Fireware v12.3 Log Catalog - WatchGuard Technologies

Fireware v12.3

Log Message Catalog

WatchGuard FireboxRevised April 2019

Copyright, Trademark, and Patent InformationInformation in this guide is subject to change without notice. No part of this guidemay be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the expresswritten permission of WatchGuard Technologies, Inc.

Copyright© 1998–2019WatchGuard Technologies, Inc. All rights reserved.

All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in theCopyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Revised: April 2019

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, NextGeneration Firewall, secureWi-Fi, and network intelligence products and services tomore than 75,000 customers worldwide. Thecompany’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, makingWatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, withoffices throughout North America, Europe, Asia Pacific, and Latin America. To learnmore, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedInCompany page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them atwww.secplicity.org.

Address505 Fifth Avenue South

Suite 500Seattle,WA98104

Supportwww.watchguard.com/support

U.S. and Canada +877.232.3531AllOther Countries+1.206.521.3575

SalesU.S. and Canada +1.800.734.9905

AllOther Countries+1.206.613.0895

Copyright, Trademark, and Patent Information

Log Catalog i

http://www.watchguard.com/help/documentation

ContentsCopyright, Trademark, and Patent Information i

Introduction to the Log Catalog 1

About Log Messages 1

Types of LogMessages 1

Traffic LogMessages 1

Alarm LogMessages 2

Event LogMessages 2

Debug (Diagnostic) LogMessages 2

Statistic LogMessages 3

Read a Log Message 3

Firewall Log Messages 6

Alarm 6

Diagnostic 10

Event 12

Traffic 14

Networking Log Messages 16

Diagnostic 16

Event 26

Proxy Policy Log Messages 37

Event 37

Traffic 38

Management Log Messages 75

Diagnostic 75

Log Catalog ii

Event 77

FireCluster Log Messages 86

Diagnostic 86

Event 88

Security Services Log Messages 93

Event 93

VPN Log Messages 95

Alarm 95

Diagnostic 95

Event 118

Mobile Security Log Messages 120

Event 120

Introduction to the Log CatalogYou can use the tools available inWatchGuard Dimension, WatchGuard SystemManager(WSM), and FirewareWebUI to review the logmessages and events that occur on yourWatchGuard Firebox devices, to examine the activity on your network. Logmessages give youimportant information about the flow of traffic through your network, and are a key component tohelp you troubleshoot problems on your network.

The Fireware Log Catalog describes many of the types of logmessages that your Firebox cangenerate. It includes examples of logmessages for Firebox devices that run Fireware OS,grouped by the product area.

All logmessages included in the Log Catalog are first organized into topics by product area andthen separated into sections in each topic by the logmessage type:

n ALARM— Alarm logmessagesn DIAG—Debug (Diagnostics) logmessagesn EVENT— Event logmessagesn STAT— Statistics logmessagesn TRAFFIC — Traffic logmessages

For more information about logmessage types, seeAbout LogMessages.

Only logmessages that are assigned amessage ID number are included inthe Log Catalog.

To review the logmessages that are defined in the Log Catalog, you can expand the LogMessages section and select a topic for a product area, expand the section for a logmessagetype, and review the logmessage lists to find a specific logmessage.

n To expand a single section, click .n To collapse a single section, click .

n To expand all the sections in a topic, at the top of the topic window, click .

n To collapse all the sections in a topic, at the top of the topic window, click .

Introduction to the Log Catalog

Log Catalog 1

You can also search the Log Catalog for the specific details included in a logmessage.

For more information about options to search the Log Catalog, see Search the Log Catalog.

About Log MessagesYour Firebox can send logmessages to an instance of Dimension, aWSM Log Server, or a syslogserver. You can also configure your Firebox to store logmessages locally on the Firebox. You canuse Traffic Monitor in FirewareWebUI or Firebox SystemManager (FSM) to review logmessages inreal-time. If you send logmessages to Dimension, you can use the Dimension LogManager to reviewthe logmessages from your Firebox devices. If you send logmessages to aWSM Log Server, youcan use LogManager inWatchGuardWebCenter to review logmessages after they are generatedand processed by the Log Server.

Types of Log MessagesFirebox devices can send several types of logmessages for events that occur on the Firebox. Eachmessage includes themessage type in the text of themessage. The logmessages types are:

n Trafficn Alarmn Eventn Debug (Diagnostic)n Statistic

Traffic and event logmessages, and some alarm logmessages, automatically appear in TrafficMonitor by default; you do not have to enable any settings on your Firebox to generate them. Themajority of the other logmessage types must be enabled in the device configuration file before theyappear in Traffic Monitor or LogManager.

Traffic Log MessagesMost of the logmessages that appear in Traffic Monitor are traffic logmessages. Traffic Monitorshows all of the logmessages that are generated by your Firebox and are recorded in your log file.Traffic logmessages show the traffic that moves through your Firebox and how the packet filter andproxy policies were applied. A traffic logmessage can include details that show how NAT (networkaddress translation) was handled for a packet.

The traffic logmessages for traffic managed by packet filter policies contain a set number offields. The information for the same traffic logmessage will look different in Traffic Monitor thanin LogManager.

For a traffic logmessage generated by traffic managed by a proxy policy, your Fireboxgenerates more than one logmessage. The first entry shows the same information as a packetfilter logmessage, but includes this additional information:

proxy_act

The name of the proxy action that handles this packet. A proxy action is a set of rules fora proxy that can be applied tomore than one policy.

rule_name

The name of the specific proxy rule that handles this packet.

content_type

The type of content in the packet that is filtered by the proxy rule.

Other proxy logmessages include a variable number of fields.

Alarm Log MessagesAlarm logmessages are sent when an event occurs that triggers the Firebox to run a command.When the alarm condition is matched, the Firebox generates an alarm logmessage that youcan see in Traffic Monitor, sends the logmessage to your Dimension server, WSM Log Server,or syslog server, and then it completes the specified action for the event.

You can configure your Firebox to send alarm logmessages for specific events that occur onyour device. For example, you can configure an alarm to occur when a specified valuematchesor exceeds a threshold. Other alarm logmessages are set by the Firebox OS, with values thatyou cannot change. For example, the Firebox sends an alarm logmessage when a networkconnection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.

There are eight categories of alarm logmessages:

n Systemn IPSn AV

Introduction to the Log Catalog

Log Catalog 2

n Policyn Proxyn Countern Denial of Servicen Traffic

The Firebox does not sendmore than 10 alarms in 15minutes for the same conditions.

Event Log MessagesEvent logmessages are generated for activity on your Firebox that is related to actions by the Fireboxand users. Actions that can cause the Firebox to send an event logmessage include:

n Firebox start up and shut downn Firebox and VPN authenticationn Process start up and shut downn Problems with Firebox hardware componentsn Any task completed by a device administrator

Debug (Diagnostic) Log MessagesDebug logmessages include detailed diagnostic information that you can use to help troubleshootproblems on your Firebox . There are 27 different product components that can send debug logmessages. When you configure the logging settings on your Firebox you can specify the level ofdiagnostic logging to see for each different product component enabled on your Firebox. The availablelevels are:

n Offn Errorn Warningn Informationn Debug

Statistic Log MessagesStatistic logmessages include information about the performance of your Firebox. You canconfigure your Firebox to generate logmessages about external interface performance, VPNbandwidth statistics, and Security Services statistics. You can review these logmessages todetermine what changes are necessary in your Firebox settings to improve performance. Tosee these logmessages, performance statistic loggingmust be enabled on the Firebox.

Read a Log MessageEach logmessage generated by your Firebox includes a string of data about the traffic on yourFirebox. If you review the logmessages in Traffic Monitor, the details in the data have differentcolors applied to them to help visually distinguish each detail.

Here is an example of one traffic logmessage from Traffic Monitor:

2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10S 2982213793 win 2105" msg_id="3000-0148"

When you read logmessages, you can see details about when the connection for the trafficoccurred, the source and destination of the traffic, as well as the disposition of the connection,and other details.

Each logmessage includes these details:

Time Stamp

The logmessage line begins with a time stamp that includes the time and date that thelogmessage was created. The time stamp uses the time zone and current time from theFirebox.

This is the time stamp from the example logmessage above:

2014-07-02 17:38:43

Read a LogMessage

Log Catalog 3

FireCluster Member Information

If the logmessage is from a Firebox that is amember of a FireCluster, the logmessageincludes the cluster member number for the Firebox.

This is the FireCluster member information from the example logmessage above:

Member2

Disposition

Each logmessage indicates the disposition of the traffic: Allow or Deny. If the logmessage isfor traffic that was managed by a proxy policy instead of a packet filter policy, the traffic maybemarked Allow even though the packet body was stripped or altered by the proxy action.

This is the disposition from the example logmessage above:

Allow

Source and Destination Addresses

After the disposition, the logmessage shows the actual source and destination IP addressesof the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the logmessage.

These are the source and destination addresses from the example logmessage above:

192.168.228.202 and 10.0.1.1

Service and Protocol

The next entries in the logmessage are the service and protocol that managed the traffic. Theservice is specified based on the protocol and port the traffic used, not the name of the policythat managed the traffic. If the service cannot be determined, the port number appears instead.

These are the service and protocol from the example logmessage above:

webcache/tcp

Source and Destination Ports

The next details in the logmessage are the source and destination ports. The source portidentifies the return traffic. The destination port determines the service used for the traffic.

These are the source and destination ports from the example logmessage above:

42973 and 8080

Source and Destination Interfaces

The source and destination interfaces appear after the destination port. These are thephysical or virtual interfaces that handle the connection for this traffic.

These are the source and destination interfaces from the example logmessage above:

3-Trusted and 1-WCI

Connection Action

This is the action applied to the traffic connection. For proxy actions, this indicateswhether the contents of the packet are allowed, dropped, or stripped.

This is the connection action from the example logmessage above:

Allowed

Packet Length

The two packet length numbers indicate the packet length (in bytes) and the TTL (TimeTo Live) value. TTL is ametric used to prevent network congestion by only allowing thepacket to pass through a specific number of routing devices before it is discarded.

These are the packet length numbers from the example logmessage above:

60 (packet length) and 63 (TTL)

Policy Name

This is the name of the policy on your Firebox that handles the traffic. The number (-00)is automatically appended to policy names, and is part of the internal reference systemon the Firebox.

This is the policy name from the example logmessage above:

(Outgoing-proxy-00)

Process

This section of the logmessage shows the process that handles the traffic.

This is the process from the example logmessage above:

Read a LogMessage

Log Catalog 4

proc_id="firewall"

Return Code

This is the return code for the packet, which is used in reports.

This is the return code from the example logmessage above:

rc="100"

NAT Address

This is the IP address that appears in place of the actual source IP address of the traffic after itleaves the Firebox interface and the NAT rules have been applied. A destination NAT IPaddress can also be included.

This is the NAT address from the example logmessage above:

src_ip_nat="69.164.168.163"

Packet Size

The tcp_info detail includes values for the offset, sequence, and window size for the packetthat initiates the connection. The packet size details that are included depend on the protocoltype.

This is the packet size from the example logmessage above:

tcp_info="offset 10 S 2982213793 win 2105"

Message Identification Number

Each type of logmessage includes a uniquemessage identification number. When you reviewa logmessage in Traffic Monitor, themessage ID number can appear as the value for eitherthe msg_id= detail or the id= detail. In LogManager, themessage ID number appears as thevalue for the id= detail.

Some logmessages do not include amessage ID number. Only logmessages that areassigned amessage ID number are included in the Log Catalog.

The is themessage ID number from the example logmessage above:

msg_id="3000-0148"

Themessage ID numbers included in the Log Catalog do not include the hyphens thatappear in themessage ID number in Traffic Monitor and LogManager. Tomake sure youcan locate themessage ID number in the Log Catalog, when you search the Log Catalogfor themessage ID, remove the hyphen from themessage ID number.

For example, to search for information about message ID number 3000-0148, in theSearch Log Catalog text box, type 300000148.

Read a LogMessage

Log Catalog 5

Firewall Log MessagesFirewall logmessages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can includemessages related tofeature keys, subscription services, server load balancing, and other features configured on your Firebox.

AlarmFirewall logmessages of theAlarm log type.

ID Level Area Name Log Message Example Description Format Message Variables

30000152 INFO Firewall/PacketFilter

IPv4sourcerouteattack

IPv4 source route attack from 10.0.1.34detected.

IPv4 source route attack wasdetected.

IPv4 source route attack from%s detected.

IPv4 source route from ${src} detected.


IPv4 SYNfloodattack

SYN flood attack against 10.0.1.51 from216.3.21.4 detected.

IPv4 SYN flood attack wasdetected.

SYN flood attack against %sfrom%s detected.

SYN flood attack against ${dst} from${src} detected.


IPv4 ICMPfloodattack

ICMP flood attack against 10.0.1.51 from216.3.21.4 detected.

IPv4 ICMP flood attack wasdetected.

ICMP flood attack against$dst from $src detected.

ICMP flood attack against ${dst} from${src} detected.


IPv4 UDPfloodattack

UDP flood attack against 32.21.56.8 from12.34.23.67 detected.

IPv4 UDP flood attack wasdetected.

UDP flood attack against %sfrom%s detected.

UDP flood attack against ${dst} from${src} detected.


IPv4IPSECfloodattack

IPSEC flood attack against 32.21.56.8 from12.34.23.67 detected.

IPv4 IPSEC flood attack wasdetected.

IPSEC flood attack against%s from%s detected.

IPSEC flood attack against $dst from$src detected.

30000157 INFO Firewall IPv4 IKE IKE flood attack against 32.21.56.8 from12.34.23.67 detected.

IPv4 IKE flood attack wasdetected

IKE flood attack against %sfrom%s detected.

IKE flood attack against ${dst} from${src} detected.

Firewall LogMessages

Log Catalog 6


/PacketFilter

floodattack


IPv4 scanattack

IP scan attack against 32.21.56.8 from12.34.23.67 detected.

IPv4 scan attack wasdetected.

IP scan attack against %sfrom%s detected.

IP scan attack against ${dst} from ${src}detected.


IPv4 portscanattack

PORT scan attack against 32.21.56.8 from12.34.23.67 detected.

IPv4 port scan attack wasdetected.

PORT scan attack against %sfrom%s detected.

Port scan attack against ${dst} from${src} detected.


IPv4DDOSagainstserver

DDOS against server 10.0.1.34 detected. IPv4 DDOS attack against aserver was detected.

DDOS against server%sdetected.

DDOS against server ${dst} detected.


IPv4DDOSattack fromclient

DDOS from client 10.0.1.34 detected. IPv4 DDOS attack from aclient was detected.

DDOS from client $srcdetected.

DDOS from client ${src} detected.


IPv6 SYNfloodattack

SYN flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.

IPv6 SYN flood attack wasdetected.

SYN flood attack against %sfrom%s detected.

SYN flood attack against ${dst} from${src} detected.


IPv6 ICMPfloodattack

ICMP flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.

IPv6 ICMP flood attack wasdetected.

ICMP flood attack against %sfrom%s detected.

ICMP flood attack against ${dst} from${src} detected.


Log Catalog 7



IPv6 UDPfloodattack

UDP flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.

IPv6 UDP flood attack wasdetected.

UDP flood attack against %sfrom%s detected.

UDP flood attack against ${dst} from${src} detected.


IPv6IPSECfloodattack

IPSEC flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.

IPv6 IPSEC flood attack wasdetected.

IPSEC flood attack against%s from%s detected.

IPSEC flood attack against ${dst} from${src} detected.


IPv6 IKEfloodattack

IKE flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.

IPv6 IKE flood attack wasdetected.

IKE flood attack against %sfrom%s detected.

IKE flood attack against ${dst} from${src} detected.


AlarmTrafficmatchedpolicy

Policy Name: HTTP-00 Source IP Address:10.0.1.20 Source Port: 4107 Destination IPAddress: 61.135.169.125 Destination Port:80

An alarm logmessage wassent for traffic that matchedthe specified policy.

Policy Name: %s Source IPAddress: %s Source Port: %dDestination IP Address: %sDestination Port: %d

Policy Name: ${pcy_name} Source IPAddress: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip}Destination Port: ${dst_port}


Blockedsite

Blocked site: Traffic detected from 10.0.1.2to 61.231.45.165.

Traffic was detected to orfrom a blocked site.

Blocked site: Traffic detectedfrom%src to%dst.

Blocked site: Traffic detected from ${src}to ${dst}.


IP spoofing IP spoofing: Traffic detected from 10.0.1.2to 43.123.12.26.

IP spoofing was detectedfrom the IP address specifiedin the logmessage.

IP spoofing: Traffic detectedfrom%src to%dst.

IP spoofing: Traffic detected from ${src}to ${dst}.


IP spoofing IP spoofing: Traffic detected from 10.0.1.2to 43.123.12.26.

IP spoofing was detectedfrom the IP address specifiedin the logmessage.

IP spoofing: Traffic detectedfrom%src to%dst.

IP spoofing: Traffic detected from ${src}to ${dst}.

30000170 INFO Firewall Connection The total number of current sessions (1024) The total number of current The total number of current The total number of current sessions


Log Catalog 8


/PacketFilter

table highwater mark

has reached the high water mark (1024). sessions reached the highwater mark (80%) of themaximum connection table.

sessions (%u) has reached thehigh water mark (%d).

(${value1}) has reached the high watermark (${value2}).


Connectiontable highwater mark

The total number of current sessions (1024)has reached the high water mark (1024).

The total number of currentsessions reached the highwater mark (80%) of themaximum connection table.

The total number of currentsessions (%u) has reached thehigh water mark (%d).

The total number of current sessions(${value1}) has reached the high watermark (${value2}).


Conntracktable is full

The number of connections (2048) hasreached the configured limit (2048).

The conntrack table is full.The number of connectionshas reached the configuredlimit.

The number of connections(%u) has reached theconfigured limit (%d).

The number of connections (${value1})has reached the configured limit(${value2}).


Blockedport

Blocked port: Traffic detected from 10.0.1.2to 61.231.45.165 on port 513.

Traffic was detected on ablocked port.

Blocked port: Traffic detectedfrom%src to%dst on port%port.

Blocked port: Traffic detected from ${src}to ${dst} on port ${port}.


Log Catalog 9

DiagnosticFirewall logmessages of theDebug (Diagnostic) log type.


3000003A ERROR Firewall/PacketFilter

Unable toreadfeaturekeys

Unable to read the featurekeys, some features may beunavailable

Unable to read feature keys file or failto parse feature keys file. Featuresthat require a correct feature key willnot function.

Unable to read the feature keys, somefeatures may be unavailable

—

3000003C ERROR Firewall/PacketFilter

No routeto HTTPredirecthost

Route look up on HTTPredirect host 192.168.111.10for policy "FTP-00" failed,local redirect may not work

Route look up on HTTP redirect hostfor the specified policy failed, andlocal HTTP redirect may not work.

Route look up on HTTP redirect host%u.%u.%u.%u for policy "%s" failed, localredirect may not work

—

3000012E ERROR Firewall/PacketFilter

Possibleloop orARPspoofingdetected

Cannot relearn systemMACaddress, possible loop orMAC spoofing,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5

The appliance received an ARPpacket sent from one of its ownMACaddresses. It is possibly a network orcabling loop, or another device isfaking this device's MAC address.

Cannot relearn systemMAC address,possible loop or MAC spoofing,ip=%hu.%hu.%hu.%hu,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u

Cannot relearn systemMACaddress, possible loop or anotherdevice is faking this device'sMAC address, ip=${ip},mac=${mac},interface=${interface}


Featuresettingsupdated

Application control settingsupdated

Firewall settings for the featurespecified in themessage have beenupdated

%s settings updated —


Firewallis startingup

Firewall is starting up — Firewall is starting up —


Firewallisshuttingdown

Firewall is shutting down — Firewall is shutting down —


Log Catalog 10



Addressexemptedfromblockedsites

IP address 192.168.111.254will not be added to theblocked sites list because itis exempt

The particular IP address is anexemption and will not be added tothe blocked sites list

IP address %s will not be added to theblocked sites list because it is exempt

IP address ${ip} will not be addedto the blocked sites list becauseit is exempt


Blockedsite idletimeout

Idle timeout has occurred forblocked site 192.168.111.10

Idle timeout has occurred for thespecified blocked site, and it will beremoved from the blocked sites list.

Idle timeout has occurred for blocked site%s

—

3000002A INFO Firewall/PacketFilter

Addressalreadyblocked

IP address 192.168.111.10will not be added to theblocked sites list because italready exists.

— IP address %s will not be added to theblocked sites list because it already exists.

IP address ${ip} will not be addedto the blocked sites list becauseit already exists.

3000012D INFO Firewall/PacketFilter

VerifyARPentry

Verify ARP entry for host at192.168.111.10

The appliance sent an ARP request toverify learned ARP entry for a givenhost.

Verify ARP entry for host at%hu.%hu.%hu.%hu

—


Log Catalog 11

EventFirewall logmessages of theEvent log type.

ID Level Area Name Log Messag Example Description Format Message Variables

3000012C ERROR Firewall/PacketFilter

ARPspoofingattack

ARP spoofing attackdetected,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5

Detected an ARP spoofing attack. The logmessage specifies the source IP address,MAC address, and incoming interface of theARP packet.

ARP spoofing attack detected,ip=%u.%u.%u.%u,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u

ARP spoofing attackdetected, ip=${ip},mac=${mac},interface=${interface}


ApplicationControlfeatureexpired

The Application Controlfeature has expired.

The feature key for your Application Controlsubscription has expired.

The Application Control feature has expired. —


IPSfeatureexpired

The IPS feature has expired. The feature key for your Intrusion PreventionServices subscription has expired.

The IPS feature has expired. —

3000002F INFO Firewall/PacketFilter

Featurenotsupportedby featurekey

Feature key does notsupport the feature Policybased routing.

The device feature key does not support thespecified feature.

Feature key does not support the feature%s.

No valid ${featurename} feature


Log Catalog 12

ID Level Area Name Log Messag Example Description Format Message Variables

300000C9 INFO Firewall/PacketFilter

LoadBalanceServer(TCPProbe)

TCP probe packets timeout,Load Balance Server10.10.10.100 port 3030 isoffline.

Load Balance Server status update due toresponse or lack of response to a TCP Probepacket. The logmessage specifies the serverIP address and port.

