Fireware v12.3 Log Catalog - WatchGuard Technologies
-
Upload
khangminh22 -
Category
Documents
-
view
2 -
download
0
Transcript of Fireware v12.3 Log Catalog - WatchGuard Technologies
Copyright, Trademark, and Patent InformationInformation in this guide is subject to change without notice. No part of this guidemay be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the expresswritten permission of WatchGuard Technologies, Inc.
Copyright© 1998–2019WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in theCopyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Revised: April 2019
About WatchGuard
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, NextGeneration Firewall, secureWi-Fi, and network intelligence products and services tomore than 75,000 customers worldwide. Thecompany’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, makingWatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, withoffices throughout North America, Europe, Asia Pacific, and Latin America. To learnmore, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedInCompany page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them atwww.secplicity.org.
Address505 Fifth Avenue South
Suite 500Seattle,WA98104
Supportwww.watchguard.com/support
U.S. and Canada +877.232.3531AllOther Countries+1.206.521.3575
SalesU.S. and Canada +1.800.734.9905
AllOther Countries+1.206.613.0895
Copyright, Trademark, and Patent Information
Log Catalog i
ContentsCopyright, Trademark, and Patent Information i
Introduction to the Log Catalog 1
About Log Messages 1
Types of LogMessages 1
Traffic LogMessages 1
Alarm LogMessages 2
Event LogMessages 2
Debug (Diagnostic) LogMessages 2
Statistic LogMessages 3
Read a Log Message 3
Firewall Log Messages 6
Alarm 6
Diagnostic 10
Event 12
Traffic 14
Networking Log Messages 16
Diagnostic 16
Event 26
Proxy Policy Log Messages 37
Event 37
Traffic 38
Management Log Messages 75
Diagnostic 75
Log Catalog ii
Event 77
FireCluster Log Messages 86
Diagnostic 86
Event 88
Security Services Log Messages 93
Event 93
VPN Log Messages 95
Alarm 95
Diagnostic 95
Event 118
Mobile Security Log Messages 120
Event 120
Introduction to the Log CatalogYou can use the tools available inWatchGuard Dimension, WatchGuard SystemManager(WSM), and FirewareWebUI to review the logmessages and events that occur on yourWatchGuard Firebox devices, to examine the activity on your network. Logmessages give youimportant information about the flow of traffic through your network, and are a key component tohelp you troubleshoot problems on your network.
The Fireware Log Catalog describes many of the types of logmessages that your Firebox cangenerate. It includes examples of logmessages for Firebox devices that run Fireware OS,grouped by the product area.
All logmessages included in the Log Catalog are first organized into topics by product area andthen separated into sections in each topic by the logmessage type:
n ALARM— Alarm logmessagesn DIAG—Debug (Diagnostics) logmessagesn EVENT— Event logmessagesn STAT— Statistics logmessagesn TRAFFIC — Traffic logmessages
For more information about logmessage types, seeAbout LogMessages.
Only logmessages that are assigned amessage ID number are included inthe Log Catalog.
To review the logmessages that are defined in the Log Catalog, you can expand the LogMessages section and select a topic for a product area, expand the section for a logmessagetype, and review the logmessage lists to find a specific logmessage.
n To expand a single section, click .n To collapse a single section, click .
n To expand all the sections in a topic, at the top of the topic window, click .
n To collapse all the sections in a topic, at the top of the topic window, click .
Introduction to the Log Catalog
Log Catalog 1
You can also search the Log Catalog for the specific details included in a logmessage.
For more information about options to search the Log Catalog, see Search the Log Catalog.
About Log MessagesYour Firebox can send logmessages to an instance of Dimension, aWSM Log Server, or a syslogserver. You can also configure your Firebox to store logmessages locally on the Firebox. You canuse Traffic Monitor in FirewareWebUI or Firebox SystemManager (FSM) to review logmessages inreal-time. If you send logmessages to Dimension, you can use the Dimension LogManager to reviewthe logmessages from your Firebox devices. If you send logmessages to aWSM Log Server, youcan use LogManager inWatchGuardWebCenter to review logmessages after they are generatedand processed by the Log Server.
Types of Log MessagesFirebox devices can send several types of logmessages for events that occur on the Firebox. Eachmessage includes themessage type in the text of themessage. The logmessages types are:
n Trafficn Alarmn Eventn Debug (Diagnostic)n Statistic
Traffic and event logmessages, and some alarm logmessages, automatically appear in TrafficMonitor by default; you do not have to enable any settings on your Firebox to generate them. Themajority of the other logmessage types must be enabled in the device configuration file before theyappear in Traffic Monitor or LogManager.
Traffic Log MessagesMost of the logmessages that appear in Traffic Monitor are traffic logmessages. Traffic Monitorshows all of the logmessages that are generated by your Firebox and are recorded in your log file.Traffic logmessages show the traffic that moves through your Firebox and how the packet filter andproxy policies were applied. A traffic logmessage can include details that show how NAT (networkaddress translation) was handled for a packet.
