Fireware Log Catalog - WatchGuard · 2021. 4. 20.
Fireware v12.7
Log Message Catalog
WatchGuard Firebox
Revised April 2021
Copyright, Trademark, and Patent Information
Information in this guide is subject to change without notice. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright © 1998–2021 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Revised: April 2021
About WatchGuard
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Contents
Copyright, Trademark, and Patent Information
Introduction to the Log Catalog
  Search the Log Catalog
  About Log Messages
  Types of Log Messages
    Traffic Log Messages
    Alarm Log Messages
    Event Log Messages
    Debug (Diagnostic) Log Messages
    Statistic Log Messages
  Read a Log Message
Firewall Log Messages
  Alarm
  Diagnostic
  Event
  Traffic
Networking Log Messages
  Diagnostic
  Event
Proxy Policy Log Messages
  Event
  Traffic
Management Log Messages
  Diagnostic
  Event
FireCluster Log Messages
  Diagnostic
  Event
Security Services Log Messages
  Event
VPN Log Messages
  Alarm
  Diagnostic
  Event
Mobile Security Log Messages
  Event
Introduction to the Log Catalog
You can use the tools available in WatchGuard Dimension, WatchGuard System Manager (WSM), and Fireware Web UI to review the log messages and events that occur on your WatchGuard Firebox devices, to examine the activity on your network. Log messages give you important information about the flow of traffic through your network, and are a key component to help you troubleshoot problems on your network.
The Fireware Log Catalog describes many of the types of log messages that your Firebox can generate. It includes examples of log messages for Firebox devices that run Fireware OS, grouped by the product area.
All log messages included in the Log Catalog are first organized into topics by product area and then separated into sections in each topic by the log message type:
• ALARM — Alarm log messages
• DIAG — Debug (Diagnostics) log messages
• EVENT — Event log messages
• STAT — Statistics log messages
• TRAFFIC — Traffic log messages
For more information about log message types, see About Log Messages.
Only log messages that are assigned a message ID number are included in the Log Catalog.
To review the log messages that are defined in the Log Catalog, you can expand the Log Messages section and select a topic for a product area, expand the section for a log message type, and review the log message lists to find a specific log message.
• To expand a single section, click .
• To collapse a single section, click .
• To expand all the sections in a topic, at the top of the topic window, click .
• To collapse all the sections in a topic, at the top of the topic window, click .
You can also search the Log Catalog for the specific details included in a log message.
For more information about options to search the Log Catalog, see Search the Log Catalog.
Search the Log Catalog
All log messages in the Log Catalog are first organized by the functional area and then by the log type. To quickly find a specific log message in the Log Catalog, you can search the Log Catalog for the specific details included in a log message.
When you search for a log message, you can specify any of the details included in the log message that you see in Traffic Monitor or Log Manager. The more specific your search criteria, the fewer search results are returned from your search query. To find a specific text phrase, make sure to include the phrase in quotation marks. If you search for the message ID number, make sure to remove the hyphen when you type the message ID number.
For example, to search the Log Catalog for the message ID number that appears in a log message that you see in Traffic Monitor:
1. In Traffic Monitor, find the msg_id value in the log message.
2. Open the Fireware Log Catalog in Adobe Acrobat.
3. Press CTRL + F.
4. In the Find text box, type the msg_id value from your log message, without the hyphen.
   For example, to find the 1C02-00CD error log message for the FTP-proxy, type “1C0200CD”.
5. Press Enter.
   The first instance of the message ID you searched for is highlighted.
When you search for unique text such as a message ID number, the search results will include only a few items. If your search includes text that is more generic (for example, HTTPS), the search results will include many entries.
About Log Messages
Your Firebox can send log messages to an instance of Dimension, a WSM Log Server, or a syslog server. You can also configure your Firebox to store log messages locally on the Firebox. You can use Traffic Monitor in Fireware Web UI or Firebox System Manager (FSM) to review log messages in real-time. If you send log messages to Dimension, you can use the Dimension Log Manager to review the log messages from your Firebox devices. If you send log messages to a WSM Log Server, you can use Log Manager in WatchGuard WebCenter to review log messages after they are generated and processed by the Log Server.
Types of Log Messages
Firebox devices can send several types of log messages for events that occur on the Firebox. Each message includes the message type in the text of the message. The log message types are:
• Traffic
• Alarm
• Event
• Debug (Diagnostic)
• Statistic
Traffic and event log messages, and some alarm log messages, automatically appear in Traffic Monitor by default; you do not have to enable any settings on your Firebox to generate them. The majority of the other log message types must be enabled in the device configuration file before they appear in Traffic Monitor or Log Manager.
Traffic Log Messages
Most of the log messages that appear in Traffic Monitor are traffic log messages. Traffic Monitor shows all of the log messages that are generated by your Firebox and are recorded in your log file. Traffic log messages show the traffic that moves through your Firebox and how the packet filter and proxy policies were applied. A traffic log message can include details that show how NAT (network address translation) was handled for a packet.
The traffic log messages for traffic managed by packet filter policies contain a set number of fields. The information for the same traffic log message will look different in Traffic Monitor than in Log Manager.
For a traffic log message generated by traffic managed by a proxy policy, your Firebox generates more than one log message. The first entry shows the same information as a packet filter log message, but includes this additional information:
proxy_act
The name of the proxy action that handles this packet. A proxy action is a set of rules for a proxy that can be applied to more than one policy.
rule_name
The name of the specific proxy rule that handles this packet.
content_type
The type of content in the packet that is filtered by the proxy rule.
Other proxy log messages include a variable number of fields.
Alarm Log Messages
Alarm log messages are sent when an event occurs that triggers the Firebox to run a command. When the alarm condition is matched, the Firebox generates an alarm log message that you can see in Traffic Monitor, sends the log message to your Dimension server, WSM Log Server, or syslog server, and then it completes the specified action for the event.
You can configure your Firebox to send alarm log messages for specific events that occur on your device. For example, you can configure an alarm to occur when a specified value matches or exceeds a threshold. Other alarm log messages are set by the Firebox OS, with values that you cannot change. For example, the Firebox sends an alarm log message when a network connection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.
There are eight categories of alarm log messages:
• System
• IPS
• AV
• Policy
• Proxy
• Counter
• Denial of Service
• Traffic
The Firebox does not send more than 10 alarms in 15 minutes for the same conditions.
Event Log Messages
Event log messages are generated for activity on your Firebox that is related to actions by the Firebox and users. Actions that can cause the Firebox to send an event log message include:
• Firebox start up and shut down
• Firebox and VPN authentication
• Process start up and shut down
• Problems with Firebox hardware components
• Any task completed by a device administrator
Debug (Diagnostic) Log Messages
Debug log messages include detailed diagnostic information that you can use to help troubleshoot problems on your Firebox. There are 27 different product components that can send debug log messages. When you configure the logging settings on your Firebox you can specify the level of diagnostic logging to see for each different product component enabled on your Firebox. The available levels are:
• Off
• Error
• Warning
• Information
• Debug
Statistic Log Messages
Statistic log messages include information about the performance of your Firebox. You can configure your Firebox to generate log messages about external interface performance, VPN bandwidth statistics, and Security Services statistics. You can review these log messages to determine what changes are necessary in your Firebox settings to improve performance. To see these log messages, performance statistic logging must be enabled on the Firebox.
Read a Log Message
Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.
Here is an example of one traffic log message from Traffic Monitor:
2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"
When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.
Each log message includes these details:
Time Stamp
The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.
This is the time stamp from the example log message above:
2014-07-02 17:38:43
FireCluster Member Information
If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.
This is the FireCluster member information from the example log message above:
Member2
Disposition
Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.
This is the disposition from the example log message above:
Allow
Source and Destination Addresses
After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.
These are the source and destination addresses from the example log message above:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.
These are the service and protocol from the example log message above:
webcache/tcp
Source and Destination Ports
The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.
These are the source and destination ports from the example log message above:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.
These are the source and destination interfaces from the example log message above:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.
This is the connection action from the example log message above:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.
These are the packet length numbers from the example log message above:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.
This is the policy name from the example log message above:
(Outgoing-proxy-00)
Process
This section of the log message shows the process that handles the traffic.
This is the process from the example log message above:
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is the return code from the example log message above:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.
This is the NAT address from the example log message above:
src_ip_nat="69.164.168.163"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.
This is the packet size from the example log message above:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.
Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.
This is the message ID number from the example log message above:
msg_id="3000-0148"
The message ID numbers included in the Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. To make sure you can locate the message ID number in the Log Catalog, when you search the Log Catalog for the message ID, remove the hyphen from the message ID number.
For example, to search for information about message ID number 3000-0148, in the Search Log Catalog text box, type 30000148.
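As an added illustration (not WatchGuard code), this Python example splits a Traffic Monitor traffic log line into the fields described in this section and derives the hyphen-free ID used to search the Log Catalog. The field names in POSITIONAL, the function names, and the second sample line are assumptions made for the example; the first sample is this section's example line with its fields separated by single spaces.

```python
import re
from datetime import datetime

# Positional fields, in the order this section lists them, that follow the
# time stamp and the optional FireCluster member name (names are assumed).
POSITIONAL = ("disposition", "src_ip", "dst_ip", "service_protocol",
              "src_port", "dst_port", "src_intf", "dst_intf",
              "action", "pkt_len", "ttl")
INT_FIELDS = ("src_port", "dst_port", "pkt_len", "ttl")
DISPOSITIONS = ("Allow", "Deny")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The example line from this section.
PAGE_EXAMPLE = (
    '2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 '
    'webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 '
    '(Outgoing-proxy-00) proc_id="firewall" rc="100" '
    'src_ip_nat="69.164.168.163" '
    'tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"')

# Constructed sample: no FireCluster member, service shown as a port number,
# message ID carried in id= instead of msg_id=. All values are made up.
CONSTRUCTED_DENY = (
    '2014-07-02 17:40:01 Deny 10.0.1.2 203.0.113.9 8081/tcp 51000 8081 '
    '1-Trusted 0-External Denied 52 127 (Constructed policy-00) '
    'proc_id="firewall" rc="101" id="3000-0148"')


def catalog_id(msg_id):
    """Message ID as printed in the Log Catalog: same value, no hyphen."""
    return msg_id.replace("-", "")


def parse_traffic_log(line):
    """Split one Traffic Monitor traffic log line into a dict of fields."""
    # The parenthesised policy name separates the positional fields from
    # the key="value" details.
    head, sep, tail = line.strip().partition(" (")
    policy, close, details_text = tail.partition(")")
    if not sep or not close:
        raise ValueError("no (policy name) found")
    tokens = head.split()
    timestamp = datetime.strptime(" ".join(tokens[:2]), "%Y-%m-%d %H:%M:%S")
    rest = tokens[2:]
    # The member name is present only when the Firebox is in a FireCluster.
    member = None
    if rest and rest[0] not in DISPOSITIONS:
        member = rest.pop(0)
    if len(rest) != len(POSITIONAL) or rest[0] not in DISPOSITIONS:
        raise ValueError("unexpected positional fields: %r" % (rest,))
    rec = dict(zip(POSITIONAL, rest))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    # "webcache/tcp", or "<port>/tcp" when the service is not known.
    service, _, protocol = rec.pop("service_protocol").partition("/")
    details = dict(KV_RE.findall(details_text))
    # Traffic Monitor may carry the message ID as msg_id= or as id=.
    raw_id = details.get("msg_id") or details.get("id")
    rec.update(timestamp=timestamp, member=member, service=service,
               protocol=protocol, policy=policy, details=details,
               catalog_id=catalog_id(raw_id) if raw_id else None)
    return rec


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_DENY):
        parsed = parse_traffic_log(sample)
        print(parsed["catalog_id"], parsed["disposition"],
              parsed["src_ip"], "->", parsed["dst_ip"],
              "NAT:", parsed["details"].get("src_ip_nat"))
```

The parser keys on the disposition token to decide whether a member name is present, so it rejects lines whose positional layout differs from the packet filter layout shown here.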
Firewall Log Messages
Firewall log messages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can include messages related to feature keys, subscription services, server load balancing, and other features configured on your Firebox.
Alarm
Firewall log messages of the Alarm log type.

ID: 30000152
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 source route attack
Log Message Example: IPv4 source route attack from 10.0.1.34 detected.
Description: IPv4 source route attack was detected.
Format: IPv4 source route attack from %s detected.
Message Variables: IPv4 source route from ${src} detected.

ID: 30000153
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 SYN flood attack
Log Message Example: SYN flood attack against 10.0.1.51 from 216.3.21.4 detected. 500 SYN packets dropped since last alarm.
Description: IPv4 SYN flood attack was detected.
Format: SYN flood attack against %s from %s detected. %llu SYN packets dropped since last alarm.
Message Variables: SYN flood attack against ${dst} from ${src} detected. ${gap} SYN packets dropped since last alarm.

ID: 30000154
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 ICMP flood attack
Log Message Example: ICMP flood attack against 10.0.1.51 from 216.3.21.4 detected. 500 ICMP flood packets dropped since last alarm.
Description: IPv4 ICMP flood attack was detected.
Format: ICMP flood attack against %s from %s detected. %llu ICMP flood packets dropped since last alarm.
Message Variables: ICMP flood attack against ${dst} from ${src} detected. ${gap} ICMP flood packets dropped since last alarm.

ID: 30000155
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 UDP flood attack
Log Message Example: UDP flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 UDP flood packets dropped since last alarm.
Description: IPv4 UDP flood attack was detected.
Format: UDP flood attack against %s from %s detected. %llu UDP flood packets dropped since last alarm.
Message Variables: UDP flood attack against ${dst} from ${src} detected. ${gap} UDP flood packets dropped since last alarm.

ID: 30000156
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 IPSEC flood attack
Log Message Example: IPSEC flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 IPSEC flood packets dropped since last alarm.
Description: IPv4 IPSEC flood attack was detected.
Format: IPSEC flood attack against %s from %s detected. %llu IPSEC flood packets dropped since last alarm.
Message Variables: IPSEC flood attack against $dst from $src detected. $gap IPSEC flood packets dropped since last alarm.

ID: 30000157
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 IKE flood attack
Log Message Example: IKE flood attack against 32.21.56.8 from 12.34.23.67 detected. 500 IKE flood packets dropped since last alarm.
Description: IPv4 IKE flood attack was detected.
Format: IKE flood attack against %s from %s detected. %llu IKE flood packets dropped since last alarm.
Message Variables: IKE flood attack against ${dst} from ${src} detected. ${gap} IKE flood packets dropped since last alarm.

ID: 30000158
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 scan attack
Log Message Example: IP scan attack against 32.21.56.8 from 12.34.23.67 detected.
Description: IPv4 scan attack was detected.
Format: IP scan attack against %s from %s detected.
Message Variables: IP scan attack against ${dst} from ${src} detected.

ID: 30000159
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 port scan attack
Log Message Example: PORT scan attack against 32.21.56.8 from 12.34.23.67 detected.
Description: IPv4 port scan attack was detected.
Format: PORT scan attack against %s from %s detected.
Message Variables: Port scan attack against ${dst} from ${src} detected.

ID: 30000160
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 DDOS against server
Log Message Example: DDOS against server 10.0.1.34 detected.
Description: IPv4 DDOS attack against a server was detected.
Format: DDOS against server %s detected.
Message Variables: DDOS against server ${dst} detected.

ID: 30000161
Level: INFO
Area: Firewall / Packet Filter
Name: IPv4 DDOS attack from client
Log Message Example: DDOS from client 10.0.1.34 detected.
Description: IPv4 DDOS attack from a client was detected.
Format: DDOS from client $src detected.
Message Variables: DDOS from client ${src} detected.

ID: 30000162
Level: INFO
Area: Firewall / Packet Filter
Name: IPv6 SYN flood attack
Log Message Example: SYN flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 SYN packets dropped since last alarm.
Description: IPv6 SYN flood attack was detected.
Format: SYN flood attack against %s from %s detected. %llu SYN packets dropped since last alarm.
Message Variables: SYN flood attack against ${dst} from ${src} detected. ${gap} SYN packets dropped since last alarm.

ID: 30000163
Level: INFO
Area: Firewall / Packet Filter
Name: IPv6 ICMP flood attack
Log Message Example: ICMP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 ICMP packets dropped since last alarm.
Description: IPv6 ICMP flood attack was detected.
Format: ICMP flood attack against %s from %s detected. %llu ICMP packets dropped since last alarm.
Message Variables: ICMP flood attack against ${dst} from ${src} detected. ${gap} ICMP packets dropped since last alarm.

ID: 30000164
Level: INFO
Area: Firewall / Packet Filter
Name: IPv6 UDP flood attack
Log Message Example: UDP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 UDP packets dropped since last alarm.
Description: IPv6 UDP flood attack was detected.
Format: UDP flood attack against %s from %s detected. %llu UDP packets dropped since last alarm.
Message Variables: UDP flood attack against ${dst} from ${src} detected. ${gap} UDP packets dropped since last alarm.

ID: 30000165
Level: INFO
Area: Firewall / Packet Filter
Name: IPv6 IPSEC flood attack
Log Message Example: IPSEC flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 IPSEC packets dropped since last alarm.
Description: IPv6 IPSEC flood attack was detected.
Format: IPSEC flood attack against %s from %s detected. %llu IPSEC packets dropped since last alarm.
Message Variables: IPSEC flood attack against ${dst} from ${src} detected. ${gap} IPSEC packets dropped since last alarm.

ID: 30000166
Level: INFO
Area: Firewall / Packet Filter
Name: IPv6 IKE flood attack
Log Message Example: IKE flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. 100 IKE packets dropped since last alarm.
Description: IPv6 IKE flood attack was detected.
Format: IKE flood attack against %s from %s detected. %llu IKE packets dropped since last alarm.
Message Variables: IKE flood attack against ${dst} from ${src} detected. ${gap} IKE packets dropped since last alarm.

ID: 30000167
Level: INFO
Area: Firewall / Packet Filter
Name: Alarm Traffic matched policy
Log Message Example: Policy Name: HTTP-00 Source IP Address: 10.0.1.20 Source Port: 4107 Destination IP Address: 61.135.169.125 Destination Port: 80
Description: An alarm log message was sent for traffic that matched the specified policy.
Format: Policy Name: %s Source IP Address: %s Source Port: %d Destination IP Address: %s Destination Port: %d
Message Variables: Policy Name: ${pcy_name} Source IP Address: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip} Destination Port: ${dst_port}

ID: 30000168
Level: INFO
Area: Firewall / Packet Filter
Name: Blocked site
Log Message Example: Blocked site: Traffic detected from 10.0.1.2 to 61.231.45.165.
Description: Traffic was detected to or from a blocked site.
Format: Blocked site: Traffic detected from %src to %dst.
Message Variables: Blocked site: Traffic detected from ${src} to ${dst}.

ID: 30000169
Level: INFO
Area: Firewall / Packet Filter
Name: IP spoofing
Log Message Example: IP spoofing: Traffic detected from 10.0.1.2 to 43.123.12.26.
Description: IP spoofing was detected from the IP address specified in the log message.
Format: IP spoofing: Traffic detected from %src to %dst.
Message Variables: IP spoofing: Traffic detected from ${src} to ${dst}.

ID: 30000170
Level: INFO
Area: Firewall / Packet Filter
Name: Connection table high water mark
Log Message Example: The total number of current sessions (1024) has reached the high water mark (1024).
Description: The total number of current sessions reached the high water mark (80%) of the maximum connection table.
Format: The total number of current sessions (%u) has reached the high water mark (%d).
Message Variables: The total number of current sessions (${value1}) has reached the high water mark (${value2}).

ID: 30000171
Level: INFO
Area: Firewall / Packet Filter
Name: Conntrack table is full
Log Message Example: The number of connections (2048) has reached the configured limit (2048).
Description: The conntrack table is full. The number of connections has reached the configured limit.
Format: The number of connections (%u) has reached the configured limit (%d).
Message Variables: The number of connections (${value1}) has reached the configured limit (${value2}).

ID: 30000172
Level: INFO
Area: Firewall / Packet Filter
Name: Blocked port
Log Message Example: Blocked port: Traffic detected from 10.0.1.2 to 61.231.45.165 on port 513.
Description: Traffic was detected on a blocked port.
Format: Blocked port: Traffic detected from %src to %dst on port %port.
Message Variables: Blocked port: Traffic detected from ${src} to ${dst} on port ${port}.
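
Added example, not part of the catalog or of any WatchGuard tool: the printf-style Format column of a few Alarm rows above is compiled into regular expressions, so the values named in the Message Variables column can be pulled out of an alarm message for detection or reporting. The function names and the choice of rows are assumptions made for the example; variable names are taken from the Message Variables column in order of appearance.

```python
import re

# printf conversions that occur in the Format column of the rows used here.
SPEC_RE = re.compile(r"%(llu|s|u|d)")
PATTERN = {"s": r"(.+?)", "llu": r"(\d+)", "u": r"(\d+)", "d": r"(-?\d+)"}

_SYN = ("SYN flood attack against %s from %s detected. "
        "%llu SYN packets dropped since last alarm.")

# Subset of the Alarm table: catalog ID -> (Format, variable names).
ALARMS = {
    "30000153": (_SYN, ("dst", "src", "gap")),   # IPv4 SYN flood
    "30000162": (_SYN, ("dst", "src", "gap")),   # IPv6 SYN flood, same Format
    "30000158": ("IP scan attack against %s from %s detected.",
                 ("dst", "src")),
    # The Format says "PORT"; the Message Variables column says "Port".
    # The Format is what matches the Log Message Example.
    "30000159": ("PORT scan attack against %s from %s detected.",
                 ("dst", "src")),
    "30000167": ("Policy Name: %s Source IP Address: %s Source Port: %d "
                 "Destination IP Address: %s Destination Port: %d",
                 ("pcy_name", "src_ip", "src_port", "dst_ip", "dst_port")),
    "30000170": ("The total number of current sessions (%u) has reached "
                 "the high water mark (%d).", ("value1", "value2")),
}


def compile_format(fmt):
    """Turn a Format string into an anchored regex plus per-field casts."""
    parts, casts, pos = [], [], 0
    for spec in SPEC_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:spec.start()]))  # literal text
        parts.append(PATTERN[spec.group(1)])            # captured value
        casts.append(str if spec.group(1) == "s" else int)
        pos = spec.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts)), casts


COMPILED = {aid: compile_format(fmt) + (names,)
            for aid, (fmt, names) in ALARMS.items()}


def extract(catalog_id, message):
    """Fields of message for a known catalog ID, or None if it does not fit."""
    regex, casts, names = COMPILED[catalog_id]
    match = regex.fullmatch(message.strip())
    if match is None:
        return None
    return {n: cast(v) for n, cast, v in zip(names, casts, match.groups())}


def identify(message):
    """Every catalog ID whose Format matches the message text.

    IPv4 and IPv6 rows can share one Format, so text alone may be
    ambiguous; the message ID in the log line settles it.
    """
    return sorted(aid for aid in COMPILED if extract(aid, message))


if __name__ == "__main__":
    msg = ("SYN flood attack against 10.0.1.51 from 216.3.21.4 detected. "
           "500 SYN packets dropped since last alarm.")
    print(identify(msg), extract("30000153", msg))
```
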
Diagnostic
Firewall log messages of the Debug (Diagnostic) log type.

ID: 3000002A
Level: INFO
Area: Firewall / Packet Filter
Name: Address already blocked
Log Message Example: IP address 192.168.111.10 will not be added to the blocked sites list because it already exists.
Description: –
Format: IP address %s will not be added to the blocked sites list because it already exists.
Message Variables: IP address ${ip} will not be added to the blocked sites list because it already exists.

ID: 3000003A
Level: ERROR
Area: Firewall / Packet Filter
Name: Unable to read feature keys
Log Message Example: Unable to read the feature keys, some features may be unavailable
Description: Unable to read feature keys file or fail to parse feature keys file. Features that require a correct feature key will not function.
Format: Unable to read the feature keys, some features may be unavailable
Message Variables: –

ID: 3000003C
Level: ERROR
Area: Firewall / Packet Filter
Name: No route to HTTP redirect host
Log Message Example: Route look up on HTTP redirect host 192.168.111.10 for policy "FTP-00" failed, local redirect may not work
Description: Route look up on HTTP redirect host for the specified policy failed, and local HTTP redirect may not work.
Format: Route look up on HTTP redirect host %u.%u.%u.%u for policy "%s" failed, local redirect may not work
Message Variables: –

ID: 3000012D
Level: INFO
Area: Firewall / Packet Filter
Name: Verify ARP entry
Log Message Example: Verify ARP entry for host at 192.168.111.10
Description: The appliance sent an ARP request to verify learned ARP entry for a given host.
Format: Verify ARP entry for host at %hu.%hu.%hu.%hu
Message Variables: –

ID: 3000012E
Level: ERROR
Area: Firewall / Packet Filter
Name: Possible loop or ARP spoofing detected
Log Message Example: Cannot relearn system MAC address, possible loop or MAC spoofing, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5
Description: The appliance received an ARP packet sent from one of its own MAC addresses. It is possibly a network or cabling loop, or another device is faking this device's MAC address.
Format: Cannot relearn system MAC address, possible loop or MAC spoofing, ip=%hu.%hu.%hu.%hu, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u
Message Variables: Cannot relearn system MAC address, possible loop or another device is faking this device's MAC address, ip=${ip}, mac=${mac}, interface=${interface}

ID: 30000006
Level: INFO
Area: Firewall / Packet Filter
Name: Feature settings updated
Log Message Example: Application control settings updated
Description: Firewall settings for the feature specified in the message have been updated
Format: %s settings updated
Message Variables: –

ID: 30000007
Level: INFO
Area: Firewall / Packet Filter
Name: DNS forwarding deferred
Log Message Example: Deferred DNS forwarding until valid DNS server IP address is dynamically learned
Description: DNS server IP address is not yet known, device will enable DNS when a DNS server IP address is detected
Format: Deferred DNS forwarding until valid DNS server IP address is dynamically learned
Message Variables: –

ID: 30000027
Level: INFO
Area: Firewall / Packet Filter
Name: Firewall is starting up
Log Message Example: Firewall is starting up
Description: –
Format: Firewall is starting up
Message Variables: –

ID: 30000028
Level: INFO
Area: Firewall / Packet Filter
Name: Firewall is shutting down
Log Message Example: Firewall is shutting down
Description: –
Format: Firewall is shutting down
Message Variables: –

ID: 30000029
Level: INFO
Area: Firewall / Packet Filter
Name: Address exempted from blocked sites
Log Message Example: IP address 192.168.111.254 will not be added to the blocked sites list because it is exempt
Description: The particular IP address is an exemption and will not be added to the blocked sites list
Format: IP address %s will not be added to the blocked sites list because it is exempt
Message Variables: IP address ${ip} will not be added to the blocked sites list because it is exempt

ID: 30000040
Level: INFO
Area: Firewall / Packet Filter
Name: Blocked site idle timeout
Log Message Example: Idle timeout has occurred for blocked site 192.168.111.10
Description: Idle timeout has occurred for the specified blocked site, and it will be removed from the blocked sites list.
Format: Idle timeout has occurred for blocked site %s
Message Variables: –

ID: 30000065
Level: INFO
Area: Firewall / Packet Filter
Name: Quota amount used by the specified user
Log Message Example: User James@Firebox-DB used 21MB of the bandwidth quota (100MB) and used 1 minute of the time quota (3 minutes).
Description: –
Format: User %s used %s
Message Variables: User {user} used {quota info}
Event
Firewall log messages of the Event log type.

ID: 300000C9
Level: INFO
Area: Firewall / Packet Filter
Name: Load Balance Server (TCP Probe)
Log Message Example: TCP probe packets timeout, Load Balance Server 10.10.10.100 port 3030 is offline.
Description: Load Balance Server status update due to response or lack of response to a TCP Probe packet. The log message specifies the server IP address and port.
Format: %s %s , Load Balance Server %hu.%hu.%hu.%hu port %d is %s.
Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} port ${port} is ${status}

ID: 300000CB
Level: INFO
Area: Firewall / Packet Filter
Name: Load Balance Server (ICMP Probe)
Log Message Example: ICMP probe packets timeout, Load Balance Server 10.10.10.100 is offline.
Description: Update to status of Load Balance Server due to success or failure of ICMP Probe packet. The log message specifies the server IP and status.
Format: %s %s , Load Balance Server %u.%u.%u.%u is %s.
Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} is ${status}

ID: 3000002F
Level: INFO
Area: Firewall / Packet Filter
Name: Feature not supported by feature key
Log Message Example: Feature key does not support the feature Policy based routing.
Description: The device feature key does not support the specified feature.
Format: Feature key does not support the feature %s.
Message Variables: No valid ${feature name} feature

ID: 3000012C
Level: ERROR
Area: Firewall / Packet Filter
Name: ARP spoofing attack
Log Message Example: ARP spoofing attack detected, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5
Description: Detected an ARP spoofing attack. The log message specifies the source IP address, MAC address, and incoming interface of the ARP packet.
Format: ARP spoofing attack detected, ip=%u.%u.%u.%u, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u
Message Variables: ARP spoofing attack detected, ip=${ip}, mac=${mac}, interface=${interface}

ID: 30000004
Level: INFO
Area: Firewall / Packet Filter
Name: Application Control feature expired
Log Message Example: The Application Control feature has expired.
Description: The feature key for your Application Control subscription has expired.
Format: The Application Control feature has expired.
Message Variables: –

ID: 30000005
Level: INFO
Area: Firewall / Packet Filter
Name: IPS feature expired
Log Message Example: The IPS feature has expired.
Description: The feature key for your Intrusion Prevention Services subscription has expired.
Format: The IPS feature has expired.
Message Variables: –

ID: 30000174
Level: INFO
Area: Firewall / Packet Filter
Name: SD-WAN failover/failback
Log Message Example: SD-WAN action test failed over from interface Bovpn-Vif to Optional-1.
Description: SD-WAN action failed over or failed back from one interface to another one.
Format: SD-WAN action %name %update from interface %prev to %new.
Message Variables: SD-WAN action ${name} ${update} from interface ${prev} to ${new}

ID: 30011001
Level: INFO
Area: Firewall / Packet Filter
Name: Temporarily blocking host
Log Message Example: Temporarily blocking host 198.13.111.226 (reason = autoblock by policy)
Description: The host is blocked temporarily.
Format: Temporarily blocking host %s (reason = %s)
Message Variables: Temporarily blocking host ${IP} (reason = ${reason string})

ID: 30011002
Level: INFO
Area: Firewall / Packet Filter
Name: Unblock host
Log Message Example: The Temporary Blocked Sites list is full (capacity=1000). The oldest entry 10.0.5.96 was removed.
Description: The host was unblocked because the Temporary Blocked Sites list is full.
Format: The Temporary Blocked Sites list is full (capacity=%d). The oldest entry %s was removed.
Message Variables: The Temporary Blocked Sites list is full (capacity=${limit}). The oldest entry ${IP} was removed.
Traffic
Firewall log messages of the Traffic log type.
ID Level Area Name Log Message Example Description Format Message Variables
30000148 INFO Firewall / Packet Filter
Normal traffic
Allow Firebox 0-External 52 tcp 20 127 10.0.1.2 206.190.60.138 62443 80 offset 8 S 832026162 win 8192 (HTTP-00)
Details of normal traffic either allowed or denied by the firewall policy specified in the log message.
%s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d(%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}] [${route_type}] ${policy_name}
30000149 INFO Firewall / Packet Filter
Application Control Traffic identified
Allow 1-Trusted 0-External 40 tcp 20 127 10.0.1.2 206.190.60.138 53008 80 offset 5 AF 3212213617 win 257 app_name="World Wide Web HTTP" cat_name="Network Protocols" app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2" sig_vers="18.123" msg="Application identified" (HTTP-00)
Application Control identified traffic for an application.
%s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" sig_vers=\"%s\" msg=\"%s\" (%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} sig_vers=${sig_vers} msg=${msg} [${route_type}] ${policy_name}
30000150 INFO Firewall / Packet Filter
IPS Traffic detected
Deny 1-Trusted 0-External 1440 tcp 20 61 10.0.1.2 192.168.130.126 55810 80 offset 5 A 447868619 win 54 signature_name="EXPLOIT Apple QuickTime FLIC Animation file buffer overflow -1-2" signature_cat="Misc" signature_id="1112464" severity="4" sig_vers="18.124" msg="IPS detected" (HTTP-00)
IPS detected traffic that matches an IPS signature.
%s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d signature_name=\"%s\" signature_cat=\"%s\" signature_id=\"%s\" severity=\"%d\" sig_vers=\"%s\" msg=\"%s\" (%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity} sig_vers=${sig_vers} msg=${msg} [${route_type}] ${policy_name}
30000151 INFO Firewall / Packet Filter
Traffic connection terminated
Allow 1-Trusted 0-External tcp 10.0.1.2 220.181.90.2453018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)
Record for a terminated connection
%s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" duration=\"%d\" sent_bytes=\"%d\" rcvd_bytes=\"%d\" (%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes} ${policy_name}
30000173 INFO Firewall / Packet Filter
Hostile traffic
Deny 0-External Firebox 52 tcp 20 127 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)
Details of hostile traffic denied by the firewall internal policy.
%s %s %s %d%s %d%s %s %d%d offset %d%s %d%s%d(%s)
${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]
Networking Log Messages
Networking log messages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP server requests, FireCluster management, link monitoring, and wireless connections.
Diagnostic
Networking log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
09000001 ERROR Networking / PPPoE
Duplicate PPPoE Instance Error
Another instance of PPPoE is running
Another instance of the PPPoE process is already active in the system.
Another instance of PPPoE is running
–
09000002 ERROR Networking / PPPoE
Invalid PPPoE automatic restart settings
PPPoE automatic restart settings are invalid, automatic restart will not be used
Automatic restart of PPPoE is disabled due to invalid settings.
PPPoE automatic restart settings are invalid, automatic restart will not be used
–
09000006 INFO Networking / PPPoE
Initiate PPPoE automatic restart
Initiating PPPoE automatic restart
PPPoE instance will restart automatically.
Initiating PPPoE automatic restart
–
09000007 WARN Networking / PPPoE
Skip PPPoE automatic restart
Skipped PPPoE automatic restart because the link was not up
PPPoE instance will not restart automatically due to no link.
Skipped PPPoE automatic restart because the link was not up
–
31000003 INFO Networking / Network Management
Initiate gratuitous ARP
Initiating GARP for eth0
Initiate gratuitous ARP for the specified interface.
Initiating GARP for %s
Initiating GARP for ${dev_name}
31000004 INFO Networking / Network Management
Initiate gratuitous ARP
Initiating GARP for all interfaces
Initiate gratuitous ARP for all the interfaces.
Initiating GARP for all interfaces
–
3100000F INFO Networking / Network Management
Add bridge interface
Adding bridge tbr0
Add bridge interface in bridge mode.
Adding bridge %s
Adding bridge ${dev_name}
31000030 INFO Networking / Network Management
Send interface logical link status event
[eth0] Sending interface status event, logical=up link=up ip=10.0.0.1 mask=255.255.255.0
Interface status event is sent for logical link status change.
[%s] Sending interface status event%s, logical=%s link=%s ip=%u.%u.%u.%u mask=%u.%u.%u.%u
[${dev_name}] Sending interface status event, logical=${logical} link=${link} ip=${ip} mask=${mask}
31000031 INFO Networking / Network Management
Send interface link status event
[eth0] Sending interface status event for link up
Interface status event is sent for link change.
[%s] Sending interface status event%s for link %s
[${dev_name}] Sending interface status event for link ${link}
31000034 INFO Networking / Network Management
A change was made to the IP address of the external interface
[eth0 (External)] External Interface set IP address
Handle IP address for the specified external interface.
[%s (%s)] External Interface %s IP address
[${dev_name} (${if_name})] External Interface ${operation} IP address
31000035 ERROR Networking / Network Management
Ignore unknown address operation
[eth0 (External)] Ignoring unknown address operation sss
Ignore unknown address operation on the specified interface.
[%s (%s)] Ignoring unknown address operation %s
[${dev_name} (${if_name})] Ignoring unknown address operation ${operation}
31000036 INFO Networking / Network Management
Layer 2 traffic gate is closed
[Cluster] The traffic gate of layer2 is closed due to cluster role backup
Layer 2 traffic gate is closed due to the specified reason.
[Cluster] The traffic gate of layer2 is closed due to cluster role %s
[Cluster] The traffic gate of layer2 is closed due to cluster role ${role}
31000037 INFO Networking / Network Management
Layer 2 traffic gate is opened
[Cluster] The traffic gate of layer2 is opened due to cluster role master
Layer 2 traffic gate is opened due to the specified reason.
[Cluster] The traffic gate of layer2 is opened due to cluster role %s
[Cluster] The traffic gate of layer2 is opened due to cluster role ${role}
31000038 INFO Networking / Network Management
Traffic signal changed
[Cluster] Traffic signal become green
Traffic signal is changed to the specified status.
[Cluster] Traffic signal become %s
[Cluster] Traffic signal become ${status}
3100003D INFO Networking / Network Management
Update ARP rules
[Cluster] Update arp rules for cluster role backup
Update ARP rules for the specified cluster role.
[Cluster] Update arp rules for cluster role %s
[Cluster] Update arp rules for cluster role ${role}
3100004F INFO Networking / Network Management
Fix up multipath gateways
[ECMP] Fix up 2 multipath gateway successfully
Fix up multipath gateways of the specified number successfully.
[ECMP] Fix up %d multipath gateway successfully
[ECMP] Fix up ${num} multipath gateway successfully
31000050 INFO Networking / Network Management
Starting wireless AP
Starting wireless AP ath1
Starting specified wireless AP.
Starting wireless AP %s
–
31000051 INFO Networking / Network Management
Stopping wireless AP
Stopping wireless AP ath1
Stopping the specified wireless Access Point.
Stopping wireless AP %s
–
31000057 INFO Networking / Network Management
Start processing configuration
Starts processing a configuration setting
Started to process configuration settings.
Starts processing a configuration setting
–
31000058 INFO Networking / Network Management
Update bridge mode settings
Updating global bridge mode setting
Update global bridge mode settings.
Updating global bridge mode setting
–
31000059 INFO Networking / Network Management
Update drop-in mode settings
Updating global drop-in mode setting
Update global drop-in mode settings.
Updating global drop-in mode setting
–
3100005A INFO Networking / Network Management
Update wireless settings
Updating wireless setting
Update wireless settings
Updating wireless setting
–
3100005B INFO Networking / Network Management
Update secondary IP settings
Updating Trust-1 secondary IP(s) setting
Update secondary IP address settings for the specified interface.
Updating %s secondary IP(s) setting
Updating ${if_name} secondary IP(s) setting
3100005C INFO Networking / Network Management
Update route settings
Updating route setting
Update route settings.
Updating route setting
–
3100005D INFO Networking / Network Management
Update 1to1 NAT settings
Updating 1to1 NAT setting
Update 1-to-1 NAT settings.
Updating 1to1 NAT setting
–
3100005E INFO Networking / Network Management
Update DNS settings
Updating DNS setting
Update DNS settings.
Updating DNS setting
–
31000070 INFO Networking / Network Management
Clean up stale connections
[Cluster] Clean up stale IP connections with expired address 192.168.1.22 for PPPoE interface eth0
Clean up stale connections for the expired IP address on dynamic interface.
[Cluster] Clean up stale IP connections with expired address %s for %s interface %s
[Cluster] Clean up stale IP connections with expired address ${ip} for dynamic interface ${dev_name}
31000075 ERROR Networking / Network Management
DNSWatch servers should not be in use
DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.
DNSWatch servers should not be in use but the Firebox does not have an alternative DNS server it can use.
DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.
–
31130001 ERROR Networking / Network Management
Capture stopped
Capture stopped, insufficient space
Capture stopped due to the specified reason.
Capture stopped, %s
Capture stopped, ${reason}
45000001 ERROR Networking / Modem
Duplicate modem instance running
Another instance of Modem is running
System loaded Modem process, but another instance is already active.
Another instance of Modem is running
–
5A000001 INFO Networking / Dynamic DNS
Response from Dynamic DNS server
Response from server: update succeeded with no change, abusive warning (1)
Receive the specified response from the dynamic DNS server.
Response from server: %s (%d)
Response from server: ${response} (${ret_code})
5A000002 INFO Networking / Dynamic DNS
Dynamic DNS Domain Name Resolved
Resolved domain members.dyndns.org to 204.13.248.111
Dynamic DNS server domain name successfully resolved to an IP address.
Resolved domain %s to %s
Resolved domain ${domain} to ${ip}
5A000003 INFO Networking / Dynamic DNS
Connected to the server
Connected to: members.dyndns.org / 204.13.248.111
Connected to the specified dynamic DNS server.
Connected to: %s / %s
Connected to: ${server_name} / ${server_ip}
5A000004 INFO Networking / Dynamic DNS
Connecting to the server
Connecting to: members.dyndns.com / 204.13.248.111
Connecting to the specified dynamic DNS server.
Connecting to: %s / %s
Connecting to: ${server_name} / ${server_ip}
5A000005 INFO Networking / Dynamic DNS
Activate dynamic DNS
Activating DynDNS on interface: External
Activate dynamic DNS on the specified interface.
Activating DynDNS on interface: %s
Activating DynDNS on interface: ${if_name}
5A000006 DEBUG Networking / Dynamic DNS
Received reply from the server
Received reply: HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 17:14:57 GMT Server: Apache Content-Type: text/plain Connection: close good 192.168.53.88
Received the specified reply from the dynamic DNS server.
Received reply: %s
Received reply: ${reply}
5A000007 ERROR Networking / Dynamic DNS
Unable to resolve domain name
Could not resolve server: members.dyndns.org
Could not resolve domain for dynamic DNS server.
Could not resolve server: %s
Could not resolve server: ${server}
5A000008 ERROR Networking / Dynamic DNS
Failed to connect to the server
Could not connect to members.dyndns.org / 204.13.248.111, connection refused
Could not connect to the dynamic DNS server due to specified reason.
Could not connect to %s / %s, %m
Could not connect to ${server_name} / ${server_ip}, ${reason}
5A000009 ERROR Networking / Dynamic DNS
Unable to connect to server
Unable to connect to server: members.dyndns.org / 204.13.248.111
Unable to connect to the specified dynamic DNS server.
Unable to connect to server: %s / %s
Unable to connect to server: ${server_name} / ${server_ip}
5A00000A ERROR Networking / Dynamic DNS
No response from server
No response from server members.dyndns.org / 204.13.248.111
Not able to get response from specified dynamic DNS server.
No response from server %s / %s
No response from server ${server_name} / ${server_ip}
5A00000B ERROR Networking / Dynamic DNS
Invalid response from server
Invalid response from server (-2)
The dynamic DNS server returned an invalid response code. The log message specifies that code.
Invalid response from server (%d)
Invalid response from server (${ret_code})
5A00000C INFO Networking / Dynamic DNS
The time for next update
Next update is on Tue, 27 Nov 2012 17:14:57
The log message specifies the next update time for dynamic DNS.
Next update is on %s
Next update is on ${time}
5A00000D DEBUG Networking / Dynamic DNS
Send update request
Sending update request (138 bytes): GET /nic/update?system=dyndns
Sending dynamic DNS update request. The log message specifies the size and content of the request.
Sending update request (%zu bytes): %s
Sending update request (${size} bytes): ${content}
56000001 INFO Networking / Dynamic Routing
Update IPv4 Dynamic Routes
Sync add an IPv4 dynamic route (10.0.1.2/24 gw 10.0.1.254 ifindex 1 metric 10)
Updated an IPv4 dynamic route. The log message specifies the route that is changed.
%s %s an IPv4 dynamic route (%s/%d gw %s ifindex %d metric %d)
${event} ${action} an IPv4 dynamic route (${ip}/${mask} gw ${gw} ifindex ${ifindex} metric ${metric}
56010002 ERROR Networking / Dynamic Routing
Failed to retrieve license
Failed to retrieve active license features
Failed to retrieve license features for dynamic routing.
Failed to retrieve active license features
–
56010003 ERROR Networking / Dynamic Routing
Failed to parse license
Failed to parse the active license features
Failed to parse license features for dynamic routing.
Failed to parse the active license features
–
56010004 ERROR Networking / Dynamic Routing
Not able to get license
Could not get license for dynamic routing features
Not able to get license for dynamic routing features.
Could not get license for dynamic routing features
–
56020001 DEBUG Networking / Dynamic Routing
Received interface event
Received interface status event
Received an interface status event.
Received interface status event
–
56020002 DEBUG Networking / Dynamic Routing
Received cluster event
Received cluster ready event
Received cluster ready event.
Received cluster ready event
–
56020003 DEBUG Networking / Dynamic Routing
Received cluster event
Received cluster role change event
Received cluster role change event.
Received cluster role change event
–
56020004 DEBUG Networking / Dynamic Routing
Received license event
Received License Update event
Received a license update event.
Received License Update event
–
56020005 ERROR Networking / Dynamic Routing
RCS unresponsive
RCS(10.10.10.10) is unresponsive, and is considered stopped
The RCS at the specified IP address has become unresponsive
RCS(%s) is unresponsive, and is considered stopped
RCS(${ip}) is unresponsive, and is considered stopped
56020006 INFO Networking / Dynamic Routing
Not able to forward request to RCS
Could not forward request to RCS, not connected
Not able to forward request to RCS due to no connection.
Could not forward request to RCS, not connected
–
56030001 ERROR Networking / Dynamic Routing
–
Configuration error detected in ripd.conf, line 12: 'network 192.168.53.0/24 area 0'
An error was detected in the configuration. The log message specifies the line number of the error.
Configuration error detected in %s, line %d: '%s'
Configuration error detected in ${config}, line ${lineno}: '${line}'
56040001 ERROR Networking / Dynamic Routing
Not able to connect to RCS
Could not connect to RCS, 10.0.1.10
Not able to connect to RCS with the specified IP address.
Could not connect to RCS, %s
Could not connect to RCS, ${ip}
56040002 ERROR Networking / Dynamic Routing
Connection to RCS closed
Connection to RCS was closed
Connection to RCS closed.
Connection to RCS was closed
–
Event
Networking log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
09000004 ERROR Networking / PPPoE
Authentication failure
PPPoE authentication failed
The Firebox or XTM device failed to authenticate for PPPoE.
PPPoE authentication failed
–
09000005 ERROR Networking / PPPoE
PPPoE stopped
PPPoE stopped unexpectedly (unknown error)
PPPoE stopped unexpectedly due to an unknown error.
PPPoE stopped unexpectedly (unknown error)
–
09000008 INFO Networking / PPPoE
Enforce static IP address
[eth2 (External)] Enforced PPPoE static IP address: 192.168.3.48 is replaced with 192.168.3.29
Replaced the assigned PPPoE IP address with the configured static IP address. The assigned IP address is retained as a secondary IP address for the interface.
[%s (%s)] Enforced PPPoE static IP address: %s is replaced with %s
[${dev_name} (${if_name})] Enforced PPPoE static IP address: ${nego_ip} is replaced with ${static_ip}
09000009 INFO Networking / PPPoE
Session established
[eth0 (External)] PPPoE session[11] is established, acquired IP address 192.168.3.48, peer 192.168.3.254
The specified interface established a PPPoE session. The log message also specifies the session ID, acquired IP address, and peer IP address.
[%s (%s)] PPPoE session[%d] is established, acquired IP address %s, peer %s
[${physical_name} (${ifname})] PPPoE session[${session_id}] is established, acquired IP address ${ipaddr}, peer ${peer_addr}
0900000A INFO Networking / PPPoE
Disconnect
[eth0 (External)] PPPoE session[11] is disconnected.
The PPPoE session for the specified interface is disconnected.
[%s (%s)] PPPoE session[%d] is disconnected.
–
16000001 ERROR Networking / DHCP Server
DHCP discover
DHCPDISCOVER from 00:50:04:ce:c6:3d via eth1: network 192.168.111.0/24: no free leases
Received DHCP discover from the client, but there are no free leases available.
%s
–
16000002 INFO Networking / DHCP Server
DHCP offer
DHCPOFFER on 192.168.111.20 to 84:2b:2b:a6:02:3f (client) via eth1
The DHCP server offered an IP address to the specified client device.
%s
–
16000003 INFO Networking / DHCP Server
DHCP request
DHCPREQUEST for 192.168.111.20 from 84:2b:2b:a6:02:3f (client) via eth1
Received DHCP request for specified IP address from the specified client.
%s
–
31000009 INFO Networking / Network Management
Interface initializing
[eth1 (Trusted)] Interface initializing
Initializing the specified interface.
[%s (%s)] Interface initializing
[${dev_name} (${if_name})] Interface initializing
3100000A INFO Networking / Network Management
Interface shutting down
[eth1 (Trusted)] Interface shutting down
Shutting down the specified interface.
[%s (%s)] Interface shutting down
[${dev_name} (${if_name})] Interface shutting down
3100000B INFO Networking / Network Management
Multi-WAN interface activated.
[eth1 (Trusted)] Interface is activated as link state becomes UP.
Interface is activated as link state becomes UP. The log message specifies the interface.
[%s (%s)] Interface is activated as link state becomes UP.
–
3100000D WARN Networking / Network Management
Multi-WAN interface deactivated
[eth1 (Trusted)] Interface is deactivated as link state becomes DOWN.
Interface is deactivated as link state becomes DOWN. The log message specifies the interface.
[%s (%s)] Interface is deactivated as link state becomes DOWN.
–
31000010 ERROR Networking / Network Management
Failed to add bridge
Failed to add bridge tbr0 VLAN ID 1
Failed to add bridge
Failed to add bridge %s VLAN ID %d
–
31000029 ERROR Networking / Network Management
Failed to add interface IP address
[eth1 (Trusted)] Failed to add address 198.51.100.0
Failed to add the specified IP address to the specified interface.
[%s (%s)] Failed to %s address %s
–
3100002B ERROR Networking / Network Management
Interface is disabled
[eth1 (Trusted)] Interface is disabled because it does not exist
Specified interface does not exist. The interface status is set to disabled.
[%s (%s)] Interface is disabled because it does not exist
[${dev_name} (${if_name})] Interface is disabled because it does not exist
3100002C WARN Networking / Network Management
Interface link status changed
[eth1 (Trusted)] Interface link status changed to UP
The interface link status has changed. The log message specifies the new status.
[%s (%s)] Interface link status changed to %s
–
31000039 INFO Networking / Network Management
Cluster management interface change
[Cluster] Management interface setting is changed: interface from eth1 to eth2, IPv4 address from 10.0.1.3 to 10.0.2.3, IPv4 mask from 24 to 24, IPv6 CIDR from 2000::1/64 to 2001::2/64
The configuration for the cluster management interface changed. The log message specifies changes to the interface, IP address, mask and IPv6 address.
[Cluster] Management interface setting is changed: interface from %s to %s, IPv4 address from %u.%u.%u.%u to %u.%u.%u.%u IPv4 mask from %d to %d IPv6 CIDR from %s to %s%s
[Cluster] Management interface setting is changed: interface from ${pre_if} to ${new_if}, IPv4 address from ${pre_ip} to ${new_ip} IPv4 mask from ${pre_mask} to ${new_mask} IPv6 CIDR from ${pre_ipv6} to %{new_ipv6}%s
3100003A WARN Networking / Network Management
Cluster is enabled
Cluster is enabled and is forming
Cluster is enabled and is forming.
Cluster is enabled and is forming
–
3100003B WARN Networking / Network Management
Cluster setting changed to disabled
Cluster setting changed from enabled to disabled
The cluster setting was changed from enabled to disabled.
Cluster setting changed from enabled to disabled
–
3100003E INFO Networking / Network Management
Cluster A/P role changed
[Cluster] Cluster A/P role successfully changed from master to idle.
The role of this device in the active/passive (A/P) cluster changed. The log message specifies the old and new roles.
[Cluster] Cluster A/P role successfully changed from %s to %s.
–
3100003F INFO Networking / Network Management
Cluster A/A role changed
[Cluster] Cluster A/A role successfully changed from master to idle.
The Cluster active/active (A/A) role changed. The log message specifies the old and new roles.
[Cluster] Cluster A/A role successfully changed from %s to %s.
–
31000046 INFO Networking / Network Management
Activating external interface
[eth0 (External)] Activating external interface
Activating specified external interface.
[%s (%s)] Activating external interface
[${dev_name} (${if_name})] Activating external interface
31000047 INFO Networking / Network Management
Deactivating external interface
[eth0 (External)] Deactivating external interface
Deactivating the specified external interface.
[%s (%s)] Deactivating external interface
[${dev_name} (${if_name})] Deactivating external interface
31000052 INFO Networking / Network Management
Starting wireless AP service
Starting wireless AP service
Starting wireless AP service.
Starting wireless AP service
–
31000054 INFO Networking / Network Management
Detect rogue wireless AP
Starting the scan for rogue wireless AP detection
Starting rogue wireless AP detection scan.
Starting the scan for rogue wireless AP detection
–
31000055 INFO Networking / Network Management
Stop detecting rogue wireless AP
Stopping the scan for rogue wireless AP detection
Stopping rogue wireless AP detection scan.
Stopping the scan for rogue wireless AP detection
–
31000056 INFO Networking / Network Management
Restart detecting rogue wireless AP
Restart the scan for rogue wireless AP detection
Restart rogue wireless AP detection scan.
Restart the scan for rogue wireless AP detection
–
31000069 INFO Networking / Network Management
IPv6 interface activated.
[eth0 (External)] IPv6 interface is activated.
An IPv6 interface was activated. The log message specifies the interface.
[%s (%s)] IPv6 interface is activated.
–
3100006A WARN Networking / Network Management
IPv6 interface deactivated.
[eth0 (External)] IPv6 interface is deactivated.
IPv6 interface was deactivated. The log message specifies the interface.
[%s (%s)] IPv6 interface is deactivated.
–
3100006C INFO Networking / Network Management
IPv6 interface shutting down
[eth0 (External)] IPv6 interface shutting down
Shutting down specified IPv6 interface.
[%s (%s)] IPv6 interface shutting down
[${dev_name} (${if_name})] IPv6 interface shutting down
3100006D INFO Networking / Network Management
IPv6 interface initializing
[eth0 (External)] IPv6 interface initializing
Initializing specified IPv6 interface.
[%s (%s)] IPv6 interface initializing
[${dev_name} (${if_name})] IPv6 interface initializing
31000071 INFO Networking / Network Management
PPPoE IP address change during cluster failover
[eth0 (External)] PPPoE IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23
The cluster completed a failover. During the failover, the PPPoE IP address changed.
[%s (%s)] PPPoE IP address changed during cluster failover, from %s to %s
[${dev_name} (${if_name})] PPPoE IP address changes during cluster failover, from ${pre_ip} to ${new_ip}
31000072 INFO Networking / Network Management
No change for PPPoE IP address during cluster failover
[eth0 (External)] PPPoE IP address 192.168.1.22 did not change during cluster failover
PPPoE IP address did not change during cluster failover.
[%s (%s)] PPPoE IP address %u.%u.%u.%u did not change during cluster failover
–
31000073 INFO Networking / Network Management
DHCP IP address change during cluster failover
[eth0 (External)] DHCP IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23
The cluster completed a failover. During the failover, the DHCP IP address changed.
[%s (%s)] DHCP IP address changed during cluster failover, from %s to %s
[${dev_name} (${if_name})] DHCP IP address changes during cluster failover, from ${pre_ip} to ${new_ip}
31000074 INFO Networking / Network Management
No change for DHCP IP address during cluster failover
[eth0 (External)] DHCP IP address 192.168.1.22 did not change during cluster failover
DHCP IP address did not change during cluster failover.
[%s (%s)] DHCP IP address %u.%u.%u.%u did not change during cluster failover
–
45000003 INFO Networking / Modem
Modem disconnected
modem0 disconnected
Specified modem is disconnected.
%s disconnected
–
45000004 ERROR Networking / Modem
Modem authentication failed
Modem authentication failed, check your modem configuration
Modem authentication failed.
Modem authentication failed, check your modem configuration
–
49000001 ERROR Networking / Link Monitoring
Multi-WAN Domain Name Resolution Failed
[Link Monitor] External unable to resolve domain name www.example.com
Specified interface failed to resolve specified domain name for ping or TCP test for failover.
[Link Monitor] %s unable to resolve domain name %s
–
49000002 WARN Networking / Link Monitoring
Multi-Wan Probe Failed
[Link Monitor] No response received on External from TCP host 192.168.1.218 port 9999
Specified interface did not receive a response to Probe for failover.
[Link Monitor] No response received on %s from %s
[Link Monitor] No response received on ${if_name} from ${target}
49000003 ERROR Networking / Link Monitoring
Probe failure
[Link Monitor] External interface failed because a probe to the target host failed
Specified interface marked as Failed due to no response from ping or TCP host.
[Link Monitor] %s interface failed because a probe to the target host failed
–
68000001 INFO Networking / Discovery
Network scan completed
On demand scan completed
Specified type of scan completed
%s scan completed
${scan_type} scan completed
68000002 INFO Networking / Discovery
Network scan started
On demand scan - stage 2 started
Specified type and stage of scan started
%s scan%s started
${scan_type} scan${scan_stage} started
68000003 INFO Networking / Discovery
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
56000002 INFO Networking / Dynamic Routing
Cluster role failed over to backup
Failed over from master to backup
Cluster role failed over from master to backup
Failed over from master to backup
–
56000003 INFO Networking /Dynamic Routing
Cluster role failed over to master Failed over from backup tomaster
Cluster rolefailed overfrom backuptomaster
Failed overfrom backup tomaster
–
56010001 WARN Networking /Dynamic Routing
No valid feature key Invalid or missing featurekey for dynamic routingprotocol OSPF
No validfeature key forthe specifieddynamicroutingprotocol.
Invalid ormissing featurekey fordynamicrouting protocol%s
–
56010005 INFO Networking / Dynamic Routing
License status
License for dynamic routing protocol BGP is valid
Specifies the license status for a dynamic routing protocol.
License for dynamic routing protocol %s is %s
License for dynamic routing protocol ${proto} is ${status}
54000001 INFO Networking / Rogue Access Point Detection
Scan=%u-%llu started
Scan=0-34 started
Scan started
Scan started, it will last about 30 seconds, wireless traffic will be interrupted in the meantime
–
54000002 INFO Networking / Rogue Access Point Detection
Scan=%u-%llu ended %zd %zd
Scan=0-34 ended 0 0
Scan ended %zd %zd
Scan ended [Rogue AP Count] [Trusted AP Count]
–
54000003 WARN Networking / Rogue Access Point Detection
Scan=%u-%llu detected RogueAP with %s
Scan=0-34 detected RogueAP with mac_address='00:90:0b:1b:34:30'
Detected Rogue AP
Scan detected Rogue AP, this AP is not in the list of 'Trusted Access Point Configuration'
–
54000004 INFO Networking / Rogue Access Point Detection
Scan=%u-%llu detected TrustedAP with %s
Scan=0-34 detected TrustedAP with mac_address='00:90:0b:1b:35:40'
Detected Trusted AP
Scan detected Trusted AP, this AP is in the list of 'Trusted Access Point Configuration'
–
Proxy Policy Log Messages
Proxy policy log messages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, Subscription Services, and Security Services. For information about log messages from Security Services processes, see Security Services Log Messages on page 120.
Event
Proxy Policy log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
0F000001 INFO Proxy / Connection Framework Manager
HTTPS content inspection list imported
HTTPS content inspection exception list imported
When a pre-defined HTTPS exception list is imported, this event log is generated to inform the user.
HTTPS content inspection exception list imported
–
0F010015 WARN Proxy / Connection Framework Manager
APT threat notified
APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'
When the APT server analysis result is returned and identifies a threat of a certain level, this event log is generated to report that the APT notification has been sent with detailed information.
APT threat notified. Details='%s'
–
0F010016 INFO Proxy / Connection Framework Manager
Safe APT Analysis result
APT safe result from file submission. Details='Policy Name: HTTP-OUT-00 Reason: clean Message: APT safe object Task_UUID: 7a1e1500e92a410fa44d907f96b9209e MD5: d2723ba60dc88ec1ea449be9eee601cc Source IP: 10.0.1.2 Source Port: 50293 Destination IP: 100.100.100.3 Destination Port: 80 Proxy Type: HTTP Proxy Host: 100.100.100.3 Path: /test.exe'
When the APT Blocker server returns a clean analysis result, this event log contains information about the scanned file.
APT safe result from file submission. Details='%s'
–
1B0400CE ERROR Proxy / SMTP
Ruleset lookup failed
Ruleset 'envelope/greeting' lookup failed
SMTP proxy -- Failed to check the specified ruleset
Ruleset '%s' lookup failed
–
1C0200CD ERROR Proxy / FTP
Ruleset lookup failed
Cannot get the rule from ruleset 'request/download'
FTP proxy -- Failed to check the specified ruleset
Cannot get the rule from ruleset '%s'
–
1F000001 ERROR Security Services / Gateway Anti-Virus
Process failed to start
Cannot start ScanD
ScanD -- Process failed to start
Cannot start ScanD
–
1F010015 INFO Security Services / Gateway Anti-Virus
Ready for service
ScanD ready
ScanD -- Ready for service
ScanD ready
–
23000001 ERROR Security Services / spamBlocker
Failed to start
Cannot start spamD
spamD -- Failed to start
Cannot start spamD
–
23000002 INFO Security Services / spamBlocker
Ready for service
spamD ready
spamD -- Ready for service
spamD ready
–
2E000005 ERROR Security Services / Signature Update
Process exiting
SIGD shutting down
SIGD -- Process exiting
SIGD shutting down
–
2E000006 ERROR Security Services / Signature Update
Process crashed
SIGD crashed
SIGD -- Process crashed
SIGD crashed
–
2E010017 WARN Security Services / Signature Update
License failed to load
Cannot load the license
SIGD -- License failed to load
Cannot load the license
–
2E010018 ERROR Security Services / Signature Update
Failed to start the signature update for the specified services
Cannot start the signature update for 'IPS'
SIGD -- Failed to start the signature update for the specified services
Cannot start the signature update for '%s'
–
2E010019 ERROR Security Services / Signature Update
Failed to check the available signature version on the server
Cannot complete the version check
SIGD -- Failed to check the available signature version on the server
Cannot complete the version check
–
2E01001A ERROR Security Services / Signature Update
Signature update process failed to start
Cannot start the signature update process
SIGD -- Signature update process failed to start
Cannot start the signature update process
–
2E01001B ERROR Security Services / Signature Update
Signature update process crashed
SIGD Worker crashed
SIGD -- Signature update process crashed
SIGD Worker crashed
–
2E020065 INFO Security Services / Signature Update
Signature update process started
Scheduled DLP update started
SIGD -- Signature update process started
%s %s update started
–
2E020066 INFO Security Services / Signature Update
Signature update process completed
Scheduled DLP update for version (4.94) completed
SIGD -- Signature update process completed
%s %s update for version (%s) completed
–
2E020067 ERROR Security Services / Signature Update
Signature update process for the specified version failed
Manual DLP update for version (4.94) failed (Valid feature key not available)
SIGD -- Signature update process for the specified version failed
%s %s update for version (%s) failed (%s)
–
2E020069 INFO Security Services / Signature Update
Device has the latest signature version for the specified service
Device already has the latest DLP signature version (4.94)
SIGD -- Device has the latest signature version for specified service
Device already has the latest %s signature version (%s)
–
Traffic
Proxy Policy log messages of the Traffic log type.
ID Level Area Name Log Message Example Description Format Message Variables
1AFF0001 INFO Proxy / HTTP
Session timeout with server idle
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)
The HTTP session has timed out because no traffic has been received from the server for the specified amount of time. (Default: 10 minutes)
HTTP server response timeout
–
1AFF0002 INFO Proxy / HTTP
Session timeout with client idle
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80 msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)
The HTTP session has timed out because no traffic has been received from the client for the specified amount of time. (Default: 10 minutes)
HTTP client request timeout
–
1AFF0003 INFO Proxy / HTTP
Session timeout with close complete command timeout
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80 msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)
The Close HTTP Session command timed out because no response to the FIN packet was received within the response time limit (3 minutes).
HTTP close complete timeout
–
1AFF0004 INFO Proxy / HTTP
Oversize Start-Line
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80 msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)
The first line of the client request or server response is longer than the configured maximum line length. The default maximum length is 4,096 bytes.
HTTP Start-Line oversize
–
1AFF0005 INFO Proxy / HTTP
Invalid Request-Line format
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80 msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)
The request line from the client does not match the standard format of [Method][SP][Request-URI][SP][HTTP/Version]. The incorrect status-line is specified in the log message.
HTTP Invalid Request-Line Format
–
1AFF0006 INFO Proxy / HTTP
Invalid Status-Line format
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80 msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
The status line from the server does not match the standard format of [HTTP/Version][SP][Status Code][SP][Reason]. The incorrect status-line is specified in the log message.
HTTP invalid Status-Line format
–
1AFF0007 INFO Proxy / HTTP
Header line oversize
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80 msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4" line="X-Frame-Options: " (HTTP-proxy-00)
A single client request or server response line is longer than the configured maximum line length. The default maximum length is 4,096 bytes.
HTTP header line oversize
–
1AFF0008 INFO Proxy / HTTP
Header block oversize
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)
The client request or server response header block length is longer than the configured limit. If maximum total length is enabled, the default limit is 16,384 bytes.
HTTP header block oversize
–
1AFF0009 INFO Proxy / HTTP
header block parse error
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: header block parse error" (HTTP-proxy-00)
The HTTP proxy cannot process the header line because the format is incorrect. The required format is [Name]:[Value].
HTTP header block parse error
–
1AFF000A INFO Proxy / HTTP
Request missing URL path
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: HTTP request URL path missing" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 18:50:51 GMT\x0d\x0a"
The HTTP proxy cannot complete the URL because the host or URI value is missing. The HTTP request is denied.
HTTP request URL path missing
–
1AFF000B INFO Proxy / HTTP
Request URL match
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80 msg="ProxyAllow: HTTP request URL match" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com" arg="/pagead/osd.js" (HTTP-proxy-00)
The requested URL matched a configured URL path in the HTTP proxy. By default, all URL paths are allowed.
HTTP request URL match
–
1AFF000C INFO Proxy / HTTP
Chunk size line oversize
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80 msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
The HTTP chunk size line does not terminate correctly with a carriage return and line-feed (CRLF). The invalid line is specified in the log message.
HTTP chunk size line oversize
–
1AFF000D INFO Proxy / HTTP
Chunk size line invalid
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80 msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2" line="k7\x0d\x0a" (HTTP-proxy-00)
The HTTP chunk size line has an invalid hexadecimal value. The invalid line is specified in the log message.
HTTP chunk size invalid
–
1AFF000E INFO Proxy / HTTP
Chunk no CRLF tail
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1" line="This string missing the Carriage Return in the terminating CF-LF pair\x0a" (HTTP-proxy-00)
The HTTP chunk does not close with a carriage return and line feed (CRLF) because the chunk block is missing the closing characters. This is required for each chunk when chunked transfer-encoding is in use. The log message includes the invalid chunk tail line.
HTTP chunk CRLF tail missing
–
1AFF000F INFO Proxy / HTTP
Footer line oversize
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80 msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
One line of the HTTP footer, an additional header sent at the end of a message, is larger than the configured line limit. The default line limit is 4,096 bytes.
HTTP footer line oversize
–
1AFF0010 INFO Proxy / HTTP
Footer block oversize
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80 msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
The HTTP footer includes additional header information that is larger than the configured block limit size. The default total message limit, if enabled, is 16,384 bytes. The log message includes information about the invalid line.
HTTP footer block oversize
–
1AFF0011 INFO Proxy / HTTP
Footer block parse error
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80 msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)
The HTTP footer includes an additional header field with syntax that violates the header format restrictions.
HTTP footer block parse error
–
1AFF0012 INFO Proxy / HTTP
Body content type match
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80 msg="ProxyAllow: HTTP Body Content Type match" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)
The HTTP content either matches a configured Body Content Type or no Body Content Type is defined (only the default rule is in use).
HTTP Body Content Type match
–
1AFF0013 INFO Proxy / HTTP
Header content malformed
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80 msg="ProxyStrip: HTTP header malformed" proxy_act="393296" header="WWW-Authenticate:\x0d\x0a"
The HTTP header line does not follow the correct syntax for a client request or server response header. The log message contains the header line with the syntax error.
HTTP header malformed
–
1AFF0016 INFO Proxy / HTTP
Header Transfer-Encoding match
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80 msg="ProxyAllow: HTTP header Transfer-Encoding match" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)
The Transfer-Encoding in the HTTP header matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.
HTTP header transfer encoding match
–
1AFF0018 INFO Proxy / HTTP
Header content type match
Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80 msg="ProxyAllow: HTTP header Content Type match" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)
The HTTP header Content Type matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.
HTTP header Content Type match
–
1AFF0019 INFO Proxy / HTTP
Request version match
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80 msg="ProxyDeny: HTTP request version match" proxy_act="HTTP-Client.2" rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)
The HTTP version specified in the HTTP request line matches a configured rule, or the default rule of no match. The log specifies the matched rule name and the request line.
HTTP request version match
–
1AFF001A INFO Proxy / HTTP
Request method match
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP request method match" proxy_act="HTTP-Client.1" rule_name="GET" method="GET" (HTTP-proxy-00)
The HTTP request method specified in the Request-Line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and the method.
HTTP request method match
–
1AFF001B INFO Proxy / HTTP
Header match
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)
The HTTP header line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and header line.
HTTP header match
–
1AFF001C INFO Proxy / HTTP
Header cookie domain match
Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80 msg="ProxyDeny: HTTP header cookie domain match" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)
The cookie domain header matches a configured rule, or the default rule of no match. The log message includes the matched rule name and the cookie domain.
HTTP header cookie domain match
–
1AFF001D INFO Proxy / HTTP
Request host missing
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)
The HTTP request header is missing the host value.
HTTP request host missing
–
1AFF001E INFO Proxy / HTTP
Header authentication scheme match
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80 msg="ProxyAllow: HTTP Header auth scheme match" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)
The authentication scheme in the HTTP header server response matches one of the configured rules, or the default rule of no match. The log message specifies the matched rule name and the authentication scheme.
HTTP header auth scheme match
–
1AFF001F INFO Proxy / HTTP
Request method not supported
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)
The HTTP request method does not match a configured rule. The log message specifies the method in use.
HTTP request method unsupported
–
1AFF0020 INFO Proxy / HTTP
Request port mismatch
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1" (HTTP-proxy-00)
Relative-URI is in use and the port specified in the HTTP request host header does not match the port used for the connection.
HTTP request port mismatch
–
1AFF0021 INFO Proxy / HTTP
Request categories
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)
The HTTP request matched a WebBlocker category. The log message specifies the action taken by the proxy, the URL, and the category matched.
HTTP Request categories
–
1AFF0022 INFO Proxy / HTTP
Service unavailable
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80 msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)
WebBlocker categorization failed because the configured WebBlocker server is not available. The log message specifies the profile name and a more detailed error message.
HTTP service unavailable
–
1AFF0023 INFO Proxy / HTTP
Request URL path oversize
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80 msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)
The URI in the HTTP Request-Line is longer than the configured limit. The default limit is 2,048 bytes. The log message specifies the oversize URI.
HTTP request URL path oversize
–
1AFF0024 INFO Proxy / HTTP
Request
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80 msg="HTTP request" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92" arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)" (HTTP-proxy-00)
A detailed summary of the last HTTP proxy transaction.
HTTP request
–
1AFF0025 INFO Proxy / HTTP
Header IPS rule match
Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80 msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1" signature_id="1055396" severity="5" signature_name="WEB Cross-site Scripting-9" signature_cat="Web Attack" sig_vers="18.001" host="intext.nav-links.com" path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response header. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.
HTTP header IPS match
–
1AFF0026 INFO Proxy / HTTP
Body IPS rule match
Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443 msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4" signature_id="1051723" severity="5" signature_name="Virus Eicar test string" signature_cat="Virus/Worm" sig_vers="18.001" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response content body. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.
HTTP body IPS match
–
1AFF0028 INFO Proxy / HTTP
GAV Virus found
Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)
Gateway AntiVirus (GAV) detected a virus or malware. The log message specifies the virus name, destination host name, and URI path.
HTTP Virus found
–
1AFF0029 INFO Proxy / HTTP
GAV scan error
Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)
Gateway AntiVirus (GAV) failed to scan because of an error. The log message specifies the error message, the destination host name, and URI path.
HTTP AV scanning error
–
1AFF002B INFO Proxy / HTTP
Trusted host
Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80 msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)
The destination host name matches a proxy exception configured in the HTTP proxy.
HTTP Trusted host
–
1AFF002C INFO Proxy / HTTP
Bad reputation
Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80 msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT" reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)
The HTTP proxy blocked access to the destination address because of a bad reputation score for the URL.
HTTP bad reputation
–
1AFF002D INFO Proxy / HTTP
Good reputation
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4" reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)
The HTTP proxy did not complete a Gateway AntiVirus (GAV) scan for traffic to the destination address because the URL received a good reputation score.
HTTP good reputation
–
1AFF002E INFO Proxy / HTTP
Application match
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP App match" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" sig_vers="18.001" src_user="[email protected]" (HTTP-00)
Application Control identified the application type from the HTTP client request or server response stream.
HTTP App match
–
1AFF002F INFO Proxy / HTTP
DLP violation found
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80 msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA" host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)
Data Loss Prevention (DLP) detected a violation of DLP rules. The log message only includes information about the first rule matched.
HTTP DLP violation found
–
1AFF0030 INFO Proxy / HTTP
DLP cannot perform scan
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)
Data Loss Prevention (DLP) failed to scan the traffic because of the error specified in the log message.
HTTP cannot perform DLP Scan
–
1AFF0031 INFO Proxy / HTTP
DLP object unscannable
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)
Data Loss Prevention (DLP) cannot extract data from an object because it is encrypted.
HTTP DLP object unscannable
–
1AFF0032 INFO Proxy / HTTP
HTTP object too large
Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)
Data Loss Prevention (DLP) cannot scan the object because it is larger than the configured limit. The default value varies by device type and ranges between 1 and 5 MB.
HTTP DLP object too large
–
1AFF0033 INFO Proxy / HTTP
Range header
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80 msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1" header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)
This is the configured action (allow or strip) for the HTTP proxy Range header. The default action is strip. The HTTP proxy Range header can allow partial file transfers that impact content scans because the full content is not presented.
HTTP Range header
–
1AFF0034 INFO Proxy / HTTP
APT threat detected
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
APT Blocker detected a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination host name, and URI path.
HTTP APT detected
–
1AFF0036 INFO Proxy / HTTP
File submitted to APT analysis server
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
The file was submitted to the APT analysis server for deep threat analysis. A notification is sent when the analysis result is fetched from the APT analysis server.
HTTP File submitted to APT analysis server
–
1AFF0037 INFO Proxy / HTTP
Connect tunnel port match
Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128 msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)
The HTTP CONNECT tunnel request port matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and port.
HTTP connect tunnel port match
–
1AFF0038 INFO Proxy / HTTP
Webproxy redirect
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128 msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)
The HTTP Webproxy connection was redirected to a different proxy action because of the configuration setting in explicit proxy. The log message specifies the new proxy action used.
HTTP webproxy redirect
–
1AFF0039 INFO Proxy / HTTP
File reported safe from APT hash check
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
APT hash check did not report a threat from the object
HTTP File reported safe from APT hash check
–
1AFF003A INFO Proxy / HTTP
Content redirect
Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80 msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)
The HTTP content action connection was redirected to a different proxy action because of the configuration. The log message specifies the new proxy action used as well as the current ssl status.
HTTP Content redirect
–
1AFF003B INFO Proxy / HTTP
Request Content match
Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80 msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_src="URN" dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)
The request contained content which matched a configured content rule in the HTTP proxy. The log message specifies the content which matched the rule as well as rule details.
HTTP Request content match
–
1AFF0040 INFO Proxy / HTTP
DNSWatch blackholed domain
Allow 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 58477 80 msg="ProxyAllow: HTTP DNSWatch blackholed domain" proxy_act="HTTP-Client.Standard.1" host="www.wine.com" path="/" geo_dst="USA" (HTTP-proxy-00)
The DNSWatch DNS server returned the blackhole server IP address when it resolved the requested domain. The HTTP proxy acknowledges the blackhole server IP address and generates the log for the client request.
HTTP DNSWatch blackholed domain
–
1AFF0041 INFO Proxy / HTTP
DNSWatch content filtered domain
Deny 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 58477 80 msg="ProxyAllow: HTTP DNSWatch content filtered domain" proxy_act="HTTP-Client.Standard.1" host="www.wine.com" path="/" geo_dst="USA" (HTTP-proxy-00)
The DNSWatch DNS server returned the filterhole server IP address when it resolved the requested domain, based on the content filtered domain configuration. The HTTP proxy acknowledges the filterhole server IP address and generates the log for the client request.
HTTP DNSWatch content filtered domain
–
1BFF0000 INFO Proxy / SMTP
Greeting
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25 msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)
The host name in the SMTP proxy HELO or EHLO command matched one of the Greeting Rules, or the default rule of no match.
SMTP greeting
–
1BFF0001 INFO Proxy / SMTP
ESMTP option
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1" keyword="VRFY" (SMTP-proxy-00)
The EHLO response from the SMTP server includes an ESMTP option that is disabled or unknown.
SMTP ESMTP option
–
1BFF0002 INFO Proxy / SMTP
Authentication (AUTH)
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25 msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)
The EHLO response from the SMTP server included an authentication type that matches a configured authentication rule. The log message specifies the proxy action, the rule name, the action taken, and the authentication type.
SMTP AUTH
–
1BFF0003 INFO Proxy / SMTP
Header
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25 msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0" (SMTP-proxy-00)
A MIME header matched a configured rule, or the default rule of no match.
SMTP header
–
1BFF0004 INFO Proxy / SMTP
From address
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25 msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)
The sender address matched a rule specified in the Mail From rules.
SMTP From address
–
1BFF0005 INFO Proxy / SMTP
To address
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25 msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)
The recipient address matched a rule specified in the Rcpt To rules.
SMTP To address
–
1BFF0006 INFO Proxy / SMTP
Content type
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25 msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
Some of the message content matched a content filter rule.
SMTP content type
–
1BFF0007 INFO Proxy / SMTP
Filename
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25 msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
An email attachment matched a file name rule, or the attachment is uuencoded and the SMTP proxy allows uuencoded attachments.
SMTP filename
–
1BFF000A INFO Proxy / SMTP
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25 msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60" (SMTP-proxy-00)
The SMTP connection was idle for longer than the configured idle timeout limit. The default is 10 minutes.
SMTP timeout
–
1BFF000C INFO Proxy / SMTP
GAV Virus found
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25 msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)
Gateway AntiVirus (GAV) detected a virus or malware in an email attachment.
SMTP Virus found
–
1BFF000E INFO Proxy / SMTP
GAV cannot perform scan
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
Gateway AntiVirus (GAV) could not complete the scan because of the error that is specified in the log message.
SMTP cannot perform Gateway AV scan
–
1BFF000F INFO Proxy / SMTP
Request
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25 msg="SMTP request" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282" sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard" (SMTP-proxy-00)
This SMTP audit log specifies the bytes sent, bytes received, the sender and recipient addresses, and the sender and recipient TLS cipher.
SMTP request
–
1BFF0010 INFO Proxy / SMTP
Message format
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25 msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
The email message format matched a message format rule specified in the SMTP proxy. The log message includes the error message.
SMTP message format
–
1BFF0011 INFO Proxy / SMTP
IPS match
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" sig_vers="18.001" (SMTP-proxy-00)
Intrusion Prevention Service (IPS) detected a threat. The log message specifies the signature name and ID, threat severity, and signature category.
SMTP IPS match
–
1BFF0013 INFO Proxy / SMTP
Too many recipients
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25 msg="ProxyDeny: too many recipients" proxy_act="SMTP-Outgoing.1" num_recipients="15" (SMTP-proxy-00)
The number of email recipients specified in the email message exceeds the configured limit. The default limit is 99 for inbound messages and unlimited for outbound messages. The log message specifies the proxy action and number of recipients.
SMTP too many recipients
–
1BFF0014 INFO Proxy / SMTP
Response size too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25 msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1" response_size="5030" (SMTP-proxy-00)
The SMTP server response exceeds the configured limit. The default limit is 10,000 KB. The log message specifies the size of the response.
SMTP response size too long
–
1BFF0015 INFO Proxy / SMTP
Line too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1" line_length="32110" (SMTP-proxy-00)
The email message contains a line that exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.
SMTP line length too long
–
1BFF0016 INFO Proxy / SMTP
Message too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25 msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1" size="16384" (SMTP-proxy-00)
The SMTP message length exceeds the configured limit. The default limit is 10,000 kb.
SMTP message size too long
–
1BFF0017 INFO Proxy / SMTP
Header too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25 msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1" headers_size="12157" (SMTP-proxy-00)
The SMTP message contains a header that exceeds the configured Maximum Header Length. The default is 20,000 bytes.
SMTP header size too long
–
1BFF0018 INFO Proxy / SMTP
Command
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25 msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1" keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)
The SMTP request contains a command that is not supported or is not valid for the email transaction. The log message specifies the proxy action, action taken, SMTP command, and the response code.
SMTP command
–
1BFF0019 INFO Proxy / SMTP
spamBlocker confirmed spam
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25 msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
spamBlocker has classified the message as confirmed SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
SMTP Classified as confirmed SPAM
–
1BFF001A INFO Proxy / SMTP
spamBlocker bulk spam
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25 msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
spamBlocker has classified the message as bulk SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
SMTP Classified as bulk mail
–
1BFF001B INFO Proxy / SMTP
spamBlocker suspect spam
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25 msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
spamBlocker has classified the message as suspect SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
SMTP Classified as suspect SPAM
–
1BFF001C INFO Proxy / SMTP
spamBlocker not SPAM
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25 msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
spamBlocker has classified the message as not SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
SMTP Classified as not SPAM
–
1BFF001D INFO Proxy / SMTP
spamBlocker classification unknown
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25 msg="ProxyDeny: SMTP message classification is unknown because an error occurred while classifying" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
spamBlocker was unable to classify the email message because of an error. The log message specifies the sender and recipient addresses.
SMTP message classification is unknown because an error occurred while classifying
–
1BFF001E INFO Proxy / SMTP
spamBlocker exception matched
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25 msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
The sender or recipient of the email message matches a spamBlocker exception specified in the SMTP proxy.
SMTP spamBlocker exception was matched
–
1BFF001F INFO Proxy / SMTP
Decoder error
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25 msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)
The SMTP proxy was unable to decode the email message due to the error specified in the log message.
SMTP An error was found by our decoder
–
1BFF0021 INFO Proxy / SMTP
Extra pad characters in base64 encoding
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25 msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)
The SMTP proxy encountered extra pad characters when the body of the base64-encoded message was processed.
SMTP extra pad characters in base64 input
–
1BFF0022 INFO Proxy / SMTP
Mail from address too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25 msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1" address="[email protected]" length="56" response="553" (SMTP-proxy-00)
A sender email address exceeded the configured maximum address length. The address length is unlimited by default.
SMTP Mail From address too long
–
1BFF0023 INFO Proxy / SMTP
Application match
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25 msg="ProxyDrop: SMTP App match" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (SMTP-proxy-00)
Application Control identified the application in the mail message that is specified in the log message.
SMTP App match
–
1BFF0024 INFO Proxy / SMTP
DLP violation found
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25 msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA" sender="[email protected]" recipients="wg@localhost" filename="ssn.docx" (SMTP-proxy-00)
Data Loss Prevention (DLP) detected the rule violation that is specified in the log message.
SMTP DLP violation Found
–
1BFF0025 INFO Proxy / SMTP
DLP cannot perform scan
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
Data Loss Prevention (DLP) is unable to scan because of the error specified in the log message.
SMTP cannot perform DLP Scan
–
1BFF0026 INFO Proxy / SMTP
DLP cannot scan object
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25 msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
Data Loss Prevention (DLP) is unable to extract data from an object because the object is encrypted.
SMTP DLP object unscannable
–
1BFF0027 INFO Proxy / SMTP
DLP object too large
May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25 msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="DLP scan limit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)
The file requested for Data Loss Prevention (DLP) analysis is larger than the configured limit. The default value varies by platform, from one to five MB. The log specifies the DLP sensor name and error message.
SMTP DLP object too large
–
1BFF0028 INFO Proxy / SMTP
APT threat detected
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25 msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="ecc59a46b439bdf63b058964e29ace0c" md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)
APT Blocker found the threat specified in the log message in an attached file.
SMTP APT detected
–
1BFF002A INFO Proxy / SMTP
File submitted to APT analysis server
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.
SMTP File submitted to APT analysis server
–
1BFF002B INFO Proxy / SMTP
File reported safe from APT hash check
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
APT hash check did not report a threat from the object.
SMTP File reported safe from APT hash check
–
1BFF002C INFO Proxy / SMTP
Protocol invalid
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465 msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1" (SMTP-proxy-00)
The SMTP proxy detected an invalid TLS protocol.
SMTP invalid TLS protocol
–
1BFF002D INFO Proxy / SMTP
Content Inspection
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 40742 25 msg="ProxyInspect: SMTP content inspection" proxy_act="SMTP-Outgoing.Standard.1" tls_profile="TLS-Client.Standard" tls_version="TLSv1.3" content_inspection="yes" server_ssl="TLS_AES_256_GCM_SHA384" client_ssl="NONE" (SMTP-proxy-00)
The SMTP proxy content inspection action for a secure connection.
SMTP TLS content inspection
–
1CFF0000 INFO Proxy / FTP
User name too long
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21 msg="ProxyDeny:FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1" length="17" (FTP-proxy-00)
The user name exceeds the maximum length specified in the FTP proxy. The default is 64 characters.
FTP user name too long
–
1CFF0001 INFO Proxy / FTP
Password too long
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21 msg="ProxyDeny:FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)
The password specified for the user exceeds the maximum length configured in the FTP proxy. The default maximum length is 32 characters.
FTP user password too long
–
1CFF0002 INFO Proxy / FTP
File or directory name too long
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21 msg="ProxyDeny:FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)
The file or directory name exceeds the maximum length configured in the FTP proxy. The default maximum length is 1,024 bytes.
FTP file or directory name too long
–
1CFF0003 INFO Proxy / FTP
Command line too long
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21 msg="ProxyDeny:FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)
The command exceeded the maximum length configured in the FTP proxy. The default maximum length is 1,030 characters.
FTP command line too long
–
1CFF0004 INFO Proxy / FTP
Exceeded maximum allowed login attempts
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21 msg="ProxyDrop:FTP exceeded maximum permitted login attempts" (FTP-proxy-00)
The user exceeded the configured maximum number of allowed failed login attempts per connection. The default limit is 6.
FTP exceeded maximum permitted login attempts
–
1CFF0005 INFO Proxy / FTP
Command match
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21 msg="ProxyDeny:FTP command match" proxy_act="FTP-Client.2" rule_name="LIST" command="ls" (FTP-proxy-00)
The command matched a configured rule, or the default of no match. For the FTP-server proxy action, the default is to deny any command that does not appear on the list. For the FTP-client proxy action, there is no default restriction on commands. The log message specifies the proxy action, action taken, and the command.
FTP command match
–
1CFF0006 INFO Proxy / FTP
Download match
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21 msg="ProxyDeny:FTP download match" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)
The file type matched a configured download rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.
FTP download match
–
1CFF0007 INFO Proxy / FTP
Upload match
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21 msg="ProxyDeny:FTP upload match" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)
The file type matched a configured upload rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.
FTP upload match
–
1CFF0008 INFO Proxy / FTP
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21 msg="ProxyDrop:FTP timeout" proxy_act="FTP-Proxy" (FTP-proxy-00)
The connection exceeded the configured idle time value. The default is 180 seconds.
FTP timeout
–
1CFF0009 INFO Proxy / FTP
Invalid request
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21 msg="ProxyDeny:FTP invalid request" proxy_act="FTP-Client.2" reason="No username value provided for USER command" (FTP-proxy-00)
The FTP proxy rejected the command because of a lack of required arguments, such as a user name. The log message specifies the proxy action and command.
FTP invalid request
–
1CFF000C INFO Proxy / FTP
Request
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21 msg="FTP request" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0" user="testuser" type="download" (FTP-proxy-00)
This log message for the FTP request transaction includes the source and destination IP addresses for the initial connections.
FTP request
–
1CFF000D INFO Proxy / FTP
IPS match
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21 msg="ProxyDrop:FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4" signature_name="EXPLOIT FlashGet FTP PWD Command Stack buffer overflow-1" signature_cat="Buffer Over Flow" sig_vers="18.001" (FTP-proxy-00)
Intrusion Prevention Service (IPS) detected a threat. The action configured for an IPS Match will be applied to the traffic. The log message includes the signature ID, threat severity, signature name, and signature category.
FTP IPS match
–
1CFF000E INFO Proxy / FTP
GAV Virus found
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528 msg="ProxyDrop:FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)
Gateway AntiVirus (GAV) detected a virus or malware in the attachment. The log message specifies the detected virus name and the file name of the attachment.
FTP Virus found
–
1CFF000F INFO Proxy / FTP
GAV scan error
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485 msg="ProxyDrop:FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)
Gateway AntiVirus (GAV) failed to scan due to the error specified in the log message.
FTP AV scanning error
–
1CFF0010 INFO Proxy / FTP
Application match
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21 msg="ProxyAllow:FTP App match" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority" app_beh_id="1" sig_vers="18.001" (FTP-proxy-00)
Application Control identified an application in the FTP client request or server response. The log message specifies the proxy action, application control action, action taken, application name and ID, application category and ID, and application behavior name and ID.
FTP App match
–
1CFF0011 INFO Proxy / FTP
DLP violation found
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611 msg="ProxyDrop:FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)
Data Loss Prevention (DLP) detected a rule violation. The log message specifies the proxy action, the DLP sensor name, DLP rule name, the authenticated user, and the file name. The log message also specifies the source and destination IP addresses and port for the control channel of the FTP session.
FTP DLP violation found
–
1CFF0012 INFO Proxy / FTP
DLP cannot perform scan
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217 msg="ProxyAllow:FTP cannot perform DLP scan" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP not initialized" file="ssn.docx" (FTP-proxy-00)
Data Loss Prevention (DLP) failed to scan because of the error specified in the log message.
FTP cannot perform DLP scan
–
1CFF0013 INFO Proxy / FTP
DLP cannot scan object
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974 msg="ProxyAllow:FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test" error="unscannable object (File was encrypted)" authenticated_user="testuser" file="test.zip" (FTP-proxy-00)
Data Loss Prevention (DLP) could not scan and analyze the attachment because it is encrypted. The log message specifies the DLP sensor name, error message, the authenticated user, and the file name.
FTP DLP object unscannable
–
1CFF0014 INFO Proxy / FTP
DLP object too large
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813 msg="ProxyAllow:FTP DLP object too large" proxy_act="FTP-Client.3" error="DLP scan limit (5242880) exceeded" (FTP-proxy-00)
Data Loss Prevention (DLP) could not analyze the attachment because the file was larger than the configured limit. The limit varies by platform, from one to five MB. The log message specifies the DLP sensor name and error message.
FTP DLP object too large
–
1CFF0015 INFO Proxy / FTP
APT threat detected
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661 msg="ProxyDrop:FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt" (FTP-proxy-00)
APT Blocker identified a threat. The log message specifies the threat level, threat name, threat class, malicious activities, and file name where the threat was located.
FTP APT detected
–
1CFF0017 INFO Proxy / FTP
File submitted to APT analysis server
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow:FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
File submitted to APT analysis server for deep threat analysis. A separate log message will appear when the result is retrieved from the APT analysis server.
FTP File submitted to APT analysis server
–
1CFF0018 INFO Proxy / FTP
File reported safe from APT hash check
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow:FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
APT hash check did not report a threat from the object.
FTP File reported safe from APT hash check
–
1CFF0019 ERROR Proxy / FTP
FTP Bounce Attempt
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21 msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard" bounce_ip="10.0.1.101"
The user attempted an FTP bounce attack by sending a PORT command specifying the IP address of a third party instead of the user's own IP address.
FTP Bounce Attempt
–
1DFF0000 INFO Proxy / DNS
Invalid number of questions
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53 msg="ProxyDeny: DNS invalid number of questions" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The traffic was blocked because the message included an invalid number of questions.
DNS invalid number of questions
–
1DFF0001 INFO Proxy / DNS
Query name oversized
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53 msg="ProxyDeny: DNS oversized query name" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS query was blocked because the DNS query name exceeded the allowed buffer size, which varies from 0 kilobytes to 64 kilobytes.
DNS oversized query name
–
1DFF0002 INFO Proxy / DNS
Query name compressed
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53 msg="ProxyDeny: DNS compressed query name" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS query was blocked because the domain name was compressed.
DNS compressed query name
–
1DFF0003 INFO Proxy / DNS
Parse error
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS request was blocked because the proxy failed to parse the domain name.
DNS Parse error
–
1DFF0004 INFO Proxy / DNS
Not Internet CLASS
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53 msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1" query_class="ANY" (DNS-proxy-00)
The DNS query was not Internet CLASS. The log message specifies the action taken and the CLASS.
DNS Not Internet CLASS
–
1DFF0005 INFO Proxy / DNS
OPcode match
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyDeny: DNS OpCode match" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)
The OpCode matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule, and the OpCode.
DNS OpCode match
–
1DFF0006 INFO Proxy / DNS
Query type match
Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53 msg="ProxyDeny: DNS query type match" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)
The query type matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule matched, and the query type.
DNS query type match
–
1DFF0007 INFO Proxy / DNS
Question undersized
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS undersized question" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS query was blocked because the query size was less than the minimum valid size of 17 bytes.
DNS undersized question
–
1DFF0008 INFO Proxy / DNS
Question oversized
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53 msg="ProxyDeny: DNS oversized question" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS query was blocked because the query size exceeds the maximum allowed size of 271 bytes.
DNS oversized question
–
1DFF0009 INFO Proxy / DNS
Timeout
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53 msg="ProxyDrop: DNS timeout" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS connection was idle longer than the configured timeout value in the DNS policy.
DNS timeout
–
1DFF000A INFO Proxy /DNS
Responseanswerundersized
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS undersized answer" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS responsewas blocked becausethe response sizewas less than theminimum value of 17bytes.
DNSundersizedanswer
–
1DFF000C INFO Proxy /DNS
Response IDInvalid
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS invalid response" proxy_act="DNS-Outgoing.1" (DNS-proxy-00)
The DNS responsewas blocked becausethe response ID didnot match the currentor previous requestID.
DNS invalidresponse
–
1DFF000E INFO Proxy /DNS
Query questionmatch
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53msg="ProxyDeny: DNS questionmatch" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)
The DNS query namematched a configuredrule, or the defaultrule of nomatch. Thelogmessagespecifies the rulematched, actiontaken, and queryname.
DNS questionmatch
–
1DFF000F INFO Proxy / DNS
Request
Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53 msg="DNS request" proxy_act="DNS-Outgoing.1" query_type="PTR" question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" app_id="61" app_cat_id="9" app_name="DNS" app_cat_name="Network Management" sig_vers="18.001" (DNS-proxy-00)
The DNS request audit log specifies the query type and name.
DNS request
–
1DFF0010 INFO Proxy / DNS
IPS match
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53 msg="ProxyDrop: DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS Server Buffer Overflow" signature_cat="Buffer Over Flow" sig_vers="18.001" (DNS-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, and signature category.
DNS IPS match
–
1DFF0012 INFO Proxy / DNS
Application match
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyAllow: DNS App match" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (DNS-proxy-00)
Application Control identified the application type from the DNS client query and server response. The log message specifies the application name and ID, the application category name and ID, and the behavior name and ID.
DNS App match
–
21FF0000 INFO Proxy / POP3
CAPA
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyDeny: POP3 CAPA" keyword="VERF": (POP3-proxy-00)
The CAPA response contained the unknown or blocked capability that is specified in the log message.
POP3 CAPA
–
21FF0001 INFO Proxy / POP3
Authentication
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110 msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)
The authentication type matched a rule, or the default rule of no match. The log message specifies the rule name and authentication type.
POP3 AUTH
–
21FF0002 INFO Proxy / POP3
Command
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110 msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2" keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)
The client sent an authentication command when it was not allowed.
POP3 command
–
21FF0005 INFO Proxy / POP3
Header
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)
A POP3 header matched a configured Header rule, or the default rule of no match. The log message specifies the rule and header.
POP3 header
–
21FF0006 INFO Proxy / POP3
Content type
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)
A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user name.
POP3 content type
–
21FF0007 INFO Proxy / POP3
File name
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110 msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)
The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user name.
POP3 filename
–
21FF0009 INFO Proxy / POP3
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180" (POP3-proxy-00)
The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.
POP3 timeout
–
21FF000A INFO Proxy / POP3
Request
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="POP3 request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433" user="wg" (POP3-proxy-00)
This audit log message specifies the bytes sent, bytes received, and user.
POP3 request
–
21FF000C INFO Proxy / POP3
IPS match
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" sig_vers="18.001" (POP3-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the action taken, the signature ID, threat severity, signature name, and signature category.
POP3 IPS match
–
21FF000F INFO Proxy / POP3
GAV Virus found
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg" filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)
Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, user, and file name.
POP3 Virus found
–
21FF0010 INFO Proxy / POP3
GAV cannot perform scan
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: POP3 Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)
Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.
POP3 cannot perform Gateway AV
–
21FF0012 INFO Proxy / POP3
Line length too long
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)
A line exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.
POP3 line length too long
–
21FF0014 INFO Proxy / POP3
Message format
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110 msg="ProxyStrip: POP3 message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)
The message is not in an allowed format. The log message specifies the error and the user.
POP3 message format
–
21FF0015 INFO Proxy / POP3
Encoding error
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110 msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1" message="invalid b64 characters in input" (POP3-IN-00)
The proxy was unable to decode and encode the message because of the error specified in the log message.
POP3 encoding error
–
21FF0016 INFO Proxy / POP3
spamBlocker confirmed spam
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110 msg="ProxyReplace: POP3 Classified as confirmed SPAM" (POP3-OUT-00)
spamBlocker classified the message as confirmed SPAM. The log message specifies the sender and recipients.
POP3 Classified as confirmed SPAM
–
21FF0017 INFO Proxy / POP3
spamBlocker BULK spam
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-IN-00)
spamBlocker classified the message as bulk SPAM. The log message specifies the sender and recipients.
POP3 Classified as suspect SPAM
–
21FF0018 INFO Proxy / POP3
spamBlocker suspect spam
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-proxy-00)
spamBlocker classified the message as suspect SPAM. The log message specifies the sender and recipients.
POP3 Classified as suspect SPAM
–
21FF001A INFO Proxy / POP3
spamBlocker exception matched
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110 msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)
The sender for the email matched a spamBlocker exception rule. The log message specifies the sender, recipient, and subject.
POP3 spamBlocker exception was matched
–
21FF001B INFO Proxy / POP3
spamBlocker not spam
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyAllow: POP3 Classified as not SPAM" (POP3-proxy-00)
spamBlocker classified the message as not SPAM. The log message specifies the sender and recipients.
POP3 Classified as not SPAM
–
21FF001C INFO Proxy / POP3
spamBlocker classification unknown
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110 msg="ProxyAllow: POP3 message classification is unknown because an error occurred while classifying" (POP3-OUT-00)
spamBlocker was unable to classify the message because of the error specified in the log message.
POP3 message classification is unknown because an error occurred while classifying
–
21FF001D INFO Proxy / POP3
Extra pad characters
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)
The POP3 proxy encountered extra pad characters in the body of a base64-encoded message.
POP3 extra pad characters in base64 input
–
21FF001E INFO Proxy / POP3
Application match
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 App match" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2" app_beh_name="communicate" app_beh_id="2" sig_vers="18.001" (POP3-proxy-00)
Application Control identified the application from the email message. The log specifies the application name and ID, application category and ID, and the application behavior name and ID.
POP3 App match
–
21FF001F INFO Proxy / POP3
APT threat detected
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110 msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)
APT Blocker found the threat specified in the log message in an attached file.
POP3 APT detected
–
21FF0021 INFO Proxy / POP3
File submitted to APT analysis server
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.
POP3 File submitted to APT analysis server
–
21FF0022 INFO Proxy / POP3
File reported safe from APT hash check
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
APT hash check did not report a threat from the object.
POP3 File reported safe from APT hash check
–
22FF0000 INFO Proxy / IMAP
Request
Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow" reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
This audit log message specifies the email message transaction result.
IMAP Request
–
22FF0001 INFO Proxy / IMAP
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Timeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)
The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.
IMAP Timeout
–
22FF0005 INFO Proxy / IMAP
Content Type
Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143 msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1" rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)
A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user-related information.
IMAP Content Type
–
22FF0006 INFO Proxy / IMAP
Filename
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143 msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc" attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)
The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user-related information.
IMAP Filename
–
22FF0008 INFO Proxy / IMAP
Virus Found
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1" virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)
Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, file name, and user-related information.
IMAP Virus Found
–
22FF0009 INFO Proxy / IMAP
Cannot Perform Gateway AV Scan
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)
Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.
IMAP Cannot Perform Gateway AV Scan
–
22FF000A INFO Proxy / IMAP
APT detected
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1" filename="lastline-demo-sample.exe" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX" user="wg" (IMAP-proxy-00)
APT Blocker found the threat specified in the log message in an attached file.
IMAP APT detected
–
22FF000C INFO Proxy / IMAP
File Submitted to APT analysis server
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.
IMAP File Submitted to APT analysis server
–
22FF000D INFO Proxy / IMAP
File reported safe from APT hash check
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
APT hash check did not report a threat from the object.
IMAP File reported safe from APT hash check
–
22FF000E INFO Proxy / IMAP
spamBlocker confirmed spam
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
spamBlocker classified the message as confirmed SPAM. The log message specifies the user-related information.
IMAP Classified as confirmed SPAM
–
22FF000F INFO Proxy / IMAP
spamBlocker bulk mail
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
spamBlocker classified the message as bulk mail. The log message specifies the user-related information.
IMAP Classified as bulk mail
–
22FF0010 INFO Proxy / IMAP
spamBlocker suspect spam
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
spamBlocker classified the message as suspect SPAM. The log message specifies the user-related information.
IMAP Classified as suspect SPAM
–
22FF0012 INFO Proxy / IMAP
spamBlocker exception matched
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
The sender for the email matched a spamBlocker exception rule. The log message specifies the rule and user-related information.
IMAP spamBlocker exception was matched
–
22FF0013 INFO Proxy / IMAP
spamBlocker not spam
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
spamBlocker classified the message as not SPAM. The log message specifies the user-related information.
IMAP Classified as not SPAM
–
22FF0014 INFO Proxy / IMAP
spamBlocker not spam
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message classification is unknown because an error occurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
spamBlocker was unable to classify the message because of the error specified in the log message. The log message specifies the user-related information.
IMAP Message classification is unknown because an error occurred while classifying
–
22FF0015 INFO Proxy / IMAP
GAV file too large
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan size limit" mbx="INBOX" user="wg" (IMAP-proxy-00)
The attachment file size exceeds the Gateway AV scan size limit.
IMAP Gateway AV object too large
–
22FF0016 INFO Proxy / IMAP
GAV file encrypted
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)" proxy_act="IMAP-Client.OUT" attachment="password-protected.zip" error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)
The attachment file is encrypted or password-protected.
Gateway AV object encrypted (password-protected)
–
22FF1017 INFO Proxy / IMAP
Protocol invalid
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)
The IMAP proxy detected invalid TLS protocol.
IMAP invalid TLS protocol
–
22FF1018 INFO Proxy / IMAP
Content Inspection
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)
The IMAP proxy content inspection action for a secure connection.
IMAP TLS content inspection
–
28FF0000 INFO Proxy / SIP
Timeout
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP timeout" (SIP-ALG-00)
The connection was idle for longer than the configured timeout value. The default value is 180 seconds.
SIP timeout
–
28FF0004 INFO Proxy / SIP
Request
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="SIP request" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_to="192.168.53.143" (SIP-ALG-00)
The log message specifies the source and destination of the allowed call.
SIP request
–
28FF0005 INFO Proxy / SIP
Codec
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)
The codec is allowed or denied based on the setting for Denied Codecs in the SIP policy.
SIP codec
–
28FF0006 INFO Proxy / SIP
Access control
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" From-header="[email protected]" (SIP-ALG-00)
The header address is allowed or denied based on the Access Control settings. The log message specifies the action taken, header and message ID.
SIP Access control
–
28FF0008 INFO Proxy / SIP
IPS match
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDP Header Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow" sig_vers="18.001" (SIP-ALG-00)
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name and URI path.
SIP IPS match
–
28FF0009 INFO Proxy / SIP
Application match
Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060 msg="ProxyDrop: SIP App match" proxy_act="SIP-Client.1" app_id="12" app_name="SIP" app_beh_name="communicate" sig_vers="18.001" (SIP-ALG-00)
Application Control identified an application from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
SIP App match
–
2AFF0000 INFO Proxy / H.323
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720 msg="ProxyDrop: H323 timeout" proxy_act="H.323-Client.1" (H323-ALG-00)
The connection was idle longer than the configured timeout value. The default value is 180 seconds.
H323 timeout
–
2AFF0001 INFO Proxy / H.323
Request
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720 msg="H323 request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)
This log message specifies the IP addresses for the completed H323 call.
H323 request
–
2AFF0002 INFO Proxy / H.323
Codec
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720 msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)" (H323-ALG-00)
The media codec is denied because it matched a configured Denied Codec. The log message specifies the codec.
H323 codec
–
2AFF0003 INFO Proxy / H.323
Access control
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720 msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" To-header="192.168.53.143" (H323-ALG-00)
The header address is allowed or denied because it matches an Access Control rule configured in the H323 policy. The log message specifies the address.
H323 Access control
–
2AFF0006 INFO Proxy / H.323
IPS match
Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230 msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk Invalid RTP Payload Type Number Memory Corruption" signature_cat="Access Control" sig_vers="18.001" (H323-ALG-00)
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name, and URI path.
H323 IPS match
–
2AFF0007 INFO Proxy / H.323
Application match
Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230 msg="ProxyDrop: H323 App match" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (H323-ALG-00)
Application Control detected an application type from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
H323 App match
–
2CFF0000 INFO Proxy / HTTPS
Request
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443 msg="HTTPS Request" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US" cert_subject="CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US" action="allow" (HTTPS-proxy-00)
The HTTPS transaction log includes the server name, certificate details, and action taken.
HTTPS Request
–
2CFF0001 INFO Proxy / HTTPS
WebBlocker Request categories
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443 msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1" service="Def" cats="Search Engines and Portals" dstname="www.google.com" (HTTPS-proxy-00)
WebBlocker identified the category for a web request. The log message specifies the category and host name.
HTTPS Request categories
–
2CFF0002 INFO Proxy / HTTPS
WebBlocker service unavailable
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443 msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1" error="Webblocker server is not available" service="Def" cats="" dstname="www.google.com" (HTTPS-proxy-00)
WebBlocker failed because a WebBlocker Server was not available.
HTTPS service unavailable
–
2CFF0003 INFO Proxy / HTTPS
Domain name match
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyAllow: HTTPS domain name match" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn="" ipaddress="173.194.33.176" (HTTPS-proxy-00)
This rule log includes the matched rule name, or the default rule of no match, and the patterns it has been matched against.
HTTPS domain name match
–
2CFF0005 INFO Proxy / HTTPS
IPS Match
Deny 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyDrop: HTTPS IPS Match" proxy_act="HTTPS-Client.Standard.3" signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" sig_vers="18.001" (HTTPS-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.
HTTPS IPS Match
–
2CFF0006 INFO Proxy / HTTPS
HTTPS App Match
Deny 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyDrop: HTTPS App Match" proxy_act="HTTPS-Client.Standard.3" app_cat_name="Network Protocols(3)" app_cat_id="19" app_name="HTTP Protocol over TLS SSL" app_id="94" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (HTTPS-proxy-00)
Application Control identified the application type from the HTTPS proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.
HTTPS APP Match
–
2CFF0007 INFO Proxy / HTTPS
Protocol invalid
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443 msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1" version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99" (HTTPS-proxy-00)
The HTTPS proxy detected an invalid SSL version.
HTTPS invalid protocol
–
2CFF0008 INFO Proxy / HTTPS
Timeout
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443 msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)
The HTTPS connection was idle longer than the timeout value configured in the HTTPS policy. The default is 180 seconds.
HTTPS timeout
–
2CFF0009 INFO Proxy / HTTPS
Content inspection
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)
The HTTPS traffic was directed to a different proxy action because of the Content Inspection settings in the HTTPS proxy. The log message specifies the new proxy action used for content inspection, as well as the TLS ciphers used for the server and client.
HTTPS content inspection
–
2CFF000A INFO Proxy / HTTPS
HTTPS content inspection exception rule match
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyAllow: content inspection exception list match" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" exception_rule="allow google" action="allow" (HTTPS-proxy-00)
The HTTPS connection matches the content inspection exception rule and the defined action is taken.
HTTPS exception rule match
–
2DFF0000 INFO Proxy / TCP-UDP
Request
Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80 msg="IP Request" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)
TCP-UDP transaction log for the traffic that is configured to allow or deny.
IP Request
–
2DFF0001 INFO Proxy / TCP-UDP
IPS match
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80 msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1" signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" sig_vers="18.001" (TCP-UDP-proxy-00)
Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.
IP IPS match
–
2DFF0004 INFO Proxy / TCP-UDP
Protocol
Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80 msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)
The TCP-UDP proxy recognized the protocol. The log message specifies the action taken, and the rule name.
IP protocol
–
2DFF0005 INFO Proxy / TCP-UDP
Application match
Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53 msg="ProxyAllow: IP App match" proxy_act="TCP-UDP-Proxy.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" sig_vers="18.001" (TCP-UDP-proxy-00)
Application Control identified the application type from the TCP-UDP proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.
IP App match
–
2DFF0006 INFO Proxy / TCP-UDP
DNSWatch content filtered domain
Allow 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 60180 23 msg="ProxyAllow: IP DNSWatch blackholed domain" proxy_act="TCP-UDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDP-proxy-00)
The DNSWatch DNS server returned the blackhole server IP address for the name resolution of the requested domain. The TCP-UDP proxy acknowledges the blackhole server IP address and generates the log for the client request.
IP DNSWatch blackholed domain
–
2DFF0007 INFO Proxy / TCP-UDP
DNSWatch content filtered domain
Deny 1-Trusted 0-External tcp 10.0.1.2 54.173.101.99 60180 23 msg="ProxyAllow: IP DNSWatch content filtered domain" proxy_act="TCP-UDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDP-proxy-00)
The DNSWatch DNS server returned the filterhole server IP address for the name resolution of the requested domain from the content filtered domain configuration. The TCP-UDP proxy acknowledges the filterhole server IP address and generates the log for the client request.
IP DNSWatch content filtered domain
–
Management Log Messages
Management log messages are generated for activity on your Firebox. This includes when changes are made to the device configuration and Device Management user accounts, for user authentication to the Firebox, and actions related to LiveSecurity and system settings.
Diagnostic
Management log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
5501000C INFO Management / System
Device restore failed
Device auto restore from USB drive image failed due to USB drive not found
Device auto restore from a specific image in a USB drive disc or normal restore from a normal image failed
Device %s restore from %s image failed due to %s
Device ${restore_type} restore from ${image_source} image failed for ${reason}
5501000D INFO Management / System
Creating USB auto restore image failed
Creation of USB auto restore image failed due to no USB drive
–
Creation of USB auto restore image failed due to %s
Creation of USB auto restore image failed: ${reason}
55010010 INFO Management / System
USB drive format
USB drive format operation was successful
–
USB drive format operation was %s
USB drive format ${result}
55010014 INFO Management / System
Generate system diagnostic file failed
Generate system diagnostic file to USB drive failed
–
Generate system diagnostic file to %s failed
Generate system diagnostic file to ${device} failed
55010015 INFO Management / System
Periodic support snapshot is enabled
System periodic support snapshot is enabled
–
System periodic support snapshot is enabled
–
55010017 INFO Management / System
Generate system diagnostic successfully
Exported system diagnostic file to server successfully
–
Exported system diagnostic file to %s successfully
Generate system diagnostic file to ${device} successfully
55010018 INFO Management / System
Reset to the default configuration failed
Reset to the default configuration failed when the device was rebooted.
The default configuration settings were not restored after a system reset.
Reset to the default configuration failed when the device was rebooted.
–
5501001B INFO Management / System
System backup failed
System backup to USB drive failed due to write file to USB drive error
–
System backup %s failed due to %s.
System backup ${dest device} failed: ${reason}
5501001C INFO Management / System
USB auto restore failed reason
USB auto restore failed due to not detect the USB drive
–
USB auto restore failed due to %s
USB auto restore failed for ${reason}
Event
Management log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
01010001 INFO Management / Configuration
Device configuration change
Management user admin@Firebox-DB from 10.139.36.22 {modified | added | deleted } Blocked Sites Exceptions
The device configuration has been changed.
Management user %s@%s from %s %s %s %s
Management user ${user}@${domain} from ${ipaddr} ${operation} ${subsystem} ${object}
01010002 INFO Management / Configuration
Administrative accounts reset to default
Administrative accounts were reset to the default settings
The administrative accounts were returned to the default settings. This could be because the system is in safe mode, or because of a corrupted administrative account file.
Administrative accounts were reset to the default settings
–
01020001 INFO Management / Configuration
Feature key added
admin added feature key '883B25CCF32949EE'
An administrator added a feature key. The log message specifies the feature key ID.
%s added feature key '%s'
–
01020002 INFO Management / Configuration
Feature key removed
admin removed feature key '883B25CCF32949EE'
An administrator has removed a feature key. The log message specifies the feature key ID.
%s removed feature key '%s'
–
01020003 WARN Management / Configuration
Feature expired
'LIVESECURITY' feature expired. Contact WatchGuard to renew your subscription.
–
'%s' feature expired. Contact WatchGuard to renew your subscription.
–
01020005 INFO Management / Configuration
Feature expiration reminder
'LIVESECURITY' feature will expire in 90 days.
A feature will soon expire. The log message specifies the feature and the number of days until it expires.
'%s' feature will expire in %d days.
–
01040001 INFO Management / Configuration
Default device settings in use for safe mode
Device default configuration was loaded in safe mode
The device configuration was reset to the default settings because the device is in safe mode.
Device default configuration was loaded in safe mode
–
01050001 INFO Management / Configuration
Moved the policy to new position
Moved Ping policy from position 2 to 6
When the policy order is changed, a move operation moves the policies.
Moved %s policy from position %d to %d
Moved ${policy name} from ${old position} to ${new position}
11000003 INFO Management / Authentication
Authentication server unavailable
Authentication server 192.168.1.1:389 is not responding
The external authentication server is not available.
Authentication server %s:%d is not responding
–
11000004 INFO Management / Authentication
User authentication succeeded
Authentication of firewall user [user1@Firebox-DB] from 198.51.100.2 was accepted
The user successfully authenticated. The log message specifies whether this is an administrative user, a firewall user, or another type of user.
Authentication of %s user [%s@%s] from %s was accepted
Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ipaddr} was accepted.
11000005 WARN Management / Authentication
User authentication failed
Authentication of Firewall user [test@RADIUS] from 10.0.1.2 was rejected, received an Access-Reject response from the RADIUS server
User authentication failed. The log message specifies the reason.
Authentication of %s user [%s@%s] from %s was rejected, %s
Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ip_addr} was rejected, ${reason}
11000006 INFO Management / Authentication
User unlock
User test is unlocked automatically
Indicates that a user was unlocked and how he/she was unlocked.
User %s is unlocked %s
User ${name} is unlocked ${how}
11000007 WARN Management / Authentication
user lock
User test is locked out briefly after 3 login failures
Indicates a user lockout, and how and why he/she is locked out.
User %s is locked out %s after %d login failures
User ${name} is locked out ${lockout_type} after ${failure_count} login failures
11000008 WARN Management / Authentication
BOVPN TLS client authentication failed
Authentication of BOVPN TLS client [EasternOffice] from 198.51.100.2 was rejected, pre-shared key is incorrect
BOVPN TLS client authentication failed. The log message specifies the reason.
Authentication of BOVPN TLS client [%s] from %s was rejected, %s
Authentication of BOVPN TLS client [${client_name}] from ${ip_addr} was rejected, ${reason}
1100000C WARN Management / Authentication
Authentication error
Authentication error. Domain not found for user1.
Authentication failed. The log message specifies the reason.
Authentication error. %s for %s.
Authentication error. ${error} for ${user_name}.
1100000D WARN Management / Authentication
Authentication server unavailable
Authentication of user [[email protected]] failed. Both primary and secondary servers are unavailable.
Authentication failed because both the primary and secondary authentication servers are unavailable.
Authentication of user [%s@%s] failed. Both primary and secondary servers are unavailable.
–
1100000E WARN Management / Authentication
Unsupported RADIUS method
Authentication of firewall user [user1@RADIUS] failed. RADIUS authentication method MSCHAP_V1 is not supported.
Authentication failed because the specified RADIUS method is not supported.
Authentication of %s user [%s@%s] failed. RADIUS authentication method %s is not supported.
–
1100000F WARN Management / Authentication
Groups maximum reached
The maximum number of groups (31) has been reached
Authentication failed because the maximum number of groups has been reached.
The maximum number of groups (%d) has been reached
–
11000010 INFO Management / Authentication
Firebox connected to SSO agent
Firebox connected to the SSO agent at 10.0.1.25 successfully.
Firebox connected to the SSO agent successfully
Firebox connected to the SSO agent at %s successfully.
–
11000011 INFO Management / Authentication
Firebox closed the connection
Firebox closed the connection to the SSO agent at 10.0.1.25.
Firebox closed the connection to the SSO agent.
Firebox closed the connection to the SSO agent at %s.
–
11000012 INFO Management / Authentication
Firebox failed to connect to the SSO agent
Firebox failed to connect to the SSO agent at 10.0.1.25. Reason: timeout.
Firebox failed to connect to the SSO agent.
Firebox failed to connect to the SSO agent at %s. Reason: %s.
–
11000013 INFO Management / Authentication
Successful SSO agent failover
SSO Agent failover from 10.0.1.25 to 10.0.1.26 was successful.
Successful SSO agent failover.
SSO Agent failover from %s to %s was successful.
–
11000014 INFO Management / Authentication
Unsuccessful SSO failover
SSO agent failover from 10.0.1.25 to 10.0.1.26 failed. Reason: incompatible SSO agent version.
Unsuccessful SSO failover.
SSO agent failover from %s to %s failed. Reason: %s.
–
11000015 INFO Management / Authentication
Logon Disclaimer configuration change
Logon Disclaimer was enabled
The configuration of Logon Disclaimer was changed when Firebox is on CSFC mode.
%s %s
–
15000000 INFO Management / Management Client
Device configuration update with audit trail
The configuration file and feature key for the device were successfully updated after a request from admin from the Management Server at 10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcp segment.
The updated configuration file was successfully sent to the device from the specified Management Server. The log message indicates if the feature key was updated. The log message might also specify the revision ID and includes comments about the update.
The configuration file%s for the device%s successfully updated after a request from %s from the Management Server at %s.%s%s%s%s.
–
15000001 INFO Management / Management Client
Device configuration update
Device configuration file was successfully updated. Configuration file retrieved from the Management Server at 10.139.44.88.
The device retrieved an updated configuration file from the specified Management Server. The log message also indicates if device retrieved a feature key.
Device configuration file%s successfully updated. Configuration file retrieved from the Management Server at %s.
–
15010000 INFO Management / Management Client
IPSec certificate import
The IPSec certificate was successfully imported from the Management Server at 10.139.44.88.
The IPsec certificate was successfully imported from the specified Management Server.
The IPSec certificate was successfully imported from the Management Server at %s.
–
15010001 INFO Management / Management Client
Management Server CA certificate import
The Management Server CA certificate was successfully imported from the Management Server at 10.139.44.88.
The Management Server CA certificate was successfully imported from the specified Management Server.
The Management Server CA certificate was successfully imported from the Management Server at %s.
–
3D040001 INFO Management / Logging
Primary Log Server connected
Connected to the primary Log Server at 198.51.100.0
The device successfully connected to the WatchGuard Log Server designated as the primary server.
Connected to the primary Log Server at %s
–
3D040002 INFO Management / Logging
Backup Log Server connected
Connected to the backup Log Server at 198.51.100.0
The device successfully connected to the WatchGuard Log Server designated as the backup server.
Connected to the backup Log Server at %s
–
3D040003 INFO Management / Logging
Add/Remove syslog server
Deleted syslog server : 3.3.3.3
Log the event when add/remove syslog server
%s
–
3E000002 INFO Management / Accounting
User login succeeded
Management user admin from 10.0.1.2 logged in
A user successfully logged in. The log message specifies the user type, user name, and IP address.
%s %s%s%s from %s logged in%s%s%s%s
${user_type} ${user_name}${auth_server} from {ipaddr} logged in ${virtual_ip} ${msg}
3E000003 WARN Management / Accounting
User login failed
Management user admin from 10.0.1.2 log in attempt was rejected.
A user log in attempt failed. The log message specifies the user type, user name, IP address, and the failure reason, if available.
%s %s%s%s from %s log in attempt was rejected%s%s%s%s
${user_type} ${user_name}${auth_server} from {ipaddr} rejected ${virtual_ip} ${msg}
3E000004 INFO Management / Accounting
User logout
Management user admin from 10.0.1.2 logged out
A user successfully logged out. The log message specifies the user type, user name, and IP address.
%s %s%s%s from %s logged out%s%s%s%s
${user_type} ${user_name}${auth_server} from {ipaddr} logged out ${virtual_ip} ${msg}
3E000005 INFO Management / Accounting
Property change
Updated the value of the management session idle timeout from 3600 seconds to 7200 seconds
Config changed. The log message specifies the name of the property, the old and new value.
Updated the value of %s from %ld%s to %ld%s.
Updated the value of ${property name} from ${old value} ${unit} to ${new value} ${unit}
40010001 INFO Management / Certificate
CA certificate updated successfully
CA certificate updated successfully to version 1.3.
The CA certificate updated successfully to the specified new version.
CA certificate updated successfully to version %s.
CA certificate updated successfully to version ${new CA version number}.
40010002 ERROR Management / Certificate
CA certificate updated failed
CA certificate update failed. Current CA certificate version: 1.2.
CA certificate updated failed.
CA certificate update failed. Current CA certificate version: %s.
CA certificate update failed. Current CA certificate version: ${current CA version number}.
40010003 INFO Management / Certificate
Certificate not valid yet
Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is not valid.
Certificate not valid yet
Certificate (subject=%s) is not valid.
Certificate (subject=${certificate subject}) is not valid.
40010004 INFO Management / Certificate
Certificate expired
Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is expired.
Certificate expired
Certificate (subject=%s) is expired.
Certificate (subject=${certificate subject}) is expired.
40010005 INFO Management / Certificate
Certificate revoked
Certificate (subject=o=WatchGuard ou=Fireware cn=Fireware web CA) is revoked.
Certificate revoked
Certificate (subject=%s) is revoked.
Certificate (subject=${certificate subject}) is revoked.
40010006 INFO Management / Certificate
Generated/imported certificate signing request
Generated certificate signing request CN=test2, O=wgti2.net, C=US
Generated Certificate signing request or imported certificate signed with csr
%s certificate%s%s.
>%s certificate%s%s
41000001 INFO Management / LiveSecurity
RapidDeploy succeeded
RapidDeploy package was applied successfully
The RapidDeploy package from the LiveSecurity service was successfully applied to the device.
RapidDeploy package was applied successfully
–
41000002 ERROR Management / LiveSecurity
RapidDeploy failed
RapidDeploy package was not applied: Cannot find result.xml
The RapidDeploy package was not applied to the device. The log message specifies the reason.
RapidDeploy package was not applied: %s
RapidDeploy failed: ${reason}
41000003 INFO Management / LiveSecurity
New RSS feed update succeeded
New RSS feed from LiveSecurity Service was updated
New RSS feed from the LiveSecurity Service was updated.
New RSS feed from LiveSecurity Service was updated
–
41000004 ERROR Management / LiveSecurity
New RSS feed update failed
New RSS feed from LiveSecurity Service was not updated: error retrieving response from server
New RSS feed from the LiveSecurity Service failed to update.
New RSS feed from LiveSecurity Service was not updated: %s
–
41000005 INFO Management / LiveSecurity
Feature key download succeeded
Feature key from LiveSecurity Service was received
The feature key for the device was successfully downloaded from the LiveSecurity Service.
Feature key from LiveSecurity Service was received
–
41000006 ERROR Management / LiveSecurity
Feature key download failed
Feature key from LiveSecurity Service was not received: error parsing response from LiveSecurity service
The feature key could not be downloaded from the LiveSecurity Service. The log message specifies the reason.
Feature key from LiveSecurity Service was not received: %s
–
41000007 INFO Management / LiveSecurity
Wireless country specification update succeeded
Wireless country specification was updated
The wireless country specification was successfully updated from the LiveSecurity service.
Wireless country specification was updated
–
41000008 ERROR Management / LiveSecurity
Wireless country specification update failed
Wireless country specification from LiveSecurity Service was not received: received error code <n> from LSS
The wireless country specification could not be downloaded from the LiveSecurity service. The log message specifies the failure reason and the number of retries.
Wireless country specification from LiveSecurity Service was not received: %s, (retry_count=%d)
–
41010001 INFO Management / LiveSecurity
RapidDeploy configuration from USB succeeded
RapidDeploy configuration from a USB drive was applied successfully
The RapidDeploy configuration was successfully applied from a USB drive.
RapidDeploy configuration from a USB drive was applied successfully
–
41010002 ERROR Management / LiveSecurity
RapidDeploy configuration from USB failed
RapidDeploy configuration from a USB drive was not applied: config line missing
The RapidDeploy configuration was not successfully applied from a USB drive. The log message specifies the reason.
RapidDeploy configuration from a USB drive was not applied: %s
–
50000001 WARN Management / Web Service
User login failed (wgagent)
WSM User status from 10.0.1.2 log in attempt was rejected - Invalid credentials.
A user log in attempt failed. The log message specifies the UI type, User Name, IP address, and (if available) the failure reason.
%s %s@%s from %s log in attempt was rejected - %s.
%{ui_type} ${user_name}@${auth_server} from ${ipaddr} log in attempt was rejected ${msg}.
55010000 INFO Management / System
Bootup time
System boot up at 2000-01-01 00:00:01
–
System boot up at %s
System boot up at ${time}
55010002 ERROR Management / System
LIVESECURITY feature not found
Valid 'LIVESECURITY' feature not found
–
Valid 'LIVESECURITY' feature not found
–
55010003 ERROR Management / System
LIVESECURITY expired
'LIVESECURITY' feature expired (Tue May 14 12:25:00 2013) prior to package release date (Wed May 15 01:00:00 2013)
'LIVESECURITY' feature expired (%s) prior to package release date (%s)
'LIVESECURITY' feature expired (${expiration time}) prior to package release date (${package release time})
55010004 INFO Management / System
Shutdown
Shutdown requested by system
–
Shutdown requested by system
–
55010005 INFO Management / System
Reboot
System is rebooting
–
System is rebooting
–
55010006 INFO Management / System
Upgrade succeeded
System upgrade to 11.9 successful, system needs to reboot
–
System upgrade to %s successful, %s
System upgrade to ${software version} successful ${box need reboot or not}
55010007 INFO Management / System
Automatic reboot
System is automatically rebooting at 12:09
–
System is automatically rebooting at %d:%d
System is automatically rebooting at ${hour}:${second}
55010008 INFO Management / System
Time change
System time changed from 2012-10-5 12:30:15 to 2012-10-6 14:10:00
–
System time changed from %s to %s
System time changed from ${old value} to ${new value}
5501000B INFO Management / System
Device restore
Device auto restore from USB drive image initiated, reboot needed
Device was restored from a saved backup image. The backup image was either auto restored from a USB drive or restored from another location.
Device %s restore from %s image initiated%s
Device ${restore_type} restore from ${image_source} image initiated${reboot_option}
55010013 INFO Management / System
USB auto restore started
USB auto restore started
–
USB auto restore started
–
55010016 INFO Management / System
Feature expiration reminder
'LIVESECURITY' feature will expire on Sat., Jan 5, 11:27:23 CST 2013.
–
'LIVESECURITY' feature will expire on %s
'LIVESECURITY' feature will expire on ${expiration time}
55010019 WARN Management / System
Configuration reset failed during a downgrade
During a system downgrade, the configuration reset failed
–
During a system downgrade, the configuration reset failed
–
5501001A WARN Management / System
Upgrade failed
System upgrade failed: 'LIVESECURITY' feature expired
–
System upgrade failed: %s
System upgrade failed: ${reason}
5501001D INFO Management / System
Logo upload succeeded
Upload of logo succeeded
–
Upload of logo succeeded
–
55010020 INFO Management / System
Backup succeeded
System backup succeeded
–
System backup succeeded
–
55010021 INFO Management / System
Device restore success
Device auto restore from USB drive succeeded
Device auto restore from a specific image in USB drive or normal restore from a normal image
Device %s restore from %s image succeeded
Device ${restore_type} restore from ${image_source} image succeeded
55010022 INFO Management / System
USB auto restore image created
USB auto restore image successfully created
–
USB auto restore image successfully created
58000001 INFO Management / NTP
System time changed
System time changed to 2012-08-29 08:20:00 by NTP
The system time was changed by the NTP process.
System time changed to %s by NTP
–
FireCluster Log Messages
FireCluster log messages are for events related to your Fireboxes that are members of a FireCluster. This includes actions related to management of the FireCluster, operational errors of cluster members, events that occur on cluster members, and changes to the status of a cluster member.
Diagnostic
FireCluster log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
3A000002 INFO Cluster / Event Monitoring
VRRP enabled
VRRP is now enabled for Cluster.
Virtual Router Redundancy Protocol (VRRP) is now enabled for this Active/Passive Cluster.
VRRP is now enabled for Cluster.
–
3A000004 INFO Cluster / Event Monitoring
VRRP start master
Virtual Router with cluster ID 1 started in master state.
VRRP started in master state.
Virtual Router with cluster ID %d started in master state.
Virtual Router with cluster ID ${value} started in master state.
3A000005 INFO Cluster / Event Monitoring
VR shutdown
Virtual Router with cluster ID 1 returned to initial state.
Virtual Router returned to initial state.
Virtual Router with cluster ID %d returned to initial state.
Virtual Router with cluster ID ${id} returned to initial state
3A000006 INFO Cluster / Event Monitoring
VR pause
Virtual Router with cluster ID 1 becomes backup on pause event
Virtual Router becomes backup due to a pause event.
Virtual Router with cluster ID %d becomes backup on pause event
Virtual Router with cluster ID ${id} becomes backup on pause event
3A000007 INFO Cluster / Event Monitoring
VR resume
Virtual Router with cluster ID 1 becomes master on resume event
Virtual Router becomes master due to a resume event.
Virtual Router with cluster ID %d becomes master on resume event
Virtual Router with cluster ID ${id} becomes master on resume event
3A000008 INFO Cluster / Event Monitoring
VR backup state
Virtual Router with cluster ID 1 state changed from master to backup
Virtual Router state changed from master to backup
Virtual Router with cluster ID %d state changed from master to backup
Virtual Router with cluster ID ${id} state changed from master to backup
3A00000A INFO Cluster / Event Monitoring
VR notification gap
Member 80B20002E5BCD Virtual Router with cluster ID 1 changed state to master due to 3 second notification gap from current master with IP 10.0.4.1
Member Virtual Router changed state to master due to notification gap from current master
Member %s Virtual Router with cluster ID %d changed state to master due to %d second notification gap from current master with IP %s
Member ${member} Virtual Router with cluster ID ${id} changed state to master due to ${value} second notification gap from current master with IP ${ip}
3A00000B INFO Cluster / Event Monitoring
VRRP master state
Virtual Router with cluster ID 1 state changed to master
Virtual Router state changed to master
Virtual Router with cluster ID %d state changed to master
Virtual Router with cluster ID ${id} state changed to master
3A00000C ERROR Cluster / Event Monitoring
VRRP initialization failed
Cluster VRRP initialization failed
Initialization of Virtual Router Redundancy Protocol (VRRP) failed.
Cluster VRRP initialization failed
–
38000002 ERROR Cluster / Management
DHCP overwrite
A DHCP server is interfering with static address assignment of cluster IP address 10.0.0.1 on eth0. Disable DHCP server access to eth5.
A DHCP server has attempted to assign an IP address to cluster member on the Cluster Interface. This log message recommends the admin isolate the Cluster interface network from the DHCP server, and specifies the interface number and IP address the cluster attempted to assign to the member.
A DHCP server is interfering with static address assignment of cluster IP address %s on eth%d. Disable DHCP server access to eth%d.
A DHCP server is interfering with static address assignment of cluster IP ${ip} on eth${port}. Please disable DHCP server access to eth${port}.
38000003 INFO Cluster / Management
Cluster interface up
Cluster interface eth5 is up.
Cluster interface link status changed to up.
Cluster interface %s is up.
Cluster interface ${ifname} is up.
38000004 WARN Cluster / Management
Cluster interface down
Cluster interface eth5 is down.
Cluster interface link status changed to down.
Cluster interface %s is down.
Cluster interface ${ifname} is down
3800025C INFO Cluster / Management
Configuration update
Cluster member 80B20002E5BCD received updated configuration; version 3.
Cluster member received an updated configuration from the master. The log message specifies the member serial number and configuration version number.
Cluster member %s received updated configuration; version %d.
Cluster member ${member} received updated configuration; version ${version}.
38000264 WARN Cluster / Management
Time synchronization failure
Cluster time synchronization failed.
The cluster master's attempt to synchronize time to a cluster member failed
Cluster time synchronization failed.
3B000001 INFO Cluster / Transport
Channel status change
Cluster channel from member 80B20002E5BCD to master is up
The cluster communication channel between the specified members changed state.
Cluster channel from member %s to master is %s.
Cluster channel from member ${member} to master is ${state}.
3B000002 INFO Cluster / Transport
Cluster interface down
Cluster interface eth5 is down.
The specified Cluster interface is down.
Cluster interface %s is down.
Cluster interface ${ifname} is down.
Event
FireCluster log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
3A00000E INFO Cluster / Event Monitoring
VR enabled
Virtual Router with cluster ID 1 is now enabled
The Virtual Router representing the cluster is now enabled
Virtual Router with cluster ID %d is now enabled
Virtual Router with cluster ID ${id} is now enabled
3A00000F INFO Cluster / Event Monitoring
VR disabled
Virtual Router with cluster ID 1 is now disabled
The Virtual Router representing the cluster is now disabled
Virtual Router with cluster ID %d is now disabled
Virtual Router with cluster ID ${id} is now disabled
38000278 WARN Cluster / Management
Cluster disabled
Cluster disabled. Non-master member 80B20002E5BCD will be reset to factory-default settings.
The non-master member of the cluster will be reset to factory-default settings because FireCluster is disabled.
Cluster disabled. Non-master member %s will be reset to factory-default settings.
Cluster disabled. Non-master member %s will be reset to factory-default settings.
38000279 WARN Cluster / Management
Critical configuration change
Non-master member 80B20002E5BCD will be reset to factory-default settings due to a critical cluster configuration change.
The non-master member of the cluster will be reset to factory-default settings due to a critical configuration change. A configuration change is critical if it would cause the master and backup master to lose the TCP connection on the cluster interface.
Non-master member %s will be reset to factory-default settings due to a critical cluster configuration change.
Non-master member ${member} will be reset to factory default-settings due to a critical cluster configuration change.
38000280 ERROR Cluster / Management
Device discovery failed
Cluster master 80B20002E5BCD was unable to issue a device discovery message.
The cluster master was unable to issue a device discovery message.
Cluster master %s was unable to issue a device discovery message.
Cluster master ${master} was unable to issue a device discovery message.
38000282 INFO Cluster / Management
Member ready to join
Member 80B20002E5BCD is ready to join the cluster.
Local member has FireCluster enabled and is ready to join.
Member %s is ready to join the cluster.
Member ${member} is ready to join the cluster.
3800025A INFO Cluster / Management
Cluster enabled
Cluster enabled on member 80B20002E5BCD.
Cluster was enabled on the specified member.
Cluster enabled on member %s.
Cluster enabled on member ${member}.
3800025B INFO Cluster / Management
Cluster disabled on master
Cluster disabled on cluster master 80B20002E5BCD.
Cluster disabled on the cluster member while it was the cluster master.
Cluster disabled on cluster master %s.
Cluster disabled on cluster master ${master}.
3800027A WARN Cluster / Management
Non-master member removed
Non-master cluster member 80B20002E5BCD was removed from cluster, and will be reset to factory-default settings.
The non-master member of the Cluster will be reset to factory-default settings because it was removed from the cluster.
Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.
Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.
3800027E ERROR Cluster / Management
Factory-default reset failed
Failed to reset cluster member 80B20002E5BCD to factory-default settings.
Failed to reset to factory-default settings.
Failed to reset cluster member %s to factory-default settings.
Failed to reset member ${member} to factory-default settings.
39000003 WARN Cluster / Operations
Heartbeat lost
Master 80B20002E5BFE detected loss of heartbeat from member 80B20002E5BCD, cluster channel is up.
The specified Cluster failed to receive a heartbeat message.
Master %s detected loss of heartbeat from member %s, cluster channel is up.
Master ${master} detected loss of heartbeat from member ${member}, cluster channel is up.
39000005 INFO Cluster / Operations
Member promoted to master
Member 80B20002E5BCD is now master.
The specified member has become master.
Member %s is now master.
Member ${member} is now master.
39000007 ERROR Cluster / Operations
Failover due to WAI
Master 80B20002E5BCD failed over to member 80B20002E5BFE, which has a greater Weighted Average Index.
The master failed over to the specified member because that member has a higher health score than the master.
Master %s failed over to member %s, which has a greater Weighted Average Index.
Master ${master} failover to member ${member} with greater Weighted Average Index.
39000010 INFO Cluster / Operations
Member role change
Member 80B20002E5BCD changed role to master
The cluster member changed to the specified role.
Member %s changed role to %s.
Member ${member} role changed to ${role}.
39000011 INFO Cluster / Operations
Interface link status change
Monitored interface eth0 link is down.
Specified monitored interface link status changed, which will change the health index for the member.
Monitored interface %s link is %s.
Monitored interface ${ifname} link is ${state}.
39000012 INFO Cluster / Operations
New master
Member 80B20002E5BCD took over as master from member 80B20002E5BFE.
The specified member has taken over as master.
Member %s took over as master from member %s.
Member ${member} took over as master from member ${member}.
39000015 INFO Cluster / Operations
Failover initiated by administrator
Master 80B20002E5BCD initiated failover by administrator request.
The administrator has initiated a failover.
Master %s initiated failover by administrator request.
Master ${master} initiated failover by administrator request..
39000016 WARN Cluster / Operations
Cannot initiate failover
Cannot initiate failover from master 80B20002E5BCD to member 80B20002E5BFE due to higher Weighted Average Index on current master or backup master is unreachable.
The failover requested by administrator cannot proceed because the master has a higher health index, or the backup master is unreachable.
Cannot initiate failover from master %s to member %s due to higher Weighted Average Index on current master or backup master is unreachable.
Cannot initiate failover from master ${master} to member ${member} due to higher Weighted Average Index on current master or other member is unreachable.
39000019 ERROR Cluster / Operations
Failover due to interface state change
Cluster failover due to interface eth4 link down event.
A cluster failover event occurred due to a change of interface state.
Cluster failover due to interface %s link %s event.
Cluster failover due to interface ${ifname} link ${state} event.
39000058 INFO Cluster / Operations
Member Role Change
Cluster member 80B20002E5BCD changed role from idle to backup master
The role of the specified Cluster member changed.
Cluster member %s changed role from %s to %s.
Cluster member ${member} changed role from ${role} to ${role}.
3900000C ERROR Cluster / Operations
Synchronization failed
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE failed.
Full state synchronization from the master to the specified member failed. Member state will not change to Backup Master.
Full state synchronization from master %s to backup master %s failed.
Full state synchronization from master ${master} to backup master ${member} failed.
3900000D ERROR Cluster / Operations
Synchronization timeout
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE timed out.
Full state synchronization from the master to the specified member timed out. Member state will not change to Backup Master.
Full state synchronization from master %s to backup master %s timed out.
Full state synchronization from master ${master} to backup master ${member} timed out.
3900000E INFO Cluster / Operations
Synchronization successful
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE completed successfully.
Full state synchronization to the specified member was successful. Member status changed to backup master.
Full state synchronization from master %s to backup master %s completed successfully.
Full state synchronization from master ${master} to backup master ${member} completed successfully
3900000F ERROR Cluster / Operations
Failover due to link-down
Master 80B20002E5BCD failed-over to member 80B20002E5BFE due to a link-down event on interface eth3.
Cluster failover due to a link failure on the current master, which now has a health index lower than the backup master. The log message specifies which interface has the link down.
Master %s failed-over to member %s due to a link-down event on interface %s.
Master ${master} failed-over to member ${member} due to a link-down event on interface ${ifname}.
Security Services Log Messages
Security Services log messages are generated for processes related to the Security Services configured on your Firebox. For the log messages from Security Services traffic and events, review the proxy log messages for the proxy policies where the Security Services are enabled. For more information, see Proxy Policy Log Messages on page 40.
Event
Security Services log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
1F000001 ERROR Security Services / Gateway Anti-Virus
Process failed to start
Cannot start ScanD
ScanD -- Process failed to start
Cannot start ScanD
—
1F010015 INFO Security Services / Gateway Anti-Virus
Ready for service
ScanD ready
ScanD -- Ready for service
ScanD ready
—
2E000005 ERROR Security Services / Signature Update
Process exiting
SIGD shutting down
SIGD -- Process exiting
SIGD shutting down
—
2E000006 ERROR Security Services / Signature Update
Process crashed
SIGD crashed
SIGD -- Process crashed
SIGD crashed
—
2E010018 ERROR Security Services / Signature Update
Failed to start the signature update for the specified services
Cannot start the signature update for 'IPS'
SIGD -- Failed to start the signature update for the specified services
Cannot start the signature update for '%s'
—
2E010019 ERROR Security Services / Signature Update
Failed to check the available signature version on the server
Cannot complete the version check
SIGD -- Failed to check the available signature version on the server
Cannot complete the version check
—
2E01001A ERROR Security Services / Signature Update
Signature update process failed to start
Cannot start the signature update process
SIGD -- Signature update process failed to start
Cannot start the signature update process
—
2E01001B ERROR Security Services / Signature Update
Signature update process crashed
SIGD Worker crashed
SIGD -- Signature update process crashed
SIGD Worker crashed
—
2E020067 ERROR Security Services / Signature Update
Signature update process for the specified version failed
Manual DLP update for version(4.94) failed (Valid feature key not available)
SIGD -- Signature update process for the specified version failed
%s %s update for version(%s) failed (%s)
—
2E020065 INFO Security Services / Signature Update
Signature update process started
Scheduled DLP update started
SIGD -- Signature update process started
%s %s update started
—
2E020066 INFO Security Services / Signature Update
Signature update process completed
Scheduled DLP update for version(4.94) completed
SIGD -- Signature update process completed
%s %s update for version(%s) completed
—
2E020069 INFO Security Services / Signature Update
Device has the latest signature version for the specified service
Device already has the latest DLP signature version (4.94)
SIGD -- Device has the latest signature version for specified service
Device already has the latest %s signature version(%s)
—
2E010017 WARN Security Services / Signature Update
License failed to load
Cannot load the license
SIGD -- License failed to load
Cannot load the license
—
23000001 ERROR Security Services / spamBlocker
Failed to start
Cannot start spamD
spamD -- Failed to start
Cannot start spamD
—
23000002 INFO Security Services / spamBlocker
Ready for service
spamD ready
spamD -- Ready for service
spamD ready
—
VPN Log Messages
VPN log messages are generated for processes related to all the VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.
Alarm
VPN log messages of the Alarm log type.
ID Level Area Name Log Message Example Description Format Message Variables
020B0001 INFO VPN / IPSEC
Tunnel status changed
BOVPN tunnel 'tunnel.2' local 172.16.12.81/255.255.255.255 remote 172.16.13.204/255.255.255.255 under gateway 'gateway.1' is down
The status of the IPSec tunnel changed to up or down.
%s tunnel '%s' local %s remote %s under gateway '%s' is %s
${tunnel_type} tunnel '${tunnel}' local ${local} remote ${remote} under gateway '$(gateway}' is ${status}
Diagnostic
VPN log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
02000001 ERROR VPN / IPSEC
Default certificate not found
The default IPSec certificate is not installed on the device
The IPSec tunnel could not be negotiated because the default IPSec certificate is not installed or is not valid.
The default IPSec certificate is not installed on the device
–
02000002 ERROR VPN / IPSEC
Failed to read certificate
Could not read [DSA | RSA] certificate with [n] ID
The IPSec tunnel could not be negotiated because the IPSec certificate is not valid.
Could not read %s certificate with %d ID
Could not read ${cert_type} certificate with ${id} ID
02020001 WARN VPN / IPSEC
IP address not available for Mobile VPN with IPSec user
Virtual IP address from 'abcd' address pool is not available for Mobile VPN with IPSec user 'Bob'
All virtual IP addresses allocated to this Mobile VPN with IPSec group are already assigned. New Mobile VPN with IPSec tunnels cannot be established unless existing tunnels are deleted.
Virtual IP address from '%s' address pool is not available for Mobile VPN with IPSec user '%s'
Virtual IP address from ${pool_name} address pool is not available for Mobile VPN with IPSec user ${user}
02030002 ERROR VPN / IPSEC
IKE Phase 1 expecting main mode
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Aggressive mode' exchange type. Expecting main mode.
IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting main mode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting main mode.
02030003 ERROR VPN / IPSEC
IKE Phase 1 expecting aggressive mode
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Main mode' exchange type. Expecting aggressive mode.
IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting aggressive mode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting aggressive mode.
02030004 ERROR VPN / IPSEC
IKE Phase 1 DH group mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received DH group 2, expecting 14
IKE Phase 1 negotiation failed because of incorrect Diffie-Hellman group in proposal from remote gateway. The log message specifies the received and expected group number.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received DH group %d, expecting %d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received DH group ${received}, expecting ${expected}
02030005 ERROR VPN / IPSEC
IKE Phase 1 hash mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received hash SHA1, expecting MD5
IKE Phase 1 negotiation failed because of incorrect hash type in proposal from remote gateway. The log message specifies the received and expected hash type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received hash %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received hash ${received}, expecting ${expected}
02030006 ERROR VPN / IPSEC
IKE Phase 1 encryption mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received encryption 3DES, expecting AES
IKE Phase 1 negotiation failed because of incorrect encryption type in proposal from remote gateway. The log message specifies the received and expected encryption type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received encryption %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received encryption ${received}, expecting ${expected}
02030007 ERROR VPN / IPSEC
IKE Phase 1 authentication method mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received authentication method PSK, expecting RSA certificate
IKE Phase 1 negotiation failed because of incorrect authentication method in proposal from remote gateway. The log message specifies the received and expected authentication methods.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received authentication method %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received authentication method ${received}, expecting ${expected}
02030008 ERROR VPN / IPSEC
IKE Phase 1 AES key length mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received AES key length 128, expecting 256
IKE Phase 1 negotiation failed because of incorrect AES key length in proposal from remote gateway. The log message specifies the received and expected AES key length.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received AES key length %d, expecting %d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received AES key length ${received}, expecting ${expected}
02030009 ERROR VPN / IPSEC
IKE Phase 1 invalid first message
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid first message received by local gateway. The log message specifies the reason.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
0203000A ERROR VPN / IPSEC
IKE Phase 1 invalid Main Mode second message
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid second message received by local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
0203000B ERROR VPN / IPSEC
IKE Phase 1 invalid Main Mode Key Exchange payload
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because local gateway received invalid Main Mode Key Exchange (KE) payload
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
0203000C ERROR VPN / IPSEC
IKE Phase 1 invalid main mode ID
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid Main Mode ID payload received by local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
0203000D ERROR VPN / IPSEC
IKE Phase 1 invalid aggressive mode hash
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because invalid aggressive mode hash payload received by specified local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
0203000E ERROR VPN / IPSEC
IKE Phase 1 invalid Aggressive mode SA payload
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid Aggressive mode security association (SA) payload received by specified local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
0203000F INFO VPN / IPSEC
IKE Phase 1 matching aggressive mode policy not found
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Aggressive mode matching policy not found
IKE Phase 1 negotiation failed because local gateway did not find a matching aggressive mode policy.
IKE phase-1 negotiation from %s to %s failed. Reason=Aggressive mode matching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Aggressive mode matching policy not found
02030010 INFO VPN / IPSEC
IKE Phase 1 matching Main Mode policy not found
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Main mode matching policy not found
IKE Phase 1 negotiation failed because local gateway did not find a matching Aggressive mode policy.
IKE phase-1 negotiation from %s to %s failed. Reason=Main mode matching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Main mode matching policy not found
02030011 ERROR VPN / IPSEC
IKE Phase 1 remote gateway ID mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched ID setting
IKE Phase 1 negotiation failed because remote ID in gateway configuration did not match proposal from remote gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched ID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched ID setting
02030012 ERROR VPN / IPSEC
IKE Phase 1 pre-shared key authentication failure
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure
IKE Phase 1 negotiation failed because pre-shared key in proposal did not match gateway configuration.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Pre-shared key authentication failure
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure
02030013 INFO VPN / IPSEC
IKE Phase 1 negotiation failed
IKE phase-1 negotiation from 2.2.2.2:500 to 1.1.1.1:500 failed. Reason=Received invalid message
IKE Phase 1 negotiation failed because of the reason specified in the log
IKE phase-1 negotiation from %s:%d to %s:%d failed. Reason=%s
IKE phase-1 negotiation from ${src}:${sport} to ${dst}:${dport} failed - ${reason}
02030014 INFO VPN / IPSEC
Received informational error message
Received 'Invalid Exchange Type' message from 172.16.12.81:500 for 'gateway.1' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received the specified information or error message from remote gateway.
Received '%s' message from %s for '%s' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received '${info_msg}' message from ${peer_addr} for '${gw-ep}' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
02030015 ERROR VPN / IPSEC
IKE Phase 1 retry timeout
IKE phase-1 negotiation from 172.16.12.81:500 to 172.16.12.82:500 failed. Gateway-Endpoint='gateway.1' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
IKE Phase 1 negotiation failed because of no response from remote site.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
02030016 WARN VPN / IPSEC
Mobile user rejected - maximum user connections reached
Rejected MUVPN IPSec user from 2.2.2.2 because maximum allowed user connections has been reached. Maximum:50
Specified Mobile VPN with IPSec user connection rejected because the specified concurrent user connections limit has been reached. The log message specifies the concurrent user connections limit.
Rejected MUVPN IPSec user from %s because maximum allowed user connections has been reached. Maximum:%d
Rejected MUVPN IPSec user from ${peer_addr} because maximum allowed user connections has been reached. Maximum:${max_value}
02030017 ERROR VPN / IPSEC
CA certificate not available
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=No CA certificate available
IKE phase-1 negotiation failed because no Certificate Authority (CA) certificate is available.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030018 ERROR VPN / IPSEC
IKE Phase 1 peer certificate CA is not supported
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peer certificate is not issued by known trusted CA
IKE Phase 1 negotiation failed because peer certificate is not issued by a known and trusted Certificate Authority (CA).
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030019 ERROR VPN / IPSEC
IKE Phase 1 received certificate with invalid CA name
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received certificate with invalid CA name
IKE Phase 1 negotiation failed because of invalid Certificate Authority (CA) name in certificate for remote gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030020 ERROR VPN / IPSEC
IKE Phase 1 possible shared secret mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Message decryption failed due to possible shared secret mismatch
IKE Phase 1 negotiation failed because of possible shared key mismatch.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message decryption failed due to possible shared secret mismatch
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message decryption failed due to possible shared secret mismatch
02030021 WARN VPN / IPSEC
DPD R_U_THERE_ACK not received
Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send DPD R_U_THERE_ACK message. 2 retries left
Firebox or XTM device sent a DPD_R_U_THERE request to remote gateway, but did not receive DPD R_U_THERE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.
Remote gateway '%s' with IP %s did not send DPD R_U_THERE_ACK message. %d retries left
Remote gateway '${gw-ep}' with IP ${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retries left.
02030022 WARN VPN / IPSEC
DPD max failure
Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to DPD failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.
The Firebox or XTM device deleted a VPN tunnel because the remote gateway did not respond to DPD R_U_THERE requests.
Remote gateway '%s' with IP %s presumed dead due to DPD failure. %s
Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to DPD failure. ${action}
02030023 WARN VPN / IPSEC
Did not receive KEEP_ALIVE_ACK response
Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send KEEP_ALIVE_ACK message. 2 retries left.
Firebox or XTM device sent a KEEP_ALIVE request to remote gateway, but did not receive KEEP_ALIVE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.
Remote gateway '%s' with IP %s did not send KEEP_ALIVE_ACK message. %d retries left.
Remote gateway '${gw-ep}' with IP ${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retries left.
02030024 WARN VPN / IPSEC
Deleted VPN tunnels due to keep-alive failure
Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to keep-alive negotiation failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.
Firebox or XTM device deleted one or more VPN tunnels because the remote gateway did not respond to keep-alive requests.
Remote gateway '%s' with IP %s presumed dead due to keep-alive negotiation failure.%s
Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to keep-alive negotiation failure.${action}
02030025 INFO VPN / IPSEC
Received IKE message for unknown Phase 1 SA
Received IKE message from 172.16.13.204:500 for unknown P1 SA. Sending delete message to remote gateway 'gateway.1'.
Received IKE message for unknown P1 SA. Sending delete message to remote gateway
Received IKE message from %s for unknown P1 SA. Sending delete message to remote gateway '%s'.
Received IKE message from ${peer_addr} for unknown P1 SA. Sending delete message to remote gateway '${gateway}'.
02030026 ERROR VPN / IPSEC
DSS certificate ID mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched DSS certificate ID setting
IKE Phase 1 negotiation failed because of mismatched DSS certificate ID setting.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched DSS certificate ID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched DSS certificate ID setting
02030027 ERROR VPN / IPSEC
Failed to get ID information from certificate
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Failed to get ID information from certificate20001
IKE phase-1 negotiation failed because failed to get ID information from certificate.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Failed to get ID information from certificate%d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failed to get ID information from certificate${certificate_id}
02030028 INFO VPN / IPSEC
IKE Phase 1 message received on wrong interface
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Reason=Received IKE message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.
IKE Phase 1 negotiation failed because the IKE message from the peer was received on the wrong interface.
IKE phase-1 negotiation from %s to %s failed. Reason=Received IKE message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Received IKE message on wrong interface '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'
02030029 ERROR VPN / IPSEC
IKE Phase 1 invalid aggressive mode ID
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received ID did not match with configured aggressive mode ID.
IKE Phase 1 negotiation failed because received ID did not match with configured ID on local gateway. Check aggressive mode ID information in gateway endpoint configuration on both local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received ID did not match with configured aggressive mode ID.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received ID did not match with configured aggressive mode ID.
0203002A ERROR VPN / IPSEC
IKE Phase 1 IKE version mismatch
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received IKE version did not match the configured IKE version.
IKE Phase 1 negotiation failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both the local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received IKE version did not match the configured IKE version.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received IKE version did not match the configured IKE version.
0203002B ERROR VPN / IPSEC
IKE Phase 1 message received on wrong interface IP
IKE phase-1 negotiation from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKE Phase 1 negotiation failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
02050002 ERROR VPN / IPSEC
IKE Phase 2 PFS mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal without PFS, Expecting PFS enabled
The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal without PFS, Expecting PFS enabled
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal without PFS, Expecting PFS enabled
02050003 ERROR VPN / IPSEC
IKE Phase-2 proposal type mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received protocol 'AH'. Expecting 'ESP' in phase-2 proposal.
The IPSec tunnel negotiation failed because the proposal did not match the Phase 2 configuration. The log message specifies the received and expected proposals.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received protocol '%s'. Expecting '%s' in phase-2 proposal.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received protocol '${received_proto}'. Expecting '${expected_proto}' in phase-2 proposal.
02050004 ERROR VPN / IPSEC
IKE Phase 2 AH authentication method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AH authentication MD5, expecting SHA1
The IPSec tunnel negotiation failed because the proposed AH authentication method did not match the Phase 2 configuration. The log message specifies the received and expected AH authentication method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AH authentication %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AH authentication ${received}, expecting ${expected}
02050005 ERROR VPN / IPSEC
IKE Phase 2 ESP encryption method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP encryption DES, expecting AES
The IPSec tunnel negotiation failed because the proposed ESP encryption method did not match the Phase 2 configuration. The log message specifies the received and expected ESP encryption method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP encryption %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP encryption ${received}, expecting ${expected}
02050006 ERROR VPN / IPSEC
IKE Phase 2 PFS DH group mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received PFS DH group 2, expecting 5
The IPSec tunnel negotiation failed because the proposed Perfect Forward Secrecy Diffie-Hellman (PFS DH) group number did not match the Phase 2 configuration. The log message specifies the received and expected PFS DH group numbers.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received PFS DH group %d, expecting %d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received PFS DH group ${received}, expecting ${expected}
02050007 ERROR VPN / IPSEC
IKE Phase 2 ESP authentication method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP authentication MD5-HMAC, expecting SHA1-HMAC
The IPSec tunnel negotiation failed because the proposed ESP authentication method did not match the Phase 2 configuration. The log message specifies the received and expected ESP authentication method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP authentication %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP authentication ${received}, expecting ${expected}
02050008 ERROR VPN / IPSEC
IKE Phase 2 AES key length mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AES key length 128, expecting 256
The IPSec tunnel negotiation failed because the proposed AES encryption key length did not match the Phase 2 configuration. The log message specifies the received and expected AES key length.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AES key length %d, expecting %d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AES key length ${received}, expecting ${expected}
0205000A ERROR VPN / IPSEC
IKE Phase 2 tunnel route mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway='gateway.1' Reason=No matching tunnel route for peer proposed local:192.168.81.0/24 remote:192.168.82.0/28
The IPSec tunnel negotiation failed because the proposed tunnel routes did not match the tunnel configuration. The log message specifies the received and expected tunnel routes.
IKE phase-2 negotiation from %s to %s failed. Gateway='%s' Reason=No matching tunnel route for peer proposed local:%s/%d remote:%s/%d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Gateway='${gateway}' Reason=No matching tunnel route for peer proposed local:${tr_local} remote:${tr_remote}
0205000B ERROR VPN / IPSEC
IKE Phase 2 message retry timeout
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
The IPSec tunnel negotiation failed because an expected response was not received before the message retry timeout.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
0205000C ERROR VPN / IPSEC
IKE Phase 2 message retry timeout because Phase 1 SA expired
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout because phase-1 SA expired
The IPSec tunnel negotiation failed because the Phase 1 Security Association (SA) expired.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout because phase-1 SA expired
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout because phase-1 SA expired
0205000D ERROR VPN / IPSEC
IKE Phase 2 PFS not enabled
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal with PFS. PFS not enabled.
The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal with PFS. PFS not enabled.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal with PFS. PFS not enabled.
0205000E ERROR VPN / IPSEC
IKE Phase 2 wait timeout
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
The IPSec tunnel negotiation failed because an expected response was not received before the expected time.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
0205000F WARN VPN / IPSEC
Rejected Phase 2 negotiation due to incorrect gateway
Rejected phase-2 negotiation from 172.16.12.82:500 because 'gateway.1*1' is not the preferred IKE gateway endpoint.
Rejected Phase 2 negotiation because the proposal did not use the preferred IKE gateway endpoint.
Rejected phase-2 negotiation from %s because '%s' is not the preferred IKE gateway endpoint.
Rejected quick mode negotiation from ${peer_addr} because '${gw-ep}' is not the preferred IKE gateway endpoint.
02050010 INFO VPN / IPSEC
Received quick mode informational error message
Received 'No Proposal Chosen' message from 172.16.12.81:500 for 'tunnel.1' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Remote gateway sent an information error message in response to VPN tunnel proposal.
Received '%s' message from %s for '%s' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received '${info_msg}' message from ${peer_addr} for '${tunnel}' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
02050011 INFO VPN / IPSEC
Dropped simultaneous Phase 2 negotiation
Dropped a simultaneous phase-2 negotiation from the peer 172.16.13.204:500
Firebox or XTM device dropped phase-2 negotiation because of another Phase 2 negotiation in progress.
Dropped a simultaneous phase-2 negotiation from the peer %s
Dropped a simultaneous IPSec negotiation from the peer ${peer_addr}
02060001 WARN VPN / IPSEC
Received XAuth fail notification
Received XAuth failed notification from 172.16.24.1:4500.Group:'ToFirebox_mu'
Received notification that Extended Authentication (XAuth) failed. Aborting XAuth negotiation.
Received XAuth failed notification from %s.Group:'%s'
Received XAuth failed notification from ${peer_addr}.Group:'${gateway}'
02060002 WARN VPN / IPSEC
Rejected PSK authentication, Expect client XAUTH enabled.
Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting client XAUTH enabled.
Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects client Extended Authentication (XAuth) enabled.
Rejected phase-1 authentication method %s from %s, expecting client XAUTH enabled.
Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting client XAUTH enabled.
02060003 WARN VPN / IPSEC
Rejected PSK authentication, Expect server XAUTH enabled.
Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting server XAUTH enabled.
Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects server Extended Authentication (XAuth) enabled.
Rejected phase-1 authentication method %s from %s, expecting server XAUTH enabled.
Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting server XAUTH enabled.
02060004 WARN VPN / IPSEC
XAuth negotiation failed due to mismatched mode
XAuth negotiation from 172.16.24.1:4500 failed due to a mismatched XAuthMode.
Mobile VPN with IPSec Extended Authentication (XAuth) negotiation failed because of mismatched authentication mode.
XAuth negotiation from %s failed due to a mismatched XAuthMode.
XAuth negotiation from ${peer_addr} failed due to a mismatched XAuthMode
02060005 WARN VPN / IPSEC
Mobile VPN with IPSec authentication failed because of unresponsive peer
MUVPN user authentication failed due to unresponsive peer at 172.16.24.1:4500
Mobile VPN with IPSec user authentication failed because the peer did not respond.
MUVPN user authentication failed due to unresponsive peer at %s
MUVPN user authentication failed due to unresponsive peer at %s
02060006 INFO VPN / IPSEC
Mobile VPN with IPSec user connected with no group
MUVPN user 'user.1' is authenticated without group information.
Specified Mobile VPN with IPSec user successfully authenticated, but is not a member of any group.
MUVPN user '%s' is authenticated without group information.
MUVPN user '${user_name}' is authenticated without group information
02060007 INFO VPN / IPSEC
Mobile user group information
MUVPN user 'user.1' is a member of 'muvpn' group.
Specified Mobile VPN with IPSec user belongs to the specified group.
MUVPN user '%s' is a member of '%s' group.
MUVPN user '${user_name}' is a member of '${group_name}' group.
02080001 INFO VPN / IPSEC
IKE phase-1 negotiated successful
BOVPN phase-1 main-mode completed successfully as initiator for 'gateway.1' gateway endpoint. local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SAID:0x9d5e7809
IKE phase-1 negotiation was successfully completed.
%s phase-1 %s completed successfully as %s for '%s' gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SAID:0x%08x
${tunnel_type} phase-1 ${nego_mode} completed successfully as ${nego_role} for '${gateway}' gateway endpoint. local-gw:${src}:${sport} remote-gw:${dst}:${dport} SAID:${p1said}
021A0001 ERROR VPN / IPSEC
Dropped received IKEv2 message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=message has invalid initiator SPI (all zeros)
Dropped received invalid IKEv2 message.
Dropped IKEv2 %s message from %s. Reason=%s
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=${reason}
021A0002 ERROR VPN / IPSEC
IKE SA not found to handle IKE_SA_INIT_R message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=IKE SA not found to handle message with message ID 0x0.
IKE SA was not found to handle the received IKE_SA_INIT_R message.
Dropped IKEv2 %s message from %s. Reason=IKE SA not found to handle message with message ID 0x%x.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=IKE SA not found to handle message with message ID ${recvd_message_id}.
021A0003 ERROR VPN / IPSEC
Gateway endpoint not found to handle IKE_SA_INIT_R message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason='gateway.1' gateway endpoint not found to handle message with message ID 0x0.
Gateway endpoint was not found to handle the received IKE_SA_INIT_R message
Dropped IKEv2 %s message from %s. Reason='%s' gateway endpoint not found to handle message with message ID 0x%x.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason='${gw-ep}' gateway endpoint not found to handle IKE_SA_INIT message with message ID ${recvd_message_id}.
021A0004 INFO VPN / IPSEC
IKEv2 IKE SA is in deleting state
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=IKE SA is in DELETING state.
Received IKEv2 message was ignored because the corresponding IKE SA to handle the message was in DELETING state.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=IKE SA is in %s state.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=IKE SA is in ${ikev2_ikesa_state} state.
021A0005 ERROR VPN / IPSEC
Invalid message ID in IKEv2 exchange
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=Invalid message ID in request message.
Received IKEv2 message was dropped because it has invalid message ID.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Invalid message ID in %s message.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}'. Reason=Invalid message ID in ${req_or_resp} message.
021A0006 ERROR VPN / IPSEC
IKEv2 gateway endpoint was not found to handle the received message
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Matching gateway endpoint not found.
IKEv2 gateway endpoint was not found to handle the received message.
IKEv2 %s exchange from %s to %s failed. Reason=Matching gateway endpoint not found.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Matching gateway endpoint not found.
021A0007 ERROR VPN / IPSEC
IKEv2 gateway endpoint version not matched
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE version did not match the configured IKE version.
IKEv2 message exchange failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received IKE version did not match the configured IKE version.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received IKE version did not match the configured IKE version.
021A0008 ERROR VPN / IPSEC
IKEv2 gateway endpoint is disabled
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=gateway endpoint is disabled.
The IKEv2 gateway endpoint is disabled. It cannot be used in tunnel negotiation.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=gateway endpoint is disabled.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=gateway endpoint is disabled.
021A0009 ERROR VPN / IPSEC
IKEv2 gateway ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Gateway endpoint with matching ID was not found.
IKEv2 IKE_AUTH negotiation failed because the remote ID configured in the gateway endpoint did not match proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Gateway endpoint with matching ID was not found.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Gateway endpoint with matching ID was not found.
021A000A ERROR VPN / IPSEC
IKEv2 IKE_SA_INIT message received on wrong interface
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.
IKEv2 IKE_SA_INIT negotiation failed because IKE message from peer was received on the wrong interface.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received message on wrong interface. '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'.
021A000B ERROR VPN / IPSEC
IKEv2 remote gateway endpoint ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured remote gateway endpoint ID.
IKEv2 IKE_AUTH negotiation failed because the remote ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured remote gateway endpoint ID.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured remote gateway endpoint ID.
021A000C ERROR VPN / IPSEC
IKEv2 local gateway endpoint ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured local gateway endpoint ID.
IKEv2 IKE_AUTH negotiation failed because the local ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured local gateway endpoint ID.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured local gateway endpoint ID.
021A000D ERROR VPN / IPSEC
Received IKEv2 message does not have expected payloads
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE_AUTH response message does not have the expected payloads.
IKEv2 message exchange failed because the received message from the peer does not have the expected payloads
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message does not have the expected payloads.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${msg_info} message does not have the expected payloads.
021A000E ERROR VPN / IPSEC
IKEv2 IKE proposal mismatch
IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=IKE proposal did not match. Received encryption 3DES, expected AES.
The IKEv2 message exchange failed because the IKE proposal in the received message did not match the expected proposal.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${msg_info}
021A000F ERROR VPN / IPSEC
IKEv2 KE DH-Group mismatch
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the IKE_SA_INIT response proposal.
IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.
021A0010 ERROR VPN / IPSEC
IKEv2 IPSec KE DH-Group mismatch
IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the CREATE_CHILD_SA request proposal.
IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.
021A0011 ERROR VPN / IPSEC
Received unacceptable traffic selector during first CHILD SA negotiation.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received unacceptable traffic selector in IKE_AUTH request.
IKEv2 first CHILD SA creation failed because the peer sent an unacceptable traffic selector.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received unacceptable traffic selector in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received unacceptable traffic selector in ${msg_info}.
021A0012 ERROR VPN / IPSEC
IKEv2 peer authentication method mismatch.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received authentication method PSK, expecting RSA certificate.
IKEv2 tunnel negotiation failed because the incorrect authenticate method was proposed by the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received authentication method %s, expecting %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Received authentication method ${received}, expecting ${expected}.
021A0013 ERROR VPN / IPSEC
IKEv2 peer authentication failed
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint RSA certificate authentication failed.
IKEv2 tunnel negotiation failed because the local gateway could not authenticate the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint %s authentication failed.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint ${auth_method} authentication failed.
021A0014 ERROR VPN / IPSEC
IKEv2 PSK mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
IKEv2 tunnel negotiation failed because of possible PSK mismatch.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
021A0015 ERROR VPN / IPSEC
Received IKEv2 IKE_SA_INIT notification error message.
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.
IKEv2 IKE_SA_INIT negotiation failed because the peer sent a notification error message.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${notify_msg} message.
021A0016 ERROR VPN / IPSEC
Received IKEv2 CREATE_CHILD_SA/IKE_AUTH notification error message.
IKEv2 IKE_AUTH exchange from 10.139.36.185:500 to 10.139.36.195:500 failed. Tunnel='tunnel.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.
IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failed because peer sent a notification error message.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Received %s message.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel_name}'. Reason=Received ${notify_msg} message.
021A0017 INFO VPN / IPSEC
IKEv2 IKE SA established
IKEv2 IKE SA established successfully as initiator for 'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SA ID:0xbc2188a5.
IKEv2 IKE SA is established because IKE_AUTH negotiation is finished or IKE SA is rekeyed.
IKEv2 IKE SA established successfully as %s for '%s' gateway endpoint. local-gw:%s remote-gw:%s SA ID:0x%08x.
IKEv2 IKE SA established successfully as ${exchange_role} for '${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SA ID:${sa_id}.
021A0018 ERROR VPN / IPSEC
IKEv2 tunnel proposal mismatch.
IKEv2 CREATE_CHILD_SA exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Tunnel='tunnel.1'. Reason=IPSec proposal did not match. Received encryption 3DES, expected AES.
The IKEv2 message exchange failed because the IPSec proposal in the received message did not match the expected proposal.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=%s
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=${msg_info}
021A0019 ERROR VPN / IPSEC
Received invalid SPI during first CHILD SA negotiation.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Peer proposed invalid SPI in IKE_AUTH request.
IKEv2 first CHILD SA creation failed because the peer sent an invalid SPI.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Peer proposed invalid SPI in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Peer proposed invalid SPI in ${msg_info}.
021A001A ERROR VPN / IPSEC
Received invalid SPI during IKEv2 IPSec SA rekey
IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Could not find child SA by received SPI 0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.
IKEv2 IPSec SA rekey failed because the peer sent an invalid SPI.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Could not find child SA by received SPI %0x in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Could not find child SA by received SPI ${spi} in ${msg_info}.
021A001B ERROR VPN / IPSEC
No response from remote gateway
IKEv2 exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=No response for IKE_AUTH request message. Check the connection between the local and remote gateway endpoints.
IKEv2 connection was terminated because there was no response from the remote site.
IKEv2 exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=No response for %s message. Check the connection between the local and remote gateway endpoints.
IKEv2 exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=No response for ${msg_info} message. Check the connection between the local and remote gateway endpoints.
021A001C INFO VPN / IPSEC
IKEv2 IKE SA is waiting for the user authentication result
Dropped IKEv2 IKE_AUTH message from 198.51.100.2:4500. Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for the EAP_MSCHAPv2 user authentication result.
The Firebox ignored an IKEv2 message because the corresponding IKE SA is waiting for the user authentication result from the authentication module.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Waiting for the %s user authentication result.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=Waiting for the ${user-auth-protocol} user authentication result.
021A001D ERROR VPN / IPSEC
IKEv2 gateway ID mismatch
IKEv2 IKE_AUTH exchange from 198.51.100.2 to 203.0.113.2:500 failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=The Mobile VPN with IKEv2 profile is not enabled.
IKEv2 IKE_AUTH negotiation failed because Mobile VPN for IKEv2 is not enabled on this gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=The Mobile VPN with IKEv2 profile is not enabled.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Mobile VPN with IKEv2 profile is not enabled.
021A001E ERROR VPN / IPSEC
IKEv2 received invalid EAP information
IKEv2 IKE_AUTH EAP exchange from 198.51.100.2:4500 to 203.0.113.2:4500 failed. Gateway-Endpoint='WGIKEv2MVPN'. Reason='example' authentication domain is not configured.
IKEv2 IKE_AUTH EAP negotiation failed because IKEv2 Mobile VPN client sent invalid information.
IKEv2 %s EAP exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s
IKEv2 ${exchange_type} EAP exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
021A001F ERROR VPN / IPSEC
IKEv2 IKE_SA_INIT message received on wrong interface IP
IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with the wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
021A0020 ERROR VPN / IPSEC
IKEv2 IKE_AUTH message received on wrong interface IP
IKEv2 IKE_AUTH exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
25000000 INFO VPN / SSLVPN
User login
Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 192.51.100.2.
A user logged in to VPN with SSL. The log message specifies the VPN user type, and the user's name, virtual IP address, and real IP address.
%s %s logged in. Virtual IP address is %s. Real IP address is %s.
${vpn_user_type} ${user_name} logged in. Virtual IP address is ${virtual_ipaddr}. Real IP address is ${real_ipaddr}.
25000001 INFO VPN / SSLVPN
User log off
Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.
The VPN with SSL user with the specified virtual IP address logged out.
%s %s logged off. Virtual IP address is %s.
${vpn_user_type} ${user_name} logged off. Virtual IP address was ${virtual_ipaddr}.
5B010004 INFO VPN / L2TP
Update user session
Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
Mobile VPN with L2TP updated the session for the specified user. The log message specifies the assigned virtual IP address.
Updated Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.
–
5B010005 INFO VPN / L2TP
Delete user session
Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
Deleted a Mobile VPN with L2TP session with the specified virtual IP address.
Deleted Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.
–
Event
VPN log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
02010001 INFO VPN / IPSEC
IKE process starts
WatchGuard iked v11.6.B341909 (C) 1996-2012 WatchGuard Technologies Inc. starts at Wed Jun 30 21:49:08 2012
The IPSec IKE process started.
WatchGuard iked v%s %s starts at %s
–
02010002 INFO VPN / IPSEC
Configuration update started
Started processing a configuration setting
An IPSec configuration update started.
Started to process a configuration setting
–
02010003 INFO VPN / IPSEC
Configuration update completed
A configuration setting has been processed successfully
An IPSec configuration update was successfully completed.
A configuration setting has been processed successfully
–
02010004 WARN VPN / IPSEC
Device not activated
WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!
The device is not activated. IPSec tunnels cannot be established.
WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!
–
02070001 INFO VPN / IPSEC
Tunnel established or re-keyed
'gateway.1' BOVPN IPSec tunnel is established. local:192.168.81.0/28 remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256f role:responder
The IPSec tunnel was established or re-keyed successfully. The log message includes the security association identifiers.
'%s' %s IPSec tunnel is %s. local:%s remote:%s in-SA:0x%08x out-SA:0x%08x role:%s
${gateway} ${tunnel_type} IPSec tunnel is ${action}. local:${local} remote:${remote} in-spi:${in_spi} out-spi:${out_spi} role:${nego_role}
02090001 WARN VPN / IPSEC
BOVPN tunnel limit reached
The maximum number of allowed active BOVPN tunnels has been reached (Maximum: 500 Current: 500).
The maximum allowed number of BOVPN tunnel routes have been established. No new tunnel routes can be created until active tunnel routes expire or are deleted.
The maximum number of active allowed BOVPN tunnels has been reached (Maximum: %d Current: %d)
–
02090002 INFO VPN / IPSEC
IKE process -- FireCluster role changed
A FireCluster failover occurred. The cluster master has changed.
The cluster master has changed because of a FireCluster failover. The local device will not handle IKE negotiation.
A FireCluster failover occurred. The cluster master has changed.
–
5B010001 INFO VPN / L2TP
Daemon started
The Mobile VPN with L2TP daemon started successfully.
The Mobile VPN with L2TP daemon started.
The Mobile VPN with L2TP daemon started successfully.
–
5B010002 INFO VPN / L2TP
Configuration updated
Updating configuration for Mobile VPN with L2TP.
The Mobile VPN with L2TP daemon received a configuration update.
Updating configuration for Mobile VPN with L2TP.
–
5B010003 INFO VPN / L2TP
Daemon stopped
Stopped Mobile VPN with L2TP daemon.
The Mobile VPN with L2TP daemon stopped.
Stopped Mobile VPN with L2TP daemon.
–
78000000 ERROR VPN / VPN TDR Host Sensor Enforcement Module
VPN TDR Host Sensor Enforcement failure
VPN (SSL) connection [email protected] to meet TDR Host Sensor Enforcement requirement: Host Sensor connection failed.
Mobile VPN connection did not meet TDR Host Sensor Enforcement requirement
VPN (%s) connection by user %s%s%s failed to meet TDR Host Sensor Enforcement requirement: %s.
VPN ({$vpn_type}) connection by user ${user}@${domain} failed to meet TDR Host Sensor Enforcement requirement: ${reason}.
78000001 INFO VPN / VPN TDR Host Sensor Enforcement Module
VPN TDR Host Sensor Enforcement success
VPN (IKEv2) connection by user jdoe@Firebox-DB met all TDR Host Sensor Enforcement requirements.
Mobile VPN connection met all TDR Host Sensor Enforcement requirement
VPN (%s) connection by user %s%s%s met all TDR Host Sensor Enforcement requirements.
VPN ({$vpn_type}) connection by user ${user}@${domain} met all TDR Host Sensor Enforcement requirements.
Mobile Security Log Messages
Mobile Security log messages are generated for activity related to traffic through your Firebox from mobile devices. This includes traffic related to FireClient and Endpoint Manager.
Event
Mobile Security log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
70000001 ERROR Mobile Security / Endpoint Manager
Mobile security license limit reached
Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: 50
A user login from FireClient was rejected because the number of concurrently connected Mobile Security users has reached the limit supported by the Mobile Security license. The log message specifies the maximum allowed number of concurrent Mobile Security users.
Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: %d
–
70000002 WARN Mobile Security / Endpoint Manager
Mobile security license high watermark reached
The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: 50
The number of concurrently connected Mobile Security users has reached 90 percent of the capacity supported by the Mobile Security license. The log message specifies the supported maximum number of concurrent Mobile Security users.
The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: %d
–
70010000 INFO Mobile Security / Endpoint Manager
Mobile device connect
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is connected.
FireClient on the device has connected to the Firebox.
Mobile device %s is connected.
–
70010001 INFO Mobile Security / Endpoint Manager
Mobile device user already login
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe has already logged in.
User has logged in to Firebox from the device prior to the connection request.
Mobile device %s: user %s has already logged in.
–
70010002 INFO Mobile Security / Endpoint Manager
Mobile device user login
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged in.
User has logged in to Firebox through FireClient on the device.
Mobile device %s: user %s logged in.
–
70010003 INFO Mobile Security / Endpoint Manager
Mobile device user logout
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged out.
User has logged out of Firebox from FireClient on the device.
Mobile device %s: user %s logged out.
–
70010004 INFO Mobile Security / Endpoint Manager
Mobile device idle disconnected
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected due to FireClient inactivity.
FireClient on the device is considered disconnected due to inactivity.
Mobile device %s is disconnected due to FireClient inactivity.
–
70010005 INFO Mobile Security / Endpoint Manager
Mobile device disconnected
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected.
FireClient on the device has disconnected.
Mobile device %s is disconnected.
–
70010006 INFO Mobile Security / Endpoint Manager
Mobile device Unknown compliance
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Unknown.
Mobile device compliance status is Unknown. This could be because the compliance check is in progress, or because FireClient on the device is not responding.
Mobile device %s compliance status is Unknown.
–
70010007 INFO Mobile Security / Endpoint Manager
Mobile device Compliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Compliant.
Mobile device compliance status is Compliant, because it meets the compliance requirements.
Mobile device %s compliance status is Compliant.
–
70010008 INFO Mobile Security / Endpoint Manager
Mobile device Not Compliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Not Compliant.
Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements.
Mobile device %s compliance status is Not Compliant.
–
70010009 INFO Mobile Security / Endpoint Manager
Mobile device user session recreated
Mobile device eee66f78-3d74-4002-8161-95938dca4390: session for user joe is recreated.
User session is recreated because the mobile device IP address changed.
Mobile device %s: session for user %s is recreated.
–
70020000 INFO Mobile Security / Endpoint Manager
Mobile device Authorization Agreement sign action
Mobile device eee66f78-3d74-4002-8161-95938dca4390: device authorization agreement (version 1) is accepted by user joe on 2015-09-01 09:10:12+0800.
The Device Authorization Agreement is either accepted or declined by a user at the specified local time.
Mobile device %s: device authorization agreement (version %d) is %s by user %s on %s.
device ${device id}: device authorization agreement (version ${ver_number}) is ${action} by user ${user} on ${local_time}