%s %s , Load Balance Server%hu.%hu.%hu.%hu port %d is %s.

${probemethod}${reason}, LoadBalance Server ${ip}port ${port} is ${status}

300000CB INFO Firewall/PacketFilter

LoadBalanceServer(ICMPProbe)

ICMP probe packetstimeout, Load BalanceServer 10.10.10.100 isoffline.

Update to status of Load Balance Server dueto success or failure of ICMP Probe packet.The logmessage specifies the server IP andstatus.

%s %s , Load Balance Server%u.%u.%u.%u is %s.

${probemethod}${reason}, LoadBalance Server ${ip} is${status}


Log Catalog 13

TrafficFirewall logmessages of the Traffic log type.



Normaltraffic

Allow Firebox 0-External 52 tcp 20 12710.0.1.2 206.190.60.138 62443 80 offset 8 S832026162 win 8192 (HTTP-00)

Details ofnormal trafficeither allowedor denied bythe firewallpolicyspecified inthe logmessage.

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}][${route_type}] ${policy_name}


ApplicationControlTrafficidentified

Allow 1-Trusted 0-External 40 tcp 20 12710.0.1.2 206.190.60.138 53008 80 offset 5 AF3212213617 win 257 app_name="WorldWideWebHTTP" cat_name="Network Protocols"app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2"msg="Application identified" (HTTP-00)

ApplicationControlidentifiedtraffic for anapplication.

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\"app_cat_id=\"%d\" app_ctl_disp=\"%d\" msg=\"%s\" (%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp}msg=${msg} [${route_type}] ${policy_name}


IPS Trafficdetected

Deny 1-Trusted 0-External 1440 tcp 20 6110.0.1.2 192.168.130.126 55810 80 offset 5 A447868619 win 54 signature_name="EXPLOITApple QuickTime FLIC Animation file bufferoverflow -1-2" signature_cat="Misc"signature_id="1112464" severity="4"msg="IPS detected" (HTTP-00)

IPS detectedtraffic thatmatches anIPSsignature.

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d signature_name=\"%s\"signature_cat=\"%s\"signature_id=\"%s\"severity=\"%d\" msg=\"%s\"(%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity}msg=${msg} [${route_type}] ${policy_name}


Trafficconnectionterminated

Allow 1-Trusted 0-External tcp 10.0.1.2220.181.90.24 53018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)

Record for aterminatedconnection

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\"duration=\"%d\" sent_

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}]appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_


Log Catalog 14


bytes=\"%d\" rcvd_bytes=\"%d\" (%s)

bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes}${policy_name}


Hostiletraffic

Deny 0-External Firebox 52 tcp 20 127206.190.60.138 10.0.0.1 62443 80 offset 8 S832026162 win 8192 blocked sites (InternalPolicy)

Details ofhostile trafficdenied by thefirewallinternalpolicy.

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)

${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL}{${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]


Log Catalog 15

Networking Log MessagesNetworking logmessages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP serverrequests, FireCluster management, link monitoring, and wireless connections.

DiagnosticNetworking logmessages of theDebug (Diagnostic) log type.


09000001 ERROR Networking /PPPoE

DuplicatePPPoEInstanceError

Another instance of PPPoE is running Another instance ofthe PPPoE processis already active inthe system.

Another instance of PPPoE is running —


InvalidPPPoEautomaticrestartsettings

PPPoE automatic restart settings are invalid,automatic restart will not be used

Automatic restart ofPPPoE is disableddue to invalidsettings.

PPPoE automatic restart settings are invalid,automatic restart will not be used

—

09000006 INFO Networking /PPPoE

InitiatePPPoEautomaticrestart

Initiating PPPoE automatic restart PPPoE instance willrestart automatically.

Initiating PPPoE automatic restart —

09000007 WARN Networking /PPPoE

Skip PPPoEautomaticrestart

Skipped PPPoE automatic restart because thelink was not up

PPPoE instance willnot restartautomatically due tono link.

Skipped PPPoE automatic restart because thelink was not up

—

31000003 INFO Networking /NetworkManagement

InitiategratuitousARP

Initiating GARP for eth0 Initiate gratuitousARP for the specifiedinterface.

Initiating GARP for%s Initiating GARP for${dev_name}

31000004 INFO Networking / Initiate Initiating GARP for all interfaces Initiate gratuitous Initiating GARP for all interfaces —

Networking LogMessages

Log Catalog 16


NetworkManagement

gratuitousARP

ARP for all theinterfaces.


Sendinterfacelogical linkstatus event

[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0

Interface statusevent is sent forlogical link statuschange.

[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u

[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}




















Log Catalog 17









Sendinterface linkstatus event

[eth0] Sending interface status event for link up Interface statusevent is sent for linkchange.

[%s] Sending interface status event%s for link%s

[${dev_name}]Sending interfacestatus event for link${link}


Sendinterface linkstatus event

[eth0] Sending interface status event for link up Interface statusevent is sent for linkchange.

[%s] Sending interface status event%s for link%s

[${dev_name}]Sending interfacestatus event for link${link}


A changewas made tothe IPaddress ofthe externalinterface

[eth0 (External)] External Interface set IPaddress

Handle IP addressfor the specifiedexternal interface.

[%s (%s)] External Interface%s IP address [${dev_name} (${if_name})] ExternalInterface${operation} IPaddress


A changewas made tothe IPaddress ofthe externalinterface





A changewas made tothe IPaddress ofthe external





Log Catalog 18


interface

31000035 ERROR Networking /NetworkManagement

Ignoreunknownaddressoperation

[eth0 (External)] Ignoring unknown addressoperation sss

Ignore unknownaddress operation onthe specifiedinterface.

[%s (%s)] Ignoring unknown address operation%s

[${dev_name} (${if_name})] Ignoringunknown addressoperation${operation}














Layer 2traffic gate isclosed

[Cluster] The traffic gate of layer2 is closed dueto cluster role backup

Layer 2 traffic gate isclosed due to thespecified reason.

[Cluster] The traffic gate of layer2 is closed dueto cluster role%s

[Cluster] The trafficgate of layer2 isclosed due tocluster role ${role}


Layer 2traffic gate isopened

[Cluster] The traffic gate of layer2 is openeddue to cluster role master

Layer 2 traffic gate isopened due to thespecified reason.

[Cluster] The traffic gate of layer2 is openeddue to cluster role%s

[Cluster] The trafficgate of layer2 isopened due tocluster role ${role}


Traffic signalchanged

[Cluster] Traffic signal become green Traffic signal ischanged to thespecified status.

[Cluster] Traffic signal become%s [Cluster] Trafficsignal become${status}


Log Catalog 19



Startingwireless AP

Starting wireless AP ath1 Starting specifiedwireless AP.

Starting wireless AP %s —


Stoppingwireless AP

Stopping wireless AP ath1 Stopping thespecified wirelessAccess Point.

Stopping wireless AP %s —


Startprocessingconfiguration

Starts processing a configuration setting Started to processconfigurationsettings.

Starts processing a configuration setting —


Updatebridgemodesettings

Updating global bridgemode setting Update global bridgemode settings.

Updating global bridgemode setting —


Update drop-in modesettings

Updating global drop-in mode setting Update global drop-inmode settings.

Updating global drop-in mode setting —


Clean upstaleconnections

[Cluster] Clean up stale IP connections withexpired address 192.168.1.22 for PPPoEinterface eth0

Clean up staleconnections for theexpired IP addresson dynamicinterface.

[Cluster] Clean up stale IP connections withexpired address %s for%s interface%s

[Cluster] Clean upstale IPconnections withexpired address${ip} for dynamicinterface ${dev_name}


Clean upstaleconnections

[Cluster] Clean up stale IP connections withexpired address 192.168.1.22 for PPPoEinterface eth0

Clean up staleconnections for theexpired IP addresson dynamicinterface.

[Cluster] Clean up stale IP connections withexpired address %s for%s interface%s

[Cluster] Clean upstale IPconnections withexpired address${ip} for dynamicinterface ${dev_name}


Log Catalog 20



DNSWatchserversshould notbe in use

DNSWatch is expired or was disabled. YourFirebox does not have a configured DNSserver. Tomake sure your Firebox does not usethe DNSWatch servers, youmust specify aDNS server in the network DNS/WINSsettings.

DNSWatch serversshould not be in usebut the Firebox doesnot have analternative DNSserver it can use.

DNSWatch is expired or was disabled. YourFirebox does not have a configured DNSserver. Tomake sure your Firebox does notuse the DNSWatch servers, youmust specifya DNS server in the network DNS/WINSsettings.

—


Capturestopped

Capture stopped, insufficient space Capture stopped dueto the specifiedreason.

Capture stopped, %s Capture stopped,${reason}

45000001 ERROR Networking /Modem

Duplicatemodeminstancerunning

Another instance of Modem is running System loadedModem process, butanother instance isalready active.

Another instance of Modem is running —

3100000F INFO Networking /NetworkManagement

Add bridgeinterface

Adding bridge tbr0 Add bridge interfacein bridgemode.

Adding bridge%s Adding bridge${dev_name}

3100003D INFO Networking /NetworkManagement

Update ARPrules

[Cluster] Update arp rules for cluster rolebackup

Update ARP rules forthe specified clusterrole.

[Cluster] Update arp rules for cluster role%s [Cluster] Updatearp rules for clusterrole ${role}


Fix upmultipathgateways

[ECMP] Fixup 2multipath gatewaysuccessfully

Fix upmultipathgateways of thespecified numbersuccessfully.

[ECMP] Fixup%dmultipath gatewaysuccessfully

[ECMP] Fixup${num}multipathgatewaysuccessfully

3100005A INFO Networking /NetworkManagement

Updatewirelesssettings

Updating wireless setting Update wirelesssettings

Updating wireless setting —


Log Catalog 21


3100005B INFO Networking /NetworkManagement

UpdatesecondaryIP settings

Updating Trust-1 secondary IP(s) setting Update secondary IPaddress settings forthe specifiedinterface.

Updating%s secondary IP(s) setting Updating ${if_name} secondary IP(s) setting

3100005C INFO Networking /NetworkManagement

Update routesettings

Updating route setting Update routesettings.

Updating route setting —


Update 1to1NATsettings

Updating 1to1 NAT setting Update 1-to-1 NATsettings.

Updating 1to1 NAT setting —

3100005E INFO Networking /NetworkManagement

Update DNSsettings

Updating DNS setting Update DNSsettings.

Updating DNS setting —

5A000001 INFO Networking /DynamicDNS

ResponsefromDynamicDNS server

Response from server: update succeeded withno change, abusive warning (1)

Receive thespecified responsefrom the dynamicDNS server.

Response from server: %s (%d) Response fromserver: ${response}(${ret_code})


ResponsefromDynamicDNS server

Response from server: update succeeded withno change, abusive warning (1)

Receive thespecified responsefrom the dynamicDNS server.

Response from server: %s (%d) Response fromserver: ${response}(${ret_code})


DynamicDNSDomainNameResolved

Resolved domainmembers.dyndns.org to204.13.248.111

Dynamic DNSserver domain namesuccessfullyresolved to an IPaddress.

Resolved domain%s to%s Resolved domain${domain} to ${ip}


DynamicDNSDomain

Resolved domainmembers.dyndns.org to204.13.248.111

Dynamic DNSserver domain namesuccessfully

Resolved domain%s to%s Resolved domain${domain} to ${ip}


Log Catalog 22


NameResolved

resolved to an IPaddress.


Connectedto the server

Connected to: members.dyndns.org /204.13.248.111

Connected to thespecified dynamicDNS server.

Connected to: %s / %s Connected to:${server_name} /${server_ip}


Connectedto the server

Connected to: members.dyndns.org /204.13.248.111

Connected to thespecified dynamicDNS server.

Connected to: %s / %s Connected to:${server_name} /${server_ip}


Connectingto the server

Connecting to: members.dyndns.com /204.13.248.111

Connecting to thespecified dynamicDNS server.

Connecting to: %s / %s Connecting to:${server_name} /${server_ip}


Connectingto the server

Connecting to: members.dyndns.com /204.13.248.111

Connecting to thespecified dynamicDNS server.

Connecting to: %s / %s Connecting to:${server_name} /${server_ip}


ActivatedynamicDNS

Activating DynDNS on interface: External Activate dynamicDNS on the specifiedinterface.

Activating DynDNS on interface: %s Activating DynDNSon interface: ${if_name}

5A000006 DEBUG Networking /DynamicDNS

Receivedreply fromthe server

Received reply: HTTP/1.1 200OK Date: Tue,27 Nov 2012 17:14:57 GMT Server: ApacheContent-Type: text/plain Connection: closegood 192.168.53.88

Received thespecified reply fromthe dynamic DNSserver.

Received reply: %s Received reply:${reply}

5A000007 ERROR Networking /DynamicDNS

Unable toresolvedomainname

Could not resolve server: members.dyndns.org Could not resolvedomain for dynamicDNS server.

Could not resolve server: %s Could not resolveserver: ${server}


Failed toconnect tothe server

Could not connect to members.dyndns.org /204.13.248.111, connection refused

Could not connect tothe dynamic DNSserver due tospecified reason.

Could not connect to%s / %s, %m Could not connectto ${server_name} /${server_ip},${reason}


Log Catalog 23













Unable toconnect toserver

Unable to connect to server:members.dyndns.org / 204.13.248.111

Unable to connect tothe specifieddynamic DNSserver.

Unable to connect to server: %s / %s Unable to connectto server: ${server_name} / ${server_ip}


Unable toconnect toserver

Unable to connect to server:members.dyndns.org / 204.13.248.111

Unable to connect tothe specifieddynamic DNSserver.

Unable to connect to server: %s / %s Unable to connectto server: ${server_name} / ${server_ip}

5A00000A ERROR Networking /DynamicDNS

No responsefrom server

No response from server members.dyndns.org/ 204.13.248.111

Not able to getresponse fromspecified dynamicDNS server.

No response from server%s / %s No response fromserver ${server_name} / ${server_ip}

5A00000A ERROR Networking /DynamicDNS

No responsefrom server

No response from server members.dyndns.org/ 204.13.248.111

Not able to getresponse fromspecified dynamicDNS server.

No response from server%s / %s No response fromserver ${server_name} / ${server_ip}


Log Catalog 24


5A00000B ERROR Networking /DynamicDNS

Invalidresponsefrom server

Invalid response from server (-2) The dynamic DNSserver returned aninvalid responsecode. The logmessage specifiesthat code.

Invalid response from server (%d) Invalid responsefrom server (${ret_code})

5A00000C INFO Networking /DynamicDNS

The time fornext update

Next update is on Tue, 27 Nov 2012 17:14:57 The logmessagespecifies the nextupdate time fordynamic DNS.

Next update is on%s Next update is on${time}

5A00000D DEBUG Networking /DynamicDNS

Send updaterequest

Sending update request (138 bytes): GET/nic/update?system=dyndns

Sending dynamicDNS update request.The logmessagespecifies the sizeand content of therequest.

Sending update request (%zu bytes): %s Sending updaterequest (${size}bytes): ${content}

5A00000D DEBUG Networking /DynamicDNS

Send updaterequest

Sending update request (138 bytes): GET/nic/update?system=dyndns

Sending dynamicDNS update request.The logmessagespecifies the sizeand content of therequest.

Sending update request (%zu bytes): %s Sending updaterequest (${size}bytes): ${content}


Log Catalog 25

EventNetworking logmessages of theEvent log type.



Authenticationfailure

PPPoE authentication failed The Firebox or XTM devicefailed to authenticate forPPPoE.

PPPoE authentication failed —


PPPoEstopped

PPPoE stopped unexpectedly(unknown error)

PPPoE stoppedunexpectedly due to anunknown error.

PPPoE stopped unexpectedly(unknown error)

—


Enforce staticIP address

[eth2 (External)] EnforcedPPPoE static IP address:192.168.3.48 is replaced with192.168.3.29

Replaced the assignedPPPoE IP address with theconfigured static IPaddress. The assigned IPaddress is retained as asecondary IP address forthe interface.

[%s (%s)] Enforced PPPoEstatic IP address: %s is replacedwith%s

[${dev_name} (${if_name})] EnforcedPPPoE static IP address: ${nego_ip} isreplaced with ${static_ip}














Log Catalog 26









Sessionestablished

[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254

The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.

[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s

[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}


Sessionestablished






Sessionestablished






Sessionestablished






Log Catalog 27



Sessionestablished





16000001 ERROR Networking /DHCPServer

DHCPdiscover

DHCPDISCOVER from00:50:04:ce:c6:3d via eth1:network 192.168.111.0/24: nofree leases

Received DHCP discoverfrom the client, but there areno free leases available.

%s —

16000002 INFO Networking /DHCPServer

DHCP offer DHCPOFFER on192.168.111.20 to84:2b:2b:a6:02:3f (client) viaeth1

The DHCP server offeredan IP address to thespecified client device.

%s —

16000003 INFO Networking /DHCPServer

DHCPrequest

DHCPREQUEST for192.168.111.20 from84:2b:2b:a6:02:3f (client) viaeth1

Received DHCP request forspecified IP address fromthe specified client.

%s —


Interfaceinitializing

[eth1 (Trusted)] Interfaceinitializing

Initializing the specifiedinterface.

[%s (%s)] Interface initializing [${dev_name} (${if_name})] Interfaceinitializing


Interfaceinitializing

[eth1 (Trusted)] Interfaceinitializing

Initializing the specifiedinterface.

[%s (%s)] Interface initializing [${dev_name} (${if_name})] Interfaceinitializing


Failed to addbridge

Failed to add bridge tbr0 VLANID 1

Failed to add bridge Failed to add bridge%s VLAN ID%d

—

31000029 ERROR Networking /Network

Failed to addinterface IP

[eth1 (Trusted)] Failed to addaddress 198.51.100.0

Failed to add the specifiedIP address to the specified

[%s (%s)] Failed to%s address%s

—


Log Catalog 28


Management address interface.


Clustermanagementinterfacechange

[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64

The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.

[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s

[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s




















Log Catalog 29



























Activatingexternalinterface

[eth0 (External)] Activatingexternal interface

Activating specifiedexternal interface.

[%s (%s)] Activating externalinterface

[${dev_name} (${if_name})] Activatingexternal interface


Log Catalog 30



Activatingexternalinterface

[eth0 (External)] Activatingexternal interface

Activating specifiedexternal interface.

[%s (%s)] Activating externalinterface

[${dev_name} (${if_name})] Activatingexternal interface


Deactivatingexternalinterface

[eth0 (External)] Deactivatingexternal interface

Deactivating the specifiedexternal interface.

[%s (%s)] Deactivating externalinterface

[${dev_name} (${if_name})]Deactivating external interface


Deactivatingexternalinterface

[eth0 (External)] Deactivatingexternal interface

Deactivating the specifiedexternal interface.

[%s (%s)] Deactivating externalinterface

[${dev_name} (${if_name})]Deactivating external interface


Startingwireless APservice

Starting wireless AP service Starting wireless APservice.

Starting wireless AP service —


Detect roguewireless AP

Starting the scan for roguewireless AP detection

Starting rogue wireless APdetection scan.

Starting the scan for roguewireless AP detection

—


Stop detectingrogue wirelessAP

Stopping the scan for roguewireless AP detection

Stopping rogue wireless APdetection scan.

Stopping the scan for roguewireless AP detection

—


Restartdetectingrogue wirelessAP

Restart the scan for roguewireless AP detection

Restart rogue wireless APdetection scan.

Restart the scan for roguewireless AP detection

—


IPv6 interfaceactivated.

[eth0 (External)] IPv6 interface isactivated.

An IPv6 interface wasactivated. The logmessagespecifies the interface.

[%s (%s)] IPv6 interface isactivated.

—


PPPoE IPaddresschange during

[eth0 (External)] PPPoE IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23

The cluster completed afailover. During the failover,the PPPoE IP addresschanged.

[%s (%s)] PPPoE IP addresschanged during cluster failover,from%s to%s

[${dev_name} (${if_name})] PPPoE IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}


Log Catalog 31


clusterfailover


PPPoE IPaddresschange duringclusterfailover


















No change forPPPoE IPaddressduring clusterfailover

[eth0 (External)] PPPoE IPaddress 192.168.1.22 did notchange during cluster failover

PPPoE IP address did notchange during clusterfailover.

[%s (%s)] PPPoE IP address%u.%u.%u.%u did not changeduring cluster failover

—


DHCP IPaddresschange duringclusterfailover

[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23

The cluster completed afailover. During the failover,the DHCP IP addresschanged.

[%s (%s)] DHCP IP addresschanged during cluster failover,from%s to%s

[${dev_name} (${if_name})] DHCP IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}


DHCP IPaddresschange during

[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to

The cluster completed afailover. During the failover,the DHCP IP address




Log Catalog 32


clusterfailover

192.168.1.23 changed.














No change forDHCP IPaddressduring clusterfailover

[eth0 (External)] DHCP IPaddress 192.168.1.22 did notchange during cluster failover

DHCP IP address did notchange during clusterfailover.

[%s (%s)] DHCP IP address%u.%u.%u.%u did not changeduring cluster failover

—

45000003 INFO Networking /Modem

Modemdisconnected

modem0 disconnected Specifiedmodem isdisconnected.

%s disconnected —

45000004 ERROR Networking /Modem

Modemauthenticationfailed

Modem authentication failed,check your modem configuration

Modem authenticationfailed.

Modem authentication failed,check your modem configuration

—

49000001 ERROR Networking /LinkMonitoring

Multi-WANDomain NameResolutionFailed

[Link Monitor] External unable toresolve domain namewww.example.com

Specified interface failed toresolve specified domainname for ping or TCP testfor failover.

[Link Monitor] %s unable toresolve domain name%s

—

49000002 WARN Networking /LinkMonitoring

Multi-WanProbe Failed

[Link Monitor] No responsereceived on External from TCPhost 192.168.1.218 port 9999

Specified interface did notreceive a response to Probefor failover.

[Link Monitor] No responsereceived on%s from%s

[Link Monitor] No response received on${if_name} from ${target}


Log Catalog 33


49000002 WARN Networking /LinkMonitoring

Multi-WanProbe Failed

[Link Monitor] No responsereceived on External from TCPhost 192.168.1.218 port 9999

Specified interface did notreceive a response to Probefor failover.