The traffic logmessages for traffic managed by packet filter policies contain a set number offields. The information for the same traffic logmessage will look different in Traffic Monitor thanin LogManager.
For a traffic logmessage generated by traffic managed by a proxy policy, your Fireboxgenerates more than one logmessage. The first entry shows the same information as a packetfilter logmessage, but includes this additional information:
proxy_act
The name of the proxy action that handles this packet. A proxy action is a set of rules fora proxy that can be applied tomore than one policy.
rule_name
The name of the specific proxy rule that handles this packet.
content_type
The type of content in the packet that is filtered by the proxy rule.
Other proxy logmessages include a variable number of fields.
Alarm Log MessagesAlarm logmessages are sent when an event occurs that triggers the Firebox to run a command.When the alarm condition is matched, the Firebox generates an alarm logmessage that youcan see in Traffic Monitor, sends the logmessage to your Dimension server, WSM Log Server,or syslog server, and then it completes the specified action for the event.
You can configure your Firebox to send alarm logmessages for specific events that occur onyour device. For example, you can configure an alarm to occur when a specified valuematchesor exceeds a threshold. Other alarm logmessages are set by the Firebox OS, with values thatyou cannot change. For example, the Firebox sends an alarm logmessage when a networkconnection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.
There are eight categories of alarm logmessages:
n Systemn IPSn AV
Introduction to the Log Catalog
Log Catalog 2
n Policyn Proxyn Countern Denial of Servicen Traffic
The Firebox does not sendmore than 10 alarms in 15minutes for the same conditions.
Event Log MessagesEvent logmessages are generated for activity on your Firebox that is related to actions by the Fireboxand users. Actions that can cause the Firebox to send an event logmessage include:
n Firebox start up and shut downn Firebox and VPN authenticationn Process start up and shut downn Problems with Firebox hardware componentsn Any task completed by a device administrator
Debug (Diagnostic) Log MessagesDebug logmessages include detailed diagnostic information that you can use to help troubleshootproblems on your Firebox . There are 27 different product components that can send debug logmessages. When you configure the logging settings on your Firebox you can specify the level ofdiagnostic logging to see for each different product component enabled on your Firebox. The availablelevels are:
n Offn Errorn Warningn Informationn Debug
Statistic Log MessagesStatistic logmessages include information about the performance of your Firebox. You canconfigure your Firebox to generate logmessages about external interface performance, VPNbandwidth statistics, and Security Services statistics. You can review these logmessages todetermine what changes are necessary in your Firebox settings to improve performance. Tosee these logmessages, performance statistic loggingmust be enabled on the Firebox.
Read a Log MessageEach logmessage generated by your Firebox includes a string of data about the traffic on yourFirebox. If you review the logmessages in Traffic Monitor, the details in the data have differentcolors applied to them to help visually distinguish each detail.
Here is an example of one traffic logmessage from Traffic Monitor:
2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10S 2982213793 win 2105" msg_id="3000-0148"
When you read logmessages, you can see details about when the connection for the trafficoccurred, the source and destination of the traffic, as well as the disposition of the connection,and other details.
Each logmessage includes these details:
Time Stamp
The logmessage line begins with a time stamp that includes the time and date that thelogmessage was created. The time stamp uses the time zone and current time from theFirebox.
This is the time stamp from the example logmessage above:
2014-07-02 17:38:43
Read a LogMessage
Log Catalog 3
FireCluster Member Information
If the logmessage is from a Firebox that is amember of a FireCluster, the logmessageincludes the cluster member number for the Firebox.
This is the FireCluster member information from the example logmessage above:
Member2
Disposition
Each logmessage indicates the disposition of the traffic: Allow or Deny. If the logmessage isfor traffic that was managed by a proxy policy instead of a packet filter policy, the traffic maybemarked Allow even though the packet body was stripped or altered by the proxy action.
This is the disposition from the example logmessage above:
Allow
Source and Destination Addresses
After the disposition, the logmessage shows the actual source and destination IP addressesof the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the logmessage.
These are the source and destination addresses from the example logmessage above:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the logmessage are the service and protocol that managed the traffic. Theservice is specified based on the protocol and port the traffic used, not the name of the policythat managed the traffic. If the service cannot be determined, the port number appears instead.
These are the service and protocol from the example logmessage above:
webcache/tcp
Source and Destination Ports
The next details in the logmessage are the source and destination ports. The source portidentifies the return traffic. The destination port determines the service used for the traffic.
These are the source and destination ports from the example logmessage above:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are thephysical or virtual interfaces that handle the connection for this traffic.
These are the source and destination interfaces from the example logmessage above:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicateswhether the contents of the packet are allowed, dropped, or stripped.
This is the connection action from the example logmessage above:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (TimeTo Live) value. TTL is ametric used to prevent network congestion by only allowing thepacket to pass through a specific number of routing devices before it is discarded.
These are the packet length numbers from the example logmessage above:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00)is automatically appended to policy names, and is part of the internal reference systemon the Firebox.
This is the policy name from the example logmessage above:
(Outgoing-proxy-00)
Process
This section of the logmessage shows the process that handles the traffic.
