Device already has the latest DLP signature version (4.94)

SIGD -- Device has the latest signature version for specified service

Device already has the latest %s signature version (%s)

Traffic

Proxy Policy log messages of the Traffic log type.

ID Level Area Name Log Message Example Description Format Message Variables

1AFF0001 INFO Proxy / HTTP

Session timeout with server idle

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)

The HTTP session has timed out because no traffic has been received from the server for the specified amount of time. (Default: 10 minutes)

HTTP server response timeout

1AFF0002 INFO Proxy / HTTP

Session timeout with client idle

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80 msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)

The HTTP session has timed out because no traffic has been received from the client for the specified amount of time. (Default: 10 minutes)

HTTP client request timeout

1AFF0003 INFO Proxy / HTTP

Session timeout with close complete command timeout

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80 msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)

The Close HTTP Session command timed out because no response to the FIN packet was received within the response time limit (3 minutes).

HTTP close complete timeout

1AFF0004 INFO Proxy / HTTP

Oversize Start-Line

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80 msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)

The first line of the client request or server response is longer than the configured maximum line length. The default maximum length is 4,096 bytes.

HTTP Start-Line oversize

1AFF0005 INFO Proxy / HTTP

Invalid Request-Line format

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80 msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)

The request line from the client does not match the standard format of [Method][SP][Request-URI][SP][HTTP/Version]. The incorrect status-line is specified in the log message.

HTTP Invalid Request-Line Format

1AFF0006 INFO Proxy / HTTP

Invalid Status-Line format

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80 msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

The status line from the server does not match the standard format of [HTTP/Version][SP][Status Code][SP][Reason]. The incorrect status-line is specified in the log message.

HTTP invalid Status-Line format

1AFF0007 INFO Proxy / HTTP

Header line oversize

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80 msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4" line="X-Frame-Options: " (HTTP-proxy-00)

A single client request or server response line is longer than the configured maximum line length. The default maximum length is 4,096 bytes.

HTTP header line oversize

1AFF0008 INFO Proxy / HTTP

Header block oversize

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)

The client request or server response header block length is longer than the configured limit. If maximum total length is enabled, the default limit is 16,384 bytes.

HTTP header block oversize

1AFF0009 INFO Proxy / HTTP

header block parse error

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: header block parse error" (HTTP-proxy-00)

The HTTP proxy cannot process the header line because the format is incorrect. The required format is [Name]:[Value].

HTTP header block parse error

1AFF000A INFO Proxy / HTTP

Request missing URL path

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: HTTP request URL path missing" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 18:50:51 GMT\x0d\x0a"

The HTTP proxy cannot complete the URL because the host or URI value is missing. The HTTP request is denied.

HTTP request URL path missing

–

1AFF000B INFO Proxy / HTTP

Request URL match

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80 msg="ProxyAllow: HTTP request URL match" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com" arg="/pagead/osd.js" (HTTP-proxy-00)

The requested URL matched a configured URL path in the HTTP proxy. By default, all URL paths are allowed.

HTTP request URL match

1AFF000C INFO Proxy / HTTP

Chunk size line oversize

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80 msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

The HTTP chunk size line does not terminate correctly with a carriage return and line-feed (CRLF). The invalid line is specified in the log message.

HTTP chunk size line oversize

1AFF000D INFO Proxy / HTTP

Chunk size line invalid

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80 msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2" line="k7\x0d\x0a" (HTTP-proxy-00)

The HTTP chunk size line has an invalid hexadecimal value. The invalid line is specified in the log message.

HTTP chunk size invalid

1AFF000E INFO Proxy / HTTP

Chunk no CRLF tail

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1" line="This string missing the Carriage Return in the terminating CF-LF pair\x0a" (HTTP-proxy-00)

The HTTP chunk does not close with a carriage return and line feed (CRLF) because the chunk block is missing the closing characters. This is required for each chunk when chunked transfer-encoding is in use. The log message includes the invalid chunk tail line.

HTTP chunk CRLF tail missing

1AFF000F INFO Proxy / HTTP

Footer line oversize

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80 msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

One line of the HTTP footer, an additional header sent at the end of a message is larger than the configured line limit. The default line limit is 4,096 bytes.

HTTP footer line oversize

1AFF0010 INFO Proxy / HTTP

Footer block oversize

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80 msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

The HTTP footer includes additional header information that is larger than the configured block limit size. The default total message limit, if enabled, is 16,384 bytes. The log message includes information about the invalid line.

HTTP footer block oversize


1AFF0011 INFO Proxy / HTTP

Footer block parse error

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80 msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)

The HTTP footer includes an additional header field with syntax that violates the header format restrictions.

HTTP footer block parse error

1AFF0012 INFO Proxy / HTTP

Body content type match

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80 msg="ProxyAllow: HTTP Body Content Type match" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)

The HTTP content either matches a configured Body Content Type or no Body Content Type is defined (only the default rule is in use).

HTTP Body Content Type match

1AFF0013 INFO Proxy / HTTP

Header content malformed

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80 msg="ProxyStrip: HTTP header malformed" proxy_act="393296" header="WWW-Authenticate:\x0d\x0a"

The HTTP header line does not follow the correct syntax for a client request or server response header. The log message contains the header line with the syntax error.

HTTP header malformed

1AFF0016 INFO Proxy / HTTP

Header Transfer-Encoding match

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80 msg="ProxyAllow: HTTP header Transfer-Encoding match" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)

The Transfer-Encoding in the HTTP header matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.

HTTP header transfer encoding match

1AFF0018 INFO Proxy / HTTP

Header content type match

Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80 msg="ProxyAllow: HTTP header Content Type match" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)

The HTTP header Content Type matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.

HTTP header Content Type match

1AFF0019 INFO Proxy / HTTP

Request version match

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80 msg="ProxyDeny: HTTP request version match" proxy_act="HTTP-Client.2" rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)

The HTTP version specified in the HTTP request line matches a configured rule, or the default rule of no match. The log specifies the matched rule name and the request line.

HTTP request version match

1AFF001A INFO Proxy / HTTP

Request method match

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP request method match" proxy_act="HTTP-Client.1" rule_name="GET" method="GET" (HTTP-proxy-00)

The HTTP request method specified in the Request-Line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and the method.

HTTP request method match

1AFF001B INFO Proxy / HTTP

Header match

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)

The HTTP header line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and header line.

HTTP header match

–

1AFF001C INFO Proxy / HTTP

Header cookie domain match

Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80 msg="ProxyDeny: HTTP header cookie domain match" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)

The cookie domain header matches a configured rule, or the default rule of no match. The log message includes the matched rule name and the cookie domain.

HTTP header cookie domain match

1AFF001D INFO Proxy / HTTP

Request host missing

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)

The HTTP request header is missing the host value.

HTTP request host missing


1AFF001E INFO Proxy / HTTP

Header authentication scheme match

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80 msg="ProxyAllow: HTTP Header auth scheme match" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)

The authentication scheme in the HTTP header server response matches one of the configured rules, or the default rule of no match. The log message specifies the matched rule name and the authentication scheme.

HTTP header auth scheme match

1AFF001F INFO Proxy / HTTP

Request method not supported

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)

The HTTP request method does not match a configured rule. The log message specifies the method in use.

HTTP request method unsupported

1AFF0020 INFO Proxy / HTTP

Request port mismatch

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1" (HTTP-proxy-00)

Relative-URI is in use and the port specified in the HTTP request host header does not match the port used for the connection.

HTTP request port mismatch

1AFF0021 INFO Proxy / HTTP

Request categories

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)

The HTTP request matched a WebBlocker category. The log message specifies the action taken by the proxy, the URL, and the category matched.

HTTP Request categories

1AFF0022 INFO Proxy / HTTP

Service unavailable

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80 msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)

WebBlocker categorization failed because the configured WebBlocker server is not available. The log message specifies the profile name and a more detailed error message.

HTTP service unavailable

1AFF0023 INFO Proxy / HTTP

Request URL path oversize

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80 msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)

The URI in the HTTP Request-Line is longer than the configured limit. The default limit is 2,048 bytes. The log message specifies the oversize URI.

HTTP request URL path oversize

1AFF0024 INFO Proxy /HTTP

Request

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80 msg="HTTP request" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92" arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)" (HTTP-proxy-00)

A detailed summary of the last HTTP proxy transaction.

HTTP request –

1AFF0025 INFO Proxy /HTTP

Header IPS rule match

Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80 msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1" signature_id="1055396" severity="5" signature_name="WEB Cross-site Scripting-9" signature_cat="Web Attack" sig_vers="18.001" host="intext.nav-links.com" path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)

Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response header. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.

HTTP header IPS match

1AFF0026 INFO Proxy /HTTP

Body IPS rule match

Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443 msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4" signature_id="1051723" severity="5" signature_name="Virus Eicar test string" signature_cat="Virus/Worm" sig_vers="18.001" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)

Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response content body. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.

HTTP body IPS match

1AFF0028 INFO Proxy /HTTP

GAV Virus found

Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)

Gateway AntiVirus (GAV) detected a virus or malware. The log message specifies the virus name, destination host name, and URI path.

HTTP Virus found

1AFF0029 INFO Proxy /HTTP

GAV scan error

Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)

Gateway AntiVirus (GAV) failed to scan because of an error. The log message specifies the error message, the destination host name, and URI path.

HTTP AV scanning error

1AFF002B INFO Proxy /HTTP

Trusted host

Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80 msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)

The destination host name matches a proxy exception configured in the HTTP proxy.

HTTP Trusted host

1AFF002C INFO Proxy /HTTP

Bad reputation

Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80 msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT" reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)

The HTTP proxy blocked access to the destination address because of a bad reputation score for the URL.

HTTP bad reputation

1AFF002D INFO Proxy /HTTP

Good reputation

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4" reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)

The HTTP proxy did not complete a Gateway AntiVirus (GAV) scan for traffic to the destination address because the URL received a good reputation score.

HTTP good reputation

1AFF002E INFO Proxy /HTTP

Application match

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP App match" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" sig_vers="18.001" src_user="[email protected]" (HTTP-00)

Application Control identified the application type from the HTTP client request or server response stream.

HTTP App match

1AFF002F INFO Proxy /HTTP

DLP violation found

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80 msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA" host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)

Data Loss Prevention (DLP) detected a violation of DLP rules. The log message only includes information about the first rule matched.

HTTP DLP violation found

1AFF0030 INFO Proxy /HTTP

DLP cannot perform scan

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)

Data Loss Prevention (DLP) failed to scan the traffic because of the error specified in the log message.

HTTP cannot perform DLP Scan

1AFF0031 INFO Proxy /HTTP

DLP object unscannable

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)

Data Loss Prevention (DLP) cannot extract data from an object because it is encrypted.

HTTP DLP object unscannable

1AFF0032 INFO Proxy /HTTP

HTTP object too large

Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)

Data Loss Prevention (DLP) cannot scan the object because it is larger than the configured limit. The default value varies by device type and ranges between 1 and 5 MB.

HTTP DLP object too large

1AFF0033 INFO Proxy /HTTP

Range header

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80 msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1" header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)

This is the configured action (allow or strip) for the HTTP proxy Range header. The default action is strip. The HTTP proxy Range header can allow partial file transfers that impact content scans because the full content is not presented.

HTTP Range header

1AFF0034 INFO Proxy /HTTP

APT threat detected

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"

APT Blocker detected a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination host name, and URI path.

HTTP APT detected

1AFF0036 INFO Proxy /HTTP

File submitted to APT analysis server

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.

HTTP File submitted to APT analysis server

1AFF0037 INFO Proxy /HTTP

Connect tunnel port match

Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128 msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)

The HTTP CONNECT tunnel request port matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and port.

HTTP connect tunnel port match

1AFF0038 INFO Proxy /HTTP

Webproxy redirect

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128 msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)

The HTTP Webproxy connection was redirected to a different proxy action because of the configuration setting in explicit proxy. The log message specifies the new proxy action used.

HTTP webproxy redirect

1AFF0039 INFO Proxy /HTTP

File reported safe from APT hash check

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

APT hash check did not report a threat from the object.

HTTP File reported safe from APT hash check

1AFF003A INFO Proxy /HTTP

Content redirect

Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80 msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)

The HTTP content action connection was redirected to a different proxy action because of the configuration. The log message specifies the new proxy action used as well as the current SSL status.

HTTP Content redirect

1AFF003B INFO Proxy /HTTP

Request Content match

Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80 msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_src="URN" dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)

The request contained content which matched a configured content rule in the HTTP proxy. The log message specifies the content which matched the rule as well as rule details.

HTTP Request content match

1AFF0040 INFO Proxy /HTTP

DNSWatch blackholed domain

Allow 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 58477 80 msg="ProxyAllow: HTTP DNSWatch blackholed domain" proxy_act="HTTP-Client.Standard.1" host="www.wine.com" path="/" geo_dst="USA" (HTTP-proxy-00)

The DNSWatch DNS server returned the blackhole server IP address when it resolved the requested domain. The HTTP proxy acknowledges the blackhole server IP address and generates the log for the client request.

HTTP DNSWatch blackholed domain

1AFF0041 INFO Proxy /HTTP

DNSWatch content filtered domain

Deny 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 58477 80 msg="ProxyAllow: HTTP DNSWatch content filtered domain" proxy_act="HTTP-Client.Standard.1" host="www.wine.com" path="/" geo_dst="USA" (HTTP-proxy-00)

The DNSWatch DNS server returned the filterhole server IP address when it resolved the requested domain, based on the content filtered domain configuration. The HTTP proxy acknowledges the filterhole server IP address and generates the log for the client request.

HTTP DNSWatch content filtered domain

1BFF0000 INFO Proxy /SMTP

Greeting

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25 msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)

The host name in the SMTP proxy HELO or EHLO command matched one of the Greeting Rules, or the default rule of no match.

SMTP greeting –

1BFF0001 INFO Proxy /SMTP

ESMTP option

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1" keyword="VRFY" (SMTP-proxy-00)

The EHLO response from the SMTP server includes an ESMTP option that is disabled or unknown.

SMTP ESMTP option

1BFF0002 INFO Proxy /SMTP

Authentication (AUTH)

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25 msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)

The EHLO response from the SMTP server included an authentication type that matches a configured authentication rule. The log message specifies the proxy action, the rule name, the action taken, and the authentication type.

SMTP AUTH –

1BFF0003 INFO Proxy /SMTP

Header

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25 msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0" (SMTP-proxy-00)

A MIME header matched a configured rule, or the default rule of no match.

SMTP header –

1BFF0004 INFO Proxy /SMTP

From address

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25 msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)

The sender address matched a rule specified in the Mail From rules.

SMTP From address

1BFF0005 INFO Proxy /SMTP

To address

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25 msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)

The recipient address matched a rule specified in the Rcpt To rules.

SMTP To address

1BFF0006 INFO Proxy /SMTP

Content type

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25 msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

Some of the message content matched a content filter rule.

SMTP content type

1BFF0007 INFO Proxy /SMTP

Filename

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25 msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

An email attachment matched a file name rule, or the attachment is uuencoded and the SMTP proxy allows uuencoded attachments.

SMTP filename

1BFF000A INFO Proxy /SMTP

Timeout

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25 msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60" (SMTP-proxy-00)

The SMTP connection was idle for longer than the configured idle timeout limit. The default is 10 minutes.

SMTP timeout –

1BFF000C INFO Proxy /SMTP

GAV Virus found

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25 msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)

Gateway AntiVirus (GAV) detected a virus or malware in an email attachment.

SMTP Virus found

1BFF000E INFO Proxy /SMTP

GAV cannot perform scan

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)

Gateway AntiVirus (GAV) could not complete the scan because of the error that is specified in the log message.

SMTP cannot perform Gateway AV scan

1BFF000F INFO Proxy /SMTP

Request

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25 msg="SMTP request" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282" sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard" (SMTP-proxy-00)

This SMTP audit log specifies the bytes sent, bytes received, the sender and recipient addresses, and the sender and recipient TLS cipher.

SMTP request –

1BFF0010 INFO Proxy /SMTP

Message format

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25 msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

The email message format matched a message format rule specified in the SMTP proxy. The log message includes the error message.

SMTP message format

1BFF0011 INFO Proxy /SMTP

IPS match

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" sig_vers="18.001" (SMTP-proxy-00)

Intrusion Prevention Service (IPS) detected a threat. The log message specifies the signature name and ID, threat severity, and signature category.

SMTP IPS match

1BFF0013 INFO Proxy /SMTP

Too many recipients

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25 msg="ProxyDeny: too many recipients" proxy_act="SMTP-Outgoing.1" num_recipients="15" (SMTP-proxy-00)

The number of email recipients specified in the email message exceeds the configured limit. The default limit is 99 for inbound messages and unlimited for outbound messages. The log message specifies the proxy action and number of recipients.

SMTP too many recipients

1BFF0014 INFO Proxy /SMTP

Response size too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25 msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1" response_size="5030" (SMTP-proxy-00)

The SMTP server response exceeds the configured limit. The default limit is 10,000 KB. The log message specifies the size of the response.

SMTP response size too long

1BFF0015 INFO Proxy /SMTP

Line too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1" line_length="32110" (SMTP-proxy-00)

The email message contains a line that exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.

SMTP line length too long

1BFF0016 INFO Proxy /SMTP

Message too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25 msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1" size="16384" (SMTP-proxy-00)

The SMTP message length exceeds the configured limit. The default limit is 10,000 kb.

SMTP message size too long

1BFF0017 INFO Proxy /SMTP

Header too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25 msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1" headers_size="12157" (SMTP-proxy-00)

The SMTP message contains a header that exceeds the configured Maximum Header Length. The default is 20,000 bytes.

SMTP header size too long

1BFF0018 INFO Proxy /SMTP

Command

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25 msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1" keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)

The SMTP request contains a command that is not supported or is not valid for the email transaction. The log message specifies the proxy action, action taken, SMTP command, and the response code.

SMTP command

1BFF0019 INFO Proxy /SMTP

spamBlocker confirmed spam

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25 msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

spamBlocker has classified the message as confirmed SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

SMTP Classified as confirmed SPAM

1BFF001A INFO Proxy /SMTP

spamBlocker bulk spam

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25 msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

spamBlocker has classified the message as bulk SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

SMTP Classified as bulk mail

1BFF001B INFO Proxy /SMTP

spamBlocker suspect spam

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25 msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

spamBlocker has classified the message as suspect SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

SMTP Classified as suspect SPAM

1BFF001C INFO Proxy /SMTP

spamBlocker not SPAM

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25 msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

spamBlocker has classified the message as not SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

SMTP Classified as not SPAM

1BFF001D INFO Proxy /SMTP

spamBlocker classification unknown

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25 msg="ProxyDeny: SMTP message classification is unknown because an error occurred while classifying" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

spamBlocker was unable to classify the email message because of an error. The log message specifies the sender and recipient addresses.

SMTP message classification is unknown because an error occurred while classifying

1BFF001E INFO Proxy /SMTP

spamBlocker exception matched

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25 msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

The sender or recipient of the email message matches a spamBlocker exception specified in the SMTP proxy.

SMTP spamBlocker exception was matched

1BFF001F INFO Proxy /SMTP

Decoder error

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25 msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)

The SMTP proxy was unable to decode the email message due to the error specified in the log message.

SMTP An error was found by our decoder

1BFF0021 INFO Proxy /SMTP

Extra pad characters in base64 encoding

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25 msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)

The SMTP proxy encountered extra pad characters when the body of the base64-encoded message was processed.

SMTP extra pad characters in base64 input

1BFF0022 INFO Proxy /SMTP

Mail from address too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25 msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1" address="[email protected]" length="56" response="553" (SMTP-proxy-00)

A sender email address exceeded the configured maximum address length. The address length is unlimited by default.

SMTP Mail From address too long

1BFF0023 INFO Proxy /SMTP

Application match

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25 msg="ProxyDrop: SMTP App match" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (SMTP-proxy-00)

Application Control identified the application in the mail message that is specified in the log message.

SMTP App match

1BFF0024 INFO Proxy /SMTP

DLP violation found

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25 msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA" sender="[email protected]" recipients="wg@localhost" filename="ssn.docx" (SMTP-proxy-00)

Data Loss Prevention (DLP) detected the rule violation that is specified in the log message.

SMTP DLP violation Found

1BFF0025 INFO Proxy /SMTP

DLP cannot perform scan

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)

Data Loss Prevention (DLP) is unable to scan because of the error specified in the log message.

SMTP cannot perform DLP Scan

1BFF0026 INFO Proxy /SMTP

DLP cannot scan object

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25 msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

Data Loss Prevention (DLP) is unable to extract data from an object because the object is encrypted.

SMTP DLP object unscannable

1BFF0027 INFO Proxy /SMTP

DLP object too large

May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25 msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="DLP scan limit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)

The file requested for Data Loss Prevention (DLP) analysis is larger than the configured limit. The default value varies by platform, from one to five MB. The log specifies the DLP sensor name and error message.

SMTP DLP object too large

1BFF0028 INFO Proxy /SMTP

APT threat detected

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25 msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="ecc59a46b439bdf63b058964e29ace0c" md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)

APT Blocker found the threat specified in the log message in an attached file.

SMTP APT detected

1BFF002A INFO Proxy /SMTP

File submitted to APT analysis server

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.

SMTP File submitted to APT analysis server

1BFF002B INFO Proxy /SMTP

File reported safe from APT hash check

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

APT hash check did not report a threat from the object.

SMTP File reported safe from APT hash check

1BFF002C INFO Proxy /SMTP

Protocol invalid

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465 msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1" (SMTP-proxy-00)

The SMTP proxy detected an invalid TLS protocol.

SMTP invalid TLS protocol

1BFF002D INFO Proxy /SMTP

ContentInspection

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 40742 25msg="ProxyInspect: SMTP content inspection" proxy_act="SMTP-Outgoing.Standard.1" tls_profile="TLS-Client.Standard" tls_version="TLSv1.3"content_inspection="yes" server_ssl="TLS_AES_256_GCM_SHA384" client_ssl="NONE" (SMTP-proxy-00)

The SMTP proxycontent inspectionaction for a secureconnection.

SMTP TLScontentinspection

1CFF0000 INFO Proxy /FTP

User name toolong

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21msg="ProxyDeny:FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1"length="17" (FTP-proxy-00)

The user nameexceeds themaximum lengthspecified in the FTPproxy. The default is64 characters.

FTP username too long

1CFF0001 INFO Proxy /FTP

Password toolong

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21msg="ProxyDeny:FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)

The passwordspecified for the userexceeds themaximum lengthconfigured in the FTPproxy. The defaultmaximum length is 32characters.

FTP userpassword toolong

1CFF0002 INFO Proxy /FTP

File or directoryname too long

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21msg="ProxyDeny:FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)

The file or directoryname exceeds themaximum lengthconfigured in the FTPproxy. The defaultmaximum length is1,024 bytes.

FTP file ordirectory nametoo long


1CFF0003 INFO Proxy / FTP

Command line too long

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21 msg="ProxyDeny:FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)

The command exceeded the maximum length configured in the FTP proxy. The default maximum length is 1,030 characters.

FTP command line too long

1CFF0004 INFO Proxy / FTP

Exceeded maximum allowed login attempts

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21 msg="ProxyDrop:FTP exceeded maximum permitted login attempts" (FTP-proxy-00)

The user exceeded the configured maximum number of allowed failed login attempts per connection. The default limit is 6.

FTP exceeded maximum permitted login attempts

1CFF0005 INFO Proxy / FTP

Command match

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21 msg="ProxyDeny:FTP command match" proxy_act="FTP-Client.2" rule_name="LIST" command="ls" (FTP-proxy-00)

The command matched a configured rule, or the default of no match. For the FTP-server proxy action, the default is to deny any command that does not appear on the list. For the FTP-client proxy action, there is no default restriction on commands. The log message specifies the proxy action, action taken, and the command.

FTP command match


1CFF0006 INFO Proxy / FTP

Download match

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21 msg="ProxyDeny:FTP download match" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)

The file type matched a configured download rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.

FTP download match

1CFF0007 INFO Proxy / FTP

Upload match

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21 msg="ProxyDeny:FTP upload match" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)

The file type matched a configured upload rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.

FTP upload match

1CFF0008 INFO Proxy / FTP

Timeout

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21 msg="ProxyDrop:FTP timeout" proxy_act="FTP-Proxy" (FTP-proxy-00)

The connection exceeded the configured idle time value. The default is 180 seconds.

FTP timeout –

1CFF0009 INFO Proxy / FTP

Invalid request

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21 msg="ProxyDeny:FTP invalid request" proxy_act="FTP-Client.2" reason="No username value provided for USER command" (FTP-proxy-00)

The FTP proxy rejected the command because of a lack of required arguments, such as a user name. The log message specifies the proxy action and command.

FTP invalid request


1CFF000C INFO Proxy / FTP

Request

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21 msg="FTP request" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0" user="testuser" type="download" (FTP-proxy-00)

This log message for the FTP request transaction includes the source and destination IP addresses for the initial connections.

FTP request –

1CFF000D INFO Proxy / FTP

IPS match

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21 msg="ProxyDrop:FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4" signature_name="EXPLOIT FlashGet FTP PWD Command Stack buffer overflow-1" signature_cat="Buffer Over Flow" sig_vers="18.001" (FTP-proxy-00)

Intrusion Prevention Service (IPS) detected a threat. The action configured for an IPS Match will be applied to the traffic. The log message includes the signature ID, threat severity, signature name, and signature category.

FTP IPS match

1CFF000E INFO Proxy / FTP

GAV Virus found

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528 msg="ProxyDrop:FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)

Gateway AntiVirus (GAV) detected a virus or malware in the attachment. The log message specifies the detected virus name and the file name of the attachment.

FTP Virus found

1CFF000F INFO Proxy / FTP

GAV scan error

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485 msg="ProxyDrop:FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)

Gateway AntiVirus (GAV) failed to scan due to the error specified in the log message.

FTP AV scanning error

1CFF0010 INFO Proxy / FTP

Application match

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21 msg="ProxyAllow:FTP App match" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority" app_beh_id="1" sig_vers="18.001" (FTP-proxy-00)

Application Control identified an application in the FTP client request or server response. The log message specifies the proxy action, application control action, action taken, application name and ID, application category and ID, and application behavior name and ID.

FTP App match

1CFF0011 INFO Proxy / FTP

DLP violation found

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611 msg="ProxyDrop:FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)

Data Loss Prevention (DLP) detected a rule violation. The log message specifies the proxy action, the DLP sensor name, DLP rule name, the authenticated user, and the file name. The log message also specifies the source and destination IP addresses and port for the control channel of the FTP session.

FTP DLP violation found


1CFF0012 INFO Proxy / FTP

DLP cannot perform scan

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217 msg="ProxyAllow:FTP cannot perform DLP scan" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP not initialized" file="ssn.docx" (FTP-proxy-00)

Data Loss Prevention (DLP) failed to scan because of the error specified in the log message.

FTP cannot perform DLP scan

1CFF0013 INFO Proxy / FTP

DLP cannot scan object

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974 msg="ProxyAllow:FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test" error="unscannable object (File was encrypted)" authenticated_user="testuser" file="test.zip" (FTP-proxy-00)

Data Loss Prevention (DLP) could not scan and analyze the attachment because it is encrypted. The log message specifies the DLP sensor name, error message, the authenticated user, and the file name.

FTP DLP object unscannable

1CFF0014 INFO Proxy / FTP

DLP object too large

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813 msg="ProxyAllow:FTP DLP object too large" proxy_act="FTP-Client.3" error="DLP scan limit(5242880) exceeded" (FTP-proxy-00)

Data Loss Prevention (DLP) could not analyze the attachment because the file was larger than the configured limit. The limit varies by platform, from one to five MB. The log message specifies the DLP sensor name and error message.

FTP DLP object too large

1CFF0015 INFO Proxy / FTP

APT threat detected

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661 msg="ProxyDrop:FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt" (FTP-proxy-00)

APT Blocker identified a threat. The log message specifies the threat level, threat name, threat class, malicious activities, and file name where the threat was located.

FTP APT detected

1CFF0017 INFO Proxy / FTP

File submitted to APT analysis server

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow:FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

File submitted to APT analysis server for deep threat analysis. A separate log message will appear when the result is retrieved from the APT analysis server.

FTP File submitted to APT analysis server

1CFF0018 INFO Proxy / FTP

File reported safe from APT hash check

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow:FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

APT hash check did not report a threat from the object

FTP File reported safe from APT hash check

1CFF0019 ERROR Proxy / FTP

FTP Bounce Attempt

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21 msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard" bounce_ip="10.0.1.101"

The user attempted an FTP bounce attack by sending a PORT command specifying the IP address of a third party instead of the user's own IP address

FTP Bounce Attempt

1DFF0000 INFO Proxy / DNS

Invalid number of questions

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53 msg="ProxyDeny: DNS invalid number of questions" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The traffic was blocked because the message included an invalid number of questions.

DNS invalid number of questions –

1DFF0001 INFO Proxy / DNS

Query name oversized

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53 msg="ProxyDeny: DNS oversized query name" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS query was blocked because the DNS query name exceeded the allowed buffer size, which varies from 0 kilobytes to 64 kilobytes.

DNS oversized query name

1DFF0002 INFO Proxy / DNS

Query name compressed

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53 msg="ProxyDeny: DNS compressed query name" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS query was blocked because the domain name was compressed.

DNS compressed query name

1DFF0003 INFO Proxy / DNS

Parse error

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS request was blocked because the proxy failed to parse the domain name.

DNS Parse error

1DFF0004 INFO Proxy / DNS

Not Internet CLASS

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53 msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1" query_class="ANY" (DNS-proxy-00)

The DNS query was not Internet CLASS. The log message specifies the action taken and the CLASS.

DNS Not Internet CLASS


1DFF0005 INFO Proxy / DNS

OPcode match

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyDeny: DNS OpCode match" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)

The OpCode matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule, and the OpCode.

DNS OpCode match

1DFF0006 INFO Proxy / DNS

Query type match

Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53 msg="ProxyDeny: DNS query type match" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)

The query type matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule matched, and the query type.

DNS query type match

1DFF0007 INFO Proxy / DNS

Question undersized

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS undersized question" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS query was blocked because the query size was less than the minimum valid size of 17 bytes.

DNS undersized question

1DFF0008 INFO Proxy / DNS

Question oversized

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53 msg="ProxyDeny: DNS oversized question" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS query was blocked because the query size exceeds the maximum allowed size of 271 bytes.

DNS oversized question


1DFF0009 INFO Proxy / DNS

Timeout

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53 msg="ProxyDrop: DNS timeout" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS connection was idle longer than the configured timeout value in the DNS policy.

DNS timeout –

1DFF000A INFO Proxy / DNS

Response answer undersized

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS undersized answer" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS response was blocked because the response size was less than the minimum value of 17 bytes.

DNS undersized answer

1DFF000C INFO Proxy / DNS

Response ID Invalid

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS invalid response" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)

The DNS response was blocked because the response ID did not match the current or previous request ID.

DNS invalid response

1DFF000E INFO Proxy / DNS

Query question match

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53 msg="ProxyDeny: DNS question match" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)

The DNS query name matched a configured rule, or the default rule of no match. The log message specifies the rule matched, action taken, and query name.

DNS question match


1DFF000F INFO Proxy / DNS

Request

Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53 msg="DNS request" proxy_act="DNS-Outgoing.1" query_type="PTR" question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" app_id="61" app_cat_id="9" app_name="DNS" app_cat_name="Network Management" sig_vers="18.001" (DNS-proxy-00)

The DNS request audit log specifies the query type and name.

DNS request –

1DFF0010 INFO Proxy / DNS

IPS match

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53 msg="ProxyDrop:DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS Server Buffer Overflow" signature_cat="Buffer Over Flow" sig_vers="18.001" (DNS-proxy-00)

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, and signature category.

DNS IPS match

1DFF0012 INFO Proxy / DNS

Application match

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyAllow: DNS App match" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (DNS-proxy-00)

Application Control identified the application type from the DNS client query and server response. The log message specifies the application name and ID, the application category name and ID, and the behavior name and ID.

DNS App match

21FF0000 INFO Proxy / POP3

CAPA

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyDeny: POP3 CAPA" keyword="VERF": (POP3-proxy-00)

The CAPA response contained the unknown or blocked capability that is specified in the log message.

POP3 CAPA –

21FF0001 INFO Proxy / POP3

Authentication

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110 msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)

The authentication type matched a rule, or the default rule of no match. The log message specifies the rule name and authentication type.

POP3 AUTH –

21FF0002 INFO Proxy / POP3

Command

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110 msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2" keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)

The client sent an authentication command when it was not allowed.

POP3 command

21FF0005 INFO Proxy / POP3

Header

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)

A POP3 header matched a configured Header rule, or the default rule of no match. The log message specifies the rule and header.

POP3 header –

21FF0006 INFO Proxy / POP3

Content type

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)

A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user name.

POP3 content type


21FF0007 INFO Proxy / POP3

File name

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110 msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)

The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user name.

POP3 filename

21FF0009 INFO Proxy / POP3

Timeout

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180" (POP3-proxy-00)

The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.

POP3 timeout –

21FF000A INFO Proxy / POP3

Request

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="POP3 request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433" user="wg" (POP3-proxy-00)

This audit log message specifies the bytes sent, bytes received, and user.

POP3 request –

21FF000C INFO Proxy / POP3

IPS match

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" sig_vers="18.001" (POP3-proxy-00)

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the action taken, the signature ID, threat severity, signature name, and signature category.

POP3 IPS match


21FF000F INFO Proxy / POP3

GAV Virus found

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg" filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)

Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, user, and file name.

POP3 Virus found

21FF0010 INFO Proxy / POP3

GAV cannot perform scan

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: POP3 Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)

Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.

POP3 cannot perform Gateway AV

21FF0012 INFO Proxy / POP3

Line length too long

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)

A line exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.

POP3 line length too long

21FF0014 INFO Proxy / POP3

Message format

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110 msg="ProxyStrip: POP3 message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)

The message is not in an allowed format. The log message specifies the error and the user.

POP3 message format

21FF0015 INFO Proxy / POP3

Encoding error

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110 msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1" message="invalid b64 characters in input" (POP3-IN-00)

The proxy was unable to decode and encode the message because of the error specified in the log message.

POP3 encoding error


21FF0016 INFO Proxy / POP3

spamBlocker confirmed spam

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110 msg="ProxyReplace: POP3 Classified as confirmed SPAM" (POP3-OUT-00)

spamBlocker classified the message as confirmed SPAM. The log message specifies the sender and recipients.

POP3 Classified as confirmed SPAM

21FF0017 INFO Proxy / POP3

spamBlocker BULK spam

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-IN-00)

spamBlocker classified the message as bulk SPAM. The log message specifies the sender and recipients.

POP3 Classified as suspect SPAM

21FF0018 INFO Proxy / POP3

spamBlocker suspect spam

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-proxy-00)

spamBlocker classified the message as suspect SPAM. The log message specifies the sender and recipients.

POP3 Classified as suspect SPAM

21FF001A INFO Proxy / POP3

spamBlocker exception matched

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110 msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)

The sender for the email matched a spamBlocker exception rule. The log message specifies the sender, recipient, and subject.

POP3 spamBlocker exception was matched

21FF001B INFO Proxy / POP3

spamBlocker not spam

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyAllow: POP3 Classified as not SPAM" (POP3-proxy-00)

spamBlocker classified the message as not SPAM. The log message specifies the sender and recipients.

POP3 Classified as not SPAM –

21FF001C INFO Proxy / POP3

spamBlocker classification unknown

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110 msg="ProxyAllow: POP3 message classification is unknown because an error occurred while classifying" (POP3-OUT-00)

spamBlocker was unable to classify the message because of the error specified in the log message.

POP3 message classification is unknown because an error occurred while classifying

21FF001D INFO Proxy / POP3

Extra pad characters

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)

The POP3 proxy encountered extra pad characters in the body of a base64-encoded message.

POP3 extra pad characters in base64 input

21FF001E INFO Proxy / POP3

Application match

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 App match" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2" app_beh_name="communicate" app_beh_id="2" sig_vers="18.001" (POP3-proxy-00)

Application Control identified the application from the email message. The log specifies the application name and ID, application category and ID, and the application behavior name and ID.

POP3 App match


21FF001F INFO Proxy / POP3

APT threat detected

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110 msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)

APT Blocker found the threat specified in the log message in an attached file.

POP3 APT detected

21FF0021 INFO Proxy / POP3

File submitted to APT analysis server

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.

POP3 File submitted to APT analysis server

21FF0022 INFO Proxy / POP3

File reported safe from APT hash check

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

APT hash check did not report a threat from the object

POP3 File reported safe from APT hash check

22FF0000 INFO Proxy / IMAP

Request

Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow" reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

This audit log message specifies the email message transaction result.

IMAP Request –

22FF0001 INFO Proxy / IMAP

Timeout

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Timeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)

The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.

IMAP Timeout –


22FF0005 INFO Proxy /IMAP

Content Type Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1"rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg"auth_method="plain" (IMAP-proxy-00)

A MIME-typematched a configuredcontent type rule, orthe default rule of nomatch. The logmessage specifiesthe rule, MIME-type,and user-relatedinformation.

IMAP ContentType

22FF0006 INFO Proxy / IMAP
Name: Filename
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143 msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc" attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)
Description: The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user-related information.
Format: IMAP Filename

22FF0008 INFO Proxy / IMAP
Name: Virus Found
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1" virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, file name, and user-related information.
Format: IMAP Virus Found

22FF0009 INFO Proxy / IMAP
Name: Cannot Perform Gateway AV Scan
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message
Format: IMAP Cannot Perform Gateway AV Scan


22FF000A INFO Proxy / IMAP
Name: APT detected
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1" filename="lastline-demo-sample.exe" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: APT Blocker found the threat specified in the log message in an attached file.
Format: IMAP APT detected

22FF000C INFO Proxy / IMAP
Name: File Submitted to APT analysis server
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.
Format: IMAP File Submitted to APT analysis server

22FF000D INFO Proxy / IMAP
Name: File reported safe from APT hash check
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: APT hash check did not report a threat from the object.
Format: IMAP File reported safe from APT hash check

22FF000E INFO Proxy / IMAP
Name: spamBlocker confirmed spam
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: spamBlocker classified the message as confirmed SPAM. The log message specifies the user-related information
Format: IMAP Classified as confirmed SPAM


22FF000F INFO Proxy / IMAP
Name: spamBlocker bulk mail
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: spamBlocker classified the message as bulk mail. The log message specifies the user-related information
Format: IMAP Classified as bulk mail

22FF0010 INFO Proxy / IMAP
Name: spamBlocker suspect spam
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: spamBlocker classified the message as suspect SPAM. The log message specifies the user-related information
Format: IMAP Classified as suspect SPAM

22FF0012 INFO Proxy / IMAP
Name: spamBlocker exception matched
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: The sender for the email matched a spamBlocker exception rule. The log message specifies the rule and user-related information.
Format: IMAP spamBlocker exception was matched

22FF0013 INFO Proxy / IMAP
Name: spamBlocker not spam
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: spamBlocker classified the message as not SPAM. The log message specifies the user-related information.
Format: IMAP Classified as not SPAM


22FF0014 INFO Proxy / IMAP
Name: spamBlocker not spam
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message classification is unknown because an error occurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: spamBlocker was unable to classify the message because of the error specified in the log message. The log message specifies the user-related information.
Format: IMAP Message classification is unknown because an error occurred while classifying

22FF0015 INFO Proxy / IMAP
Name: GAV file too large
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan size limit" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: The attachment file size exceeds the Gateway AV scan size limit.
Format: IMAP Gateway AV object too large

22FF0016 INFO Proxy / IMAP
Name: GAV file encrypted
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)" proxy_act="IMAP-Client.OUT" attachment="password-protected.zip" error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)
Description: The attachment file is encrypted or password-protected.
Format: Gateway AV object encrypted (password-protected)
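The IMAP rows above share one layout: eight positional fields, then key="value" pairs, then the policy name in parentheses. The following added example (not WatchGuard code) parses that layout and lists Allow-disposition events where Gateway AV found a virus or did not scan the object. The category names are hypothetical, and the sample lines are the catalog's own examples with field spacing restored.

```python
import re

# Positional fields that open every proxy traffic example in the catalog:
# disposition, in/out interface, protocol, src IP, dst IP, src port, dst port.
HEADER = re.compile(
    r'^(?P<disposition>Allow|Deny)\s+(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+'
    r'(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<rest>.*)$'
)
# key="value" pairs; keys such as To-header contain '-', values may hold \x escapes.
PAIR = re.compile(r'([A-Za-z_][\w.-]*)="((?:[^"\\]|\\.)*)"')
# Trailing "(policy)" token such as (IMAP-proxy-00).
POLICY = re.compile(r'\(([^()]+)\)\s*$')

# Hypothetical triage categories, keyed on msg text shown in the catalog rows.
RULES = [
    ("virus_found", "Virus Found"),
    ("gav_scan_failed", "Cannot Perform Gateway AV Scan"),
    ("gav_not_scanned", "Gateway AV object"),  # too large or password-protected
]

# Catalog examples for 22FF0000, 22FF0008, 22FF0009, 22FF0015, 22FF0016 and
# 22FF0001, with the spaces between fields restored.
SAMPLES = [
    'Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 '
    'msg="IMAP Request" proxy_act="IMAP-Client.Standard.1" email_len="652" '
    'action="allow" reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 '
    'msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1" '
    'virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 '
    'msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" '
    'proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" '
    'user="wg" (IMAP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 '
    'msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" '
    'attachment="large_file.doc" error="File exceeding the scan size limit" '
    'mbx="INBOX" user="wg" (IMAP-proxy-00)',
    'Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 '
    'msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)" '
    'proxy_act="IMAP-Client.OUT" attachment="password-protected.zip" '
    'error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)',
    'Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 '
    'msg="IMAP Timeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)',
]


def parse_proxy_log(line):
    """Return a dict for one proxy traffic message, or None if it does not fit."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    pol = POLICY.search(rest)
    rec["policy"] = pol.group(1) if pol else None
    fields = dict(PAIR.findall(rest))
    # msg is either "ProxyXxx: text" or just "text" (e.g. "IMAP Request").
    msg = fields.pop("msg", "")
    action, sep, text = msg.partition(": ")
    rec["proxy_action"] = action if sep else None
    rec["msg"] = text if sep else msg
    rec["fields"] = fields
    return rec


def triage(lines):
    """List allowed events where mail passed with a virus or without a GAV scan."""
    findings = []
    for line in lines:
        rec = parse_proxy_log(line)
        if rec is None or rec["disposition"] != "Allow":
            continue
        for category, marker in RULES:
            if marker in rec["msg"]:
                f = rec["fields"]
                findings.append({
                    "category": category,
                    "user": f.get("user"),
                    "mbx": f.get("mbx"),
                    "object": f.get("attachment") or f.get("virus"),
                    "detail": f.get("error"),
                    "policy": rec["policy"],
                })
                break
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```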

22FF1017 INFO Proxy / IMAP
Name: Protocol invalid
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)
Description: The IMAP proxy detected invalid TLS protocol.
Format: IMAP invalid TLS protocol

22FF1018 INFO Proxy / IMAP
Name: Content Inspection
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)
Description: The IMAP proxy content inspection action for a secure connection.
Format: IMAP TLS content inspection

28FF0000 INFO Proxy / SIP
Name: Timeout
Log Message Example: Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP timeout" (SIP-ALG-00)
Description: The connection was idle for longer than the configured timeout value. The default value is 180 seconds.
Format: SIP timeout
Message Variables: –


28FF0004 INFO Proxy / SIP
Name: Request
Log Message Example: Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="SIP request" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_to="192.168.53.143" (SIP-ALG-00)
Description: The log message specifies the source and destination of the allowed call.
Format: SIP request
Message Variables: –

28FF0005 INFO Proxy / SIP
Name: Codec
Log Message Example: Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)
Description: The codec is allowed or denied based on the setting for Denied Codecs in the SIP policy.
Format: SIP codec
Message Variables: –

28FF0006 INFO Proxy / SIP
Name: Access control
Log Message Example: Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" From-header="[email protected]" (SIP-ALG-00)
Description: The header address is allowed or denied based on the Access Control settings. The log message specifies the action taken, header and message ID.
Format: SIP Access control

28FF0008 INFO Proxy / SIP
Name: IPS match
Log Message Example: Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDP Header Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow" sig_vers="18.001" (SIP-ALG-00)
Description: Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name and URI path.
Format: SIP IPS match
Message Variables: –


28FF0009 INFO Proxy / SIP
Name: Application match
Log Message Example: Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060 msg="ProxyDrop: SIP Appmatch" proxy_act="SIP-Client.1" app_id="12" app_name="SIP" app_beh_name="communicate" sig_vers="18.001" (SIP-ALG-00)
Description: Application Control identified an application from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
Format: SIP Appmatch

2AFF0000 INFO Proxy / H.323
Name: Timeout
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720 msg="ProxyDrop: H323 timeout" proxy_act="H.323-Client.1" (H323-ALG-00)
Description: The connection was idle longer than the configured timeout value. The default value is 180 seconds.
Format: H323 timeout
Message Variables: –

2AFF0001 INFO Proxy / H.323
Name: Request
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720 msg="H323 request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)
Description: This log message specifies the IP addresses for the completed H323 call.
Format: H323 request
Message Variables: –

2AFF0002 INFO Proxy / H.323
Name: Codec
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720 msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)" (H323-ALG-00)
Description: The media codec is denied because it matched a configured Denied Codec. The log message specifies the codec.
Format: H323 codec
Message Variables: –


2AFF0003 INFO Proxy / H.323
Name: Access control
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720 msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" To-header="192.168.53.143" (H323-ALG-00)
Description: The header address is allowed or denied because it matches an Access Control rule configured in the H323 policy. The log message specifies the address.
Format: H323 Access control

2AFF0006 INFO Proxy / H.323
Name: IPS match
Log Message Example: Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230 msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk Invalid RTP Payload Type Number Memory Corruption" signature_cat="Access Control" sig_vers="18.001" (H323-ALG-00)
Description: Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name, and URI path.
Format: H323 IPS match

2AFF0007 INFO Proxy / H.323
Name: Application match
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230 msg="ProxyDrop: H323 Appmatch" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (H323-ALG-00)
Description: Application Control detected an application type from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
Format: H323 Appmatch


2CFF0000 INFO Proxy / HTTPS
Name: Request
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443 msg="HTTPS Request" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US" cert_subject="CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US" action="allow" (HTTPS-proxy-00)
Description: HTTPS transaction log includes server name, certificate details and action taken.
Format: HTTPS Request

2CFF0001 INFO Proxy / HTTPS
Name: WebBlocker Request categories
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443 msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1" service="Def" cats="Search Engines and Portals" dstname="www.google.com" (HTTPS-proxy-00)
Description: WebBlocker identified the category for a web request. The log message specifies the category and host name.
Format: HTTPS Request categories

2CFF0002 INFO Proxy / HTTPS
Name: WebBlocker service unavailable
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443 msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1" error="Webblocker server is not available" service="Def" cats="" dstname="www.google.com" (HTTPS-proxy-00)
Description: WebBlocker failed because a WebBlocker Server was not available.
Format: HTTPS service unavailable

2CFF0003 INFO Proxy / HTTPS
Name: Domain name match
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyAllow: HTTPS domain name match" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn="" ipaddress="173.194.33.176" (HTTPS-proxy-00)
Description: This rule log includes the matched rule name or default rule of no match and the patterns it has been matched against.
Format: HTTPS domain name match

2CFF0005 INFO Proxy / HTTPS
Name: IPS Match
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyDrop: HTTPS IPS Match" proxy_act="HTTPS-Client.Standard.3""signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" sig_vers="18.001" (HTTPS-proxy-00)
Description: Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.
Format: HTTPS IPS Match

2CFF0006 INFO Proxy / HTTPS
Name: HTTPS App Match
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyDrop: HTTPS AppMatch" proxy_act="HTTPS-Client.Standard.3" app_cat_name="Network Protocols(3)" app_cat_id="19" app_name="HTTP Protocol over TLS SSL" app_id="94" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (HTTPS-proxy-00)
Description: Application Control identified the application type from the HTTPS proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.
Format: HTTPS APP Match

2CFF0007 INFO Proxy / HTTPS
Name: Protocol invalid
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443 msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1" version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99" (HTTPS-proxy-00)
Description: The HTTPS proxy detected an invalid SSL version.
Format: HTTPS invalid protocol

2CFF0008 INFO Proxy / HTTPS
Name: Timeout
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443 msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)
Description: The HTTPS connection was idle longer than the timeout value configured in the HTTPS policy. The default is 180 seconds.
Format: HTTPS timeout

2CFF0009 INFO Proxy / HTTPS
Name: Content inspection
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)
Description: The HTTPS traffic was directed to a different proxy action because of the Content Inspection settings in the HTTPS proxy. The log message specifies the new proxy action used for content inspection, as well as the TLS ciphers used for the server and client.
Format: HTTPS content inspection
Message Variables: –

2CFF000A INFO Proxy / HTTPS
Name: HTTPS content inspection exception rule match
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyAllow: content inspection exception list match" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" exception_rule="allow google" action="allow" (HTTPS-proxy-00)
Description: The HTTPS connection matches the content inspection exception rule and the defined action is taken.
Format: HTTPS exception rule match

2DFF0000 INFO Proxy / TCP-UDP
Name: Request
Log Message Example: Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80 msg="IP Request" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)
Description: TCP-UDP transaction log for the traffic that is configured to allow or deny.
Format: IP Request
Message Variables: –


2DFF0001 INFO Proxy / TCP-UDP
Name: IPS match
Log Message Example: Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80 msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1" signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" sig_vers="18.001" (TCP-UDP-proxy-00)
Description: Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.
Format: IP IPS match
Message Variables: –

2DFF0004 INFO Proxy / TCP-UDP
Name: Protocol
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80 msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)
Description: The TCP-UDP proxy recognized the protocol. The log message specifies the action taken, and the rule name.
Format: IP protocol
Message Variables: –

2DFF0005 INFO Proxy / TCP-UDP
Name: Application match
Log Message Example: Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53 msg="ProxyAllow: IP Appmatch" proxy_act="TCP-UDP-Proxy.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (TCP-UDP-proxy-00)
Description: Application Control identified the application type from the TCP-UDP proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.
Format: IP Appmatch
Message Variables: –


2DFF0006 INFO Proxy / TCP-UDP
Name: DNSWatch content filtered domain
Log Message Example: Allow 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 60180 23 msg="ProxyAllow: IP DNSWatch blackholed domain" proxy_act="TCP-UDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDP-proxy-00)
Description: The DNSWatch DNS server returned the blackhole server IP address for the name resolution of the requested domain. The TCP-UDP proxy acknowledges the blackhole server IP address and generates the log for the client request.
Format: IP DNSWatch blackholed domain

2DFF0007 INFO Proxy / TCP-UDP
Name: DNSWatch content filtered domain
Log Message Example: Deny 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 60180 23 msg="ProxyAllow: IP DNSWatch content filtered domain" proxy_act="TCP-UDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDP-proxy-00)
Description: The DNSWatch DNS server returned the filterhole server IP address for the name resolution of the requested domain from the content filtered domain configuration. The TCP-UDP proxy acknowledges the filterhole server IP address and generates the log for the client request.
Format: IP DNSWatch content filtered domain


Management Log Messages

Management log messages are generated for activity on your Firebox. This includes when changes are made to the device configuration and Device Management user accounts, for user authentication to the Firebox, and actions related to LiveSecurity and system settings.

Diagnostic

Management log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

5501000C INFO Management / System
Name: Device restore failed
Log Message Example: Device auto restore from USB drive image failed due to USB drive not found
Description: Device auto restore from a specific image in a USB drive disc or normal restore from a normal image failed
Format: Device %s restore from %s image failed due to %s
Message Variables: Device ${restore_type} restore from ${image_source} image failed for ${reason}

5501000D INFO Management / System
Name: Creating USB auto restore image failed
Log Message Example: Creation of USB auto restore image failed due to no USB drive
Description: –
Format: Creation of USB auto restore image failed due to %s
Message Variables: Creation of USB auto restore image failed: ${reason}

55010010 INFO Management / System
Name: USB drive format
Log Message Example: USB drive format operation was successful
Description: –
Format: USB drive format operation was %s
Message Variables: USB drive format ${result}

55010014 INFO Management / System
Name: Generate system diagnostic file failed
Log Message Example: Generate system diagnostic file to USB drive failed
Description: –
Format: Generate system diagnostic file to %s failed
Message Variables: Generate system diagnostic file to ${device} failed

55010015 INFO Management / System
Name: Periodic support snapshot is enabled
Log Message Example: System periodic support snapshot is enabled
Description: –
Format: System periodic support snapshot is enabled
Message Variables: –

55010017 INFO Management / System
Name: Generate system diagnostic successfully
Log Message Example: Exported system diagnostic file to server successfully
Description: –
Format: Exported system diagnostic file to %s successfully
Message Variables: Generate system diagnostic file to ${device} successfully

55010018 INFO Management / System
Name: Reset to the default configuration failed
Log Message Example: Reset to the default configuration failed when the device was rebooted.
Description: The default configuration settings were not restored after a system reset.
Format: Reset to the default configuration failed when the device was rebooted.

5501001B INFO Management / System
Name: System backup failed
Log Message Example: System backup to USB drive failed due to write file to USB drive error
Description: –
Format: System backup %s failed due to %s.
Message Variables: System backup ${dest device} failed: ${reason}

5501001C INFO Management / System
Name: USB auto restore failed reason
Log Message Example: USB auto restore failed due to not detect the USB drive
Description: –
Format: USB auto restore failed due to %s
Message Variables: USB auto restore failed for ${reason}


Event

Management log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

01010001 INFO Management / Configuration
Name: Device configuration change
Log Message Example: Management user admin@Firebox-DB from 10.139.36.22 {modified | added | deleted } Blocked Sites Exceptions
Description: The device configuration has been changed.
Format: Management user %s@%s from %s %s %s %s
Message Variables: Management user ${user}@${domain} from ${ipaddr} ${operation} ${subsystem} ${object}

01010002 INFO Management / Configuration
Name: Administrative accounts reset to default
Log Message Example: Administrative accounts were reset to the default settings
Description: The administrative accounts were returned to the default settings. This could be because the system is in safe mode, or because of a corrupted administrative account file.
Format: Administrative accounts were reset to the default settings

01020001 INFO Management / Configuration
Name: Feature key added
Log Message Example: admin added feature key '883B25CCF32949EE'
Description: An administrator added a feature key. The log message specifies the feature key ID.
Format: %s added feature key '%s'
Message Variables: –

01020002 INFO Management / Configuration
Name: Feature key removed
Log Message Example: admin removed feature key '883B25CCF32949EE'
Description: An administrator has removed a feature key. The log message specifies the feature key ID.
Format: %s removed feature key '%s'
Message Variables: –

01020003 WARN Management / Configuration
Name: Feature expired
Log Message Example: 'LIVESECURITY' feature expired. Contact WatchGuard to renew your subscription.
Description: –
Format: '%s' feature expired. Contact WatchGuard to renew your subscription.

01020005 INFO Management / Configuration
Name: Feature expiration reminder
Log Message Example: 'LIVESECURITY' feature will expire in 90 days.
Description: A feature will soon expire. The log message specifies the feature and the number of days until it expires.
Format: '%s' feature will expire in %d days.
Message Variables: –


01040001 INFO Management / Configuration
Name: Default device settings in use for safe mode
Log Message Example: Device default configuration was loaded in safe mode
Description: The device configuration was reset to the default settings because the device is in safe mode.
Format: Device default configuration was loaded in safe mode

01050001 INFO Management / Configuration
Name: Moved the policy to new position
Log Message Example: Moved Ping policy from position 2 to 6
Description: When the policy order is changed, a move operation moves the policies.
Format: Moved %s policy from position %d to %d
Message Variables: Moved ${policy name} from ${old position} to ${new position}

11000003 INFO Management / Authentication
Name: Authentication server unavailable
Log Message Example: Authentication server 192.168.1.1:389 is not responding
Description: The external authentication server is not available.
Format: Authentication server %s:%d is not responding

11000004 INFO Management / Authentication
Name: User authentication succeeded
Log Message Example: Authentication of firewall user [user1@Firebox-DB] from 198.51.100.2 was accepted
Description: The user successfully authenticated. The log message specifies whether this is an administrative user, a firewall user, or another type of user.
Format: Authentication of %s user [%s@%s] from %s was accepted
Message Variables: Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ipaddr} was accepted.

11000005 WARN Management / Authentication
Name: User authentication failed
Log Message Example: Authentication of Firewall user [test@RADIUS] from 10.0.1.2 was rejected, received an Access-Reject response from the RADIUS server
Description: User authentication failed. The log message specifies the reason.
Format: Authentication of %s user [%s@%s] from %s was rejected, %s
Message Variables: Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ip_addr} was rejected, ${reason}

11000006 INFO Management / Authentication
Name: User unlock
Log Message Example: User test is unlocked automatically
Description: It indicates a user unlock and how he/she is unlocked
Format: User %s is unlocked %s
Message Variables: User ${name} is unlocked ${how}

11000007 WARN Management / Authentication
Name: user lock
Log Message Example: User test is locked out briefly after 3 login failures
Description: It indicates a user lockout and how and why he/she is locked out
Format: User %s is locked out %s after %d login failures
Message Variables: User ${name} is locked out ${lockout_type} after ${failure_count} login failures

11000008 WARN Management / Authentication
Name: BOVPN TLS client authentication failed
Log Message Example: Authentication of BOVPN TLS client [EasternOffice] from 198.51.100.2 was rejected, pre-shared key is incorrect
Description: BOVPN TLS client authentication failed. The log message specifies the reason.
Format: Authentication of BOVPN TLS client [%s] from %s was rejected, %s
Message Variables: Authentication of BOVPN TLS client [${client_name}] from ${ip_addr} was rejected, ${reason}
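The Message Variables column gives each management message as a template with named ${...} placeholders. The following added example (not WatchGuard code) compiles the templates for 11000004, 11000005, 11000007 and 11000008 into named-group patterns, then counts rejected logins per source address and lists lockouts. The function names are hypothetical, and the sample messages are the catalog examples plus one constructed line.

```python
import re
from collections import Counter

# Message Variables templates from the catalog rows above, keyed by the ID column.
TEMPLATES = {
    "11000004": "Authentication of ${user_type} user [${user_name}@${auth_server}] "
                "from ${ipaddr} was accepted.",
    "11000005": "Authentication of ${user_type} user [${user_name}@${auth_server}] "
                "from ${ip_addr} was rejected, ${reason}",
    "11000007": "User ${name} is locked out ${lockout_type} after "
                "${failure_count} login failures",
    "11000008": "Authentication of BOVPN TLS client [${client_name}] "
                "from ${ip_addr} was rejected, ${reason}",
}

VAR = re.compile(r'\$\{([^}]+)\}')


def compile_template(template):
    """Turn a ${name} template into an anchored regex with one named group per variable."""
    # The 11000004 template ends in '.', its example does not: make the dot optional.
    template = template.rstrip(".")
    out, pos = [], 0
    for m in VAR.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        # Catalog names such as "${policy name}" contain spaces; make them identifiers.
        name = re.sub(r'\W+', '_', m.group(1).strip())
        out.append('(?P<%s>.+?)' % name)
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile('^' + ''.join(out) + r'\.?$')


PATTERNS = {msg_id: compile_template(t) for msg_id, t in TEMPLATES.items()}


def classify(message):
    """Return (catalog ID, extracted variables) or (None, {}) if no template fits."""
    for msg_id, pattern in PATTERNS.items():
        m = pattern.match(message.strip())
        if m:
            return msg_id, m.groupdict()
    return None, {}


def summarize(messages):
    """Count rejected authentications per source address and collect lockouts."""
    rejected, locked = Counter(), []
    for message in messages:
        msg_id, f = classify(message)
        if msg_id in ("11000005", "11000008"):
            rejected[f["ip_addr"]] += 1
        elif msg_id == "11000007":
            locked.append((f["name"], int(f["failure_count"])))
    return rejected, locked


# Catalog examples, plus one constructed line (the "alice" entry).
SAMPLES = [
    "Authentication of Firewall user [test@RADIUS] from 10.0.1.2 was rejected, "
    "received an Access-Reject response from the RADIUS server",
    "Authentication of Firewall user [alice@RADIUS] from 10.0.1.2 was rejected, "
    "received an Access-Reject response from the RADIUS server",   # constructed
    "User test is locked out briefly after 3 login failures",
    "Authentication of BOVPN TLS client [EasternOffice] from 198.51.100.2 was "
    "rejected, pre-shared key is incorrect",
    "Authentication of firewall user [user1@Firebox-DB] from 198.51.100.2 was accepted",
    "Firebox connected to the SSO agent at 10.0.1.25 successfully.",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

The catalog names the address variable `${ipaddr}` in 11000004 and `${ip_addr}` in 11000005, so code that correlates accepted and rejected logins has to read both keys. User names come from the client, so validate extracted values before acting on them.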

1100000C WARN Management / Authentication
Name: Authentication error
Log Message Example: Authentication error. Domain not found for user1.
Description: Authentication failed. The log message specifies the reason.
Format: Authentication error. %s for %s.
Message Variables: Authentication error. ${error} for ${user_name}.

1100000D WARN Management / Authentication
Name: Authentication server unavailable
Log Message Example: Authentication of user [[email protected]] failed. Both primary and secondary servers are unavailable.
Description: Authentication failed because both the primary and secondary authentication servers are unavailable.
Format: Authentication of user [%s@%s] failed. Both primary and secondary servers are unavailable.

1100000E WARN Management / Authentication
Name: Unsupported RADIUS method
Log Message Example: Authentication of firewall user [user1@RADIUS] failed. RADIUS authentication method MSCHAP_V1 is not supported.
Description: Authentication failed because the specified RADIUS method is not supported.
Format: Authentication of %s user [%s@%s] failed. RADIUS authentication method %s is not supported.

1100000F WARN Management / Authentication
Name: Groups maximum reached
Log Message Example: The maximum number of groups (31) has been reached
Description: Authentication failed because the maximum number of groups has been reached.
Format: The maximum number of groups (%d) has been reached

11000010 INFO Management / Authentication
Name: Firebox connected to SSO agent
Log Message Example: Firebox connected to the SSO agent at 10.0.1.25 successfully.
Description: Firebox connected to the SSO agent successfully
Format: Firebox connected to the SSO agent at %s successfully.

11000011 INFO Management / Authentication
Name: Firebox closed the connection
Log Message Example: Firebox closed the connection to the SSO agent at 10.0.1.25.
Description: Firebox closed the connection to the SSO agent.
Format: Firebox closed the connection to the SSO agent at %s.

11000012 INFO Management / Authentication
Name: Firebox failed to connect to the SSO agent
Log Message Example: Firebox failed to connect to the SSO agent at 10.0.1.25. Reason: timeout.
Description: Firebox failed to connect to the SSO agent.
Format: Firebox failed to connect to the SSO agent at %s. Reason: %s.

11000013 INFO Management / Authentication
Name: Successful SSO agent failover
Log Message Example: SSO Agent failover from 10.0.1.25 to 10.0.1.26 was successful.
Description: Successful SSO agent failover.
Format: SSO Agent failover from %s to %s was successful.


11000014 INFO Management / Authentication

Unsuccessful SSO failover

SSO agent failover from 10.0.1.25 to 10.0.1.26 failed. Reason: incompatible SSO agent version.

Unsuccessful SSO failover.

SSO agent failover from %s to %s failed. Reason: %s.

11000015 INFO Management / Authentication

Logon Disclaimer configuration change

Logon Disclaimer was enabled

The configuration of Logon Disclaimer was changed when Firebox is on CSFC mode.

%s %s

–

15000000 INFO Management / Management Client

Device configuration update with audit trail

The configuration file and feature key for the device were successfully updated after a request from admin from the Management Server at 10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcp segment.

The updated configuration file was successfully sent to the device from the specified Management Server. The log message indicates if the feature key was updated. The log message might also specify the revision ID and includes comments about the update.

The configuration file%s for the device%s successfully updated after a request from %s from the Management Server at %s.%s%s%s%s.

15000001 INFO Management / Management Client

Device configuration update

Device configuration file was successfully updated. Configuration file retrieved from the Management Server at 10.139.44.88.

The device retrieved an updated configuration file from the specified Management Server. The log message also indicates if device retrieved a feature key.

Device configuration file%s successfully updated. Configuration file retrieved from the Management Server at %s.

15010000 INFO Management / Management Client

IPSec certificate import

The IPSec certificate was successfully imported from the Management Server at 10.139.44.88.

The IPsec certificate was successfully imported from the specified Management Server.

The IPSec certificate was successfully imported from the Management Server at %s.

15010001 INFO Management / Management Client

Management Server CA certificate import

The Management Server CA certificate was successfully imported from the Management Server at 10.139.44.88.

The Management Server CA certificate was successfully imported from the specified Management Server.

The Management Server CA certificate was successfully imported from the Management Server at %s.

3D040001 INFO Management / Logging

Primary Log Server connected

Connected to the primary Log Server at 198.51.100.0

The device successfully connected to the WatchGuard Log Server designated as the primary server.

Connected to the primary Log Server at %s

3D040002 INFO Management / Logging

Backup Log Server connected

Connected to the backup Log Server at 198.51.100.0

The device successfully connected to the WatchGuard Log Server designated as the backup server.

Connected to the backup Log Server at %s

3D040003 INFO Management / Logging

Add/Remove syslog server

Deleted syslog server : 3.3.3.3

Log the event when add/remove syslog server

%s

–

3E000002 INFO Management / Accounting

User login succeeded

Management user admin from 10.0.1.2 logged in

A user successfully logged in. The log message specifies the user type, user name, and IP address.

%s %s%s%s from %s logged in%s%s%s%s

${user_type} ${user_name}${auth_server} from {ipaddr} logged in${virtual_ip} ${msg}

3E000003 WARN Management / Accounting

User login failed

Management user admin from 10.0.1.2 log in attempt was rejected.

A user log in attempt failed. The log message specifies the user type, user name, IP address, and the failure reason, if available.

%s %s%s%s from %s log in attempt was rejected%s%s%s%s

${user_type} ${user_name}${auth_server} from {ipaddr} rejected ${virtual_ip} ${msg}

3E000004 INFO Management / Accounting

User logout

Management user admin from 10.0.1.2 logged out

A user successfully logged out. The log message specifies the user type, user name, and IP address.

%s %s%s%s from %s logged out%s%s%s%s

${user_type} ${user_name}${auth_server} from {ipaddr} logged out${virtual_ip} ${msg}

3E000005 INFO Management / Accounting

Property change

Updated the value of the management session idle timeout from 3600 seconds to 7200 seconds

Config changed. The log message specifies the name of the property, the old and new value.

Updated the value of %s from %ld%s to %ld%s.

Updated the value of ${property name} from ${old value} ${unit} to ${new value} ${unit}

40010001 INFO Management / Certificate

CA certificate updated successfully

CA certificate updated successfully to version 1.3.

The CA certificate updated successfully to the specified new version.

CA certificate updated successfully to version %s.

CA certificate updated successfully to version ${new CA version number}.

40010002 ERROR Management / Certificate

CA certificate updated failed

CA certificate update failed. Current CA certificate version: 1.2.

CA certificate updated failed.

CA certificate update failed. Current CA certificate version: %s.

CA certificate update failed. Current CA certificate version: ${current CA version number}.

40010003 INFO Management / Certificate

Certificate not valid yet

Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is not valid.

Certificate not valid yet

Certificate (subject=%s) is not valid.

Certificate (subject=${certificate subject}) is not valid.

40010004 INFO Management / Certificate

Certificate expired

Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is expired.

Certificate expired

Certificate (subject=%s) is expired.

Certificate (subject=${certificate subject}) is expired.

40010005 INFO Management / Certificate

Certificate revoked

Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is revoked.

Certificate revoked

Certificate (subject=%s) is revoked.

Certificate (subject=${certificate subject}) is revoked.

40010006 INFO Management / Certificate

Generated/imported certificate signing request

Generated certificate signing request CN=test2, O=wgti2.net, C=US

Generated Certificate signing request or imported certificate signed with csr

%s certificate%s%s. >%s certificate%s%s

41000001 INFO Management / LiveSecurity

RapidDeploy succeeded

RapidDeploy package was applied successfully

The RapidDeploy package from the LiveSecurity service was successfully applied to the device.

RapidDeploy package was applied successfully

41000002 ERROR Management / LiveSecurity

RapidDeploy failed

RapidDeploy package was not applied: Cannot find result.xml

The RapidDeploy package was not applied to the device. The log message specifies the reason.

RapidDeploy package was not applied: %s

RapidDeploy failed: ${reason}

41000003 INFO Management / LiveSecurity

New RSS feed update succeeded

New RSS feed from LiveSecurity Service was updated

New RSS feed from the LiveSecurity Service was updated.

New RSS feed from LiveSecurity Service was updated

41000004 ERROR Management / LiveSecurity

New RSS feed update failed

New RSS feed from LiveSecurity Service was not updated: error retrieving response from server

New RSS feed from the LiveSecurity Service failed to update.

New RSS feed from LiveSecurity Service was not updated: %s

41000005 INFO Management / LiveSecurity

Feature key download succeeded

Feature key from LiveSecurity Service was received

The feature key for the device was successfully downloaded from the LiveSecurity Service.

Feature key from LiveSecurity Service was received

41000006 ERROR Management / LiveSecurity

Feature key download failed

Feature key from LiveSecurity Service was not received: error parsing response from LiveSecurity service

The feature key could not be downloaded from the LiveSecurity Service. The log message specifies the reason.

Feature key from LiveSecurity Service was not received: %s

41000007 INFO Management / LiveSecurity

Wireless country specification update succeeded

Wireless country specification was updated

The wireless country specification was successfully updated from the LiveSecurity service.

Wireless country specification was updated

41000008 ERROR Management / LiveSecurity

Wireless country specification update failed

Wireless country specification from LiveSecurity Service was not received: received error code <n> from LSS

The wireless country specification could not be downloaded from the LiveSecurity service. The log message specifies the failure reason and the number of retries.

Wireless country specification from LiveSecurity Service was not received: %s, (retry_count=%d)

41010001 INFO Management / LiveSecurity

RapidDeploy configuration from USB succeeded

RapidDeploy configuration from a USB drive was applied successfully

The RapidDeploy configuration was successfully applied from a USB drive.

RapidDeploy configuration from a USB drive was applied successfully

–

41010002 ERROR Management / LiveSecurity

RapidDeploy configuration from USB failed

RapidDeploy configuration from a USB drive was not applied: config line missing

The RapidDeploy configuration was not successfully applied from a USB drive. The log message specifies the reason.

RapidDeploy configuration from a USB drive was not applied: %s

50000001 WARN Management / Web Service

User login failed (wgagent)

WSM User status from 10.0.1.2 log in attempt was rejected - Invalid credentials.

A user log in attempt failed. The log message specifies the UI type, User Name, IP address, and (if available) the failure reason.

%s %s@%s from %s log in attempt was rejected -%s.

%{ui_type} ${user_name}@${auth_server} from ${ipaddr} log in attempt was rejected ${msg}.

55010000 INFO Management / System

Bootup time

System boot up at 2000-01-01 00:00:01

–

System boot up at %s

System boot up at ${time}

55010002 ERROR Management / System

LIVESECURITY feature not found

Valid 'LIVESECURITY' feature not found

–

Valid 'LIVESECURITY' feature not found

55010003 ERROR Management / System

LIVESECURITY expired

'LIVESECURITY' feature expired (Tue May 14 12:25:00 2013) prior to package release date (Wed May 15 01:00:00 2013)

'LIVESECURITY' feature expired (%s) prior to package release date (%s)

'LIVESECURITY' feature expired (${expiration time}) prior to package release date (${package release time})

55010004 INFO Management / System

Shutdown

Shutdown requested by system

–

Shutdown requested by system

–

55010005 INFO Management / System

Reboot

System is rebooting

–

System is rebooting

–

55010006 INFO Management / System

Upgrade succeeded

System upgrade to 11.9 successful, system needs to reboot

–

System upgrade to %s successful,%s

System upgrade to ${software version} successful ${box need reboot or not}

55010007 INFO Management / System

Automatic reboot

System is automatically rebooting at 12:09

–

System is automatically rebooting at %d:%d

System is automatically rebooting at ${hour}:${second}

55010008 INFO Management / System

Time change

System time changed from 2012-10-5 12:30:15 to 2012-10-6 14:10:00

–

System time changed from %s to %s

System time changed from ${old value} to ${new value}

5501000B INFO Management / System

Device restore

Device auto restore from USB drive image initiated, reboot needed

Device was restored from a saved backup image. The backup image was either auto restored from a USB drive or restored from another location.

Device %s restore from %s image initiated%s

Device ${restore_type} restore from ${image_source} image initiated${reboot_option}

55010013 INFO Management / System

USB auto restore started

USB auto restore started

–

USB auto restore started

–

55010016 INFO Management / System

Feature expiration reminder

'LIVESECURITY' feature will expire on Sat., Jan 5, 11:27:23 CST 2013.

–

'LIVESECURITY' feature will expire on %s

'LIVESECURITY' feature will expire on ${expiration time}

55010019 WARN Management / System

Configuration reset failed during a downgrade

During a system downgrade, the configuration reset failed

–

During a system downgrade, the configuration reset failed

5501001A WARN Management / System

Upgrade failed

System upgrade failed: 'LIVESECURITY' feature expired

–

System upgrade failed: %s

System upgrade failed: ${reason}

5501001D INFO Management / System

Logo upload succeeded

Upload of logo succeeded

–

Upload of logo succeeded

–

55010020 INFO Management / System

Backup succeeded

System backup succeeded

–

System backup succeeded

–

55010021 INFO Management / System

Device restore success

Device auto restore from USB drive succeeded

Device auto restore from a specific image in USB drive or normal restore from a normal image

Device %s restore from %s image succeeded

Device ${restore_type} restore from ${image_source} image succeeded

55010022 INFO Management / System

USB auto restore image created

USB auto restore image successfully created

–

USB auto restore image successfully created

58000001 INFO Management / NTP

System time changed

System time changed to 2012-08-29 08:20:00 by NTP

The system time was changed by the NTP process.

System time changed to %s by NTP

FireCluster Log Messages

FireCluster log messages are for events related to your Fireboxes that are members of a FireCluster. This includes actions related to management of the FireCluster, operational errors of cluster members, events that occur on cluster members, and changes to the status of a cluster member.

Diagnostic

FireCluster log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

3A000002 INFO Cluster / Event Monitoring

VRRP enabled

VRRP is now enabled for Cluster.

Virtual Router Redundancy Protocol (VRRP) is now enabled for this Active/Passive Cluster.

VRRP is now enabled for Cluster.

–

3A000004 INFO Cluster / Event Monitoring

VRRP start master

Virtual Router with cluster ID 1 started in master state.

VRRP started in master state.

Virtual Router with cluster ID %d started in master state.

Virtual Router with cluster ID ${value} started in master state.

3A000005 INFO Cluster / Event Monitoring

VR shutdown

Virtual Router with cluster ID 1 returned to initial state.

Virtual Router returned to initial state.

Virtual Router with cluster ID %d returned to initial state.

Virtual Router with cluster ID ${id} returned to initial state

3A000006 INFO Cluster / Event Monitoring

VR pause

Virtual Router with cluster ID 1 becomes backup on pause event

Virtual Router becomes backup due to a pause event.

Virtual Router with cluster ID %d becomes backup on pause event

Virtual Router with cluster ID ${id} becomes backup on pause event

3A000007 INFO Cluster / Event Monitoring

VR resume

Virtual Router with cluster ID 1 becomes master on resume event

Virtual Router becomes master due to a resume event.

Virtual Router with cluster ID %d becomes master on resume event

Virtual Router with cluster ID ${id} becomes master on resume event

3A000008 INFO Cluster / Event Monitoring

VR backup state

Virtual Router with cluster ID 1 state changed from master to backup

Virtual Router state changed from master to backup

Virtual Router with cluster ID %d state changed from master to backup

Virtual Router with cluster ID ${id} state changed from master to backup

3A00000A INFO Cluster / Event Monitoring

VR notification gap

Member 80B20002E5BCD Virtual Router with cluster ID 1 changed state to master due to 3 second notification gap from current master with IP 10.0.4.1

Member Virtual Router changed state to master due to notification gap from current master

Member %s Virtual Router with cluster ID %d changed state to master due to %d second notification gap from current master with IP %s

Member ${member} Virtual Router with cluster ID ${id} changed state to master due to ${value} second notification gap from current master with IP ${ip}

3A00000B INFO Cluster / Event Monitoring

VRRP master state

Virtual Router with cluster ID 1 state changed to master

Virtual Router state changed to master

Virtual Router with cluster ID %d state changed to master

Virtual Router with cluster ID ${id} state changed to master

3A00000C ERROR Cluster / Event Monitoring

VRRP initialization failed

Cluster VRRP initialization failed

Initialization of Virtual Router Redundancy Protocol (VRRP) failed.

Cluster VRRP initialization failed

–

38000002 ERROR Cluster / Management

DHCP overwrite

A DHCP server is interfering with static address assignment of cluster IP address 10.0.0.1 on eth0. Disable DHCP server access to eth5.

A DHCP server has attempted to assign an IP address to cluster member on the Cluster Interface. This log message recommends the admin isolate the Cluster interface network from the DHCP server, and specifies the interface number and IP address the cluster attempted to assign to the member.

A DHCP server is interfering with static address assignment of cluster IP address %s on eth%d. Disable DHCP server access to eth%d.

A DHCP server is interfering with static address assignment of cluster IP ${ip} on eth${port}. Please disable DHCP server access to eth${port}.

38000003 INFO Cluster / Management

Cluster interface up

Cluster interface eth5 is up.

Cluster interface link status changed to up.

Cluster interface %s is up.

Cluster interface ${ifname} is up.

38000004 WARN Cluster / Management

Cluster interface down

Cluster interface eth5 is down.

Cluster interface link status changed to down.

Cluster interface %s is down.

Cluster interface ${ifname} is down

3800025C INFO Cluster / Management

Configuration update

Cluster member 80B20002E5BCD received updated configuration; version 3.

Cluster member received an updated configuration from the master. The log message specifies the member serial number and configuration version number.

Cluster member %s received updated configuration; version %d.

Cluster member ${member} received updated configuration; version ${version}.

38000264 WARN Cluster / Management

Time synchronization failure

Cluster time synchronization failed.

The cluster master's attempt to synchronize time to a cluster member failed

Cluster time synchronization failed.

3B000001 INFO Cluster / Transport

Channel status change

Cluster channel from member 80B20002E5BCD to master is up

The cluster communication channel between the specified members changed state.

Cluster channel from member %s to master is %s.

Cluster channel from member ${member} to master is ${state}.

3B000002 INFO Cluster / Transport

Cluster interface down

Cluster interface eth5 is down.

The specified Cluster interface is down.

Cluster interface %s is down.

Cluster interface ${ifname} is down.

Event

FireCluster log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

3A00000E INFO Cluster / Event Monitoring

VR enabled

Virtual Router with cluster ID 1 is now enabled

The Virtual Router representing the cluster is now enabled

Virtual Router with cluster ID %d is now enabled

Virtual Router with cluster ID ${id} is now enabled

3A00000F INFO Cluster / Event Monitoring

VR disabled

Virtual Router with cluster ID 1 is now disabled

The Virtual Router representing the cluster is now disabled

Virtual Router with cluster ID %d is now disabled

Virtual Router with cluster ID ${id} is now disabled

38000278 WARN Cluster / Management

Cluster disabled

Cluster disabled. Non-master member 80B20002E5BCD will be reset to factory-default settings.

The non-master member of the cluster will be reset to factory default-settings because FireCluster is disabled.

Cluster disabled. Non-master member %s will be reset to factory-default settings.

Cluster disabled. Non-master member %s will be reset to factory-default settings.

38000279 WARN Cluster / Management

Critical configuration change

Non-master member 80B20002E5BCD will be reset to factory-default settings due to a critical cluster configuration change.

The non-master member of the cluster will be reset to factory-default settings due to a critical configuration change. A configuration change is critical if it would cause the master and backup master to lose the TCP connection on the cluster interface.

Non-master member %s will be reset to factory-default settings due to a critical cluster configuration change.

Non-master member ${member} will be reset to factory default-settings due to a critical cluster configuration change.

38000280 ERROR Cluster / Management

Device discovery failed

Cluster master 80B20002E5BCD was unable to issue a device discovery message.

The cluster master was unable to issue a device discovery message.

Cluster master %s was unable to issue a device discovery message.

Cluster master ${master} was unable to issue a device discovery message.

38000282 INFO Cluster / Management

Member ready to join

Member 80B20002E5BCD is ready to join the cluster.

Local member has FireCluster enabled and is ready to join.

Member %s is ready to join the cluster.

Member ${member} is ready to join the cluster.

3800025A INFO Cluster / Management

Cluster enabled

Cluster enabled on member 80B20002E5BCD.

Cluster was enabled on the specified member.

Cluster enabled on member %s.

Cluster enabled on member ${member}.

3800025B INFO Cluster / Management

Cluster disabled on master

Cluster disabled on cluster master 80B20002E5BCD.

Cluster disabled on the cluster member while it was the cluster master.

Cluster disabled on cluster master %s.

Cluster disabled on cluster master ${master}.

3800027A WARN Cluster / Management

Non-master member removed

Non-master cluster member 80B20002E5BCD was removed from cluster, and will be reset to factory-default settings.

The non-master member of the Cluster will be reset to factory-default settings because it was removed from the cluster.

Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.

Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.

3800027E ERROR Cluster / Management

Factory-default reset failed

Failed to reset cluster member 80B20002E5BCD to factory-default settings.

Failed to reset to factory-default settings.

Failed to reset cluster member %s to factory-default settings.

Failed to reset member ${member} to factory-default settings.

39000003 WARN Cluster / Operations

Heartbeat lost

Master 80B20002E5BFE detected loss of heartbeat from member 80B20002E5BCD, cluster channel is up.

The specified Cluster failed to receive a heartbeat message.

Master %s detected loss of heartbeat from member %s, cluster channel is up.

Master ${master} detected loss of heartbeat from member ${member}, cluster channel is up.

39000005 INFO Cluster / Operations

Member promoted to master

Member 80B20002E5BCD is now master.

The specified member has become master.

Member %s is now master.

Member ${member} is now master.

39000007 ERROR Cluster / Operations

Failover due to WAI

Master 80B20002E5BCD failed over to member 80B20002E5BFE, which has a greater Weighted Average Index.

The master failed over to the specified member because that member has a higher health score than the master.

Master %s failed over to member %s, which has a greater Weighted Average Index.

Master ${master} failover to member ${member} with greater Weighted Average Index.

39000010 INFO Cluster / Operations

Member role change

Member 80B20002E5BCD changed role to master

The cluster member changed to the specified role.

Member %s changed role to %s.

Member ${member} role changed to ${role}.

39000011 INFO Cluster / Operations

Interface link status change

Monitored interface eth0 link is down.

Specified monitored interface link status changed, which will change the health index for the member.

Monitored interface %s link is %s.

Monitored interface ${ifname} link is ${state}.

39000012 INFO Cluster / Operations

New master

Member 80B20002E5BCD took over as master from member 80B20002E5BFE.

The specified member has taken over as master.

Member %s took over as master from member %s.

Member ${member} took over as master from member ${member}.

39000015 INFO Cluster / Operations

Failover initiated by administrator

Master 80B20002E5BCD initiated failover by administrator request.

The administrator has initiated a failover.

Master %s initiated failover by administrator request.

Master ${master} initiated failover by administrator request.

39000016 WARN Cluster / Operations

Cannot initiate failover

Cannot initiate failover from master 80B20002E5BCD to member 80B20002E5BFE due to higher Weighted Average Index on current master or backup master is unreachable.

The failover requested by administrator cannot proceed because the master has a higher health index, or the backup master is unreachable.

Cannot initiate failover from master %s to member %s due to higher Weighted Average Index on current master or backup master is unreachable.

Cannot initiate failover from master ${master} to member ${member} due to higher Weighted Average Index on current master or other member is unreachable.

39000019 ERROR Cluster / Operations

Failover due to interface state change

Cluster failover due to interface eth4 link down event.

A cluster failover event occurred due to a change of interface state.

Cluster failover due to interface %s link %s event.

Cluster failover due to interface ${ifname} link ${state} event.

39000058 INFO Cluster / Operations

Member Role Change

Cluster member 80B20002E5BCD changed role from idle to backup master

The role of the specified Cluster member changed.

Cluster member %s changed role from %s to %s.

Cluster member ${member} changed role from ${role} to ${role}.

3900000C ERROR Cluster / Operations

Synchronization failed

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE failed.

Full state synchronization from the master to the specified member failed. Member state will not change to Backup Master.

Full state synchronization from master %s to backup master %s failed.

Full state synchronization from master ${master} to backup master ${member} failed.

3900000D ERROR Cluster / Operations

Synchronization timeout

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE timed out.

Full state synchronization from the master to the specified member timed out. Member state will not change to Backup Master.

Full state synchronization from master %s to backup master %s timed out.

Full state synchronization from master ${master} to backup master ${member} timed out.

3900000E INFO Cluster / Operations

Synchronization successful

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE completed successfully.

Full state synchronization to the specified member was successful. Member status changed to backup master.

Full state synchronization from master %s to backup master %s completed successfully.

Full state synchronization from master ${master} to backup master ${member} completed successfully

3900000F ERROR Cluster / Operations

Failover due to link-down

Master 80B20002E5BCD failed-over to member 80B20002E5BFE due to a link-down event on interface eth3.

Cluster failover due to a link failure on the current master, which now has a health index lower than the backup master. The log message specifies which interface has the link down.

Master %s failed-over to member %s due to a link-down event on interface %s.

Master ${master} failed-over to member ${member} due to a link-down event on interface ${ifname}.

Security Services Log Messages

Security Services log messages are generated for processes related to the Security Services configured on your Firebox. For the log messages from Security Services traffic and events, review the proxy log messages for the proxy policies where the Security Services are enabled. For more information, see Proxy Policy Log Messages on page 40.

Event

Security Services log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

1F000001 ERROR Security Services / Gateway Anti-Virus

Process failed to start

Cannot start ScanD

ScanD -- Process failed to start

Cannot start ScanD

—

1F010015 INFO Security Services / Gateway Anti-Virus

Ready for service

ScanD ready

ScanD -- Ready for service

ScanD ready

—

2E000005 ERROR Security Services / Signature Update

Process exiting

SIGD shutting down

SIGD -- Process exiting

SIGD shutting down

—

2E000006 ERROR Security Services / Signature Update

Process crashed

SIGD crashed

SIGD -- Process crashed

SIGD crashed

—

2E010018 ERROR Security Services / Signature Update

Failed to start the signature update for the specified services

Cannot start the signature update for 'IPS'

SIGD -- Failed to start the signature update for the specified services

Cannot start the signature update for '%s'

2E010019 ERROR Security Services / Signature Update

Failed to check the available signature version on the server

Cannot complete the version check

SIGD -- Failed to check the available signature version on the server

Cannot complete the version check

2E01001A ERROR Security Services / Signature Update

Signature update process failed to start

Cannot start the signature update process

SIGD -- Signature update process failed to start

Cannot start the signature update process

2E01001B ERROR Security Services / Signature Update

Signature update process crashed

SIGD Worker crashed

SIGD -- Signature update process crashed

SIGD Worker crashed

—


2E020067 ERROR Security Services / Signature Update

Signature update process for the specified version failed

Manual DLP update for version(4.94) failed (Valid feature key not available)

SIGD -- Signature update process for the specified version failed

%s %s update for version(%s) failed (%s)

2E020065 INFO Security Services / Signature Update

Signature update process started

Scheduled DLP update started

SIGD -- Signature update process started

%s %s update started

—

2E020066 INFO Security Services / Signature Update

Signature update process completed

Scheduled DLP update for version(4.94) completed

SIGD -- Signature update process completed

%s %s update for version(%s) completed

2E020069 INFO Security Services / Signature Update

Device has the latest signature version for the specified service

Device already has the latest DLP signature version (4.94)

SIGD -- Device has the latest signature version for specified service

Device already has the latest %s signature version (%s)

2E010017 WARN Security Services / Signature Update

License failed to load

Cannot load the license

SIGD -- License failed to load

Cannot load the license

—

23000001 ERROR Security Services / spamBlocker

Failed to start

Cannot start spamD

spamD -- Failed to start

Cannot start spamD

—

23000002 INFO Security Services / spamBlocker

Ready for service

spamD ready

spamD -- Ready for service

spamD ready

—


VPN Log Messages

VPN log messages are generated for processes related to all VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.

Alarm

VPN log messages of the Alarm log type.

ID Level Area Name Log Message Example Description Format Message Variables

020B0001 INFO VPN / IPSEC

Tunnel status changed

BOVPN tunnel 'tunnel.2' local 172.16.12.81/255.255.255.255 remote 172.16.13.204/255.255.255.255 under gateway 'gateway.1' is down

The status of the IPSec tunnel changed to up or down.

%s tunnel '%s' local %s remote %s under gateway '%s' is %s

${tunnel_type} tunnel '${tunnel}' local ${local} remote ${remote} under gateway '${gateway}' is ${status}

Diagnostic

VPN log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

02000001 ERROR VPN / IPSEC

Default certificate not found

The default IPSec certificate is not installed on the device

The IPSec tunnel could not be negotiated because the default IPSec certificate is not installed or is not valid.

The default IPSec certificate is not installed on the device

02000002 ERROR VPN / IPSEC

Failed to read certificate

Could not read [DSA | RSA] certificate with [n] ID

The IPSec tunnel could not be negotiated because the IPSec certificate is not valid.

Could not read %s certificate with %d ID

Could not read ${cert_type} certificate with ${id} ID


02020001 WARN VPN / IPSEC

IP address not available for Mobile VPN with IPSec user

Virtual IP address from 'abcd' address pool is not available for Mobile VPN with IPSec user 'Bob'

All virtual IP addresses allocated to this Mobile VPN with IPSec group are already assigned. New Mobile VPN with IPSec tunnels cannot be established unless existing tunnels are deleted.

Virtual IP address from '%s' address pool is not available for Mobile VPN with IPSec user '%s'

Virtual IP address from ${pool_name} address pool is not available for Mobile VPN with IPSec user ${user}

02030002 ERROR VPN / IPSEC

IKE Phase 1 expecting main mode

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Aggressive mode' exchange type. Expecting main mode.

IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting main mode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting main mode.

02030003 ERROR VPN / IPSEC

IKE Phase 1 expecting aggressive mode

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Main mode' exchange type. Expecting aggressive mode.

IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting aggressive mode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting aggressive mode.

02030004 ERROR VPN / IPSEC

IKE Phase 1 DH group mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received DH group 2, expecting 14

IKE Phase 1 negotiation failed because of incorrect Diffie-Hellman group in proposal from remote gateway. The log message specifies the received and expected group number.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received DH group %d, expecting %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received DH group ${received}, expecting ${expected}

02030005 ERROR VPN / IPSEC

IKE Phase 1 hash mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received hash SHA1, expecting MD5

IKE Phase 1 negotiation failed because of incorrect hash type in proposal from remote gateway. The log message specifies the received and expected hash type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received hash %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received hash ${received}, expecting ${expected}

02030006 ERROR VPN / IPSEC

IKE Phase 1 encryption mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received encryption 3DES, expecting AES

IKE Phase 1 negotiation failed because of incorrect encryption type in proposal from remote gateway. The log message specifies the received and expected encryption type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received encryption %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received encryption ${received}, expecting ${expected}

02030007 ERROR VPN / IPSEC

IKE Phase 1 authentication method mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received authentication method PSK, expecting RSA certificate

IKE Phase 1 negotiation failed because of incorrect authentication method in proposal from remote gateway. The log message specifies the received and expected authentication methods.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received authentication method %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received authentication method ${received}, expecting ${expected}

02030008 ERROR VPN / IPSEC

IKE Phase 1 AES key length mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received AES key length 128, expecting 256

IKE Phase 1 negotiation failed because of incorrect AES key length in proposal from remote gateway. The log message specifies the received and expected AES key length.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received AES key length %d, expecting %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received AES key length ${received}, expecting ${expected}

02030009 ERROR VPN / IPSEC

IKE Phase 1 invalid first message

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid first message received by local gateway. The log message specifies the reason.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

0203000A ERROR VPN / IPSEC

IKE Phase 1 invalid Main Mode second message

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid second message received by local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.


0203000B ERROR VPN / IPSEC

IKE Phase 1 invalid Main Mode Key Exchange payload

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because local gateway received invalid Main Mode Key Exchange (KE) payload

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

0203000C ERROR VPN / IPSEC

IKE Phase 1 invalid main mode ID

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid Main Mode ID payload received by local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

0203000D ERROR VPN / IPSEC

IKE Phase 1 invalid aggressive mode hash

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because an invalid aggressive mode hash payload was received by the specified local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

0203000E ERROR VPN / IPSEC

IKE Phase 1 invalid Aggressive mode SA payload

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid Aggressive mode security association (SA) payload received by specified local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

0203000F INFO VPN / IPSEC

IKE Phase 1 matching aggressive mode policy not found

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Aggressive mode matching policy not found

IKE Phase 1 negotiation failed because local gateway did not find a matching aggressive mode policy.

IKE phase-1 negotiation from %s to %s failed. Reason=Aggressive mode matching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Aggressive mode matching policy not found

02030010 INFO VPN / IPSEC

IKE Phase 1 matching Main Mode policy not found

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Main mode matching policy not found

IKE Phase 1 negotiation failed because local gateway did not find a matching Aggressive mode policy.

IKE phase-1 negotiation from %s to %s failed. Reason=Main mode matching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Main mode matching policy not found

02030011 ERROR VPN / IPSEC

IKE Phase 1 remote gateway ID mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched ID setting

IKE Phase 1 negotiation failed because remote ID in gateway configuration did not match proposal from remote gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched ID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched ID setting

02030012 ERROR VPN / IPSEC

IKE Phase 1 pre-shared key authentication failure

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure

IKE Phase 1 negotiation failed because pre-shared key in proposal did not match gateway configuration.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Pre-shared key authentication failure

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure

02030013 INFO VPN / IPSEC

IKE Phase 1 negotiation failed

IKE phase-1 negotiation from 2.2.2.2:500 to 1.1.1.1:500 failed. Reason=Received invalid message

IKE Phase 1 negotiation failed because of the reason specified in the log

IKE phase-1 negotiation from %s:%d to %s:%d failed. Reason=%s

IKE phase-1 negotiation from ${src}:${sport} to ${dst}:${dport} failed - ${reason}

02030014 INFO VPN / IPSEC

Received informational error message

Received 'Invalid Exchange Type' message from 172.16.12.81:500 for 'gateway.1' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received the specified information or error message from remote gateway.

Received '%s' message from %s for '%s' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received '${info_msg}' message from ${peer_addr} for '${gw-ep}' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

02030015 ERROR VPN / IPSEC

IKE Phase 1 retry timeout

IKE phase-1 negotiation from 172.16.12.81:500 to 172.16.12.82:500 failed. Gateway-Endpoint='gateway.1' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

IKE Phase 1 negotiation failed because of no response from remote site.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

02030016 WARN VPN / IPSEC

Mobile user rejected - maximum user connections reached

Rejected MUVPN IPSec user from 2.2.2.2 because maximum allowed user connections has been reached. Maximum:50

Specified Mobile VPN with IPSec user connection rejected because the specified concurrent user connections limit has been reached. The log message specifies the concurrent user connections limit.

Rejected MUVPN IPSec user from %s because maximum allowed user connections has been reached. Maximum:%d

Rejected MUVPN IPSec user from ${peer_addr} because maximum allowed user connections has been reached. Maximum:${max_value}

02030017 ERROR VPN / IPSEC

CA certificate not available

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=No CA certificate available

IKE phase-1 negotiation failed because no Certificate Authority (CA) certificate is available.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030018 ERROR VPN / IPSEC

IKE Phase 1 peer certificate CA is not supported

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peer certificate is not issued by known trusted CA

IKE Phase 1 negotiation failed because peer certificate is not issued by a known and trusted Certificate Authority (CA).

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030019 ERROR VPN / IPSEC

IKE Phase 1 received certificate with invalid CA name

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received certificate with invalid CA name

IKE Phase 1 negotiation failed because of invalid Certificate Authority (CA) name in certificate for remote gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030020 ERROR VPN / IPSEC

IKE Phase 1 possible shared secret mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Message decryption failed due to possible shared secret mismatch

IKE Phase 1 negotiation failed because of possible shared key mismatch.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message decryption failed due to possible shared secret mismatch

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message decryption failed due to possible shared secret mismatch

02030021 WARN VPN / IPSEC

DPD R_U_THERE_ACK not received

Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send DPD R_U_THERE_ACK message. 2 retries left

Firebox or XTM device sent a DPD_R_U_THERE request to remote gateway, but did not receive DPD R_U_THERE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.

Remote gateway '%s' with IP %s did not send DPD R_U_THERE_ACK message. %d retries left

Remote gateway '${gw-ep}' with IP ${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retries left.

02030022 WARN VPN / IPSEC

DPD max failure

Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to DPD failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.

The Firebox or XTM device deleted a VPN tunnel because the remote gateway did not respond to DPD R_U_THERE requests.

Remote gateway '%s' with IP %s presumed dead due to DPD failure. %s

Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to DPD failure. ${action}


02030023 WARN VPN / IPSEC

Did not receive KEEP_ALIVE_ACK response

Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send KEEP_ALIVE_ACK message. 2 retries left.

Firebox or XTM device sent a KEEP_ALIVE request to remote gateway, but did not receive KEEP_ALIVE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.

Remote gateway '%s' with IP %s did not send KEEP_ALIVE_ACK message. %d retries left.

Remote gateway '${gw-ep}' with IP ${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retries left.

02030024 WARN VPN / IPSEC

Deleted VPN tunnels due to keep-alive failure

Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to keep-alive negotiation failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.

Firebox or XTM device deleted one or more VPN tunnels because the remote gateway did not respond to keep-alive requests.

Remote gateway '%s' with IP %s presumed dead due to keep-alive negotiation failure. %s

Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to keep-alive negotiation failure. ${action}

02030025 INFO VPN / IPSEC

Received IKE message for unknown Phase 1 SA

Received IKE message from 172.16.13.204:500 for unknown P1 SA. Sending delete message to remote gateway 'gateway.1'.

Received IKE message for unknown P1 SA. Sending delete message to remote gateway

Received IKE message from %s for unknown P1 SA. Sending delete message to remote gateway '%s'.

Received IKE message from ${peer_addr} for unknown P1 SA. Sending delete message to remote gateway '${gateway}'.

02030026 ERROR VPN / IPSEC

DSS certificate ID mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched DSS certificate ID setting

IKE Phase 1 negotiation failed because of mismatched DSS certificate ID setting.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched DSS certificate ID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched DSS certificate ID setting

02030027 ERROR VPN / IPSEC

Failed to get ID information from certificate

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Failed to get ID information from certificate 20001

IKE phase-1 negotiation failed because ID information could not be obtained from the certificate.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Failed to get ID information from certificate %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failed to get ID information from certificate ${certificate_id}

02030028 INFO VPN / IPSEC

IKE Phase 1 message received on wrong interface

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Reason=Received IKE message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.

IKE Phase 1 negotiation failed because the IKE message from the peer was received on the wrong interface.

IKE phase-1 negotiation from %s to %s failed. Reason=Received IKE message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Received IKE message on wrong interface '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'

02030029 ERROR VPN / IPSEC

IKE Phase 1 invalid aggressive mode ID

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received ID did not match with configured aggressive mode ID.

IKE Phase 1 negotiation failed because received ID did not match with configured ID on local gateway. Check aggressive mode ID information in gateway endpoint configuration on both local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received ID did not match with configured aggressive mode ID.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received ID did not match with configured aggressive mode ID.

0203002A ERROR VPN / IPSEC

IKE Phase 1 IKE version mismatch

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received IKE version did not match the configured IKE version.

IKE Phase 1 negotiation failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both the local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received IKE version did not match the configured IKE version.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received IKE version did not match the configured IKE version.

0203002B ERROR VPN / IPSEC

IKE Phase 1 message received on wrong interface IP

IKE phase-1 negotiation from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKE Phase 1 negotiation failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

02050002 ERROR VPN / IPSEC

IKE Phase 2 PFS mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal without PFS, Expecting PFS enabled

The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal without PFS, Expecting PFS enabled

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal without PFS, Expecting PFS enabled


02050003 ERROR VPN / IPSEC

IKE Phase-2 proposal type mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received protocol 'AH'. Expecting 'ESP' in phase-2 proposal.

The IPSec tunnel negotiation failed because the proposal did not match the Phase 2 configuration. The log message specifies the received and expected proposals.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received protocol '%s'. Expecting '%s' in phase-2 proposal.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received protocol '${received_proto}'. Expecting '${expected_proto}' in phase-2 proposal.

02050004 ERROR VPN / IPSEC

IKE Phase 2 AH authentication method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AH authentication MD5, expecting SHA1

The IPSec tunnel negotiation failed because the proposed AH authentication method did not match the Phase 2 configuration. The log message specifies the received and expected AH authentication method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AH authentication %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AH authentication ${received}, expecting ${expected}

02050005 ERROR VPN / IPSEC

IKE Phase 2 ESP encryption method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP encryption DES, expecting AES

The IPSec tunnel negotiation failed because the proposed ESP encryption method did not match the Phase 2 configuration. The log message specifies the received and expected ESP encryption method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP encryption %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP encryption ${received}, expecting ${expected}

02050006 ERROR VPN / IPSEC

IKE Phase 2 PFS DH group mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received PFS DH group 2, expecting 5

The IPSec tunnel negotiation failed because the proposed Perfect Forward Secrecy Diffie-Hellman (PFS DH) group number did not match the Phase 2 configuration. The log message specifies the received and expected PFS DH group numbers.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received PFS DH group %d, expecting %d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received PFS DH group ${received}, expecting ${expected}

02050007 ERROR VPN / IPSEC

IKE Phase 2 ESP authentication method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP authentication MD5-HMAC, expecting SHA1-HMAC

The IPSec tunnel negotiation failed because the proposed ESP authentication method did not match the Phase 2 configuration. The log message specifies the received and expected ESP authentication method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP authentication %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP authentication ${received}, expecting ${expected}

02050008 ERROR VPN / IPSEC

IKE Phase 2 AES key length mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AES key length 128, expecting 256

The IPSec tunnel negotiation failed because the proposed AES encryption key length did not match the Phase 2 configuration. The log message specifies the received and expected AES key length.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AES key length %d, expecting %d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AES key length ${received}, expecting ${expected}

0205000A ERROR VPN / IPSEC

IKE Phase 2 tunnel route mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway='gateway.1' Reason=No matching tunnel route for peer proposed local:192.168.81.0/24 remote:192.168.82.0/28

The IPSec tunnel negotiation failed because the proposed tunnel routes did not match the tunnel configuration. The log message specifies the received and expected tunnel routes.

IKE phase-2 negotiation from %s to %s failed. Gateway='%s' Reason=No matching tunnel route for peer proposed local:%s/%d remote:%s/%d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Gateway='${gateway}' Reason=No matching tunnel route for peer proposed local:${tr_local} remote:${tr_remote}

0205000B ERROR VPN / IPSEC

IKE Phase 2 message retry timeout

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

The IPSec tunnel negotiation failed because an expected response was not received before the message retry timeout.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

0205000C ERROR VPN / IPSEC

IKE Phase 2 message retry timeout because Phase 1 SA expired

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout because phase-1 SA expired

The IPSec tunnel negotiation failed because the Phase 1 Security Association (SA) expired.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout because phase-1 SA expired

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout because phase-1 SA expired

0205000D ERROR VPN / IPSEC

IKE Phase 2 PFS not enabled

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal with PFS. PFS not enabled.

The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal with PFS. PFS not enabled.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal with PFS. PFS not enabled.

0205000E ERROR VPN / IPSEC

IKE Phase 2 wait timeout

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

The IPSec tunnel negotiation failed because an expected response was not received before the expected time.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

0205000F WARN VPN / IPSEC

Rejected Phase 2 negotiation due to incorrect gateway

Rejected phase-2 negotiation from 172.16.12.82:500 because 'gateway.1*1' is not the preferred IKE gateway endpoint.

Rejected Phase 2 negotiation because the proposal did not use the preferred IKE gateway endpoint.

Rejected phase-2 negotiation from %s because '%s' is not the preferred IKE gateway endpoint.

Rejected quick mode negotiation from ${peer_addr} because '${gw-ep}' is not the preferred IKE gateway endpoint.

02050010 INFO VPN / IPSEC

Received quick mode informational error message

Received 'No Proposal Chosen' message from 172.16.12.81:500 for 'tunnel.1' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Remote gateway sent an information error message in response to VPN tunnel proposal.

Received '%s' message from %s for '%s' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received '${info_msg}' message from ${peer_addr} for '${tunnel}' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

02050011 INFO VPN / IPSEC

Dropped simultaneous Phase 2 negotiation

Dropped a simultaneous phase-2 negotiation from the peer 172.16.13.204:500

Firebox or XTM device dropped phase-2 negotiation because of another Phase 2 negotiation in progress.

Dropped a simultaneous phase-2 negotiation from the peer %s

Dropped a simultaneous IPSec negotiation from the peer ${peer_addr}

02060001 WARN VPN / IPSEC

Received XAuth fail notification

Received XAuth failed notification from 172.16.24.1:4500.Group:'ToFirebox_mu'

Received notification that Extended Authentication (XAuth) failed. Aborting XAuth negotiation.

Received XAuth failed notification from %s.Group:'%s'

Received XAuth failed notification from ${peer_addr}.Group:'${gateway}'

02060002 WARN VPN / IPSEC

Rejected PSK authentication, Expect client XAUTH enabled.

Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting client XAUTH enabled.

Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects client Extended Authentication (XAuth) enabled.

Rejected phase-1 authentication method %s from %s, expecting client XAUTH enabled.

Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting client XAUTH enabled.

02060003 WARN VPN / IPSEC

Rejected PSK authentication, Expect server XAUTH enabled.

Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting server XAUTH enabled.

Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects server Extended Authentication (XAuth) enabled.

Rejected phase-1 authentication method %s from %s, expecting server XAUTH enabled.

Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting server XAUTH enabled.

02060004 WARN VPN / IPSEC

XAuth negotiation failed due to mismatched mode

XAuth negotiation from 172.16.24.1:4500 failed due to a mismatched XAuthMode.

Mobile VPN with IPSec Extended Authentication (XAuth) negotiation failed because of mismatched authentication mode.

XAuth negotiation from %s failed due to a mismatched XAuthMode.

XAuth negotiation from ${peer_addr} failed due to a mismatched XAuthMode

02060005 WARN VPN / IPSEC

Mobile VPN with IPSec authentication failed because of unresponsive peer

MUVPN user authentication failed due to unresponsive peer at 172.16.24.1:4500

Mobile VPN with IPSec user authentication failed because the peer did not respond.

MUVPN user authentication failed due to unresponsive peer at %s

MUVPN user authentication failed due to unresponsive peer at %s

02060006 INFO VPN / IPSEC

Mobile VPN with IPSec user connected with no group

MUVPN user 'user.1' is authenticated without group information.

Specified Mobile VPN with IPSec user successfully authenticated, but is not a member of any group.

MUVPN user '%s' is authenticated without group information.

MUVPN user '${user_name}' is authenticated without group information

02060007 INFO VPN / IPSEC

Mobile user group information

MUVPN user 'user.1' is a member of 'muvpn' group.

Specified Mobile VPN with IPSec user belongs to the specified group.

MUVPN user '%s' is a member of '%s' group.

MUVPN user '${user_name}' is a member of '${group_name}' group.

02080001 INFO VPN / IPSEC

IKE phase-1 negotiated successful

BOVPN phase-1 main-mode completed successfully as initiator for 'gateway.1' gateway endpoint. local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SAID:0x9d5e7809

IKE phase-1 negotiation was successfully completed.

%s phase-1 %s completed successfully as %s for '%s' gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SAID:0x%08x

${tunnel_type} phase-1 ${nego_mode} completed successfully as ${nego_role} for '${gateway}' gateway endpoint. local-gw:${src}:${sport} remote-gw:${dst}:${dport} SAID:${p1said}

021A0001 ERROR VPN / IPSEC

Dropped received IKEv2 message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=message has invalid initiator SPI (all zeros)

Dropped received invalid IKEv2 message.

Dropped IKEv2 %s message from %s. Reason=%s

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=${reason}

021A0002 ERROR VPN / IPSEC

IKE SA not found to handle IKE_SA_INIT_R message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=IKE SA not found to handle message with message ID 0x0.

IKE SA was not found to handle the received IKE_SA_INIT_R message.

Dropped IKEv2 %s message from %s. Reason=IKE SA not found to handle message with message ID 0x%x.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=IKE SA not found to handle message with message ID ${recvd_message_id}.

021A0003 ERROR VPN / IPSEC

Gateway endpoint not found to handle IKE_SA_INIT_R message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason='gateway.1' gateway endpoint not found to handle message with message ID 0x0.

Gateway endpoint was not found to handle the received IKE_SA_INIT_R message

Dropped IKEv2 %s message from %s. Reason='%s' gateway endpoint not found to handle message with message ID 0x%x.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason='${gw-ep}' gateway endpoint not found to handle IKE_SA_INIT message with message ID ${recvd_message_id}.

021A0004 INFO VPN / IPSEC

IKEv2 IKE SA is in deleting state

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=IKE SA is in DELETING state.

Received IKEv2 message was ignored because the corresponding IKE SA to handle the message was in DELETING state.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=IKE SA is in %s state.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=IKE SA is in ${ikev2_ikesa_state} state.

021A0005 ERROR VPN / IPSEC

Invalid message ID in IKEv2 exchange

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=Invalid message ID in request message.

Received IKEv2 message was dropped because it has invalid message ID.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Invalid message ID in %s message.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}'. Reason=Invalid message ID in ${req_or_resp} message.

021A0006 ERROR VPN / IPSEC

IKEv2 gateway endpoint was not found to handle the received message

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Matching gateway endpoint not found.

IKEv2 gateway endpoint was not found to handle the received message.

IKEv2 %s exchange from %s to %s failed. Reason=Matching gateway endpoint not found.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Matching gateway endpoint not found.

021A0007 ERROR VPN / IPSEC

IKEv2 gateway endpoint version not matched

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE version did not match the configured IKE version.

IKEv2 message exchange failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received IKE version did not match the configured IKE version.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received IKE version did not match the configured IKE version.

021A0008 ERROR VPN / IPSEC

IKEv2 gateway endpoint is disabled

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=gateway endpoint is disabled.

The IKEv2 gateway endpoint is disabled. It cannot be used in tunnel negotiation.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=gateway endpoint is disabled.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=gateway endpoint is disabled.

021A0009 ERROR VPN / IPSEC

IKEv2 gateway ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Gateway endpoint with matching ID was not found.

IKEv2 IKE_AUTH negotiation failed because the remote ID configured in the gateway endpoint did not match proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Gateway endpoint with matching ID was not found.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Gateway endpoint with matching ID was not found.

021A000A ERROR VPN / IPSEC

IKEv2 IKE_SA_INIT message received on wrong interface

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.

IKEv2 IKE_SA_INIT negotiation failed because IKE message from peer was received on the wrong interface.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received message on wrong interface. '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'.

021A000B ERROR VPN / IPSEC

IKEv2 remote gateway endpoint ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured remote gateway endpoint ID.

IKEv2 IKE_AUTH negotiation failed because the remote ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured remote gateway endpoint ID.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured remote gateway endpoint ID.

021A000C ERROR VPN / IPSEC

IKEv2 local gateway endpoint ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured local gateway endpoint ID.

IKEv2 IKE_AUTH negotiation failed because the local ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured local gateway endpoint ID.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured local gateway endpoint ID.

021A000D ERROR VPN / IPSEC

Received IKEv2 message does not have expected payloads

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE_AUTH response message does not have the expected payloads.

IKEv2 message exchange failed because the received message from the peer does not have the expected payloads

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message does not have the expected payloads.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${msg_info} message does not have the expected payloads.

021A000E ERROR VPN / IPSEC

IKEv2 IKE proposal mismatch

IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=IKE proposal did not match. Received encryption 3DES, expected AES.

The IKEv2 message exchange failed because the IKE proposal in the received message did not match the expected proposal.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${msg_info}

021A000F ERROR VPN / IPSEC

IKEv2 KE DH-Group mismatch

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the IKE_SA_INIT response proposal.

IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.

021A0010 ERROR VPN / IPSEC

IKEv2 IPSec KE DH-Group mismatch

IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the CREATE_CHILD_SA request proposal.

IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.

021A0011 ERROR VPN / IPSEC

Received unacceptable traffic selector during first CHILD SA negotiation.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received unacceptable traffic selector in IKE_AUTH request.

IKEv2 first CHILD SA creation failed because the peer sent an unacceptable traffic selector.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received unacceptable traffic selector in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received unacceptable traffic selector in ${msg_info}.

021A0012 ERROR VPN / IPSEC

IKEv2 peer authentication method mismatch.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received authentication method PSK, expecting RSA certificate.

IKEv2 tunnel negotiation failed because the incorrect authentication method was proposed by the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received authentication method %s, expecting %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Received authentication method ${received}, expecting ${expected}.

021A0013 ERROR VPN / IPSEC

IKEv2 peer authentication failed

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint RSA certificate authentication failed.

IKEv2 tunnel negotiation failed because the local gateway could not authenticate the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint %s authentication failed.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint ${auth_method} authentication failed.

021A0014 ERROR VPN / IPSEC

IKEv2 PSK mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

IKEv2 tunnel negotiation failed because of possible PSK mismatch.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

021A0015 ERROR VPN / IPSEC

Received IKEv2 IKE_SA_INIT notification error message.

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.

IKEv2 IKE_SA_INIT negotiation failed because the peer sent a notification error message.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${notify_msg} message.

021A0016 ERROR VPN / IPSEC

Received IKEv2 CREATE_CHILD_SA/IKE_AUTH notification error message.

IKEv2 IKE_AUTH exchange from 10.139.36.185:500 to 10.139.36.195:500 failed. Tunnel='tunnel.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.

IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failed because peer sent a notification error message.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Received %s message.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel_name}'. Reason=Received ${notify_msg} message.

021A0017 INFO VPN / IPSEC

IKEv2 IKE SA established

IKEv2 IKE SA established successfully as initiator for 'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SAID:0xbc2188a5.

IKEv2 IKE SA is established because IKE_AUTH negotiation is finished or IKE SA is rekeyed.

IKEv2 IKE SA established successfully as %s for '%s' gateway endpoint. local-gw:%s remote-gw:%s SA ID:0x%08x.

IKEv2 IKE SA established successfully as ${exchange_role} for '${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SAID:${sa_id}.

021A0018 ERROR VPN / IPSEC

IKEv2 tunnel proposal mismatch.

IKEv2 CREATE_CHILD_SA exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Tunnel='tunnel.1'. Reason=IPSec proposal did not match. Received encryption 3DES, expected AES.

The IKEv2 message exchange failed because the IPSec proposal in the received message did not match the expected proposal.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=%s

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=${msg_info}

021A0019 ERROR VPN / IPSEC

Received invalid SPI during first CHILD SA negotiation.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Peer proposed invalid SPI in IKE_AUTH request.

IKEv2 first CHILD SA creation failed because the peer sent an invalid SPI.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Peer proposed invalid SPI in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Peer proposed invalid SPI in ${msg_info}.

021A001A ERROR VPN / IPSEC

Received invalid SPI during IKEv2 IPSec SA rekey

IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Could not find child SA by received SPI 0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.

IKEv2 IPSec SA rekey failed because the peer sent an invalid SPI.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Could not find child SA by received SPI %0x in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Could not find child SA by received SPI ${spi} in ${msg_info}.

021A001B ERROR VPN / IPSEC

No response from remote gateway

IKEv2 exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=No response for IKE_AUTH request message. Check the connection between the local and remote gateway endpoints.

IKEv2 connection was terminated because there was no response from the remote site.

IKEv2 exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=No response for %s message. Check the connection between the local and remote gateway endpoints.

IKEv2 exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=No response for ${msg_info} message. Check the connection between the local and remote gateway endpoints.

021A001C INFO VPN / IPSEC

IKEv2 IKE SA is waiting for the user authentication result

Dropped IKEv2 IKE_AUTH message from 198.51.100.2:4500. Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for the EAP_MSCHAPv2 user authentication result.

The Firebox ignored an IKEv2 message because the corresponding IKE SA is waiting for the user authentication result from the authentication module.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Waiting for the %s user authentication result.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=Waiting for the ${user-auth-protocol} user authentication result.

021A001D ERROR VPN / IPSEC

IKEv2 gateway ID mismatch

IKEv2 IKE_AUTH exchange from 198.51.100.2 to 203.0.113.2:500 failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=The Mobile VPN with IKEv2 profile is not enabled.

IKEv2 IKE_AUTH negotiation failed because Mobile VPN for IKEv2 is not enabled on this gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=The Mobile VPN with IKEv2 profile is not enabled.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Mobile VPN with IKEv2 profile is not enabled.

021A001E ERROR VPN / IPSEC

IKEv2 received invalid EAP information

IKEv2 IKE_AUTH EAP exchange from 198.51.100.2:4500 to 203.0.113.2:4500 failed. Gateway-Endpoint='WGIKEv2MVPN'. Reason='example' authentication domain is not configured.

IKEv2 IKE_AUTH EAP negotiation failed because IKEv2 Mobile VPN client sent invalid information.

IKEv2 %s EAP exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s

IKEv2 ${exchange_type} EAP exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

021A001F ERROR VPN / IPSEC

IKEv2 IKE_SA_INIT message received on wrong interface IP

IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with the wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

021A0020 ERROR VPN / IPSEC

IKEv2 IKE_AUTH message received on wrong interface IP

IKEv2 IKE_AUTH exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

25000000 INFO VPN / SSLVPN

User login

Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 192.51.100.2.

%s %s logged in. Virtual IP address is %s. Real IP address is %s.

A user logged in to VPN with SSL. The log message specifies the VPN user type, and the user's name, virtual IP address, and real IP address.

${vpn_user_type} ${user_name} logged in. Virtual IP address is ${virtual_ipaddr}. Real IP address is ${real_ipaddr}.

25000001 INFO VPN / SSLVPN

User log off

Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.

%s %s logged off. Virtual IP address is %s.

The VPN with SSL user with the specified virtual IP address logged out.

${vpn_user_type} ${user_name} logged off. Virtual IP address was ${virtual_ipaddr}.

5B010004 INFO VPN / L2TP

Update user session

Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.

Updated Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.

Mobile VPN with L2TP updated the session for the specified user. The log message specifies the assigned virtual IP address.

5B010005 INFO VPN / L2TP

Delete user session

Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.

Deleted Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.

Deleted a Mobile VPN with L2TP session with the specified virtual IP address.

Event

VPN log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

02010001 INFO VPN / IPSEC

IKE process starts

WatchGuard iked v11.6.B341909 (C) 1996-2012 WatchGuard Technologies Inc. starts at Wed Jun 30 21:49:08 2012

The IPSec IKE process started.

WatchGuard iked v%s %s starts at %s

–

02010002 INFO VPN / IPSEC

Configuration update started

Started processing a configuration setting

An IPSec configuration update started.

Started to process a configuration setting

–

02010003 INFO VPN / IPSEC

Configuration update completed

A configuration setting has been processed successfully

An IPSec configuration update was successfully completed.

A configuration setting has been processed successfully

02010004 WARN VPN / IPSEC

Device not activated

WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!

The device is not activated. IPSec tunnels cannot be established.

WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!

02070001 INFO VPN / IPSEC

Tunnel established or re-keyed

'gateway.1' BOVPN IPSec tunnel is established. local:192.168.81.0/28 remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256f role:responder

The IPSec tunnel was established or re-keyed successfully. The log message includes the security association identifiers.

'%s' %s IPSec tunnel is %s. local:%s remote:%s in-SA:0x%08x out-SA:0x%08x role:%s

${gateway} ${tunnel_type} IPSec tunnel is ${action}. local:${local} remote:${remote} in-spi:${in_spi} out-spi:${out_spi} role:${nego_role}

02090001 WARN VPN / IPSEC

BOVPN tunnel limit reached

The maximum number of allowed active BOVPN tunnels has been reached (Maximum: 500 Current: 500).

The maximum allowed number of BOVPN tunnel routes have been established. No new tunnel routes can be created until active tunnel routes expire or are deleted.

The maximum number of active allowed BOVPN tunnels has been reached (Maximum: %d Current: %d)

02090002 INFO VPN / IPSEC

IKE process -- FireCluster role changed

A FireCluster failover occurred. The cluster master has changed.

The cluster master has changed because of a FireCluster failover. The local device will not handle IKE negotiation.

A FireCluster failover occurred. The cluster master has changed.

5B010001 INFO VPN / L2TP

Daemon started

The Mobile VPN with L2TP daemon started successfully.

The Mobile VPN with L2TP daemon started successfully.

The Mobile VPN with L2TP daemon started.

5B010002 INFO VPN / L2TP

Configuration updated

Updating configuration for Mobile VPN with L2TP.

Updating configuration for Mobile VPN with L2TP.

The Mobile VPN with L2TP daemon received a configuration update.

5B010003 INFO VPN / L2TP

Daemon stopped

Stopped Mobile VPN with L2TP daemon.

Stopped Mobile VPN with L2TP daemon.

The Mobile VPN with L2TP daemon stopped.

78000000 ERROR VPN / VPN TDR Host Sensor Enforcement Module

VPN TDR Host Sensor Enforcement failure

VPN (SSL) connection [email protected] to meet TDR Host Sensor Enforcement requirement: Host Sensor connection failed.

VPN (%s) connection by user %s%s%s failed to meet TDR Host Sensor Enforcement requirement: %s.

Mobile VPN connection did not meet TDR Host Sensor Enforcement requirement

VPN ({$vpn_type}) connection by user ${user}@${domain} failed to meet TDR Host Sensor Enforcement requirement: ${reason}.

78000001 INFO VPN / VPN TDR Host Sensor Enforcement Module

VPN TDR Host Sensor Enforcement success

VPN (IKEv2) connection by user jdoe@Firebox-DB met all TDR Host Sensor Enforcement requirements.

VPN (%s) connection by user %s%s%s met all TDR Host Sensor Enforcement requirements.

Mobile VPN connection met all TDR Host Sensor Enforcement requirement

VPN ({$vpn_type}) connection by user ${user}@${domain} met all TDR Host Sensor Enforcement requirements.

Mobile Security Log Messages

Mobile Security log messages are generated for activity related to traffic through your Firebox from mobile devices. This includes traffic related to FireClient and Endpoint Manager.

Event

Mobile Security log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

70000001 ERROR Mobile Security / Endpoint Manager

Mobile security license limit reached

Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: 50

A user login from FireClient was rejected because the number of concurrently connected Mobile Security users has reached the limit supported by the Mobile Security license. The log message specifies the maximum allowed number of concurrent Mobile Security users.

Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: %d

70000002 WARN Mobile Security / Endpoint Manager

Mobile security license high watermark reached

The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: 50

The number of concurrently connected Mobile Security users has reached 90 percent of the capacity supported by the Mobile Security license. The log message specifies the supported maximum number of concurrent Mobile Security users.

The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: %d

70010000 INFO Mobile Security / Endpoint Manager

Mobile device connect

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is connected.

FireClient on the device has connected to the Firebox.

Mobile device %s is connected.

–

70010001 INFO Mobile Security / Endpoint Manager

Mobile device user already login

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe has already logged in.

User has logged in to Firebox from the device prior to the connection request.

Mobile device %s: user %s has already logged in.

70010002 INFO Mobile Security / Endpoint Manager

Mobile device user login

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged in.

User has logged in to Firebox through FireClient on the device.

Mobile device %s: user %s logged in.

–

70010003 INFO Mobile Security / Endpoint Manager

Mobile device user logout

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged out.

User has logged out of Firebox from FireClient on the device.

Mobile device %s: user %s logged out.

–

70010004 INFO Mobile Security / Endpoint Manager

Mobile device idle disconnected

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected due to FireClient inactivity.

FireClient on the device is considered disconnected due to inactivity.

Mobile device %s is disconnected due to FireClient inactivity.

70010005 INFO Mobile Security / Endpoint Manager

Mobile device disconnected

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected.

FireClient on the device has disconnected.

Mobile device %s is disconnected.

–

70010006 INFO Mobile Security / Endpoint Manager

Mobile device Unknown compliance

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Unknown.

Mobile device compliance status is Unknown. This could be because the compliance check is in progress, or because FireClient on the device is not responding.

Mobile device %s compliance status is Unknown.

70010007 INFO Mobile Security / Endpoint Manager

Mobile device Compliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Compliant.

Mobile device compliance status is Compliant, because it meets the compliance requirements.

Mobile device %s compliance status is Compliant.

70010008 INFO Mobile Security / Endpoint Manager

Mobile device Not Compliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Not Compliant.

Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements.

Mobile device %s compliance status is Not Compliant.

70010009 INFO Mobile Security / Endpoint Manager

Mobile device user session recreated

Mobile device eee66f78-3d74-4002-8161-95938dca4390: session for user joe is recreated.

User session is recreated because the mobile device IP address changed.

Mobile device %s: session for user %s is recreated.

–

70020000 INFO Mobile Security / Endpoint Manager

Mobile device Authorization Agreement sign action

Mobile device eee66f78-3d74-4002-8161-95938dca4390: device authorization agreement (version 1) is accepted by user joe on 2015-09-01 09:10:12+0800.

The Device Authorization Agreement is either accepted or declined by a user at the specified local time.

Mobile device %s: device authorization agreement (version %d) is %s by user %s on %s.

device ${device id}: device authorization agreement (version ${ver_number}) is ${action} by user ${user} on ${local_time}