[Link Monitor] No responsereceived on%s from%s

[Link Monitor] No response received on${if_name} from ${target}

49000003 ERROR Networking /LinkMonitoring

Probe failure [Link Monitor] External interfacefailed because a probe to thetarget host failed

Specified interfacemarkedas Failed due to noresponse from ping or TCPhost.

[Link Monitor] %s interface failedbecause a probe to the targethost failed

—

68000001 INFO Networking /Discovery

Network scancompleted

On demand scan completed Specified type of scancompleted

%s scan completed ${scan_type} scan completed


Network scanstarted

On demand scan— stage 2started

Specified type and stage ofscan started

%s scan%s started ${scan_type} scan${scan_stage}started


Network scanstarted

On demand scan— stage 2started

Specified type and stage ofscan started

%s scan%s started ${scan_type} scan${scan_stage}started


On demandscan— stage1 completed

On demand scan— stage 1completed



On demand scan— stage 1 completed

0900000A INFO Networking /PPPoE

Disconnect [eth0 (External)] PPPoE session[11] is disconnected.

The PPPoE session for thespecified interface isdisconnected.

[%s (%s)]PPPoE session[%d] isdisconnected.

—


Interfaceshutting down

[eth1 (Trusted)] Interfaceshutting down

Shutting down the specifiedinterface.

[%s (%s)] Interface shuttingdown

[${dev_name} (${if_name})] Interfaceshutting down


Interfaceshutting down

[eth1 (Trusted)] Interfaceshutting down

Shutting down the specifiedinterface.

[%s (%s)] Interface shuttingdown

[${dev_name} (${if_name})] Interfaceshutting down


Log Catalog 34


3100000B INFO Networking /NetworkManagement

Multi-WANinterfaceactivated.

[eth1 (Trusted)] Interface isactivated due to link-monitorsuccess.

Interface is activated due tolink-monitor success. Thelogmessage specifies theinterface.

[%s (%s)] Interface is activateddue to link-monitor success.

—

3100000D WARN Networking /NetworkManagement

Multi-WANinterfacedeactivated

[eth1 (Trusted)] Interface isdeactivated due to link-monitorfailure.

Interface is deactivated dueto link-monitor failure. Thelogmessage specifies theinterface.

[%s (%s)] Interface isdeactivated due to link-monitorfailure.

—

3100002B ERROR Networking /NetworkManagement

Interface isdisabled

[eth1 (Trusted)] Interface isdisabled because it does notexist

Specified interface does notexist, The interface statusis set to disabled.

[%s (%s)] Interface is disabledbecause it does not exist

[${dev_name} (${if_name})] Interface isdisabled because it does not exist

3100002B ERROR Networking /NetworkManagement

Interface isdisabled

[eth1 (Trusted)] Interface isdisabled because it does notexist

Specified interface does notexist, The interface statusis set to disabled.

[%s (%s)] Interface is disabledbecause it does not exist

[${dev_name} (${if_name})] Interface isdisabled because it does not exist

3100002C WARN Networking /NetworkManagement

Interface linkstatuschanged

[eth1 (Trusted)] Interface linkstatus changed to UP

The interface link status haschanged. The logmessagespecifies the new status.

[%s (%s)] Interface link statuschanged to%s

—

3100003A WARN Networking /NetworkManagement

Cluster isenabled

Cluster is enabled and is forming Cluster is enabled and isforming.

Cluster is enabled and is forming —

3100003B WARN Networking /NetworkManagement

Clustersettingchanged todisabled

Cluster setting changed fromenabled to disabled

The cluster setting waschanged from enabled todisabled.

Cluster setting changed fromenabled to disabled

—

3100003E INFO Networking /NetworkManagement

Cluster A/Prole changed

[Cluster] Cluster A/P rolesuccessfully changed frommaster to idle.

The role of this device in theactive/passive (A/P) clusterchanged. The logmessagespecifies the old and newroles.

[Cluster] Cluster A/P rolesuccessfully changed from%s to%s.

—


Log Catalog 35



Cluster A/Arole changed

[Cluster] Cluster A/A rolesuccessfully changed frommaster to idle.

The Cluster active/active(A/A) role changed. The logmessage specifies the oldand new roles.

[Cluster] Cluster A/A rolesuccessfully changed from%s to%s.

—

3100006A WARN Networking /NetworkManagement

IPv6 interfacedeactivated.

[eth0 (External)] IPv6 interface isdeactivated.

IPv6 interface wasdeactivated. The logmessage specifies theinterface.

[%s (%s)] IPv6 interface isdeactivated.

—


IPv6 interfaceshutting down

[eth0 (External)] IPv6 interfaceshutting down

Shutting down specifiedIPv6 interface.

[%s (%s)] IPv6 interface shuttingdown

[${dev_name} (${if_name})] IPv6interface shutting down


IPv6 interfaceshutting down

[eth0 (External)] IPv6 interfaceshutting down

Shutting down specifiedIPv6 interface.

[%s (%s)] IPv6 interface shuttingdown

[${dev_name} (${if_name})] IPv6interface shutting down


IPv6 interfaceinitializing

[eth0 (External)] IPv6 interfaceinitializing

Initializing specified IPv6interface.

[%s (%s)] IPv6 interfaceinitializing

[${dev_name} (${if_name})] IPv6interface initializing


IPv6 interfaceinitializing

[eth0 (External)] IPv6 interfaceinitializing

Initializing specified IPv6interface.

[%s (%s)] IPv6 interfaceinitializing

[${dev_name} (${if_name})] IPv6interface initializing


Log Catalog 36

Proxy Policy Log MessagesProxy policy logmessages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, SubscriptionServices, and Security Services. For information about logmessages from Security Services processes, seeSecurity Services LogMessages on page 93.

EventProxy Policy logmessages of theEvent log type.

ID Level Area Name Log Message Example Description FormatMessageVariables

0F000001 INFO Proxy /ConnectionFrameworkManager

HTTPScontentinspectionlist imported

HTTPS content inspection exception listimported

When a pre-definedHTTPS exception list isimported, this event logis generated to informthe user.

HTTPS content inspection exception list imported —

0F010015 WARN Proxy /ConnectionFrameworkManager

APT threatnotified

APT threat notified. Details='Policy Name:HTTPS-proxy-00 Reason: high APT threatdetected Task_UUID:d09445005c3f4a9a9bb78c8cb34edc2a SourceIP: 10.0.1.2 Source Port: 43130 Destination IP:67.228.175.200 Destination Port: 443 ProxyType: HTTP Proxy Host: analysis.lastline.comPath: /docs/lastline-demo-sample.exe'

When APT serveranalysis result returnedand identified as certainlevel threat, this eventlog will be generated toinform that the APTnotification has beensent with detailedinformation.

APT threat notified. Details='%s' —

0F010016 INFO Proxy /ConnectionFrameworkManager

APT saferesult fromfilesubmission.Details='%s'

Cannot get the rule from ruleset'request/download'

— APT safe result from file submission. Details='PolicyName: HTTP-OUT-00 Reason: cleanMessage: APTsafe object Task_UUID:7a1e1500e92a410fa44d907f96b9209eMD5:d2723ba60dc88ec1ea449be9eee601cc Source IP:10.0.1.2 Source Port: 50293 Destination IP:100.100.100.3 Destination Port: 80 Proxy Type:HTTP Proxy Host: 100.100.100.3 Path: /test.exe'

—

Proxy Policy LogMessages

Log Catalog 37


1C0200CD ERROR Proxy /FTP

Rulesetlookup failed

Ruleset 'envelope/greeting' lookup failed FTP proxy -- Failed tocheck the specifiedruleset

Cannot get the rule from ruleset '%s' —

1B0400CE ERROR Proxy /SMTP

Rulesetlookup failed

Ruleset 'envelope/greeting' lookup failed SMTP proxy -- Failed tocheck the specifiedruleset

Ruleset '%s' lookup failed —

TrafficProxy Policy logmessages of the Traffic log type.

ID Level Area NameLog MessageExample Log Message Example Description

MessageVariables

1DFF0000 INFO Proxy /DNS

DNS invalidnumber ofquestions

Invalidnumber ofquestions

The traffic was blocked becausethemessage included an invalidnumber of questions.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53msg="ProxyDeny: DNS invalid number of questions" (DNS-proxy-00)

—


DNSoversizedquery name

Query nameoversized

The DNS query was blockedbecause the DNS query nameexceeded the allowed buffer size,which varies from 0 kilobytes to 64kilobytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53msg="ProxyDeny: DNS oversized query name" (DNS-proxy-00)

—


DNScompressedquery name

Query namecompressed

The DNS query was blockedbecause the domain namewascompressed.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53msg="ProxyDeny: DNS compressed query name" (DNS-proxy-00)

—


DNS Parseerror

Parse error The DNS request was blockedbecause the proxy failed to parsethe domain name.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53msg="ProxyDeny: DNS parse error" (DNS-proxy-00)

—


Log Catalog 38


MessageVariables


DNS NotInternetCLASS

Not InternetCLASS

TheDNS query was not InternetCLASS. The logmessagespecifies the action taken and theCLASS.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1"query_class="ANY" (DNS-proxy-00)

—


DNSOpCodematch

OPcodematch

TheOpCodematched a configuredrule, or the default rule of nomatch.The logmessage specifies theaction taken, the rule, and theOpCode.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53msg="ProxyDeny: DNS OpCodematch" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)

—


DNS querytypematch

Query typematch

The query typematched aconfigured rule, or the default ruleof nomatch. The logmessagespecifies the action taken, the rulematched, and the query type.

Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53msg="ProxyDeny: DNS query typematch" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)

—


DNSundersizedquestion

Questionundersized

The DNS query was blockedbecause the query size was lessthan theminimum valid size of 17bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53msg="ProxyDeny: DNS undersized question" (DNS-proxy-00)

—


DNSoversizedquestion

Questionoversized

The DNS query was blockedbecause the query size exceedsthemaximum allowed size of 271bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53msg="ProxyDeny: DNS oversized question" (DNS-proxy-00)

—


DNS timeout Timeout The DNS connection was idlelonger than the configured timeoutvalue in the DNS policy.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53msg="ProxyDrop: DNS timeout" (DNS-proxy-00)

—


Log Catalog 39


MessageVariables

1DFF000A INFO Proxy /DNS

DNSundersizedanswer

Responseanswerundersized

The DNS response was blockedbecause the response size wasless than theminimum value of 17bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS undersized answer" (DNS-proxy-00)

—

1DFF000C INFO Proxy /DNS

DNS invalidresponse

Response IDInvalid

The DNS response was blockedbecause the response ID did notmatch the current or previousrequest ID.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS invalid response" (DNS-proxy-00)

—

1DFF000E INFO Proxy /DNS

DNSquestionmatch

Queryquestionmatch

The DNS query namematched aconfigured rule, or the default ruleof nomatch. The logmessagespecifies the rule matched, actiontaken, and query name.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53msg="ProxyDeny: DNS questionmatch" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)

—

1DFF000F INFO Proxy /DNS

DNS request Request The DNS request audit logspecifies the query type and name.

Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53msg="DNSrequest" proxy_act="DNS-Outgoing.1" query_type="PTR"question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" (DNS-proxy-00)

—


DNS IPSmatch

IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, and signaturecategory.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53msg="ProxyDrop: DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS ServerBuffer Overflow" signature_cat="Buffer Over Flow" (DNS-proxy-00)

—


DNS Appmatch

Applicationmatch

Application Control identified theapplication type from the DNSclient query and server response.The logmessage specifies theapplication name and ID, theapplication category name and ID,and the behavior name and ID.

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53msg="ProxyAllow: DNS Appmatch" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61"app_beh_name="access" app_beh_id="6" (DNS-proxy-00)

—


Log Catalog 40


MessageVariables

1CFF0019 ERROR Proxy /FTP

FTP BounceAttempt

FTP BounceAttempt

FTP proxy -- User attempted FTPbounce

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard"bounce ip="10.0.1.101"

—

1CFF0000 INFO Proxy /FTP

FTP username toolong

User nametoo long

The user name exceeds themaximum length specified in theFTP proxy. The default is 64characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21msg="ProxyDeny:FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1"length="17" (FTP-proxy-00)

—


FTP userpasswordtoo long

Password toolong

The password specified for theuser exceeds themaximum lengthconfigured in the FTP proxy. Thedefault maximum length is 32characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21msg="ProxyDeny:FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)

—


FTP file ordirectoryname toolong

File ordirectoryname too long

The file or directory name exceedsthemaximum length configured inthe FTP proxy. The defaultmaximum length is 1,024 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21msg="ProxyDeny:FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)

—


FTPcommandline too long

Command linetoo long

The command exceeded themaximum length configured in theFTP proxy. The default maximumlength is 1,030 characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21msg="ProxyDeny:FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)

—


FTPexceededmaximumpermittedloginattempts

Exceededmaximumallowed loginattempts

The user exceeded the configuredmaximum number of allowed failedlog in attepmts per connection. Thedefault limit is 6.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21msg="ProxyDrop:FTP exceededmaximum permitted login attempts" (FTP-proxy-00)

—


Log Catalog 41


MessageVariables


FTPcommandmatch

Commandmatch

The commandmatched aconfigured rule, or the default of nomatch. For the FTP-server proxyaction, the default is to deny anycommand that does not appear onthe list. For the FTP-client proxyaction, there is no defaultrestriction on commands. The logmessage specifies the proxyaction, action taken, and thecommand.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21msg="ProxyDeny:FTP commandmatch" proxy_act="FTP-Client.2" rule_name="LIST"command="ls" (FTP-proxy-00)

—


FTPdownloadmatch

Downloadmatch

The file typematched a configureddownload rule, or the default rule ofnomatch. The logmessagespecifies the proxy action, actiontaken, and file type.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21msg="ProxyDeny:FTP downloadmatch" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)

—


FTP uploadmatch

Uploadmatch The file typematched a configuredupload rule, or the default rule of nomatch. The logmessage specifiesthe proxy action, action taken, andfile type.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21msg="ProxyDeny:FTP uploadmatch" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)

—


FTP timeout Timeout The connection exceeded theconfigured idle time value. Thedefault is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21msg="ProxyDrop:FTP timeout" (FTP-proxy-00)

—


FTP invalidrequest

Invalidrequest

The FTP proxy rejected thecommand because of a lack ofrequired arguments, such as a username. The logmessage specifiesthe proxy action and command.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21msg="ProxyDeny:FTP invalid request" proxy_act="FTP-Client.2" reason="No username valueprovided for USER command" (FTP-proxy-00)

—


Log Catalog 42


MessageVariables

1CFF000C INFO Proxy /FTP

FTP request Request This logmessage for the FTPrequest transaction includes thesource and destination IPaddresses for the initialconnections.

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21msg="FTPrequest" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0"user="testuser" type="download" (FTP-proxy-00)

—

1CFF000D INFO Proxy /FTP

FTP IPSmatch

IPS match Intrusion Prevention Service (IPS)detected a threat. The actionconfigured for an IPS Match will beapplied to the traffic. The logmessage includes the signatureID, threat severity, signaturename, and signature category.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21msg="ProxyDrop:FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4"signature_name="EXPLOIT FlashGet FTP PWD Command Stack bufferoverflow -1" signature_cat="Buffer Over Flow" (FTP-proxy-00)

—

1CFF000E INFO Proxy /FTP

FTP Virusfound

GAV Virusfound

Gateway AntiVirus (GAV) detecteda virus or malware in theattachment. The logmessagespecifies the detected virus nameand the file name of theattachment.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528msg="ProxyDrop:FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)

—

1CFF000F INFO Proxy /FTP

FTP AVscanningerror

GAV scanerror

Gateway AntiVirus (GAV) failed toscan due to the error specified inthe logmessage.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485msg="ProxyDrop:FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)

—


FTP Appmatch

Applicationmatch

Application Control identified anapplication in the FTP clientrequest or server response. The logmessage specifies the proxyaction, application control action,action taken, application name andID, application category and ID,and application behavior name and

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21msg="ProxyAllow:FTP Appmatch" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority"app_beh_id="1" (FTP-proxy-00)

—


Log Catalog 43


MessageVariables

ID.


FTP DLPviolationfound

DLP violationfound

Data Loss Prevention (DLP)detected a rule violation. The logmessage specifies the proxyaction, the DLP sensor name, DLPrule name, the authenticated user,and the file name. The logmessage also specifies the sourceand destination IP addresses andport for the control channel of theFTP session.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611msg="ProxyDrop:FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553"ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)

—


FTP cannotperform DLPscan

DLP cannotperform scan

Data Loss Prevention (DLP) failedto scan because of the errorspecified in the logmessage.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217msg="ProxyAllow: FTP cannot perform DLP scan" proxy_act="FTP-Client.3"ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP notinitialized" file="ssn.docx" (FTP-proxy-00)

—


FTP DLPobjectunscannable

DLP cannotscan object

Data Loss Prevention (DLP) couldnot scan and analyze theattachment because it isencrypted. The logmessagespecifies the DLP sensor name,error message, the authenticateduser, and the file name.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974msg="ProxyAllow: FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test"error="unscannable object (File was encrypted)" authenticated_user="testuser"file="test.zip" (FTP-proxy-00)

—


FTP DLPobject toolarge

DLP objecttoo large

Data Loss Prevention (DLP) couldnot analyze the attachmentbecause the file was larger than theconfigured limit. The limit varies byplatform, from one to fiveMB. Thelogmessage specifies the DLPsensor name and error message.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813msg="ProxyAllow: FTP DLP object too large" proxy_act="FTP-Client.3"error="DLP scan limit (5242880) exceeded" (FTP-proxy-00)

—


Log Catalog 44


MessageVariables


FTP APTdetected

APT threatdetected

APT Blocker identified a threat.The logmessage specifies thethreat level, threat name, threatclass, malicious activities, and filenamewhere the threat waslocated.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661msg="ProxyDrop:FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt"(FTP-proxy-00)

—


FTP Filesubmitted toAPTanalysisserver

File submittedto APTanalysisserver

File submitted to APT analysisserver for deep threat analysis. Aseparate logmessage will appearwhen the result is retrieved fromthe APT analysis server.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490msg="ProxyAllow: FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553"md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

—


FTP Filereported safefrom APThash check

File reportedsafe from APThash check

APT hash check did not report athreat from the object

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490msg="ProxyAllow: FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553"md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

—

2AFF0000 INFO Proxy /H.323

H323timeout

Timeout The connection was idle longerthan the configured timeout value.The default value is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720msg="ProxyDrop: H323 timeout" (H323-ALG-00)

—


H323request

Request This logmessage specifies the IPaddresses for the completed H323call.

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720msg="H323request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)

—


H323 codec Codec Themedia codec is deniedbecause it matched a configuredDenied Codec. The logmessagespecifies the codec.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)"(H323-ALG-00)

—


Log Catalog 45


MessageVariables


H323Accesscontrol

Accesscontrol

The header address is allowed ordenied because it matches anAccess Control rule configured inthe H323 policy. The logmessagespecifies the address.

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" (H323-ALG-00)

—


H323 IPSmatch

IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, signaturecategory, destination host name,and URI path.

Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk InvalidRTP Payload Type NumberMemory Corruption" signature_cat="Access Control"(H323-ALG-00)

—


H323 Appmatch

Applicationmatch

Application Control detected anapplication type from thetransaction. The logmessagespecifies the action taken, theapplication name and ID,application category name and ID,and the application behavior nameand ID.

Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230msg="ProxyDrop: H323 Appmatch" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" (H323-ALG-00)

—

1AFF0001 INFO Proxy /HTTP

HTTP serverresponsetimeout

Sessiontimeout withserver idle

The HTTP session has timed outbecause no traffic has beenreceived from the server for thespecified amount of time. (Default:10minutes)

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)

—


HTTP clientrequesttimeout

Sessiontimeout withclient idle

The HTTP session has timed outbecause no traffic has beenreceived from the client for thespecified amount of time. (Default:10minutes)

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)

—


Log Catalog 46


MessageVariables


HTTP closecompletetimeout

Sessiontimeout withclosecompletecommandtimeout

The Close HTTP Sessioncommand timed out because noresponse to the FIN packet wasreceived within the response timelimit (3 minutes).

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)

—


HTTP Start-Line oversize

OversizeStart-Line

The first line of the client request orserver response is longer than theconfiguredmaximum line length.The default maximum length is4,096 bytes.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)

—


HTTP InvalidRequest-Line Format

InvalidRequest-Lineformat

The request line from the clientdoes not match the standardformat of [Method][SP][Request-URI][SP][HTTP/Version]. Theincorrect status-line is specified inthe logmessage.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)

—


HTTP invalidStatus-Lineformat

Invalid Status-Line format

The status line from the serverdoes not match the standardformat of [HTTP/Version][SP][Status Code][SP][Reason]. Theincorrect status-line is specified inthe logmessage.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

—


HTTPheader lineoversize

Header lineoversize

A single client request or serverresponse line is longer than theconfiguredmaximum line length.The default maximum length is4,096 bytes.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4"line="X-Frame-Options: " (HTTP-proxy-00)

—


Log Catalog 47


MessageVariables


HTTPheader blockoversize

Header blockoversize

The client request or serverresponse header block length islonger than the configured limit. Ifmaximum total length is enabled,the default limit is 16,384 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1"line="Date: Fri, 30May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)

—


HTTPheader blockparse error

Header blockparse error

The HTTP proxy cannot processthe header line because the formatis incorrect. The required format is[Name]:[Value].

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80msg="ProxyDeny:header block parse error" (HTTP-proxy-00)

—

1AFF000A INFO Proxy /HTTP

HTTPrequest URLpathmissing

Requestmissing URLpath

The HTTP proxy cannot completethe URL because the host or URIvalue is missing. The HTTPrequest is denied.