This is the process from the example logmessage above:
Read a LogMessage
Log Catalog 4
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is the return code from the example logmessage above:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after itleaves the Firebox interface and the NAT rules have been applied. A destination NAT IPaddress can also be included.
This is the NAT address from the example logmessage above:
src_ip_nat="69.164.168.163"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packetthat initiates the connection. The packet size details that are included depend on the protocoltype.
This is the packet size from the example logmessage above:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of logmessage includes a uniquemessage identification number. When you reviewa logmessage in Traffic Monitor, themessage ID number can appear as the value for eitherthe msg_id= detail or the id= detail. In LogManager, themessage ID number appears as thevalue for the id= detail.
Some logmessages do not include amessage ID number. Only logmessages that areassigned amessage ID number are included in the Log Catalog.
The is themessage ID number from the example logmessage above:
msg_id="3000-0148"
Themessage ID numbers included in the Log Catalog do not include the hyphens thatappear in themessage ID number in Traffic Monitor and LogManager. Tomake sure youcan locate themessage ID number in the Log Catalog, when you search the Log Catalogfor themessage ID, remove the hyphen from themessage ID number.
For example, to search for information about message ID number 3000-0148, in theSearch Log Catalog text box, type 300000148.
Read a LogMessage
Log Catalog 5
Firewall Log MessagesFirewall logmessages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can includemessages related tofeature keys, subscription services, server load balancing, and other features configured on your Firebox.
AlarmFirewall logmessages of theAlarm log type.
ID Level Area Name Log Message Example Description Format Message Variables
30000152 INFO Firewall/PacketFilter
IPv4sourcerouteattack
IPv4 source route attack from 10.0.1.34detected.
IPv4 source route attack wasdetected.
IPv4 source route attack from%s detected.
IPv4 source route from ${src} detected.
30000153 INFO Firewall/PacketFilter
IPv4 SYNfloodattack
SYN flood attack against 10.0.1.51 from216.3.21.4 detected.
IPv4 SYN flood attack wasdetected.
SYN flood attack against %sfrom%s detected.
SYN flood attack against ${dst} from${src} detected.
30000154 INFO Firewall/PacketFilter
IPv4 ICMPfloodattack
ICMP flood attack against 10.0.1.51 from216.3.21.4 detected.
IPv4 ICMP flood attack wasdetected.
ICMP flood attack against$dst from $src detected.
ICMP flood attack against ${dst} from${src} detected.
30000155 INFO Firewall/PacketFilter
IPv4 UDPfloodattack
UDP flood attack against 32.21.56.8 from12.34.23.67 detected.
IPv4 UDP flood attack wasdetected.
UDP flood attack against %sfrom%s detected.
UDP flood attack against ${dst} from${src} detected.
30000156 INFO Firewall/PacketFilter
IPv4IPSECfloodattack
IPSEC flood attack against 32.21.56.8 from12.34.23.67 detected.
IPv4 IPSEC flood attack wasdetected.
IPSEC flood attack against%s from%s detected.
IPSEC flood attack against $dst from$src detected.
30000157 INFO Firewall IPv4 IKE IKE flood attack against 32.21.56.8 from12.34.23.67 detected.
IPv4 IKE flood attack wasdetected
IKE flood attack against %sfrom%s detected.
IKE flood attack against ${dst} from${src} detected.
Firewall LogMessages
Log Catalog 6
ID Level Area Name Log Message Example Description Format Message Variables
/PacketFilter
floodattack
30000158 INFO Firewall/PacketFilter
IPv4 scanattack
IP scan attack against 32.21.56.8 from12.34.23.67 detected.
IPv4 scan attack wasdetected.
IP scan attack against %sfrom%s detected.
IP scan attack against ${dst} from ${src}detected.
30000159 INFO Firewall/PacketFilter
IPv4 portscanattack
PORT scan attack against 32.21.56.8 from12.34.23.67 detected.
IPv4 port scan attack wasdetected.
PORT scan attack against %sfrom%s detected.
Port scan attack against ${dst} from${src} detected.
30000160 INFO Firewall/PacketFilter
IPv4DDOSagainstserver
DDOS against server 10.0.1.34 detected. IPv4 DDOS attack against aserver was detected.
DDOS against server%sdetected.
DDOS against server ${dst} detected.
30000161 INFO Firewall/PacketFilter
IPv4DDOSattack fromclient
DDOS from client 10.0.1.34 detected. IPv4 DDOS attack from aclient was detected.
DDOS from client $srcdetected.
DDOS from client ${src} detected.
30000162 INFO Firewall/PacketFilter
IPv6 SYNfloodattack
SYN flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.
IPv6 SYN flood attack wasdetected.
SYN flood attack against %sfrom%s detected.
SYN flood attack against ${dst} from${src} detected.
30000163 INFO Firewall/PacketFilter
IPv6 ICMPfloodattack
ICMP flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.
IPv6 ICMP flood attack wasdetected.
ICMP flood attack against %sfrom%s detected.