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80msg="ProxyDeny:HTTP request URL pathmissing" proxy_act="HTTP-Client.1" line="Date: Fri, 30May 2014 18:50:51 GMT\x0d\x0a"

—

1AFF000B INFO Proxy /HTTP

HTTPrequest URLmatch

Request URLmatch

The requested URLmatched aconfigured URL path in the HTTPproxy. By default, all URL pathsare allowed.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80msg="ProxyAllow: HTTP request URLmatch" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com"arg="/pagead/osd.js" (HTTP-proxy-00)

—

1AFF000C INFO Proxy /HTTP

HTTP chunksize lineoversize

Chunk sizeline oversize

The HTTP chunk size line does notterminate correctly with a carriagereturn and line-feed (CRLF). Theinvalid line is specified in the logmessage.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

—

1AFF000D INFO Proxy /HTTP

HTTP chunksize invalid

Chunk sizeline invalid

The HTTP chunk size line has aninvalid hexadecimal value. Theinvalid line is specified in the logmessage.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2"line="k7\x0d\x0a" (HTTP-proxy-00)

—


Log Catalog 48


MessageVariables

1AFF000E INFO Proxy /HTTP

HTTP chunkCRLF tailmissing

Chunk noCRLF tail

The HTTP chunk does not closewith a carriage return and line feed(CRLF) because the chunk block ismissing the closing characters.This is required for each chunkwhen chunked transfer-encoding isin use. The logmessage includesthe invalid chunk tail line.

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1"line="This stringmissing the Carriage Return in the terminating CF-LF pair\x0a"(HTTP-proxy-00)

—

1AFF000F INFO Proxy /HTTP

HTTP footerline oversize

Footer lineoversize

One line of the HTTP footer, anadditional header sent at the end ofamessage is larger than theconfigured line limit. The defaultline limit is 4,096 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

—


HTTP footerblockoversize

Footer blockoversize

The HTTP footer includesadditional header information thatis larger than the configured blocklimit size. The default totalmessage limit, if enabled, is 16,384bytes. The logmessage includesinformation about the invalid line.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

—


HTTP footerblock parseerror

Footer blockparse error

The HTTP footer includes anadditional header field with syntaxthat violates the header formatrestrictions.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)

—


HTTP BodyContentTypematch

Body contenttypematch

The HTTP content either matchesa configured Body Content Type orno Body Content Type is defined(only the default rule is in use).

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80msg="ProxyAllow: HTTP Body Content Typematch" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)

—


HTTPheader

Headercontent

The HTTP header line does not Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80msg="ProxyStrip: HTTP header malformed" proxy_act="393296"

—


Log Catalog 49


MessageVariables

malformed malformed follow the correct syntax for aclient request or server responseheader. The logmessage containsthe header line with the syntaxerror.

header="WWW-Authenticate: \x0d\x0a"


HTTPheadertransferencodingmatch

HeaderTransfer-Encodingmatch

The Transfer-Encoding in theHTTP header matches aconfigured rule, or the default ruleof nomatch. The logmessagespecifies thematching rule nameand header value.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80msg="ProxyAllow: HTTP header Transfer-Encodingmatch" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)

—


HTTPheaderContentTypematch

Headercontent typematch

The HTTP header Content Typematches a configured rule, or thedefault rule of nomatch. The logmessage specifies thematchingrule name and header value.

Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80msg="ProxyAllow: HTTP header Content Typematch" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)

—


HTTPrequestversionmatch

Requestversionmatch

The HTTP version specified in theHTTP request linematches aconfigured rule, or the default ruleof nomatch. The log specifies thematched rule name and the requestline.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80msg="ProxyDeny: HTTP request versionmatch" proxy_act="HTTP-Client.2"rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)

—


HTTPrequestmethodmatch

Requestmethodmatch

The HTTP request methodspecified in the Request-Linematches a configured rule, or thedefault rule of nomatch. The logmessage specifies thematchedrule name and themethod.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80msg="ProxyAllow: HTTP request methodmatch" proxy_act="HTTP-Client.1"rule_name="GET" method="GET" (HTTP-proxy-00)

—


Log Catalog 50


MessageVariables


HTTPheadermatch

Header match The HTTP header linematches aconfigured rule, or the default ruleof nomatch. The logmessagespecifies thematched rule nameand header line.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)

—


HTTPheadercookiedomainmatch

Header cookiedomainmatch

The cookie domain headermatches a configured rule, or thedefault rule of nomatch. The logmessage includes thematchedrule name and the cookie domain.

Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80msg="ProxyDeny: HTTP header cookie domainmatch" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)

—


HTTPrequest hostmissing

Request hostmissing

The HTTP request header ismissing the host value.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)

—


HTTPheader authschemematch

Headerauthenticationschemematch

The authentication scheme in theHTTP header server responsematches one of the configuredrules, or the default rule of nomatch. The logmessage specifiesthematched rule name and theauthentication scheme.

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80msg="ProxyAllow: HTTP Header auth schemematch" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)

—


HTTPrequestmethodunsupported

Requestmethod notsupported

The HTTP request method doesnot match a configured rule. Thelogmessage specifies themethodin use.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)

—


HTTPrequest portmismatch

Request portmismatch

Relative-URI is in use and the portspecified in the HTTP request hostheader does not match the portused for the connection.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1"(HTTP-proxy-00)

—


Log Catalog 51


MessageVariables


HTTPRequestcategories

Requestcategories

The HTTP request is sent to a webaddress that matched a selectedWebBlocker category. The logmessage specifies the actiontaken by the proxy, the URL, andthe category matched.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2"cats="ReferenceMaterials" op="GET" dstname="www.walkscore.com" arg="/"(HTTP-proxy-00)

—


HTTPserviceunavailable

Serviceunavailable

WebBlocker categorization failedbecause the configuredWebBlocker server is notavailable. The logmessagespecifies the profile name and amore detailed error message.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1"service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)

—


HTTPrequest URLpathoversize

Request URLpath oversize

The URI in the HTTP Request-Lineis longer than the configured limit.The default limit is 2,048 bytes.The logmessage specifies theoversize URI.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)

—


HTTPrequest

Request A detailed summary of the lastHTTP proxy transaction.

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80msg="HTTPrequest" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92"arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)"(HTTP-proxy-00)

—


Log Catalog 52


MessageVariables


HTTPheader IPSmatch

Header IPSrule match

Intrusion Prevention Service (IPS)detected an intrusion in the clientrequest or server response header.The logmessage specifies theaction taken, signature ID, threatseverity, signature name, signaturecategory, destination host name,and URI path.

Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1"signature_id="1055396" severity="5" signature_name="WEB Cross-siteScripting -9" signature_cat="Web Attack" host="intext.nav-links.com"path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)

—


HTTP bodyIPS match

Body IPS rulematch

Intrusion Prevention Service (IPS)detected an intrusion in the clientrequest or server response contentbody. The logmessage specifiesthe action taken, signature ID,threat severity, signature name,signature category, destinationhost name, and URI path.

Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4"signature_id="1051723" severity="5" signature_name="Virus Eicar test string"signature_cat="Virus/Worm" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)

—


HTTP Virusfound

GAV Virusfound

Gateway AntiVirus (GAV) detecteda virus or malware. The logmessage specifies the virus name,destination host name, and URIpath.

Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1"virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)

—


HTTP AVscanningerror

GAV scanerror

Gateway AntiVirus (GAV) failed toscan because of an error. The logmessage specifies the errormessage, the destination hostname, and URI path.

Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80msg="ProxyAllow:HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is notcreated" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)

—


HTTPTrusted host

Trusted host The destination host namematches a proxy exceptionconfigured in the HTTP proxy.

Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)

—


Log Catalog 53


MessageVariables


HTTP badreputation

Bad reputation The HTTP proxy blocked accessto the destination address becauseof a bad reputation score for theURL.

Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT"reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)

—


HTTP goodreputation

Goodreputation

The HTTP proxy did not completea Gateway AntiVirus (GAV) scanfor traffic to the destination addressbecause the URL received a goodreputation score.

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4"reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)

—


HTTP Appmatch

Applicationmatch

Application Control identified theapplication type from the HTTPclient request or server responsestream.

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80msg="ProxyAllow: HTTP Appmatch" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" src_user="[email protected]" (HTTP-00)

—


HTTP DLPviolationfound

DLP violationfound

Data Loss Prevention (DLP)detected a violation of DLP rules.The logmessage only includesinformation about the first rulematched.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA"host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)

—


HTTPcannotperform DLPScan


Data Loss Prevention (DLP) failedto scan the traffic because of theerror specified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1"dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)

—


HTTP DLPobjectunscannable

DLP objectunscannable

Data Loss Prevention (DLP)cannot extract data from an objectbecause it is encrypted.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2"dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File wasencrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)

—


HTTP DLPobject too

HTTP objecttoo large

Data Loss Prevention (DLP)cannot scan the object because it

Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_

—


Log Catalog 54


MessageVariables

large is larger than the configured limit.The default value varies by devicetype and ranges between 1 and 5MB.

sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)


HTTP Rangeheader

Range header This is the configured action (allowor strip) for the HTTP proxy Rangeheader. The default action is strip.The HTTP proxy Range headercan allow partial file transfers thatimpact content scans because thefull content is not presented.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1"header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)

—


HTTP APTdetected

APT threatdetected

APT Blocker detected a threat. Thelogmessage specifies the thethreat level, threat name, threatclass, malicious activities,destination host name, and URIpath.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1"host="192.168.3.30" path="/apt_sample.exe"md5="2e77cadb722944a3979571b444ed5183"

—


HTTP Filesubmitted toAPTanalysisserver


File submitted to APT analysisserver for deep threat analysis. Theanalysis result will be notified whenthe analysis result is fetched fromAPT analysis server.

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe"md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

—


HTTPconnecttunnel portmatch

Connecttunnel portmatch

The HTTP CONNECT tunnelrequest port matches a configuredrule, or the default rule of nomatch.The logmessage specifies thematched rule name and port.

Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)

—


Log Catalog 55


MessageVariables


HTTPwebproxyredirect

Webproxyredirect

The HTTPWebproxy connectionwas redirected to a different proxyaction because of the configurationsetting in explicit proxy. The logmessage specifies the new proxyaction used.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)

—


HTTP Filereported safefrom APThash check



Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe"md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

—


HTTPContentredirect

Contentredirect

The HTTP content actionconnection was redirected to adifferent proxy action because ofthe configuration. The logmessagespecifies the new proxy actionused as well as the current sslstatus.

Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)

—


HTTPRequestcontentmatch

RequestContentmatch

The request contained contentwhichmatched a configuredcontent rule in the HTTP proxy.The logmessage specifies thecontent whichmatched the rule aswell as rule details.

Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_type="URN"dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)

—

2CFF0000 INFO Proxy /HTTPS

HTTPSRequest

Request HTTPS transaction log includesserver name, certificate details andaction taken.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443msg="HTTPSRequest" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com"cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US"cert_subject="CN=*.google.com,O=Google Inc,L=MountainView,ST=California,C=US" action="allow" (HTTPS-proxy-00)

—


Log Catalog 56


MessageVariables


HTTPSRequestcategories

WebBlockerRequestcategories

WebBlocker identified the categoryfor a web request. The logmessage specifies the categoryand host name.

Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1"service="Def" cats="Search Engines and Portals" dstname="www.google.com"(HTTPS-proxy-00)

—


HTTPSserviceunavailable

WebBlockerserviceunavailable

WebBlocker failed because aWebBlocker Server was notavailable.

Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1"error="Webblocker server is not available" service="Def" cats=""dstname="www.google.com" (HTTPS-proxy-00)

—


HTTPSdomainnamematch

Domain namematch

This rule log includes thematchedrule name or default rule of nomatch and the patterns its beenmatched against.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443msg="ProxyAllow: HTTPS domain namematch" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn=""ipaddress="173.194.33.176" (HTTPS-proxy-00)

—


HTTPSinvalidprotocol

Protocolinvalid

The HTTPS proxy detected aninvalid SSL version.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1"version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99"(HTTPS-proxy-00)

—


HTTPStimeout

Timeout The HTTPS connection was idlelonger than the timeout valueconfigured in the HTTPS policy.The default is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)

—


HTTPScontentinspection

Contentinspection

The HTTPS traffic was directed toa different proxy action because ofthe Content Inspection settings inthe HTTPS proxy. The logmessage specifies the new proxyaction used for content inspection,as well as the TLS ciphers used forthe server and client.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)

—

22FF0000 INFO Proxy / IMAP Request This audit logmessage specifies Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAP —


Log Catalog 57


MessageVariables

IMAP Request the email message transactionresult.

Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow"reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0001 INFO Proxy /IMAP

IMAPTimeout

Timeout The connection was idle for longerthan the configured timeout limit.The default limit is 1minute.

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPTimeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)

—


IMAPMalformedCommand

MalformedCommand

The IMAP client sentmalformed/unsupported command

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPMalformed Command" proxy_act="IMAP-Client.Standard.1"command="CONDSTORE" mbx="INBOX" user="wg" auth_method="plain"(IMAP-proxy-00)

—


IMAPMalformedResponse

MalformedResponse

The IMAP server sentmalformed/unsupported response

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPMalformed Response" proxy_act="IMAP-Client.Standard.1" response="* 3597EXISTS" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

—


IMAPContentType

Content Type A MIME-typematched aconfigured content type rule, or thedefault rule of nomatch. The logmessage specifies the rule, MIME-type, and user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1"rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg"auth_method="plain" (IMAP-proxy-00)

—


IMAPFilename

Filename The attachment matches aconfigured file name rule, or thedefault rule of nomatch. The logmessage specifies the rule, filename, and user-relatedinformation.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc"attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain"(IMAP-proxy-00)

—


IMAP VirusFound

Virus Found Gateway AntiVirus detected avirus or malware in the file. The logmessage specifies the virus name,file name, and user-relatedinformation.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1"virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


Log Catalog 58


MessageVariables


IMAPCannotPerformGateway AVScan

CannotPerformGateway AVScan

Gateway AntiVirus (GAV) failed toscan because of the error specifiedin the logmessage

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)

—

22FF000A INFO Proxy /IMAP

IMAP APTdetected

APT detected APT Blocker found the threatspecified in the logmessage in anattached file.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1"filename="lastline-demo-sample.exe"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX"user="wg" (IMAP-proxy-00)

—

22FF000C INFO Proxy /IMAP

IMAP FileSubmitted toAPTanalysisserver

File Submittedto APTanalysisserver


Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX"user="wg" (IMAP-proxy-00)

—

22FF000D INFO Proxy /IMAP

IMAP Filereported safefrom APThash check


APT hash check did not report athreat from the object.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX"user="wg" (IMAP-proxy-00)

—

22FF000E INFO Proxy /IMAP

IMAPClassified asconfirmedSPAM

spamBlockerconfirmedspam

spamBlocker classified themessage as confirmed SPAM. Thelogmessage specifies the user-related information

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


Log Catalog 59


MessageVariables

22FF000F INFO Proxy /IMAP

IMAPClassified asbulk mail

spamBlockerbulk mail

spamBlocker classified themessage as bulk mail. The logmessage specifies the user-relatedinformation

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


IMAPClassified assuspectSPAM

spamBlockersuspect spam

spamBlocker classified themessage as suspect SPAM. Thelogmessage specifies the user-related information

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


IMAPMessagecould not bescored

spamBlockernot scored

spamBlocker cannot score themessage. The logmessagespecifies the user-relatedinformation

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Message could not be scored" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


IMAPspamBlockerexceptionwasmatched

spamBlockerexceptionmatched

The sender for the email matched aspamBlocker exception rule. Thelogmessage specifies the rule anduser-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


IMAPClassified asnot SPAM

spamBlockernot spam

spamBlocker classified themessage as not SPAM. The logmessage specifies the user-relatedinformation.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


Log Catalog 60


MessageVariables


IMAPMessageclassificationis unknownbecause anerroroccurredwhileclassifying

spamBlockernot spam

spamBlocker was unable toclassify themessage because ofthe error specified in the logmessage. The logmessagespecifies the user-relatedinformation.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Message classification is unknown because an erroroccurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX"user="wg" (IMAP-proxy-00)

—


IMAPGateway AVobject toolarge

GAV file toolarge

The attachment file size exceedsthe Gateway AV scan size limit.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan sizelimit" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


Gateway AVobjectencrypted(password-protected)

GAV fileencrypted

The attachment file is encrypted orpassword-protected.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)"proxy_act="IMAP-Client.OUT" attachment="password-protected.zip"error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)

—


IMAP invalidTLS protocol

Protocolinvalid

The IMAP proxy detected invalidTLS protocol.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)

—


IMAP TLScontentinspection

ContentInspection

The IMAP proxy decrypted asecure connection for contentinspection.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1"server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)

—

21FF0000 INFO Proxy /POP3

POP3CAPA CAPA TheCAPA response contained theunknown or blocked capability thatis specified in the logmessage.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110msg="ProxyDeny: POP3CAPA" keyword="VERF": (POP3-proxy-00)

—


Log Catalog 61


MessageVariables


POP3 AUTH Authentication The authentication typematched arule, or the default rule of nomatch.The logmessage specifies the rulename and authentication type.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)

—


POP3command

Command The client sent an authenticationcommandwhen it was not allowed.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2"keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)

—


POP3header

Header A POP3 header matched aconfigured Header rule, or thedefault rule of nomatch. The logmessage specifies the rule andheader.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)

—


POP3content type

Content type A MIME-typematched aconfigured content type rule, or thedefault rule of nomatch. The logmessage specifies the rule, MIME-type, and user name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)

—


POP3filename

File name The attachment matches aconfigured file name rule, or thedefault rule of nomatch. The logmessage specifies the rule, filename, and user name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)

—


POP3timeout

Timeout The connection was idle for longerthan the configured timeout limit.The default limit is 1minute.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180"(POP3-proxy-00)

—

21FF000A INFO Proxy /POP3

POP3request

Request This audit logmessage specifiesthe bytes sent, bytes received, anduser.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="POP3request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433"user="wg" (POP3-proxy-00)

—


Log Catalog 62


MessageVariables

21FF000C INFO Proxy /POP3

POP3 IPSmatch

IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies the actiontaken, the signature ID, threatseverity, signature name, andsignature category.

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (POP3-proxy-00)

—

21FF000F INFO Proxy /POP3

POP3 Virusfound

GAV Virusfound

Gateway AntiVirus detected avirus or malware in the file. The logmessage specifies the virus name,user, and file name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg"filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)

—


POP3cannotperformGateway AV

GAV cannotperform scan

Gateway AntiVirus (GAV) failed toscan because of the error specifiedin the logmessage.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: POP3Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)

—


POP3 linelength toolong

Line length toolong

A line exceeds the configured limit.The default is 1,000 bytes. The logmessage specifies the line length.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)

—


POP3messageformat

Messageformat

Themessage is not in an allowedformat. The logmessage specifiesthe error and the user.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110msg="ProxyStrip: POP3message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)

—


POP3encodingerror

Encoding error The proxy was unable to decodeand encode themessage becauseof the error specified in the logmessage.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1"message="invalid b64 characters in input" (POP3-IN-00)

—


POP3Classified asconfirmedSPAM


spamBlocker classified themessage as confirmed SPAM. Thelogmessage specifies the senderand recipients.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110msg="ProxyReplace: POP3Classified as confirmed SPAM" (POP3-OUT-00)

—


Log Catalog 63


MessageVariables


POP3Classified assuspectSPAM

spamBlockerBULK spam

spamBlocker classified themessage as bulk SPAM. The logmessage specifies the sender andrecipients.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110msg="ProxyReplace: POP3Classified as suspect SPAM" (POP3-IN-00)

—


POP3Classified assuspectSPAM


spamBlocker classified themessage as suspect SPAM. Thelogmessage specifies the senderand recipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110msg="ProxyReplace: POP3Classified as suspect SPAM" (POP3-proxy-00)

—

21FF001A INFO Proxy /POP3

POP3spamBlockerexceptionwasmatched


The sender for the email matched aspamBlocker exception rule. Thelogmessage specifies the sender,recipient, and subject.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)

—

21FF001B INFO Proxy /POP3

POP3Classified asnot SPAM

spamBlockernot spam

spamBlocker classified themessage as not SPAM. The logmessage specifies the sender andrecipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110msg="ProxyAllow: POP3Classified as not SPAM" (POP3-proxy-00)

—

21FF001C INFO Proxy /POP3

POP3messageclassificationis unknownbecause anerroroccurredwhileclassifying

spamBlockerclassificationunknown

spamBlocker was unable toclassify themessage because ofthe error specified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110msg="ProxyAllow: POP3message classification is unknown because an erroroccurred while classifying" (POP3-OUT-00)

—

21FF001D INFO Proxy /POP3

POP3 extrapadcharacters inbase64 input

Extra padcharacters

The POP3 proxy encountered extrapad characters in the body of abase64-encodedmessage.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)

—


Log Catalog 64


MessageVariables

21FF001E INFO Proxy /POP3

POP3 Appmatch

Applicationmatch

Application Control identified theapplication from the emailmessage. The log specifies theapplication name and ID,application category and ID, andthe application behavior name andID.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyAllow: POP3 Appmatch" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2"app_beh_name="communicate" app_beh_id="2" (POP3-proxy-00)

—

21FF001F INFO Proxy /POP3

POP3 APTdetected

APT threatdetected

APT Blocker found the threatspecified in the logmessage in anattached file.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1"user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)

—


POP3 Filesubmitted toAPTanalysisserver



Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

—


POP3 Filereported safefrom APThash check



Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

—

28FF0000 INFO Proxy /SIP

SIP timeout Timeout The connection was idle for longerthan the configured timeout value.The default value is 180 seconds.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060msg="ProxyDrop: SIP timeout" (SIP-ALG-00)

—


SIP request Request The logmessage specifies thesource and destination of the

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="SIPrequest" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_

—


Log Catalog 65


MessageVariables

allowed call. to="192.168.53.143" (SIP-ALG-00)


SIP codec Codec The codec is allowed or deniedbased on the setting for DeniedCodecs in the SIP policy.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)

—


SIP Accesscontrol

Accesscontrol

The header address is allowed ordenied based on the AccessControl settings. The logmessagespecifies the action taken, headerandmessage ID.

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" (SIP-ALG-00)

—


SIP IPSmatch

IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, signaturecategory, destination host nameand URI path.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDPHeader Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow"(SIP-ALG-00)

—


SIP Appmatch

Applicationmatch

Application Control identified anapplication from the transaction.The logmessage specifies theaction taken, the application nameand ID, application category nameand ID, and the applicationbehavior name and ID.

Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060msg="ProxyDrop: SIP Appmatch" proxy_act="SIP-Client.1" signature_id="12"app_name="SIP" beh_name="communicate" app_msg="Applicationmatched.application name: SIP; behavior name:communicate" (SIP-ALG-00)

—

1BFF0000 INFO Proxy /SMTP

SMTPgreeting

Greeting The host name in the SMTP proxyHELO or EHLO commandmatched one of the GreetingRules, or the default rule of nomatch.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)

—

1BFF0001 INFO Proxy / SMTP ESMTP The EHLO response from the Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 —


Log Catalog 66


MessageVariables

SMTP ESMTPoption

option SMTP server includes an ESMTPoption that is disabled or unknown.

msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1"keyword="VRFY" (SMTP-proxy-00)


SMTPAUTH

Authentication(AUTH)

The EHLO response from theSMTP server included anauthentication type that matches aconfigured authentication rule. Thelogmessage specifies the proxyaction, the rule name, the actiontaken, and the authentication type.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)

—


SMTPheader

Header A MIME header matched aconfigured rule, or the default ruleof nomatch.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft ExchangeV6.0.6603.0" (SMTP-proxy-00)

—


SMTP Fromaddress

From address The sender address matched a rulespecified in theMail From rules.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)

—


SMTP Toaddress

To address The recipient address matched arule specified in the Rcpt To rules.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)

—


SMTPcontent type

Content type Some of themessage contentmatched a content filter rule.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)

—


SMTPfilename

Filename An email attachment matched a filename rule, or the attachment isuuencoded and the SMTP proxyallows uuencoded attachments.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)

—


Log Catalog 67


MessageVariables

1BFF000A INFO Proxy /SMTP

SMTPtimeout

Timeout The SMTP connection was idle forlonger than the configured idletimeout limit. The default is 10minutes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60"(SMTP-proxy-00)

—

1BFF000C INFO Proxy /SMTP

SMTP Virusfound

GAV Virusfound

Gateway AntiVirus (GAV) detecteda virus or malware in an emailattachment.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)

—

1BFF000E INFO Proxy /SMTP

SMTPcannotperformGateway AVscan

GAV cannotperform scan

Gateway AntiVirus (GAV) couldnot complete the scan because ofthe error that is specified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"error="scan request failed" filename="message.scr" (SMTP-proxy-00)

—

1BFF000F INFO Proxy /SMTP

SMTPrequest

Request This SMTP audit log specifies thebytes sent, bytes received, thesender and recipient addresses,and the sender and recipient TLScipher.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25msg="SMTPrequest" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282"sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard"(SMTP-proxy-00)

—


SMTPmessageformat

Messageformat

The email message formatmatched amessage format rulespecified in the SMTP proxy. Thelogmessage includes the errormessage.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)

—


SMTP IPSmatch

IPS match Intrusion Prevention Service (IPS)detected a threat. The logmessagespecifies the signature name andID, threat severity, and signaturecategory.

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (SMTP-proxy-00)

—


Log Catalog 68


MessageVariables


SMTP toomanyrecipients

Toomanyrecipients

The number of email recipientsspecified in the email messageexceeds the configured limit. Thedefault limit is 99 for inboundmessages and unlimited foroutboundmessages. The logmessage specifies the proxyaction and number of recipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25msg="ProxyDeny: toomany recipients" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]"recipients="[email protected];[email protected]" (SMTP-proxy-00)

—


SMTPresponsesize too long

Responsesize too long

The SMTP server responseexceeds the configured limit. Thedefault limit is 10,000 KB. The logmessage specifies the size of theresponse.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1"response_size="5030" (SMTP-proxy-00)

—


SMTP linelength toolong

Line too long The email message contains a linethat exceeds the configured limit.The default is 1,000 bytes. The logmessage specifies the line length.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1"line_length="32110" (SMTP-proxy-00)

—


SMTPmessagesize too long

Message toolong

The SMTP message lengthexceeds the configured limit. Thedefault limit is 10,000 kb.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1"size="16384" (SMTP-proxy-00)

—


SMTPheader sizetoo long

Header toolong

The SMTP message contains aheader that exceeds the configuredMaximum Header Length. Thedefault is 20,000 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1"headers_size="12157" (SMTP-proxy-00)

—


SMTPcommand

Command The SMTP request contains acommand that is not supported oris not valid for the emailtransaction. The logmessagespecifies the proxy action, actiontaken, SMTP command, and the

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1"keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)

—


Log Catalog 69


MessageVariables

response code.


SMTPClassified asconfirmedSPAM


spamBlocker has classified themessage as confirmed SPAM. Thelogmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—


SMTPClassified asbulk mail

spamBlockerbulk spam

spamBlocker has classified themessage as bulk SPAM. The logmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—

1BFF001B INFO Proxy /SMTP

SMTPClassified assuspectSPAM


spamBlocker has classified themessage as suspect SPAM. Thelogmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—


SMTPClassified asnot SPAM

spamBlockernot SPAM

spamBlocker has classified themessage as not SPAM. The logmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—


Log Catalog 70


MessageVariables

1BFF001D INFO Proxy /SMTP

SMTPmessageclassificationis unknownbecause anerroroccurredwhileclassifying

spamBlockerclassificationunknown

spamBlocker was unable toclassify the email messagebecause of an error. The logmessage specifies the sender andrecipient addresses.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25msg="ProxyDeny: SMTP message classification is unknown because an erroroccurred while classifying" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—

1BFF001E INFO Proxy /SMTP

SMTPspamBlockerexceptionwasmatched


The sender or recipient of the emailmessagematches a spamBlockerexception specified in the SMTPproxy.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type=""sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—

1BFF001F INFO Proxy /SMTP

SMTP Anerror wasfound by ourdecoder

Decoder error The SMTP proxy was unable todecode the email message due tothe error specified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)

—


SMTP extrapadcharacters inbase64 input

Extra padcharacters inbase64encoding

The SMTP proxy encounteredextra pad characters when thebody of the base64-encodedmessage was processed.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)

—


SMTP MailFromaddress toolong

Mail fromaddress toolong

A sender email address exceededthe configuredmaximum addresslength. The address length isunlimited by default.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1"address="[email protected]"length="56" response="553" (SMTP-proxy-00)

—


SMTP Appmatch

Applicationmatch

Application Control identified theapplication in themail messagethat is specified in the log

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25msg="ProxyDrop: SMTP Appmatch" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1"

—


Log Catalog 71


MessageVariables

message. app_beh_name="access" app_beh_id="6" (SMTP-proxy-00)


SMTP DLPviolationFound

DLP violationfound

Data Loss Prevention (DLP)detected the rule violation that isspecified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1"dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA"sender="[email protected]" recipients="wg@localhost" filename="ssn.docx"(SMTP-proxy-00)

—


SMTPcannotperform DLPScan


Data Loss Prevention (DLP) isunable to scan because of the errorspecified in the logmessage.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"error="scan request failed" filename="message.scr" (SMTP-proxy-00)

—


SMTP DLPobjectunscannable

DLP cannotscan object

Data Loss Prevention (DLP) isunable to extract data from anobject because the object isencrypted.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (Filewas encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

—


SMTP DLPobject toolarge

DLP objecttoo large

The file requested for Data LossPrevention (DLP) analysis is largerthan the configured limit. Thedefault value varies by platform,from one to fiveMB. The logspecifies the DLP sensor nameand error message.

May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" error="DLP scanlimit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)

—


SMTP APTdetected

APT threatdetected

APT Blocker found the threatspecified in the logmessage in anattached file.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost"filename="ecc59a46b439bdf63b058964e29ace0c"md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)

—


Log Catalog 72


MessageVariables


SMTP Filesubmitted toAPTanalysisserver



Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

—

1BFF002B INFO Proxy /SMTP

SMTP Filereported safefrom APThash check



Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

—


SMTPinvalid TLSprotocol

Protocolinvalid

The SMTP proxy detected invalidTLS protocol.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1"(SMTP-proxy-00)

—

2DFF0000 INFO Proxy /TCP-UDP

IP Request Request TCP-UDP transaction log for thetraffic that is configured to allow ordeny.

Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80msg="IPRequest" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)

—


IP IPSmatch

IPS match Intrusion Prevention Service (IPS)detected an intrusion threat inTCP-UDP proxy traffic. The logmessage specifies the actiontaken, signature ID, threatseverity, signature name, andsignature category.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1"signature_id="1110070" severity="4" signature_name="DOS Apachemod_sslHTTPS Request DOS -1" signature_cat="Dos/DDoS" (TCP-UDP-proxy-00)

—


Log Catalog 73


MessageVariables


IP protocol Protocol The TCP-UDP proxy recognizedthe protocol. The logmessagespecifies the action taken, and therule name.

Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)

—


IP Appmatch

Applicationmatch

Application Control identified theapplication type from the TCP-UDP proxy traffic. The logmessage specifies the actiontaken, the application name andID, the application category nameand ID, and the applicationbehavior and ID.

Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53msg="ProxyAllow: IPAppmatch" proxy_act="TCP-UDP-Proxy.1" app_cat_name="NetworkManagement" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (TCP-UDP-proxy-00)

—


Log Catalog 74

Management Log MessagesManagement logmessages are generated for activity on your Firebox. This includes when changes aremade to the device configuration and DeviceManagement user accounts, for user authentication to theFirebox, and actions related to LiveSecurity and system settings.

DiagnosticManagement logmessages of theDebug (Diagnostic) log type.


55010010 INFO Management/ System

USB driveformat

— USB drive format operationwas %s

USB drive format operationwas successful

USB drive format ${result}


Generatesystemdiagnostic filefailed

— Generate system diagnosticfile to%s failed

Generate system diagnosticfile to USB drive failed

Generate system diagnostic fileto ${device} failed


Periodic supportsnapshot isenabled

— System periodic supportsnapshot is enabled

System periodic supportsnapshot is enabled

—


Generatesystemdiagnosticsuccessfully

— Exported system diagnosticfile to%s successfully

Exported system diagnosticfile to server successfully

Generate system diagnostic fileto ${device} successfully


Reset to thedefaultconfigurationfailed

The default configuration settings were notrestored after a system reset.

Reset to the defaultconfiguration failed when thedevice was rebooted.

Reset to the defaultconfiguration failed when thedevice was rebooted.

5501000C INFO Management/ System

Device restorefailed

Device auto restore from a specific image ina USB drive disc or normal restore from anormal image failed

Device%s restore from%simage failed due to%s

Device auto restore from USBdrive image failed due to USBdrive not found

Device ${restore_type} restorefrom ${image_source} imagefailed for ${reason}

Management LogMessages

Log Catalog 75


5501000D INFO Management/ System

Creating USBauto restoreimage failed

— Creation of USB auto restoreimage failed due to%s

Creation of USB auto restoreimage failed due to no USBdrive

Creation of USB auto restoreimage failed: ${reason}

5501001B INFO Management/ System

System backupfailed

— System backup%s faileddue to%s.

System backup to USB drivefailed due to write file to USBdrive error

System backup ${dest device}failed: ${reason}

5501001C INFO Management/ System

USB autorestore failedreason

— USB auto restore failed dueto%s

USB auto restore failed due tonot detect the USB drive

USB auto restore failed for${reason}


Log Catalog 76

EventManagement logmessages of theEvent log type.


3E000002 INFO Management /Accounting

User loginsucceeded

Management user admin from 10.0.1.2logged in

A user successfully logged in. The logmessage specifies the user type, user name,and IP address.

%s %s%s%s from%slogged in%s%s%s%s

${user_type}${user_name}${auth_server} from{ipaddr} logged in${virtual_ip} ${msg}

3E000004 INFO Management /Accounting

User logout Management user admin from 10.0.1.2logged out

A user successfully logged out. The logmessage specifies the user type, user name,and IP address.

%s %s%s%s from%slogged out%s%s%s%s

${user_type}${user_name}${auth_server} from{ipaddr} logged out${virtual_ip} ${msg}

3E000003 WARN Management /Accounting

User login failed Management user admin from 10.0.1.2log in attempt was rejected.

A user log in attempt failed. The logmessagespecifies the user type, user name, IPaddress, and the failure reason, if available.

%s %s%s%s from%slog in attempt wasrejected%s%s%s%s

${user_type}${user_name}${auth_server} from{ipaddr} rejected${virtual_ip} ${msg}

11000003 INFO Management /Authentication

Authenticationserverunavailable

Authentication server 192.168.1.1:389is not responding

The external authentication server is notavailable.

Authentication server%s:%d is notresponding

—


Log Catalog 77



Userauthenticationsucceeded

Authentication of firewall user[user1@Firebox-DB] from 198.51.100.2was accepted

The user successfully authenticated. The logmessage specifies whether this is anadministrative user, a firewall user, or anothertype of user.

Authentication of %suser [%s@%s] from%swas accepted

Authentication of${user_type} user[${user_name}@${auth_server}] from${ipaddr} wasaccepted.


User unlock User test is unlocked automatically It indicates a user unlock and how he/she isunlocked

User%s is unlocked%s User ${name} isunlocked ${how}


Fireboxconnected toSSO agent

Firebox connected to the SSO agent at10.0.1.25 successfully.

Firebox connected to the SSO agentsuccessfully

Firebox connected to theSSO agent at %ssuccessfully.

—


Firebox closedthe connection

Firebox closed the connection to theSSO agent at 10.0.1.25.

Firebox closed the connection to the SSOagent.

Firebox closed theconnection to the SSOagent at %s.

—


Firebox failed toconnect to theSSO agent

Firebox failed to connect to the SSOagent at 10.0.1.25. Reason: timeout.

Firebox failed to connect to the SSO agent. Firebox failed to connectto the SSO agent at %s.Reason: %s.

—


Successful SSOagent failover

SSOAgent failover from 10.0.1.25 to10.0.1.26 was successful.

Successful SSO agent failover. SSOAgent failover from%s to%s wassuccessful.

—


UnsuccessfulSSO failover

SSO agent failover from 10.0.1.25 to10.0.1.26 failed. Reason: incompatibleSSO agent version.

Unsuccessful SSO failover. SSO agent failover from%s to%s failed.Reason: %s.

—

11000005 WARN Management /Authentication

Userauthenticationfailed

Authentication of Firewall user[test@RADIUS] from 10.0.1.2 wasrejected, received an Access-Rejectresponse from the RADIUS server

User authentication failed. The logmessagespecifies the reason.

Authentication of %suser [%s@%s] from%swas rejected, %s

Authentication of${user_type} user[${user_name}@${auth_server}] from ${ip_


Log Catalog 78


addr} was rejected,${reason}


user lock User test is locked out briefly after 3login failures

It indicates a user lockout and how and whyhe/she is locked out

User%s is locked out%s after %d loginfailures

User ${name} islocked out${lockout_type}after ${failure_count} login failures


BOVPN TLSclientauthenticationfailed

Authentication of BOVPN TLS client[EasternOffice] from 198.51.100.2 wasrejected, pre-shared key is incorrect

BOVPN TLS client authentication failed. Thelogmessage specifies the reason.

Authentication ofBOVPN TLS client [%s]from%s was rejected,%s

Authentication ofBOVPN TLS client[${client_name}]from ${ip_addr}was rejected,${reason}

1100000C WARN Management /Authentication

Authenticationerror

Authentication error. Domain not foundfor user1.

Authentication failed. The logmessagespecifies the reason.

Authentication error. %sfor%s.

Authenticationerror. ${error} for${user_name}.

1100000D WARN Management /Authentication

Authenticationserverunavailable

Authentication of user[[email protected]] failed. Bothprimary and secondary servers areunavailable.

Authentication failed because both the primaryand secondary authentication servers areunavailable.

Authentication of user[%s@%s] failed. Bothprimary and secondaryservers are unavailable.

—

1100000E WARN Management /Authentication

UnsupportedRADIUS method

Authentication of firewall user[user1@RADIUS] failed. RADIUSauthenticationmethodMSCHAP_V1 isnot supported.

Authentication failed because the specifiedRADIUS method is not supported.

Authentication of %suser [%s@%s] failed.RADIUS authenticationmethod%s is notsupported.

—

1100000F WARN Management /Authentication

Groupsmaximumreached

Themaximum number of groups (31)has been reached

Authentication failed because themaximumnumber of groups has been reached.

Themaximum numberof groups (%d) has beenreached

—


Log Catalog 79


40010002 ERROR Management /Certificate

CA certificateupdated failed

CA certificate update failed. Current CAcertificate version: 1.2.

CA certificate updated failed. CA certificate updatefailed. Current CAcertificate version: %s.

CA certificateupdate failed.Current CAcertificate version:${current CAversion number}.

40010001 INFO Management /Certificate

CA certificateupdatedsuccessfully

CA certificate updated successfully toversion 1.3.

The CA certificate updated successfully to thespecified new version.

CA certificate updatedsuccessfully to version%s.

CA certificateupdatedsuccessfully toversion ${new CAversion number}.

01010001 INFO Management /Configuration

Deviceconfigurationchange

Management user admin@Firebox-DBfrom 10.139.36.22 {modified | added |deleted } Blocked Sites Exceptions

The device configuration has been changed. Management user%s@%s from%s %s%s %s

Management user${user}@${domain}from ${ipaddr}${operation}${subsystem}${object}


Administrativeaccounts resetto default

Administrative accounts were reset tothe default settings

The administrative accounts were returned tothe default settings. This could be because thesystem is in safemode, or because of acorrupted administrative account file.

Administrative accountswere reset to the defaultsettings

—


Feature keyadded

admin added feature key'883B25CCF32949EE'

An administrator added a feature key. The logmessage specifies the feature key ID.

%s added feature key'%s'

—


Feature keyremoved

admin removed feature key'883B25CCF32949EE'

An administrator has removed a feature key.The logmessage specifies the feature key ID.

%s removed feature key'%s'

—


Featureexpirationreminder

'LIVESECURITY' feature will expire in90 days.

A feature will soon expire. The logmessagespecifies the feature and the number of daysuntil it expires.

'%s' feature will expire in%d days.

—

01040001 INFO Management / Default device Device default configuration was The device configuration was reset to the Device default —


Log Catalog 80


Configuration settings in usefor safemode

loaded in safemode default settings because the device is in safemode.

configuration wasloaded in safemode

01020003 WARN Management /Configuration

Feature expired — '%s' feature expired. Contact WatchGuard torenew your subscription.

'LIVESECURITY'feature expired. ContactWatchGuard to renewyour subscription.

5D000001 ERROR Management /DeviceFeedback

Cloud upgradefailed

Failed to finish system upgraderequested by cloud

Firebox failed to upgrade firmware requestedby WatchGuard cloud.

Failed to finish systemupgrade requested bycloud

—

5D000002 INFO Management /DeviceFeedback

Cloud upgradesuccess

System upgraded from 12.2.1 to 12.3requested by cloud

Firebox successfully upgraded firmwarerequested by WatchGuard cloud.

System upgraded from%s to%s requested bycloud

—

41000002 ERROR Management /LiveSecurity

RapidDeployfailed

RapidDeploy package was not applied:Cannot find result.xml

The RapidDeploy package was not applied tothe device. The logmessage specifies thereason.

RapidDeploy packagewas not applied: %s

RapidDeployfailed: ${reason}


New RSS feedupdate failed

New RSS feed from LiveSecurityService was not updated: errorretrieving response from server

New RSS feed from the LiveSecurity Servicefailed to update.

New RSS feed fromLiveSecurity Servicewas not updated: %s

—


Feature keydownload failed

Feature key from LiveSecurity Servicewas not received: error parsingresponse from LiveSecurity service

The feature key could not be downloaded fromthe LiveSecurity Service. The logmessagespecifies the reason.

Feature key fromLiveSecurity Servicewas not received: %s

—


Wireless countryspecificationupdate failed

Wireless country specification fromLiveSecurity Service was not received:received error code <n> from LSS

Thewireless country specification could not bedownloaded from the LiveSecurity service. Thelogmessage specifies the failure reason andthe number of retries.

Wireless countryspecification fromLiveSecurity Servicewas not received: %s,(retry_count=%d)

—


RapidDeployconfigurationfrom USB failed

RapidDeploy configuration from aUSBdrive was not applied: config linemissing

The RapidDeploy configuration was notsuccessfully applied from aUSB drive. The logmessage specifies the reason.

RapidDeployconfiguration from a

—


Log Catalog 81


USB drive was notapplied: %s

41000001 INFO Management /LiveSecurity

RapidDeploysucceeded

RapidDeploy package was appliedsuccessfully

The RapidDeploy package from theLiveSecurity service was successfully appliedto the device.

RapidDeploy packagewas appliedsuccessfully

—


New RSS feedupdatesucceeded

New RSS feed from LiveSecurityService was updated

New RSS feed from the LiveSecurity Servicewas updated.

New RSS feed fromLiveSecurity Servicewas updated

—


Feature keydownloadsucceeded

Feature key from LiveSecurity Servicewas received

The feature key for the device wassuccessfully downloaded from theLiveSecurity Service.

Feature key fromLiveSecurity Servicewas received

—


Wireless countryspecificationupdatesucceeded

Wireless country specification wasupdated

The wireless country specification wassuccessfully updated from the LiveSecurityservice.

Wireless countryspecification wasupdated

—


RapidDeployconfigurationfrom USBsucceeded

RapidDeploy configuration from aUSBdrive was applied successfully

The RapidDeploy configuration wassuccessfully applied from aUSB drive.

RapidDeployconfiguration from aUSB drive was appliedsuccessfully

—

3D040001 INFO Management /Logging

Primary LogServerconnected

Connected to the primary Log Server at198.51.100.0

The device successfully connected to theWatchGuard Log Server designated as theprimary server.

Connected to theprimary Log Server at%s

—

3D040002 INFO Management /Logging

Backup LogServerconnected

Connected to the backup Log Server at198.51.100.0

The device successfully connected to theWatchGuard Log Server designated as thebackup server.

Connected to thebackup Log Server at%s

—

15000000 INFO Management /ManagementClient

Deviceconfigurationupdate with audittrail

The configuration file and feature keyfor the device were successfullyupdated after a request from admin from

The updated configuration file wassuccessfully sent to the device from thespecifiedManagement Server. The log

The configuration file%sfor the device%ssuccessfully updated

—


Log Catalog 82


theManagement Server at10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcpsegment.

message indicates if the feature key wasupdated. The logmessagemight also specifythe revision ID and includes comments aboutthe update.

after a request from%sfrom theManagementServer at%s.%s%s%s%s.