ICMP flood attack against ${dst} from${src} detected.
Firewall LogMessages
Log Catalog 7
ID Level Area Name Log Message Example Description Format Message Variables
30000164 INFO Firewall/PacketFilter
IPv6 UDPfloodattack
UDP flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.
IPv6 UDP flood attack wasdetected.
UDP flood attack against %sfrom%s detected.
UDP flood attack against ${dst} from${src} detected.
30000165 INFO Firewall/PacketFilter
IPv6IPSECfloodattack
IPSEC flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.
IPv6 IPSEC flood attack wasdetected.
IPSEC flood attack against%s from%s detected.
IPSEC flood attack against ${dst} from${src} detected.
30000166 INFO Firewall/PacketFilter
IPv6 IKEfloodattack
IKE flood attack against2001:0db8:85a3:08d3:1319:8a2e:0370:7344from FF01::101 detected.
IPv6 IKE flood attack wasdetected.
IKE flood attack against %sfrom%s detected.
IKE flood attack against ${dst} from${src} detected.
30000167 INFO Firewall/PacketFilter
AlarmTrafficmatchedpolicy
Policy Name: HTTP-00 Source IP Address:10.0.1.20 Source Port: 4107 Destination IPAddress: 61.135.169.125 Destination Port:80
An alarm logmessage wassent for traffic that matchedthe specified policy.
Policy Name: %s Source IPAddress: %s Source Port: %dDestination IP Address: %sDestination Port: %d
Policy Name: ${pcy_name} Source IPAddress: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip}Destination Port: ${dst_port}
30000168 INFO Firewall/PacketFilter
Blockedsite
Blocked site: Traffic detected from 10.0.1.2to 61.231.45.165.
Traffic was detected to orfrom a blocked site.
Blocked site: Traffic detectedfrom%src to%dst.
Blocked site: Traffic detected from ${src}to ${dst}.
30000169 INFO Firewall/PacketFilter
IP spoofing IP spoofing: Traffic detected from 10.0.1.2to 43.123.12.26.
IP spoofing was detectedfrom the IP address specifiedin the logmessage.
IP spoofing: Traffic detectedfrom%src to%dst.
IP spoofing: Traffic detected from ${src}to ${dst}.
30000169 INFO Firewall/PacketFilter
IP spoofing IP spoofing: Traffic detected from 10.0.1.2to 43.123.12.26.
IP spoofing was detectedfrom the IP address specifiedin the logmessage.
IP spoofing: Traffic detectedfrom%src to%dst.
IP spoofing: Traffic detected from ${src}to ${dst}.
30000170 INFO Firewall Connection The total number of current sessions (1024) The total number of current The total number of current The total number of current sessions
Firewall LogMessages
Log Catalog 8
ID Level Area Name Log Message Example Description Format Message Variables
/PacketFilter
table highwater mark
has reached the high water mark (1024). sessions reached the highwater mark (80%) of themaximum connection table.
sessions (%u) has reached thehigh water mark (%d).
(${value1}) has reached the high watermark (${value2}).
30000170 INFO Firewall/PacketFilter
Connectiontable highwater mark
The total number of current sessions (1024)has reached the high water mark (1024).
The total number of currentsessions reached the highwater mark (80%) of themaximum connection table.
The total number of currentsessions (%u) has reached thehigh water mark (%d).
The total number of current sessions(${value1}) has reached the high watermark (${value2}).
30000171 INFO Firewall/PacketFilter
Conntracktable is full
The number of connections (2048) hasreached the configured limit (2048).
The conntrack table is full.The number of connectionshas reached the configuredlimit.
The number of connections(%u) has reached theconfigured limit (%d).
The number of connections (${value1})has reached the configured limit(${value2}).
30000172 INFO Firewall/PacketFilter
Blockedport
Blocked port: Traffic detected from 10.0.1.2to 61.231.45.165 on port 513.
Traffic was detected on ablocked port.
Blocked port: Traffic detectedfrom%src to%dst on port%port.
Blocked port: Traffic detected from ${src}to ${dst} on port ${port}.
Firewall LogMessages
Log Catalog 9
DiagnosticFirewall logmessages of theDebug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
3000003A ERROR Firewall/PacketFilter
Unable toreadfeaturekeys
Unable to read the featurekeys, some features may beunavailable
Unable to read feature keys file or failto parse feature keys file. Featuresthat require a correct feature key willnot function.
Unable to read the feature keys, somefeatures may be unavailable
—
3000003C ERROR Firewall/PacketFilter
No routeto HTTPredirecthost
Route look up on HTTPredirect host 192.168.111.10for policy "FTP-00" failed,local redirect may not work
Route look up on HTTP redirect hostfor the specified policy failed, andlocal HTTP redirect may not work.
Route look up on HTTP redirect host%u.%u.%u.%u for policy "%s" failed, localredirect may not work
—
3000012E ERROR Firewall/PacketFilter
Possibleloop orARPspoofingdetected
Cannot relearn systemMACaddress, possible loop orMAC spoofing,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5
The appliance received an ARPpacket sent from one of its ownMACaddresses. It is possibly a network orcabling loop, or another device isfaking this device's MAC address.