Deviceconfigurationupdate

Device configuration file wassuccessfully updated. Configuration fileretrieved from theManagement Serverat 10.139.44.88.

The device retrieved an updated configurationfile from the specifiedManagement Server.The logmessage also indicates if deviceretrieved a feature key.

Device configuration file%s successfullyupdated. Configurationfile retrieved from theManagement Server at%s.

—


IPSec certificateimport

The IPSec certificate was successfullyimported from theManagement Serverat 10.139.44.88.

The IPsec certificate was successfullyimported from the specifiedManagementServer.

The IPSec certificatewas successfullyimported from theManagement Server at%s.

—


ManagementServer CAcertificate import

TheManagement Server CA certificatewas successfully imported from theManagement Server at 10.139.44.88.

TheManagement Server CA certificate wassuccessfully imported from the specifiedManagement Server.

TheManagement ServerCA certificate wassuccessfully importedfrom theManagementServer at %s.

—

58000001 INFO Management /NTP

System timechanged

System time changed to 2012-08-2908:20:00 by NTP

The system time was changed by the NTPprocess.

System time changed to%s by NTP

—

55010002 ERROR Management /System

LIVESECURITYfeature not found

Valid 'LIVESECURITY' feature notfound

— Valid 'LIVESECURITY'feature not found

—

55010003 ERROR Management /System

LIVESECURITYexpired

'LIVESECURITY' feature expired (TueMay 14 12:25:00 2013) prior to packagerelease date (WedMay 15 01:00:002013 )

— 'LIVESECURITY'feature expired (%s)prior to package releasedate (%s)

'LIVESECURITY'feature expired(${expiration time})prior to packagerelease date(${package release


Log Catalog 83


time})

55010000 INFO Management /System

Bootup time System boot up at 2000-01-01 00:00:01 — System boot up at %s System boot up at${time}


Shutdown Shutdown requested by system — Shutdown requested bysystem

—


Reboot System is rebooting — System is rebooting —


Upgradesucceeded

System upgrade to 11.9 successful,system needs to reboot

— System upgrade to%ssuccessful, %s

System upgrade to${software version}successful ${boxneed reboot or not}


Automatic reboot System is automatically rebooting at12:09

— System is automaticallyrebooting at %d:%d

System isautomaticallyrebooting at${hour}:${second}


Time change System time changed from 2012-10-512:30:15 to 2012-10-6 14:10:00

— System time changedfrom%s to%s

System timechanged from ${oldvalue} to ${newvalue}


USB autorestore started

USB auto restore started — USB auto restorestarted

—


Featureexpirationreminder

'LIVESECURITY' feature will expire onSat., Jan 5, 11:27:23 CST 2013.

— 'LIVESECURITY'feature will expire on%s

'LIVESECURITY'feature will expireon ${expirationtime}


Backupsucceeded

System backup succeeded — System backupsucceeded

—


Log Catalog 84



Device restoresuccess

Device auto restore from USB drivesucceeded

Device auto restore from a specific image inUSB drive or normal restore from a normalimage

Device%s restore from%s image succeeded

Device ${restore_type} restore from${image_source}image succeeded


USB autorestore imagecreated

USB auto restore image successfullycreated

— USB auto restore imagesuccessfully created

—

5501000B INFO Management /System

Device restore Device auto restore from USB driveimage initiated, reboot needed

Device was restored from a saved backupimage. The backup image was either autorestored from aUSB drive or restored fromanother location.

Device%s restore from%s image initiated%s

Device ${restore_type} restore from${image_source}imageinitiated${reboot_option}

5501001D INFO Management /System

Logo uploadsucceeded

Upload of logo succeeded — Upload of logosucceeded

—

55010019 WARN Management /System

Configurationreset failedduring adowngrade

During a system downgrade, theconfiguration reset failed

— During a systemdowngrade, theconfiguration reset failed

—

5501001A WARN Management /System

Upgrade failed System upgrade failed:'LIVESECURITY' feature expired

— System upgrade failed:%s

System upgradefailed: ${reason}

50000001 WARN Management /Web Service

User login failed(wgagent)

WSMUser status from 10.0.1.2 log inattempt was rejected - Invalidcredentials.

A user log in attempt failed. The logmessagespecifies the UI type, User Name, IP address,and (if available) the failure reason.

%s %s@%s from%slog in attempt wasrejected -%s.

%{ui_type} ${user_name}@${auth_server} from${ipaddr} log inattempt wasrejected ${msg}.


Log Catalog 85

FireCluster Log MessagesFireCluster logmessages are for events related to your Fireboxes that aremembers of a FireCluster. This includes actions related tomanagement of the FireCluster, operational errors of cluster members, eventsthat occur on cluster members, and changes to the status of a cluster member.

DiagnosticFireCluster logmessages of theDebug (Diagnostic) log type.


3A00000C ERROR Cluster /EventMonitoring

VRRPinitializationfailed

Initialization of Virtual Router Redundancy Protocol(VRRP) failed.

Cluster VRRPinitialization failed

Cluster VRRP initializationfailed

—

3A000002 INFO Cluster /EventMonitoring

VRRP enabled Virtual Router Redundancy Protocol (VRRP) is nowenabled for this Active/Passive Cluster.

VRRP is now enabledfor Cluster.

VRRP is now enabled forCluster.

—


VRRP startmaster

VRRP started in master state. Virtual Router withcluster ID %d started inmaster state.

Virtual Router with clusterID 1 started in masterstate.


VR shutdown Virtual Router returned to initial state. Virtual Router withcluster ID %d returnedto initial state.

Virtual Router with clusterID 1 returned to initialstate.

Virtual Router with clusterID ${id} returned to initialstate


VR pause Virtual Router becomes backup due to a pause event. Virtual Router withcluster ID %d becomesbackup on pause event

Virtual Router with clusterID 1 becomes backup onpause event

Virtual Router with clusterID ${id} becomes backupon pause event


VR resume Virtual Router becomes master due to a resume event. Virtual Router withcluster ID %d becomesmaster on resume event

Virtual Router with clusterID 1 becomes master onresume event

Virtual Router with clusterID ${id} becomes masteron resume event

FireCluster LogMessages

Log Catalog 86



VR backupstate

Virtual Router state changed frommaster to backup Virtual Router withcluster ID %d statechanged frommaster tobackup

Virtual Router with clusterID 1 state changed frommaster to backup

Virtual Router with clusterID ${id} state changedfrommaster to backup

3A00000A INFO Cluster /EventMonitoring

VR notificationgap

Member Virtual Router changed state tomaster due tonotification gap from current master

Member%s VirtualRouter with cluster ID%d changed state tomaster due to%dsecond notification gapfrom current masterwith IP %s

Member 80B20002E5BCDVirtual Router with clusterID 1 changed state tomaster due to 3 secondnotification gap fromcurrent master with IP10.0.4.1

Member ${member} VirtualRouter with cluster ID ${id}changed state tomasterdue to ${value} secondnotification gap fromcurrent master with IP${ip}

3A00000B INFO Cluster /EventMonitoring

VRRP masterstate

Virtual Router state changed tomaster Virtual Router withcluster ID %d statechanged tomaster

Virtual Router with clusterID 1 state changed tomaster

Virtual Router with clusterID ${id} state changed tomaster

38000002 ERROR Cluster /Management

DHCPoverwrite

A DHCP server has attempted to assign an IP addressto cluster member on the Cluster Interface. This logmessage recommends the admin isolate the Clusterinterface network from the DHCP server, and specifiesthe interface number and IP address the clusterattempted to assign to themember.

A DHCP server isinterfering with staticaddress assignment ofcluster IP address %son eth%d. DisableDHCP server access toeth%d.

A DHCP server isinterfering with staticaddress assignment ofcluster IP address 10.0.0.1on eth0. Disable DHCPserver access to eth5.

A DHCP server isinterfering with staticaddress assignment ofcluster IP ${ip} oneth${port}. Please disableDHCP server access toeth${port}.

38000003 INFO Cluster /Management

Clusterinterface up

Cluster interface link status changed to up. Cluster interface%s isup.

Cluster interface eth5 isup.

Cluster interface ${ifname}is up.

3800025C INFO Cluster /Management

Configurationupdate

Cluster member received an updated configurationfrom themaster. The logmessage specifies themember serial number and configuration versionnumber.

Cluster member%sreceived updatedconfiguration; version%d.

Cluster member80B20002E5BCDreceived updatedconfiguration; version 3.

Cluster member${member} receivedupdated configuration;version ${version}.

38000004 WARN Cluster /Management

Clusterinterface down

Cluster interface link status changed to down. Cluster interface%s isdown.

Cluster interface eth5 isdown.

Cluster interface ${ifname}is down


Log Catalog 87



Timesynchronizationfailure

The cluster master's attempt to synchronize time to acluster member failed

Cluster timesynchronization failed.

Cluster timesynchronization failed.

—

3B000001 INFO Cluster /Transport

Channel statuschange

The cluster communication channel between thespecifiedmembers changed state.

Cluster channel frommember%s tomasteris %s.

Cluster channel frommember 80B20002E5BCDtomaster is up

Cluster channel frommember ${member} tomaster is ${state}.

EventFireCluster logmessages of theEvent log type.


3A00000E INFO Cluster /EventMonitoring

VR enabled The Virtual Router representing thecluster is now enabled

Virtual Router withcluster ID %d isnow enabled

Virtual Router withcluster ID 1 is nowenabled

Virtual Router withcluster ID ${id} is nowenabled

3A00000F INFO Cluster /EventMonitoring

VR disabled The Virtual Router representing thecluster is now disabled

Virtual Router withcluster ID %d isnow disabled

Virtual Router withcluster ID 1 is nowdisabled

Virtual Router withcluster ID ${id} is nowdisabled

38000280 ERROR Cluster /Management

Device discoveryfailed

The cluster master was unable toissue a device discovery message.

Cluster master%swas unable to issuea device discoverymessage.

Cluster master80B20002E5BCD wasunable to issue a devicediscovery message.

Cluster master${master} was unableto issue a devicediscovery message.

3800027E ERROR Cluster /Management

Factory-default resetfailed

Failed to reset to factory-defaultsettings.

Failed to resetcluster member%sto factory-defaultsettings.

Failed to reset clustermember80B20002E5BCD tofactory-default settings.

Failed to resetmember ${member} tofactory-defaultsettings.

38000282 INFO Cluster /Management

Member ready to join Local member has FireClusterenabled and is ready to join.

Member%s isready to join thecluster.

Member80B20002E5BCD isready to join the cluster.

Member ${member} isready to join thecluster.


Log Catalog 88


3800025A INFO Cluster /Management

Cluster enabled Cluster was enabled on thespecifiedmember.

Cluster enabled onmember%s.

Cluster enabled onmember80B20002E5BCD.

Cluster enabled onmember ${member}.

3800025B INFO Cluster /Management

Cluster disabled onmaster

Cluster disabled on the clustermember while it was the clustermaster.

Cluster disabled oncluster master%s.

Cluster disabled oncluster master80B20002E5BCD.

Cluster disabled oncluster master${master}.


Cluster disabled The non-master member of thecluster will be reset to factorydefault-settings because FireClusteris disabled.

Cluster disabled.Non-mastermember%s will bereset to factory-default settings.

Cluster disabled. Non-master member80B20002E5BCD will bereset to factory-defaultsettings.

Cluster disabled. Non-master member%swill be reset tofactory-defaultsettings.


Critical configurationchange

The non-master member of thecluster will be reset to factory-default settings due to a criticalconfiguration change. Aconfiguration change is critical if itwould cause themaster and backupmaster to lose the TCP connectionon the cluster interface.

Non-mastermember%s will bereset to factory-default settings dueto a critical clusterconfigurationchange.

Non-master member80B20002E5BCD will bereset to factory-defaultsettings due to a criticalcluster configurationchange.

Non-master member${member} will bereset to factorydefault-settings due toa critical clusterconfiguration change.

3800027A WARN Cluster /Management

Non-master memberremoved

The non-master member of theCluster will be reset to factory-default settings because it wasremoved from the cluster.

Non-master clustermember%s wasremoved fromcluster, and will bereset to factory-default settings.

Non-master clustermember80B20002E5BCD wasremoved from cluster,and will be reset tofactory-default settings.

Non-master clustermember%s wasremoved from cluster,and will be reset tofactory-defaultsettings.


Log Catalog 89


39000007 ERROR Cluster /Operations

Failover due toWAI Themaster failed over to thespecifiedmember because thatmember has a higher health scorethan themaster.

Master%s failedover to member%s,which has a greaterWeighted AverageIndex.

Master80B20002E5BCD failedover to member80B20002E5BFE, whichhas a greaterWeightedAverage Index.

Master ${master}failover to member${member} withgreaterWeightedAverage Index.

39000019 ERROR Cluster /Operations

Failover due tointerface state change

A cluster failover event occurred dueto a change of interface state.

Cluster failover dueto interface%s link%s event.

Cluster failover due tointerface eth4 link downevent.

Cluster failover due tointerface ${ifname}link ${state} event.

3900000C ERROR Cluster /Operations

Synchronization failed Full state synchronization from themaster to the specifiedmemberfailed. Member state will not changeto BackupMaster.

Full statesynchronizationfrommaster%s tobackupmaster%sfailed.

Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFE failed.

Full statesynchronization frommaster ${master} tobackupmaster${member} failed.

3900000D ERROR Cluster /Operations

Synchronizationtimeout

Full state synchronization from themaster to the specifiedmembertimed out. Member state will notchange to BackupMaster.

Full statesynchronizationfrommaster%s tobackupmaster%stimed out.

Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFE timedout.

Full statesynchronization frommaster ${master} tobackupmaster${member} timed out.

3900000F ERROR Cluster /Operations

Failover due to link-down

Cluster failover due to a link failureon the current master, which nowhas a health index lower than thebackupmaster. The logmessagespecifies which interface has thelink down.

Master%s failed-over to member%sdue to a link-downevent on interface%s.

Master80B20002E5BCD failed-over to member80B20002E5BFE due toa link-down event oninterface eth3.

Master ${master}failed-over to member${member} due to alink-down event oninterface ${ifname}.

39000005 INFO Cluster /Operations

Member promoted tomaster

The specifiedmember has becomemaster.

Member%s is nowmaster.

Member80B20002E5BCD isnow master.

Member ${member} isnow master.


Log Catalog 90



Member role change The cluster member changed to thespecified role.

Member%schanged role to%s.

Member80B20002E5BCDchanged role to master

Member ${member}role changed to${role}.


Interface link statuschange

Specifiedmonitored interface linkstatus changed, which will changethe health index for themember.

Monitored interface%s link is %s.

Monitored interface eth0link is down.

Monitored interface${ifname} link is${state}.


New master The specifiedmember has takenover as master..

Member%s tookover as master frommember%s.

Member80B20002E5BCD tookover as master frommember80B20002E5BFE.

Member ${member}took over as masterfrommember${member}.


Failover initiated byadministrator

The administrator has initiated afailover.

Master%s initiatedfailover byadministratorrequest.

Master80B20002E5BCDinitiated failover byadministrator request.

Master ${master}initiated failover byadministratorrequest..


Member Role Change The role of the specified Clustermember changed.

Cluster member%schanged role from%s to%s.

Cluster member80B20002E5BCDchanged role from idle tobackupmaster

Cluster member${member} changedrole from ${role} to${role}.

3900000E INFO Cluster /Operations

Synchronizationsuccessful

Full state synchronization to thespecifiedmember was successful.Member status changed to backupmaster.

Full statesynchronizationfrommaster%s tobackupmaster%scompletedsuccessfully.

Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFEcompleted successfully.

Full statesynchronization frommaster ${master} tobackupmaster${member} completedsuccessfully


Log Catalog 91


39000003 WARN Cluster /Operations

Heartbeat lost The specified Cluster failed toreceive a heartbeat message.

Master%s detectedloss of heartbeatfrommember%s,cluster channel isup.

Master80B20002E5BFEdetected loss ofheartbeat frommember80B20002E5BCD,cluster channel is up.

Master ${master}detected loss ofheartbeat frommember ${member},cluster channel is up.

39000016 WARN Cluster /Operations

Cannot initiate failover The failover requested byadministrator cannot proceedbecause themaster has a higherhealth index, or the backupmaster isunreachable.

Cannot initiatefailover frommaster%s tomember%sdue to higherWeighted AverageIndex on currentmaster or backupmaster isunreachable.

Cannot initiate failoverfrommaster80B20002E5BCD tomember80B20002E5BFE due tohigherWeightedAverage Index oncurrent master or backupmaster is unreachable.

Cannot initiate failoverfrommaster ${master}to member ${member}due to higherWeighted AverageIndex on currentmaster or othermember isunreachable.


Log Catalog 92

Security Services Log MessagesSecurity Services logmessages are generated for processes related to the Security Services configured on your Firebox. For the logmessages from Security Services traffic and events, review the proxy logmessages for the proxy policies where the Security Services are enabled. For more information, seeProxy Policy LogMessages on page 37.

EventSecurity Services logmessages of theEvent log type.


1F000001 ERROR Security Services /Gateway Anti-Virus

Process failed to start Cannot start ScanD ScanD -- Process failed to start Cannot start ScanD —

1F010015 INFO Security Services /Gateway Anti-Virus

Ready for service ScanD ready ScanD -- Ready for service ScanD ready —

2E000005 ERROR Security Services /Signature Update

Process exiting SIGD shutting down SIGD -- Process exiting SIGD shutting down —


Process crashed SIGD crashed SIGD -- Process crashed SIGD crashed —


Failed to start the signatureupdate for the specifiedservices

Cannot start the signature update for'IPS'

SIGD -- Failed to the startsignature update for the specifiedservices

Cannot start the signatureupdate for '%s'

—


Failed to check the availablesignature version on the server

Cannot complete the version check SIGD -- Failed to check theavailable signature version on theserver

Cannot complete theversion check

—

2E01001A ERROR Security Services /Signature Update

Signature update process failedto start

Cannot start the signature updateprocess

SIGD -- Signature update processfailed to start

Cannot start the signatureupdate process

—

2E01001B ERROR Security Services /Signature Update

Signature update processcrashed

SIGD Worker crashed SIGD -- Signature update processcrashed

SIGD Worker crashed —

Security Services LogMessages

Log Catalog 93



Signature update process forthe specified version failed

Manual DLP update for version(4.94)failed (Valid feature key not available)

SIGD -- Signature update processfor the specified version failed

%s %s update for version(%s) failed (%s)

—

2E020065 INFO Security Services /Signature Update

Signature update processstarted

Scheduled DLP update started SIGD -- Signature update processstarted

%s %s update started —


Signature update processcompleted

Scheduled DLP update for version(4.94) completed

SIGD -- Signature update processcompleted

%s %s update for version(%s) completed

—


Device has the latest signatureversion for the specified service

Device already has the latest DLPsignature version (4.94)

SIGD -- Device has the latestsignature version for specifiedservice

Device already has thelatest %s signature version(%s)

—

2E010017 WARN Security Services /Signature Update

License failed to load Cannot load the license SIGD -- License failed to load Cannot load the license —

23000001 ERROR Security Services /spamBlocker

Failed to start Cannot start spamD spamD -- Failed to start Cannot start spamD —

23000002 INFO Security Services /spamBlocker

Ready for service spamD ready spamD -- Ready for service spamD ready —

Security Services LogMessages

Log Catalog 94

VPN Log MessagesVPN logmessages are generated for processes related to the all VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.

AlarmVPN logmessages of theAlarm log type.


020B0001 INFO VPN /IPSEC

Tunnelstatuschanged

BOVPN tunnel 'tunnel.2' local172.16.12.81/255.255.255.255 remote172.16.13.204/255.255.255.255 under gateway'gateway.1' is down.

The status of theIPSec tunnel changedto up or down.

%s tunnel '%s' local %sremote%s undergateway '%s' is %s

${tunnel_type} tunnel '${tunnel}' local${local} remote ${remote} under gateway'$(gateway}' is ${status}

DiagnosticVPN logmessages of theDebug (Diagnostic) log type.


02000001 ERROR VPN /IPSEC

Defaultcertificate notfound

The default IPSec certificate is notinstalled on the device

The IPSec tunnel could not benegotiated because the defaultIPSec certificate is not installed oris not valid.

The default IPSeccertificate is not installed onthe device

—


Failed to readcertificate

Could not read [DSA | RSA]certificate with [n] ID

The IPSec tunnel could not benegotiated because the IPSeccertificate is not valid.

Could not read%scertificate with%d ID

Could not read ${cert_type} certificatewith ${id} ID

VPN LogMessages

Log Catalog 95



IKE Phase 1expectingmainmode

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received 'Aggressivemode' exchange type. Expectingmainmode.

IKE Phase 1 negotiation failedbecause of incorrect exchangetype in proposal from remotegateway. The logmessagespecifies the expected andreceived exchange type.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received '%s'exchange type. Expectingmainmode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received '${exchange_type}' exchange type. Expectingmainmode.


IKE Phase 1expectingaggressivemode

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received 'Mainmode'exchange type. Expectingaggressivemode.

IKE Phase 1 negotiation failedbecause of incorrect exchangetype in proposal from remotegateway. The logmessagespecifies the expected andreceived exchange type.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received '%s'exchange type. Expectingaggressivemode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received '${exchange_type}' exchange type. Expectingaggressivemode.


IKE Phase 1DH groupmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received DH group 2,expecting 14

IKE Phase 1 negotiation failedbecause of incorrect Diffe-Hellman group in proposal fromremote gateway. The logmessagespecifies the received andexpected group number.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received DHgroup%d, expecting%d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received DH group${received}, expecting ${expected}


IKE Phase 1hashmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received hash SHA1,expectingMD5

IKE Phase 1 negotiation failedbecause of incorrect hash type inproposal from remote gateway.The logmessage specifies thereceived and expected hash type.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received hash%s, expecting%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received hash ${received},expecting ${expected}

VPN LogMessages

Log Catalog 96



IKE Phase 1encryptionmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received encryption3DES, expecting AES

IKE Phase 1 negotiation failedbecause of incorrect encryptiontype in proposal from remotegateway. The logmessagespecifies the received andexpected encryption type.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedencryption%s, expecting%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received encryption${received}, expecting ${expected}


IKE Phase 1authenticationmethodmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received authenticationmethod PSK, expecting RSAcertificate

IKE Phase 1 negotiation failedbecause of incorrectauthenticationmethod in proposalfrom remote gateway. The logmessage specifies the receivedand expected authenticationmethods.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedauthenticationmethod%s,expecting%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received authenticationmethod ${received}, expecting${expected}


IKE Phase 1AES keylengthmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received AES key length128, expecting 256

IKE Phase 1 negotiation failedbecause of incorrect AES keylength in proposal from remotegateway. The logmessagespecifies the received andexpected AES key length.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received AES keylength%d, expecting%d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received AES key length${received}, expecting ${expected}


IKE Phase 1invalid firstmessage

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidmain/aggressivemode firstmessage. Check VPN IKEdiagnostic logmessages for moreinformation.