Cannot relearn systemMAC address,possible loop or MAC spoofing,ip=%hu.%hu.%hu.%hu,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u
Cannot relearn systemMACaddress, possible loop or anotherdevice is faking this device'sMAC address, ip=${ip},mac=${mac},interface=${interface}
30000006 INFO Firewall/PacketFilter
Featuresettingsupdated
Application control settingsupdated
Firewall settings for the featurespecified in themessage have beenupdated
%s settings updated —
30000027 INFO Firewall/PacketFilter
Firewallis startingup
Firewall is starting up — Firewall is starting up —
30000028 INFO Firewall/PacketFilter
Firewallisshuttingdown
Firewall is shutting down — Firewall is shutting down —
Firewall LogMessages
Log Catalog 10
ID Level Area Name Log Message Example Description Format Message Variables
30000029 INFO Firewall/PacketFilter
Addressexemptedfromblockedsites
IP address 192.168.111.254will not be added to theblocked sites list because itis exempt
The particular IP address is anexemption and will not be added tothe blocked sites list
IP address %s will not be added to theblocked sites list because it is exempt
IP address ${ip} will not be addedto the blocked sites list becauseit is exempt
30000040 INFO Firewall/PacketFilter
Blockedsite idletimeout
Idle timeout has occurred forblocked site 192.168.111.10
Idle timeout has occurred for thespecified blocked site, and it will beremoved from the blocked sites list.
Idle timeout has occurred for blocked site%s
—
3000002A INFO Firewall/PacketFilter
Addressalreadyblocked
IP address 192.168.111.10will not be added to theblocked sites list because italready exists.
— IP address %s will not be added to theblocked sites list because it already exists.
IP address ${ip} will not be addedto the blocked sites list becauseit already exists.
3000012D INFO Firewall/PacketFilter
VerifyARPentry
Verify ARP entry for host at192.168.111.10
The appliance sent an ARP request toverify learned ARP entry for a givenhost.
Verify ARP entry for host at%hu.%hu.%hu.%hu
—
Firewall LogMessages
Log Catalog 11
EventFirewall logmessages of theEvent log type.
ID Level Area Name Log Messag Example Description Format Message Variables
3000012C ERROR Firewall/PacketFilter
ARPspoofingattack
ARP spoofing attackdetected,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5
Detected an ARP spoofing attack. The logmessage specifies the source IP address,MAC address, and incoming interface of theARP packet.
ARP spoofing attack detected,ip=%u.%u.%u.%u,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u
ARP spoofing attackdetected, ip=${ip},mac=${mac},interface=${interface}
30000004 INFO Firewall/PacketFilter
ApplicationControlfeatureexpired
The Application Controlfeature has expired.
The feature key for your Application Controlsubscription has expired.
The Application Control feature has expired. —
30000005 INFO Firewall/PacketFilter
IPSfeatureexpired
The IPS feature has expired. The feature key for your Intrusion PreventionServices subscription has expired.
The IPS feature has expired. —
3000002F INFO Firewall/PacketFilter
Featurenotsupportedby featurekey
Feature key does notsupport the feature Policybased routing.
The device feature key does not support thespecified feature.
Feature key does not support the feature%s.
No valid ${featurename} feature
Firewall LogMessages
Log Catalog 12
ID Level Area Name Log Messag Example Description Format Message Variables
300000C9 INFO Firewall/PacketFilter
LoadBalanceServer(TCPProbe)
TCP probe packets timeout,Load Balance Server10.10.10.100 port 3030 isoffline.
Load Balance Server status update due toresponse or lack of response to a TCP Probepacket. The logmessage specifies the serverIP address and port.
%s %s , Load Balance Server%hu.%hu.%hu.%hu port %d is %s.
${probemethod}${reason}, LoadBalance Server ${ip}port ${port} is ${status}
300000CB INFO Firewall/PacketFilter
LoadBalanceServer(ICMPProbe)
ICMP probe packetstimeout, Load BalanceServer 10.10.10.100 isoffline.
Update to status of Load Balance Server dueto success or failure of ICMP Probe packet.The logmessage specifies the server IP andstatus.
%s %s , Load Balance Server%u.%u.%u.%u is %s.
${probemethod}${reason}, LoadBalance Server ${ip} is${status}
Firewall LogMessages
Log Catalog 13
TrafficFirewall logmessages of the Traffic log type.
ID Level Area Name Log Message Example Description Format Message Variables
30000148 INFO Firewall/PacketFilter
Normaltraffic
Allow Firebox 0-External 52 tcp 20 12710.0.1.2 206.190.60.138 62443 80 offset 8 S832026162 win 8192 (HTTP-00)
Details ofnormal trafficeither allowedor denied bythe firewallpolicyspecified inthe logmessage.