IKE Phase 1 negotiation failedbecause of invalid first messagereceived by local gateway. The logmessage specifies the reason.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmain/aggressivemode firstmessage. Check VPN IKEdiagnostic logmessages formore information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalidmain/aggressivemode first message.Check VPN IKE diagnostic logmessages for more information.

VPN LogMessages

Log Catalog 97



IKE Phase 1remotegateway IDmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Authentication failure duetomismatched ID setting

IKE Phase 1 negotiation failedbecause remote ID in gatewayconfiguration did not matchproposal from remote gateway.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Authenticationfailure due tomismatchedID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Authentication failure due tomismatched ID setting


IKE Phase 1pre-shared keyauthenticationfailure

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure

IKE Phase 1 negotiation failedbecause pre-shared key inproposal did not match gatewayconfiguration.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Pre-shared keyauthentication failure

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure


IKE Phase 1retry timeout

IKE phase-1 negotiation from172.16.12.81:500 to172.16.12.82:500 failed. Gateway-Endpoint='gateway.1'Reason=Message retry timeout.Check the connection between localand remote gateway endpoints.

IKE Phase 1 negotiation failedbecause of no response fromremote site.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Message retrytimeout. Check theconnection between localand remote gatewayendpoints.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Message retry timeout.Check the connection between localand remote gateway endpoints.


CA certificatenot available

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=NoCA certificate available

IKE phase-1 negotiation failedbecause no Certificate Authority(CA) certificate is available.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}


IKE Phase 1peer certificateCA is notsupported

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peercertificate is not issued by knowntrusted CA

IKE Phase 1 negotiation failedbecause peer certificate is notissued by a known and trustedCertificate Authority(CA).



VPN LogMessages

Log Catalog 98



IKE Phase 1receivedcertificate withinvalid CAname

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received certificate withinvalid CA name

IKE Phase 1 negotiation failedbecause of invalid CertificateAuthority (CA) name in certificatefor remote gateway.




IKE Phase 1possibleshared secretmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Message decryption faileddue to possible shared secretmismatch

IKE Phase 1 negotiation failedbecause of possible shared keymismatch.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Messagedecryption failed due topossible shared secretmismatch

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Message decryption faileddue to possible shared secretmismatch


DSScertificate IDmismatch

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Authentication failure duetomismatched DSS certificate IDsetting

IKE Phase 1 negotiation failedbecause of mismatched DSScertificate ID setting.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Authenticationfailure due tomismatchedDSS certificate ID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Authentication failure due tomismatched DSS certificate IDsetting


Failed to getID informationfromcertificate

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Failed to get ID informationfrom certificate 20001

IKE phase-1 negotiation failedbecause failed to get IDinformation from certificate.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Failed to get IDinformation from certificate%d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failedto get ID information from certificate${certificate_id}


IKE Phase 1invalidaggressivemode ID

IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'Reason=Received ID did not match

IKE Phase 1 negotiation failedbecause received ID did not matchwith configured ID on localgateway. Check aggressivemodeID information in gateway endpoint

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received ID didnot match with configured

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received ID did not matchwith configured aggressivemode ID.

VPN LogMessages

Log Catalog 99


with configured aggressivemode ID. configuration on both local andremote gateways.

aggressivemode ID.


IKE Phase 2PFSmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedproposal without PFS, ExpectingPFS enabled

The IPSec tunnel negotiationfailed because the PerfectForward Secrecy (PFS) value didnot match the Phase 2configuration.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received proposalwithout PFS, ExpectingPFS enabled

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedproposal without PFS, Expecting PFSenabled


IKE Phase-2proposal typemismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedprotocol 'AH'. Expecting 'ESP' inphase-2 proposal.

The IPSec tunnel negotiationfailed because the proposal did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected proposals.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received protocol'%s'. Expecting '%s' inphase-2 proposal.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedprotocol '${received_proto}'.Expecting '${expected_proto}' inphase-2 proposal.


IKE Phase 2AHauthenticationmethodmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedAH authenticationMD5, expectingSHA1

The IPSec tunnel negotiationfailed because the proposed AHauthenticationmethod did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected AHauthenticationmethod.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received AHauthentication%s,expecting%s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedAH authentication ${received},expecting ${expected}


IKE Phase 2ESPencryptionmethodmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedESP encryption DES, expectingAES

The IPSec tunnel negotiationfailed because the proposed ESPencryptionmethod did not matchthe Phase 2 configuration. The logmessage specifies the receivedand expected ESP encryptionmethod.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received ESPencryption%s, expecting%s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedESP encryption ${received},expecting ${expected}

VPN LogMessages

Log Catalog 100



IKE Phase 2PFS DH groupmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedPFS DH group 2, expecting 5

The IPSec tunnel negotiationfailed because the proposedPerfect Forward Secrecy Diffe-Hellman (PFS DH) group numberdid not match the Phase 2configuration. The logmessagespecifies the received andexpected PFS DH group numbers.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received PFS DHgroup%d, expecting%d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedPFS DH group ${received}, expecting${expected}


IKE Phase 2ESPauthenticationmethodmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedESP authenticationMD5-HMAC,expecting SHA1-HMAC

The IPSec tunnel negotiationfailed because the proposed ESPauthenticationmethod did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected ESPauthenticationmethod.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received ESPauthentication%s,expecting%s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedESP authentication ${received},expecting ${expected}


IKE Phase 2AES keylengthmismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedAES key length 128, expecting 256

The IPSec tunnel negotiationfailed because the proposed AESencryption key length did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected AES keylength.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received AES keylength%d, expecting%d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedAES key length ${received},expecting ${expected}

0203000A ERROR VPN /IPSEC

IKE Phase 1invalid MainMode secondmessage

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode secondmessage. Check VPNIKE diagnostic logmessages formore information.

IKE Phase 1 negotiation failedbecause of invalid secondmessage received by localgateway.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode secondmessage. Check VPN IKEdiagnostic logmessages formore information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodesecondmessage. Check VPN IKEdiagnostic logmessages for moreinformation.

VPN LogMessages

Log Catalog 101


0203000B ERROR VPN /IPSEC

IKE Phase 1invalid MainMode KeyExchangepayload

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode KE payload. Check VPN IKEdiagnostic logmessages for moreinformation.

IKE Phase 1 negotiation failedbecause local gateway receivedinvalid MainMode Key Exchange(KE) payload

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode KE payload.Check VPN IKE diagnosticlogmessages for moreinformation.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodeKE payload. Check VPN IKEdiagnostic logmessages for moreinformation.

0203000C ERROR VPN /IPSEC

IKE Phase 1invalid mainmode ID

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode ID payload. Check VPN IKEdiagnostic logmessages for moreinformation.

IKE Phase 1 negotiation failedbecause of invalid MainMode IDpayload received by localgateway.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode ID payload.Check VPN IKE diagnosticlogmessages for moreinformation.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodeID payload. Check VPN IKEdiagnostic logmessages for moreinformation.

0203000D ERROR VPN /IPSEC

IKE Phase 1invalidaggressivemode hash

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidaggressivemode hash payload.Check VPN IKE diagnostic logmessages for more information.

IKE Phase 1 negotiation failedbecause invalid aggressivemodehash payload received byspecified local gateway.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidaggressivemode hashpayload. Check VPN IKEdiagnostic logmessages formore information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid aggressivemode hash payload. Check VPN IKEdiagnostic logmessages for moreinformation.

0203000E ERROR VPN /IPSEC

IKE Phase 1invalidAggressivemode SApayload

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidaggressivemode SA payload.Check VPN IKE diagnostic logmessages for more information.

IKE Phase 1 negotiation failedbecause of invalid Aggressivemode security association (SA)payload received by specifiedlocal gateway.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidaggressivemode SApayload. Check VPN IKEdiagnostic logmessages formore information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid aggressivemode SA payload. Check VPN IKEdiagnostic logmessages for moreinformation.

VPN LogMessages

Log Catalog 102



IKE Phase 1IKE versionmismatch

IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'Reason=Received IKE version didnot match the configured IKEversion.

IKE Phase 1 negotiation failedbecause the received IKE versiondid not match the IKE versionconfigured on the local gateway.Check the IKE version in thegateway endpoint configuration onboth the local and remotegateways.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received IKEversion did not match theconfigured IKE version.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received IKE version didnot match the configured IKE version.


IKE Phase 1messagereceived onwronginterface IP

IKE phase-1 negotiation from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='gateway.1'Reason=Receivedmessage withwrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.

IKE Phase 1 negotiation failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.

IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage withwrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.


IKE Phase 2tunnel routemismatch

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Gateway='gateway.1' Reason=Nomatching tunnel route for peerproposed local:192.168.81.0/24remote:192.168.82.0/28

The IPSec tunnel negotiationfailed because the proposed tunnelroutes did not match the tunnelconfiguration. The logmessagespecifies the received andexpected tunnel routes.

IKE phase-2 negotiationfrom%s to%s failed.Gateway='%s' Reason=Nomatching tunnel route forpeer proposed local:%s/%dremote:%s/%d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Gateway='${gateway}' Reason=Nomatching tunnel route for peerproposed local:${tr_local} remote:${tr_remote}


IKE Phase 2message retrytimeout

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messageretry timeout. Check VPN IKEdiagnostic logmessages for moreinformation.

The IPSec tunnel negotiationfailed because an expectedresponse was not received beforethemessage retry timeout.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message retrytimeout. Check VPN IKEdiagnostic logmessages formore information.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messageretry timeout. Check VPN IKEdiagnostic logmessages for moreinformation.

VPN LogMessages

Log Catalog 103


0205000C ERROR VPN /IPSEC

IKE Phase2message retrytimeoutbecausePhase 1 SAexpired

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messageretry timeout because phase-1 SAexpired

The IPSec tunnel negotiationfailed because the Phase 1Security Association (SA) expired.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message retrytimeout because phase-1SA expired

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messageretry timeout because phase-1 SAexpired

0205000D ERROR VPN /IPSEC

IKE Phase 2PFS notenabled

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedproposal with PFS. PFS notenabled.

The IPSec tunnel negotiationfailed because the PerfectForward Secrecy (PFS) value didnot match the Phase 2configuration.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received proposalwith PFS. PFS not enabled.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedproposal with PFS. PFS not enabled.

0205000E ERROR VPN /IPSEC

IKE Phase 2wait timeout

IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messagewas not received in expected time.Check the connection between localand remote gateway endpoints.

The IPSec tunnel negotiationfailed because an expectedresponse was not received beforethe expected time.

IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message was notreceived in expected time.Check the connectionbetween local and remotegateway endpoints.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messagewas not received in expected time.Check the connection between localand remote gateway endpoints.

021A0001 ERROR VPN /IPSEC

DroppedreceivedIKEv2message

Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Reason=message has invalidinitiator SPI (all zeros)

Dropped received invalid IKEv2message.

Dropped IKEv2%smessage from%s.Reason=%s

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Reason=${reason}


IKE SA notfound tohandle IKE_SA_INIT_Rmessage

Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Reason=IKE SA not found to handlemessage with message ID 0x0.

IKE SA was not found to handlethe received IKE_SA_INIT_Rmessage.

Dropped IKEv2%smessage from%s.Reason=IKE SA not foundto handlemessage withmessage ID 0x%x.

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Reason=IKE SA not found to handlemessage with message ID ${recvd_message_id}.


Gateway Dropped IKEv2 IKE_SA_INIT Gateway endpoint was not foundto handle the received IKE_SA_

Dropped IKEv2%s Dropped IKEv2 ${exchange_type}

VPN LogMessages

Log Catalog 104


endpoint notfound tohandle IKE_SA_INIT_Rmessage

message from 172.16.12.82:500.Reason='gateway.1' gatewayendpoint not found to handlemessage with message ID 0x0.

INIT_R message message from%s.Reason='%s' gatewayendpoint not found to handlemessage with message ID0x%x.

message from ${peer_addr}.Reason='${gw-ep}' gateway endpointnot found to handle IKE_SA_INITmessage with message ID ${recvd_message_id}.


Invalidmessage ID inIKEv2exchange

Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Gateway-Endpoint='gateway.1'.Reason=Invalid message ID inrequest message.

Received IKEv2message wasdropped because it has invalidmessage ID.

Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=Invalid messageID in%s message.

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'.Reason=Invalid message ID in ${req_or_resp} message.


IKEv2gatewayendpoint wasnot found tohandle thereceivedmessage

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Matching gateway endpointnot found.

IKEv2 gateway endpoint was notfound to handle the receivedmessage.

IKEv2%s exchange from%s to%s failed.Reason=Matching gatewayendpoint not found.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Matching gatewayendpoint not found.


IKEv2gatewayendpointversion notmatched

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received IKE version didnot match the configured IKEversion.

IKEv2message exchange failedbecause the received IKE versiondid not match the IKE versionconfigured on the local gateway.Check the IKE version in thegateway endpoint configuration onboth local and remote gateways.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received IKEversion did not match theconfigured IKE version.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received IKE version didnot match the configured IKE version.


IKEv2gatewayendpoint isdisabled

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=gateway endpoint isdisabled.

The IKEv2 gateway endpoint isdisabled. It cannot be used intunnel negotiation.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=gateway endpointis disabled.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=gateway endpoint isdisabled.

VPN LogMessages

Log Catalog 105



IKEv2gateway IDmismatch

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Gateway endpoint withmatching ID was not found.

IKEv2 IKE_AUTH negotiationfailed because the remote IDconfigured in the gateway endpointdid not match proposed IDreceived from the remote gateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Gateway endpointwith matching ID was notfound.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Gateway endpoint withmatching ID was not found.

021A000A ERROR VPN /IPSEC

IKEv2 IKE_SA_INITmessagereceived onwronginterface

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Receivedmessage onwrong interface 'eth0'(index:3).Expecting it to be received on 'eth6'.

IKEv2 IKE_SA_INIT negotiationfailed because IKE message frompeer was received on the wronginterface.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage on wrong interface'%s'(index:%d). Expecting itto be received on '%s'.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Receivedmessage onwrong interface. '${received_if}'(index:${received_ifindex}). Expectingit to be received on '${expected_if}'.

021A000B ERROR VPN /IPSEC

IKEv2 remotegatewayendpoint IDmismatch

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received ID did not matchthe configured remote gatewayendpoint ID.

IKEv2 IKE_AUTH negotiationfailed because the remote ID in thegateway endpoint configuration didnot match the proposed IDreceived from the remote gateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received ID didnot match the configuredremote gateway endpointID.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ID did not matchthe configured remote gatewayendpoint ID.

021A000C ERROR VPN /IPSEC

IKEv2 localgatewayendpoint IDmismatch

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received ID did not matchthe configured local gatewayendpoint ID.

IKEv2 IKE_AUTH negotiationfailed because the local ID in thegateway endpoint configuration didnot match the proposed IDreceived from the remote gateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received ID didnot match the configuredlocal gateway endpoint ID.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ID did not matchthe configured local gateway endpointID.

VPN LogMessages

Log Catalog 106


021A000D ERROR VPN /IPSEC

ReceivedIKEv2message doesnot haveexpectedpayloads

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received IKE_AUTHresponsemessage does not havethe expected payloads.

IKEv2message exchange failedbecause the receivedmessagefrom the peer does not have theexpected payloads

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received%smessage does not have theexpected payloads.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ${msg_info}message does not have the expectedpayloads.

021A000E ERROR VPN /IPSEC

IKEv2 IKEproposalmismatch

IKEv2 IKE_SA_INIT exchange from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'. Reason=IKEproposal did not match. Receivedencryption 3DES, expected AES.

The IKEv2message exchangefailed because the IKE proposal inthe receivedmessage did notmatch the expected proposal.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=%s

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=${msg_info}

021A000F ERROR VPN /IPSEC

IKEv2 KE DH-Groupmismatch

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does notmatch DH-Group 5 selected in theIKE_SA_INIT response proposal.

IKEv2message exchange failedbecause the DH group in thereceived Key Exchange (KE)payload does not match the DH-Group in the selected proposal.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=DH-Group%d inthe KE payload does notmatch DH-Group%dselected in the%s proposal.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=DH-Group ${recvd_dh_group} in the KE payload does notmatch the DH-Group ${selected_dh_group} selected in the ${msg_info}proposal.


IKEv2 IPSecKE DH-Groupmismatch

IKEv2 CREATE_CHILD_SAexchange from 172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does notmatch DH-Group 5 selected in theCREATE_CHILD_SA requestproposal.

IKEv2message exchange failedbecause the DH group in thereceived Key Exchange (KE)payload does not match the DH-Group in the selected proposal.

IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=DH-Group%d in the KE payloaddoes not match DH-Group%d selected in the%sproposal.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=DH-Group ${recvd_dh_group} in the KE payload does notmatch the DH-Group ${selected_dh_group} selected in the ${msg_info}proposal.

VPN LogMessages

Log Catalog 107



Receivedunacceptabletraffic selectorduring firstCHILD SAnegotiation.

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received unacceptabletraffic selector in IKE_AUTHrequest.

IKEv2 first CHILD SA creationfailed because the peer sent anunacceptable traffic selector.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedunacceptable traffic selectorin%s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received unacceptabletraffic selector in ${msg_info}.


IKEv2 peerauthenticationmethodmismatch.

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received authenticationmethod PSK, expecting RSAcertificate.

IKEv2 tunnel negotiation failedbecause the incorrect authenticatemethod was proposed by theremote gateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedauthenticationmethod%s,expecting%s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Receivedauthenticationmethod ${received},expecting ${expected}.


IKEv2 peerauthenticationfailed

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Remote gateway endpointRSA certificate authentication failed.

IKEv2 tunnel negotiation failedbecause the local gateway couldnot authenticate the remotegateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Remote gatewayendpoint %s authenticationfailed.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Remote gatewayendpoint ${auth_method}authentication failed.


IKEv2 PSKmismatch

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Remote gateway endpointauthentication failed due to apossible shared secret mismatch.

IKEv2 tunnel negotiation failedbecause of possible PSKmismatch.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Remote gatewayendpoint authenticationfailed due to a possibleshared secret mismatch.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Remote gatewayendpoint authentication failed due to apossible shared secret mismatch.

VPN LogMessages

Log Catalog 108



ReceivedIKEv2 IKE_SA_INITnotificationerrormessage.

IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received N(NO_PROPOSAL_CHOSEN)message.

IKEv2 IKE_SA_INIT negotiationfailed because the peer sent anotification error message.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received%smessage.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ${notify_msg}message.


ReceivedIKEv2CREATE_CHILD_SA/IKE_AUTHnotificationerrormessage.

IKEv2 IKE_AUTH exchange from10.139.36.185:500 to10.139.36.195:500 failed.Tunnel='tunnel.1'.Reason=Received N(NO_PROPOSAL_CHOSEN)message.

IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failedbecause peer sent a notificationerror message.

IKEv2%s exchange from%s to%s failed.Tunnel='%s'.Reason=Received%smessage.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel_name}'.Reason=Received ${notify_msg}message.


IKEv2 tunnelproposalmismatch.

IKEv2 CREATE_CHILD_SAexchange from 198.51.100.2:500 to203.0.113.2:500 failed.Tunnel='tunnel.1'. Reason=IPSecproposal did not match. Receivedencryption 3DES, expected AES.

The IKEv2message exchangefailed because the IPSec proposalin the receivedmessage did notmatch the expected proposal.

IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=%s

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=${msg_info}


Receivedinvalid SPIduring firstCHILD SAnegotiation.

IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=Peerproposed invalid SPI in IKE_AUTHrequest.

IKEv2 first CHILD SA creationfailed because the peer sent aninvalid SPI.

IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=Peerproposed invalid SPI in%s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=Peer proposed invalid SPI in${msg_info}.

VPN LogMessages

Log Catalog 109


021A001A ERROR VPN /IPSEC

Receivedinvalid SPIduring IKEv2IPSec SArekey

IKEv2 CREATE_CHILD_SAexchange from 172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=Couldnot find child SA by received SPI0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.

IKEv2 IPSec SA rekey failedbecause the peer sent an invalidSPI.

IKEv2%s exchange from%s to%s failed.Tunnel='%s'.Reason=Could not find childSA by received SPI %0x in%s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=Could not find child SA byreceived SPI ${spi} in ${msg_info}.

021A001B ERROR VPN /IPSEC

No responsefrom remotegateway

IKEv2 exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Noresponse for IKE_AUTH requestmessage. Check the connectionbetween the local and remotegateway endpoints.

IKEv2 connection was terminatedbecause there was no responsefrom the remote site.

IKEv2 exchange from%s to%s failed. Gateway-Endpoint='%s'. Reason=Noresponse for%s message.Check the connectionbetween the local andremote gateway endpoints.

IKEv2 exchange from ${local_addr} to${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Noresponse for ${msg_info} message.Check the connection between thelocal and remote gateway endpoints.

021A001D ERROR VPN /IPSEC

IKEv2gateway IDmismatch

IKEv2 IKE_AUTH exchange from198.51.100.2 to 203.0.113.2:500failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=TheMobileVPN with IKEv2 profile is notenabled.

IKEv2 IKE_AUTH negotiationfailed becauseMobile VPN forIKEv2 is not enabled on thisgateway.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=TheMobile VPNwith IKEv2 profile is notenabled.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Mobile VPN with IKEv2profile is not enabled.

021A001E ERROR VPN /IPSEC

IKEv2receivedinvalid EAPinformation

IKEv2 IKE_AUTH EAP exchangefrom 198.51.100.2:4500 to203.0.113.2:4500 failed. Gateway-Endpoint='WG IKEv2MVPN'.Reason='example' authenticationdomain is not configured.