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}][${route_type}] ${policy_name}
30000149 INFO Firewall/PacketFilter
ApplicationControlTrafficidentified
Allow 1-Trusted 0-External 40 tcp 20 12710.0.1.2 206.190.60.138 53008 80 offset 5 AF3212213617 win 257 app_name="WorldWideWebHTTP" cat_name="Network Protocols"app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2"msg="Application identified" (HTTP-00)
ApplicationControlidentifiedtraffic for anapplication.
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\"app_cat_id=\"%d\" app_ctl_disp=\"%d\" msg=\"%s\" (%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp}msg=${msg} [${route_type}] ${policy_name}
30000150 INFO Firewall/PacketFilter
IPS Trafficdetected
Deny 1-Trusted 0-External 1440 tcp 20 6110.0.1.2 192.168.130.126 55810 80 offset 5 A447868619 win 54 signature_name="EXPLOITApple QuickTime FLIC Animation file bufferoverflow -1-2" signature_cat="Misc"signature_id="1112464" severity="4"msg="IPS detected" (HTTP-00)
IPS detectedtraffic thatmatches anIPSsignature.
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d signature_name=\"%s\"signature_cat=\"%s\"signature_id=\"%s\"severity=\"%d\" msg=\"%s\"(%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity}msg=${msg} [${route_type}] ${policy_name}
30000151 INFO Firewall/PacketFilter
Trafficconnectionterminated
Allow 1-Trusted 0-External tcp 10.0.1.2220.181.90.24 53018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)
Record for aterminatedconnection
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\"duration=\"%d\" sent_
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}]appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_
Firewall LogMessages
Log Catalog 14
ID Level Area Name Log Message Example Description Format Message Variables
bytes=\"%d\" rcvd_bytes=\"%d\" (%s)
bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes}${policy_name}
30000173 INFO Firewall/PacketFilter
Hostiletraffic
Deny 0-External Firebox 52 tcp 20 127206.190.60.138 10.0.0.1 62443 80 offset 8 S832026162 win 8192 blocked sites (InternalPolicy)
Details ofhostile trafficdenied by thefirewallinternalpolicy.
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)
${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL}{${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]
Firewall LogMessages
Log Catalog 15
Networking Log MessagesNetworking logmessages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP serverrequests, FireCluster management, link monitoring, and wireless connections.
DiagnosticNetworking logmessages of theDebug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
09000001 ERROR Networking /PPPoE
DuplicatePPPoEInstanceError
Another instance of PPPoE is running Another instance ofthe PPPoE processis already active inthe system.
Another instance of PPPoE is running —
09000002 ERROR Networking /PPPoE
InvalidPPPoEautomaticrestartsettings
PPPoE automatic restart settings are invalid,automatic restart will not be used
Automatic restart ofPPPoE is disableddue to invalidsettings.
PPPoE automatic restart settings are invalid,automatic restart will not be used
—
09000006 INFO Networking /PPPoE
InitiatePPPoEautomaticrestart
Initiating PPPoE automatic restart PPPoE instance willrestart automatically.
Initiating PPPoE automatic restart —
09000007 WARN Networking /PPPoE
Skip PPPoEautomaticrestart
Skipped PPPoE automatic restart because thelink was not up
PPPoE instance willnot restartautomatically due tono link.
Skipped PPPoE automatic restart because thelink was not up
—
31000003 INFO Networking /NetworkManagement
InitiategratuitousARP
Initiating GARP for eth0 Initiate gratuitousARP for the specifiedinterface.
Initiating GARP for%s Initiating GARP for${dev_name}
31000004 INFO Networking / Initiate Initiating GARP for all interfaces Initiate gratuitous Initiating GARP for all interfaces —
Networking LogMessages
Log Catalog 16
ID Level Area Name Log Message Example Description Format Message Variables
NetworkManagement
gratuitousARP
ARP for all theinterfaces.
31000030 INFO Networking /NetworkManagement
Sendinterfacelogical linkstatus event
[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0
Interface statusevent is sent forlogical link statuschange.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}
31000030 INFO Networking /NetworkManagement
Sendinterfacelogical linkstatus event
[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0
Interface statusevent is sent forlogical link statuschange.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}
31000030 INFO Networking /NetworkManagement
Sendinterfacelogical linkstatus event
[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0
Interface statusevent is sent forlogical link statuschange.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}
31000030 INFO Networking /NetworkManagement
Sendinterfacelogical linkstatus event
[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0
Interface statusevent is sent forlogical link statuschange.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}
Networking LogMessages
Log Catalog 17
ID Level Area Name Log Message Example Description Format Message Variables
31000030 INFO Networking /NetworkManagement
Sendinterfacelogical linkstatus event
[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1mask=255.255.255.0
Interface statusevent is sent forlogical link statuschange.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}]Sending interfacestatus event,logical=${logical}link=${link} ip=${ip}mask=${mask}
31000031 INFO Networking /NetworkManagement
Sendinterface linkstatus event
[eth0] Sending interface status event for link up Interface statusevent is sent for linkchange.
[%s] Sending interface status event%s for link%s
[${dev_name}]Sending interfacestatus event for link${link}
31000031 INFO Networking /NetworkManagement
Sendinterface linkstatus event
[eth0] Sending interface status event for link up Interface statusevent is sent for linkchange.
[%s] Sending interface status event%s for link%s
[${dev_name}]Sending interfacestatus event for link${link}
31000034 INFO Networking /NetworkManagement
A changewas made tothe IPaddress ofthe externalinterface
[eth0 (External)] External Interface set IPaddress
Handle IP addressfor the specifiedexternal interface.
[%s (%s)] External Interface%s IP address [${dev_name} (${if_name})] ExternalInterface${operation} IPaddress
31000034 INFO Networking /NetworkManagement
A changewas made tothe IPaddress ofthe externalinterface
[eth0 (External)] External Interface set IPaddress
Handle IP addressfor the specifiedexternal interface.
[%s (%s)] External Interface%s IP address [${dev_name} (${if_name})] ExternalInterface${operation} IPaddress
31000034 INFO Networking /NetworkManagement
A changewas made tothe IPaddress ofthe external
[eth0 (External)] External Interface set IPaddress
Handle IP addressfor the specifiedexternal interface.
[%s (%s)] External Interface%s IP address [${dev_name} (${if_name})] ExternalInterface${operation} IPaddress
Networking LogMessages
Log Catalog 18
ID Level Area Name Log Message Example Description Format Message Variables
interface
31000035 ERROR Networking /NetworkManagement
Ignoreunknownaddressoperation
[eth0 (External)] Ignoring unknown addressoperation sss
Ignore unknownaddress operation onthe specifiedinterface.
[%s (%s)] Ignoring unknown address operation%s
[${dev_name} (${if_name})] Ignoringunknown addressoperation${operation}
31000035 ERROR Networking /NetworkManagement
Ignoreunknownaddressoperation
[eth0 (External)] Ignoring unknown addressoperation sss
Ignore unknownaddress operation onthe specifiedinterface.
[%s (%s)] Ignoring unknown address operation%s
[${dev_name} (${if_name})] Ignoringunknown addressoperation${operation}
31000035 ERROR Networking /NetworkManagement
Ignoreunknownaddressoperation
[eth0 (External)] Ignoring unknown addressoperation sss
Ignore unknownaddress operation onthe specifiedinterface.
[%s (%s)] Ignoring unknown address operation%s
[${dev_name} (${if_name})] Ignoringunknown addressoperation${operation}
31000036 INFO Networking /NetworkManagement
Layer 2traffic gate isclosed
[Cluster] The traffic gate of layer2 is closed dueto cluster role backup
Layer 2 traffic gate isclosed due to thespecified reason.
[Cluster] The traffic gate of layer2 is closed dueto cluster role%s
[Cluster] The trafficgate of layer2 isclosed due tocluster role ${role}
31000037 INFO Networking /NetworkManagement
Layer 2traffic gate isopened
[Cluster] The traffic gate of layer2 is openeddue to cluster role master
Layer 2 traffic gate isopened due to thespecified reason.
[Cluster] The traffic gate of layer2 is openeddue to cluster role%s
[Cluster] The trafficgate of layer2 isopened due tocluster role ${role}
31000038 INFO Networking /NetworkManagement
Traffic signalchanged
[Cluster] Traffic signal become green Traffic signal ischanged to thespecified status.
[Cluster] Traffic signal become%s [Cluster] Trafficsignal become${status}
Networking LogMessages
Log Catalog 19
ID Level Area Name Log Message Example Description Format Message Variables
31000050 INFO Networking /NetworkManagement
Startingwireless AP
Starting wireless AP ath1 Starting specifiedwireless AP.
Starting wireless AP %s —
31000051 INFO Networking /NetworkManagement
Stoppingwireless AP
Stopping wireless AP ath1 Stopping thespecified wirelessAccess Point.
Stopping wireless AP %s —
31000057 INFO Networking /NetworkManagement
Startprocessingconfiguration
Starts processing a configuration setting Started to processconfigurationsettings.
Starts processing a configuration setting —
31000058 INFO Networking /NetworkManagement
Updatebridgemodesettings
Updating global bridgemode setting Update global bridgemode settings.
Updating global bridgemode setting —
31000059 INFO Networking /NetworkManagement
Update drop-in modesettings
Updating global drop-in mode setting Update global drop-inmode settings.
Updating global drop-in mode setting —
31000070 INFO Networking /NetworkManagement
Clean upstaleconnections
[Cluster] Clean up stale IP connections withexpired address 192.168.1.22 for PPPoEinterface eth0
Clean up staleconnections for theexpired IP addresson dynamicinterface.
[Cluster] Clean up stale IP connections withexpired address %s for%s interface%s
[Cluster] Clean upstale IPconnections withexpired address${ip} for dynamicinterface ${dev_name}
31000070 INFO Networking /NetworkManagement
Clean upstaleconnections
[Cluster] Clean up stale IP connections withexpired address 192.168.1.22 for PPPoEinterface eth0
Clean up staleconnections for theexpired IP addresson dynamicinterface.