IKEv2 IKE_AUTH EAPnegotiation failed because IKEv2Mobile VPN client sent invalidinformation.

IKEv2%s EAP exchangefrom%s to%s failed.Gateway-Endpoint='%s'.Reason=%s

IKEv2 ${exchange_type} EAPexchange from ${local_addr} to${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}

VPN LogMessages

Log Catalog 110


021A001F ERROR VPN /IPSEC

IKEv2 IKE_SA_INITmessagereceived onwronginterface IP

IKEv2 IKE_SA_INIT exchange from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='gateway.1'.Reason=Receivedmessage withwrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.

IKEv2message exchange failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage with thewrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.


IKEv2 IKE_AUTHmessagereceived onwronginterface IP

IKEv2 IKE_AUTH exchange from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='m500-197'. Reason=Receivedmessagewith the wrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.

IKEv2message exchange failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.

IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.

IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage withwrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.

02030010 INFO VPN /IPSEC

IKE Phase 1matchingMainMode policynot found

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Mainmodematching policynot found

IKE Phase 1 negotiation becauselocal gateway did not find amatching Aggressivemode policy.

IKE phase-1 negotiationfrom%s to%s failed.Reason=Mainmodematching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Mainmodematching policynot found


IKE Phase 1negotiationfailed

IKE phase-1 negotiation from2.2.2.2:500 to 1.1.1.1:500 failed.Reason=Received invalid message

IKE Phase 1 negotiation failedbecause of the reason specified inthe log

IKE phase-1 negotiationfrom%s:%d to%s:%dfailed. Reason=%s

IKE phase-1 negotiation from${src}:${sport} to ${dst}:${dport} failed- ${reason}

VPN LogMessages

Log Catalog 111



Receivedinformationalerror message

Received 'Invalid Exchange Type'message from 172.16.12.81:500 for'gateway.1' gateway endpoint.Check VPN IKE diagnostic logmessages on the remote gatewayendpoint for more information.

Received the specified informationor error message from remotegateway.

Received '%s' messagefrom%s for '%s' gatewayendpoint. Check VPN IKEdiagnostic logmessages onthe remote gatewayendpoint for moreinformation.

Received '${info_msg}' message from${peer_addr} for '${gw-ep}' gatewayendpoint. Check VPN IKE diagnosticlogmessages on the remote gatewayendpoint for more information.


Received IKEmessage forunknownPhase 1 SA

Received IKE message from172.16.13.204:500 for unknown P1SA. Sending delete message toremote gateway 'gateway.1'.

Received IKE message forunknown P1 SA. Sending deletemessage to remote gateway

Received IKE messagefrom%s for unknown P1SA. Sending deletemessage to remote gateway'%s'.

Received IKE message from ${peer_addr} for unknown P1 SA. Sendingdelete message to remote gateway'${gateway}'.


IKE Phase 1messagereceived onwronginterface

IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Reason=Received IKEmessage on wrong interface 'eth0'(index:3). Expecting it to be receivedon 'eth6'.

IKE Phase 1 negotiation failedbecause of IKE message peerwas received on wrong interface.

IKE phase-1 negotiationfrom%s to%s failed.Reason=Received IKEmessage on wrong interface'%s'(index:%d). Expecting itto be received on '%s'.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Received IKE message onwrong interface '${received_if}'(index:${received_ifindex}). Expectingit to be received on '${expected_if}'


Receivedquick modeinformationalerror message

Received 'No Proposal Chosen'message from 172.16.12.81:500 for'tunnel.1' tunnel. Check VPN IKEdiagnostic logmessages on theremote gateway endpoint for moreinformation.

Remote gateway sent aninformation error message inresponse to VPN tunnel proposal.

Received '%s' messagefrom%s for '%s' tunnel.Check VPN IKE diagnosticlogmessages on the remotegateway endpoint for moreinformation.

Received '${info_msg}' message from${peer_addr} for '${tunnel}' tunnel.Check VPN IKE diagnostic logmessages on the remote gatewayendpoint for more information.


DroppedsimultaneousPhase 2negotiation

Dropped a simultaneous phase-2negotiation from the peer172.16.13.204:500

Firebox or XTM device droppedphase-2 negotiation because ofanother Phase 2 negotiation inprogress.

Dropped a simultaneousphase-2 negotiation from thepeer%s

Dropped a simultaneous IPSecnegotiation from the peer ${peer_addr}


Mobile VPNwith IPSecuser

MUVPN user 'user.1' isauthenticated without groupinformation.

SpecifiedMobile VPN with IPSecuser successfully authenticated,but is not amember of any group.

MUVPN user '%s' isauthenticated without groupinformation.

MUVPN user '${user_name}' isauthenticated without groupinformation

VPN LogMessages

Log Catalog 112


connectedwith no group


Mobile usergroupinformation

MUVPN user 'user.1' is amember of'muvpn' group.

SpecifiedMobile VPN with IPSecuser belongs to the specifiedgroup.

MUVPN user '%s' is amember of '%s' group.

MUVPN user '${user_name}' is amember of '${group_name}' group.


IKE phase-1negotiatedsuccessful

BOVPN phase-1main-modecompleted successfully as initiatorfor 'gateway.1' gateway endpoint.local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SAID:0x9d5e7809

IKE phase-1 negotiation wassuccessfully completed.

%s phase-1%s completedsuccessfully as %s for '%s'gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SA ID:0x%08x

${tunnel_type} phase-1 ${nego_mode}completed successfully as ${nego_role} for '${gateway}' gatewayendpoint. local-gw:${src}:${sport}remote-gw:${dst}:${dport} SAID:${p1said}

0203000F INFO VPN /IPSEC

IKE Phase 1matchingaggressivemode policynot found

IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Aggressivemodematchingpolicy not found

IKE Phase 1 negotiation becauselocal gateway did not find amatching aggressivemode policy.

IKE phase-1 negotiationfrom%s to%s failed.Reason=Aggressivemodematching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Aggressivemodematchingpolicy not found

021A0004 INFO VPN /IPSEC

IKEv2 IKE SAis in deletingstate

Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Gateway-Endpoint='gateway.1'.Reason=IKE SA is in DELETINGstate.

Received IKEv2message wasignored because thecorresponding IKE SA to handlethemessage was in DELETINGstate.

Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=IKE SA is in%sstate.

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'Reason=IKE SA is in ${ikev2_ikesa_state} state.

021A0017 INFO VPN /IPSEC

IKEv2 IKE SAestablished

IKEv2 IKE SA establishedsuccessfully as initiator for'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SAID:0xbc2188a5.

IKEv2 IKE SA is establishedbecause IKE_AUTH negotiation isfinished or IKE SA is rekeyed.

IKEv2 IKE SA establishedsuccessfully as %s for '%s'gateway endpoint. local-gw:%s remote-gw:%s SAID:0x%08x.

IKEv2 IKE SA establishedsuccessfully as ${exchange_role} for'${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SA ID:${sa_id}.

021A001C INFO VPN /IPSEC

IKEv2 IKE SAis waiting forthe user

Dropped IKEv2 IKE_AUTHmessage from 198.51.100.2:4500.Gateway-Endpoint='ikev2_

The Firebox ignored an IKEv2message because thecorresponding IKE SA is waiting

Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'

VPN LogMessages

Log Catalog 113


authenticationresult

mobileuser'. Reason=Waiting for theEAP_MSCHAPv2 userauthentication result.

for the user authentication resultfrom the authenticationmodule.

Reason=Waiting for the%suser authentication result.

Reason=Waiting for the ${user-auth-protocol} user authentication result.

021A001C INFO VPN /IPSEC

IKEv2 IKE SAis waiting forthe userauthenticationresult

Dropped IKEv2 IKE_AUTHmessage from 198.51.100.2:4500.Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for theEAP_MSCHAPv2 userauthentication result.

The Firebox ignored an IKEv2message because thecorresponding IKE SA is waitingfor the user authentication resultfrom the authenticationmodule.

Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=Waiting for the%suser authentication result.

Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'Reason=Waiting for the ${user-auth-protocol} user authentication result.

02020001 WARN VPN /IPSEC

IP address notavailable forMobile VPNwith IPSecuser

Virtual IP address from 'abcd'address pool is not available forMobile VPN with IPSec user 'Bob'

All virtual IP addresses allocatedto this Mobile VPN with IPSecgroup are already assigned. NewMobile VPN with IPSec tunnelscannot be established unlessexisting tunnels are deleted.

Virtual IP address from '%s'address pool is not availablefor Mobile VPN with IPSecuser '%s'

Virtual IP address from ${pool_name}address pool is not available forMobile VPN with IPSec user ${user}


Mobile userrejected -maximum userconnectionsreached

RejectedMUVPN IPSec user from2.2.2.2 becausemaximum alloweduser connections has been reached.Maximum:50

SpecifiedMobile VPN with IPSecuser connection rejected becausethe specified concurrent userconnections limit has beenreached. The logmessagespecifies the concurrent userconnections limit.

RejectedMUVPN IPSecuser from%s becausemaximum allowed userconnections has beenreached. Maximum:%d

RejectedMUVPN IPSec user from${peer_addr} becausemaximumallowed user connections has beenreached. Maximum:${max_value}


DPD R_U_THERE_ACKnot received

Remote gateway 'gateway.1' with IP172.16.13.204:500 did not sendDPD R_U_THERE_ACK message.2 retries left

Firebox or XTM device sent aDPD_R_U_THERE request toremote gateway, but did notreceive DPD R_U_THERE_ACKresponse. The logmessagespecifies the number of retriesbefore it will delete the VPNtunnel.

Remote gateway '%s' withIP %s did not send DPD R_U_THERE_ACK message.%d retries left

Remote gateway '${gw-ep}' with IP${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retriesleft.

VPN LogMessages

Log Catalog 114



DPD maxfailure

Remote gateway 'gateway.1' with IP172.16.13.204:500 presumed deaddue to DPD failure. Deleted alltunnels that use this gateway.Check the connection between localand remote gateway endpoints.

The Firebox or XTM devicedeleted a VPN tunnel because theremote gateway did not respond toDPD R_U_THERE requests.

Remote gateway '%s' withIP %s presumed dead dueto DPD failure.%s

Remote gateway '${gw-ep}' with IP${peer_addr} presumed dead due toDPD failure. ${action}


Did notreceiveKEEP_ALIVE_ACKresponse

Remote gateway 'gateway.1' with IP172.16.13.204:500 did not sendKEEP_ALIVE_ACK message. 2retries left.

Firebox or XTM device sent aKEEP_ALIVE request to remotegateway, but did not receiveKEEP_ALIVE_ACK response.The logmessage specifies thenumber of retries before it willdelete the VPN tunnel.

Remote gateway '%s' withIP %s did not send KEEP_ALIVE_ACK message. %dretries left.

Remote gateway '${gw-ep}' with IP${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retriesleft.


Deleted VPNtunnels due tokeep-alivefailure

Remote gateway 'gateway.1' with IP172.16.13.204:500 presumed deaddue to keep-alive negotiation failure.Deleted all tunnels that use thisgateway. Check the connectionbetween local and remote gatewayendpoints.

Firebox or XTM device deleted oneor more VPN tunnels because theremote gateway did not respond tokeep-alive requests.

Remote gateway '%s' withIP %s presumed dead dueto keep-alive negotiationfailure.%s

Remote gateway '${gw-ep}' with IP${peer_addr} presumed dead due tokeep-alive negotiation failure.${action}


ReceivedXAuth failnotification

Received XAuth failed notificationfrom 172.16.24.1:4500.Group:'ToFirebox_mu'

Received notification thatExtended Authentication(XAuth)failed. Aborting XAuth negotiation.

Received XAuth failednotification from%s.Group:'%s'

Received XAuth failed notificationfrom ${peer_addr}. Group:'${gateway}'


Rejected PSKauthentication,Expect clientXAUTHenabled.

Rejected phase-1 authenticationmethod PSK from 172.16.24.1:4500,expecting client XAUTH enabled.

Rejected proposed Phase 1authenticationmethod becauseFirebox or XTM Device expectsclient Extended Authentication(XAuth) enabled.

Rejected phase-1authenticationmethod%sfrom%s, expecting clientXAUTH enabled.

Rejected phase 1 authenticationmethod ${auth_method} from ${peer_addr}, expecting client XAUTHenabled.


Rejected PSKauthentication,Expect server

Rejected phase-1 authenticationmethod PSK from 172.16.24.1:4500,expecting server XAUTH enabled.

Rejected proposed Phase 1authenticationmethod becauseFirebox or XTM Device expects

Rejected phase-1authenticationmethod%sfrom%s, expecting server

Rejected phase 1 authenticationmethod ${auth_method} from ${peer_addr}, expecting server XAUTH

VPN LogMessages

Log Catalog 115


XAUTHenabled.

server Extended Authentication(XAuth) enabled.

XAUTH enabled. enabled.


XAuthnegotiationfailed due tomismatchedmode

XAuth negotiation from172.16.24.1:4500 failed due to amismatched XAuthMode.

Mobile VPN with IPSec ExtendedAuthentication(XAuth) negotiationfailed because of mismatchedauthenticationmode.

XAuth negotiation from%sfailed due to amismatchedXAuthMode.

XAuth negotiation from ${peer_addr}failed due to amismatchedXAuthMode


Mobile VPNwith IPSecauthenticationfailed becauseofunresponsivepeer

MUVPN user authentication faileddue to unresponsive peer at172.16.24.1:4500

Mobile VPN with IPSec userauthentication failed because thepeer did not respond.

MUVPN user authenticationfailed due to unresponsivepeer at %s

MUVPN user authentication faileddue to unresponsive peer at %s

0205000F WARN VPN /IPSEC

RejectedPhase 2negotiationdue toincorrectgateway

Rejected phase-2 negotiation from172.16.12.82:500 because'gateway.1*1' is not the preferredIKE gateway endpoint.

Rejected Phase 2 negotiation theproposal did not use the preferredIKE gateway endpoint.

Rejected phase-2negotiation from%sbecause '%s' is not thepreferred IKE gatewayendpoint.

Rejected quick mode negotiation from${peer_addr} because '${gw-ep}' is notthe preferred IKE gateway endpoint.

5B010004 INFO VPN /L2TP

Update usersession

UpdatedMobile VPN with L2TPsession for user 'Firebox-DB\test',virtual IP address '192.168.113.2'.

Mobile VPN with L2TP updatedthe session for the specified user.The logmessage specifies theassigned virtual IP address.

UpdatedMobile VPN withL2TP session for user'%s\%s', virtual IP address'%s'.

—


Delete usersession

DeletedMobile VPN with L2TPsession for user 'Firebox-DB\test',virtual IP address '192.168.113.2'.

Deleted aMobile VPN with L2TPsession with the specified virtualIP address.

DeletedMobile VPN withL2TP session for user'%s\%s', virtual IP address'%s'.

—

25000000 INFO VPN /SSLVPN

User login Mobile VPN with SSL user tsmithlogged in. Virtual IP address is

A user logged in to VPN with SSL.The logmessage specifies the

%s %s logged in. Virtual IPaddress is %s. Real IP

${vpn_user_type} ${user_name}logged in. Virtual IP address is

VPN LogMessages

Log Catalog 116


192.168.113.2. Real IP address is192.51.100.2.

VPN user type,and the user'sname, virtual IP address, and realIP address.

address is %s. ${virtual_ipaddr}. Real IP address is${real_ipaddr}.

25000001 INFO VPN /SSLVPN

User log off Mobile VPN with SSL user tsmithlogged off. Virtual IP address is192.168.113.2.

The VPN with SSL user with thespecified virtual IP address loggedout.

%s %s logged off. Virtual IPaddress is %s.

${vpn_user_type} ${user_name}logged off. Virtual IP address was${virtual_ipaddr}.

VPN LogMessages

Log Catalog 117

EventVPN logmessages of theEvent log type.



IKE processstarts

WatchGuard iked v11.6.B341909 (C)1996-2012WatchGuardTechnologies Inc. starts at Wed Jun30 21:49:08 2012

The IPSec IKE process started. WatchGuard iked v%s %s startsat %s

—


Configurationupdatestarted

Started processing a configurationsetting

An IPSec configuration update started. Started to process aconfiguration setting

—


Configurationupdatecompleted

A configuration setting has beenprocessed successfully

An IPSec configuration update wassuccessfully completed.

A configuration setting has beenprocessed successfully

—


Tunnelestablishedor re-keyed

'gateway.1' BOVPN IPSec tunnel isestablished. local:192.168.81.0/28remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256frole:responder

The IPSec tunnel was established or re-keyed successfully. The logmessageincludes the security associationidentifiers.

'%s' %s IPSec tunnel is %s.local:%s remote:%s in-SA:0x%08x out-SA:0x%08xrole:%s

${gateway} ${tunnel_type} IPSectunnel is ${action}. local:${local}remote:${remote} in-spi:${in_spi}out-spi:${out_spi} role:${nego_role}


IKE process-- FireClusterrole changed

A FireCluster failover occurred. Thecluster master has changed.

The cluster master has changedbecause of a FireCluster failover. Thelocal device will not handle IKEnegotiation.

A FireCluster failover occurred.The cluster master has changed.

—


Device notactivated

WARNING! Tunnel negotiation isNOT allowed because the local boxis not activated yet(no"LIVESECURITY" feature key isfound)!!

The device is not activated. IPSectunnels cannot be established.

WARNING! Tunnel negotiationis NOT allowed because thelocal box is not activated yet(no"LIVESECURITY" feature key isfound)!!

—

VPN LogMessages

Log Catalog 118



BOVPNtunnel limitreached

Themaximum number of allowedactive BOVPN tunnels has beenreached (Maximum: 500 Current:500).

Themaximum allowed number ofBOVPN tunnel routes have beenestablished. No new tunnel routes canbe created until active tunnel routesexpire or are deleted.

Themaximum number of activeallowed BOVPN tunnels hasbeen reached (Maximum: %dCurrent: %d)

—


Configurationupdated

Updating configuration for MobileVPN with L2TP.

TheMobile VPN with L2TP daemonreceived a configuration update.

Updating configuration for MobileVPN with L2TP.

—


Daemonstopped

StoppedMobile VPN with L2TPdaemon.

TheMobile VPN with L2TP daemonstopped.

StoppedMobile VPN with L2TPdaemon.

—

VPN LogMessages

Log Catalog 119

Mobile Security Log MessagesMobile Security logmessages are generated for activity related to traffic through your Firebox frommobile devices. This includes traffic related to FireClient and Endpoint Manager.

EventMobile Security logmessages of theEvent log type.


70000001 ERROR MobileSecurity/EndpointManager

Mobilesecuritylicense limitreached

Rejected a FireClient user loginbecause the licensedmaximum number ofconcurrent Mobile Securityusers has been reached.Maximum: 50

A user login from FireClient was rejected because thenumber of concurrently connectedMobile Security usershas reached the limit supported by theMobile Securitylicense. The logmessage specifies themaximumallowed number of concurrent Mobile Security users.

Rejected a FireClient userlogin because the licensedmaximum number ofconcurrent Mobile Securityusers has been reached.Maximum: %d

—

70010000 INFO MobileSecurity/EndpointManager

Mobiledeviceconnect

Mobile device eee66f78-3d74-4002-8161-95938dca4390 isconnected.

FireClient on the device has connected to the Firebox. Mobile device%s isconnected.

—


Mobiledevice useralready login

Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe has already logged in.

User has logged in to Firebox from the device prior to theconnection request.

Mobile device%s: user%shas already logged in.

—


Mobiledevice userlogin

Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe logged in.

User has logged in to Firebox through FireClient on thedevice.

Mobile device%s: user%slogged in.

—

Mobile Security LogMessages

Log Catalog 120



Mobiledevice userlogout

Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe logged out.

User has logged out of Firebox from FireClient on thedevice.

Mobile device%s: user%slogged out.

—


Mobiledevice idledisconnected

Mobile device eee66f78-3d74-4002-8161-95938dca4390 isdisconnected due to FireClientinactivity.

FireClient on the device is considered disconnected dueto inactivity.

Mobile device%s isdisconnected due toFireClient inactivity.

—


Mobiledevicedisconneted

Mobile device eee66f78-3d74-4002-8161-95938dca4390 isdisconnected.

FireClient on the device has disconnected. Mobile device%s isdisconnected.

—


MobiledeviceUnknowncompliance

Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status is Unknown.

Mobile device compliance status is Unknown. Thiscould be because the compliance check is in progress,or because FireClient on the device is not responding.

Mobile device%scompliance status isUnknown.

—


MobiledeviceCompliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status isCompliant.

Mobile device compliance status is Compliant, becauseit meets the compliance requirements.

Mobile device%scompliance status isCompliant.

—


Mobiledevice NotCompliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status is NotCompliant.

Mobile device compliance status is Not Compliant,because it does not meet the compliance requirements.

Mobile device%scompliance status is NotCompliant.

—


Log Catalog 121



Mobiledevice usersessionrecreated

Mobile device eee66f78-3d74-4002-8161-95938dca4390:session for user joe isrecreated.

User session is recreated because themobile device IPaddress changed. .

Mobile device%s: sessionfor user%s is recreated.

—


MobiledeviceAuthorizationAgreementsign action

Mobile device eee66f78-3d74-4002-8161-95938dca4390:device authorization agreement(version 1) is accepted by userjoe on 2015-09-01 09:10:12+0800.

The Device Authorization Agreement is either acceptedor declined by a user at the specified local time.

Mobile device%s: deviceauthorization agreement(version%d) is %s by user%s on%s.

device ${device id}:device authorizationagreement (version${ver_number}) is${action} by user${user} on ${local_time}

70000002 WARN MobileSecurity/EndpointManager

Mobilesecuritylicense highwatermarkreached

The number of connectedMobile Security users hasreached 90 percent of thelicensed capacity. Maximum:50

The number of concurrently connectedMobile Securityusers has reached 90 percent of the capacity supportedby theMobile Security license. The logmessagespecifies the supportedmaximum number of concurrentMobile Security users.

The number of connectedMobile Security users hasreached 90 percent of thelicensed capacity.Maximum: %d

—


Log Catalog 122

Fireware v12.3 Log Catalog - WatchGuard Technologies

Documents

Transcript of Fireware v12.3 Log Catalog - WatchGuard Technologies