[Cluster] Clean up stale IP connections withexpired address %s for%s interface%s
[Cluster] Clean upstale IPconnections withexpired address${ip} for dynamicinterface ${dev_name}
Networking LogMessages
Log Catalog 20
ID Level Area Name Log Message Example Description Format Message Variables
31000075 ERROR Networking /NetworkManagement
DNSWatchserversshould notbe in use
DNSWatch is expired or was disabled. YourFirebox does not have a configured DNSserver. Tomake sure your Firebox does not usethe DNSWatch servers, youmust specify aDNS server in the network DNS/WINSsettings.
DNSWatch serversshould not be in usebut the Firebox doesnot have analternative DNSserver it can use.
DNSWatch is expired or was disabled. YourFirebox does not have a configured DNSserver. Tomake sure your Firebox does notuse the DNSWatch servers, youmust specifya DNS server in the network DNS/WINSsettings.
—
31130001 ERROR Networking /NetworkManagement
Capturestopped
Capture stopped, insufficient space Capture stopped dueto the specifiedreason.
Capture stopped, %s Capture stopped,${reason}
45000001 ERROR Networking /Modem
Duplicatemodeminstancerunning
Another instance of Modem is running System loadedModem process, butanother instance isalready active.
Another instance of Modem is running —
3100000F INFO Networking /NetworkManagement
Add bridgeinterface
Adding bridge tbr0 Add bridge interfacein bridgemode.
Adding bridge%s Adding bridge${dev_name}
3100003D INFO Networking /NetworkManagement
Update ARPrules
[Cluster] Update arp rules for cluster rolebackup
Update ARP rules forthe specified clusterrole.
[Cluster] Update arp rules for cluster role%s [Cluster] Updatearp rules for clusterrole ${role}
3100004F INFO Networking /NetworkManagement
Fix upmultipathgateways
[ECMP] Fixup 2multipath gatewaysuccessfully
Fix upmultipathgateways of thespecified numbersuccessfully.
[ECMP] Fixup%dmultipath gatewaysuccessfully
[ECMP] Fixup${num}multipathgatewaysuccessfully
3100005A INFO Networking /NetworkManagement
Updatewirelesssettings
Updating wireless setting Update wirelesssettings
Updating wireless setting —
Networking LogMessages
Log Catalog 21
ID Level Area Name Log Message Example Description Format Message Variables
3100005B INFO Networking /NetworkManagement
UpdatesecondaryIP settings
Updating Trust-1 secondary IP(s) setting Update secondary IPaddress settings forthe specifiedinterface.
Updating%s secondary IP(s) setting Updating ${if_name} secondary IP(s) setting
3100005C INFO Networking /NetworkManagement
Update routesettings
Updating route setting Update routesettings.
Updating route setting —
3100005D INFO Networking /NetworkManagement
Update 1to1NATsettings
Updating 1to1 NAT setting Update 1-to-1 NATsettings.
Updating 1to1 NAT setting —
3100005E INFO Networking /NetworkManagement
Update DNSsettings
Updating DNS setting Update DNSsettings.
Updating DNS setting —
5A000001 INFO Networking /DynamicDNS
ResponsefromDynamicDNS server
Response from server: update succeeded withno change, abusive warning (1)
Receive thespecified responsefrom the dynamicDNS server.
Response from server: %s (%d) Response fromserver: ${response}(${ret_code})
5A000001 INFO Networking /DynamicDNS
ResponsefromDynamicDNS server
Response from server: update succeeded withno change, abusive warning (1)
Receive thespecified responsefrom the dynamicDNS server.
Response from server: %s (%d) Response fromserver: ${response}(${ret_code})
5A000002 INFO Networking /DynamicDNS
DynamicDNSDomainNameResolved
Resolved domainmembers.dyndns.org to204.13.248.111
Dynamic DNSserver domain namesuccessfullyresolved to an IPaddress.
Resolved domain%s to%s Resolved domain${domain} to ${ip}
5A000002 INFO Networking /DynamicDNS
DynamicDNSDomain
Resolved domainmembers.dyndns.org to204.13.248.111
Dynamic DNSserver domain namesuccessfully
Resolved domain%s to%s Resolved domain${domain} to ${ip}
Networking LogMessages
Log Catalog 22
ID Level Area Name Log Message Example Description Format Message Variables
NameResolved
resolved to an IPaddress.
5A000003 INFO Networking /DynamicDNS
Connectedto the server
Connected to: members.dyndns.org /204.13.248.111
Connected to thespecified dynamicDNS server.
Connected to: %s / %s Connected to:${server_name} /${server_ip}
5A000003 INFO Networking /DynamicDNS
Connectedto the server
Connected to: members.dyndns.org /204.13.248.111
Connected to thespecified dynamicDNS server.
Connected to: %s / %s Connected to:${server_name} /${server_ip}
5A000004 INFO Networking /DynamicDNS
Connectingto the server
Connecting to: members.dyndns.com /204.13.248.111
Connecting to thespecified dynamicDNS server.
Connecting to: %s / %s Connecting to:${server_name} /${server_ip}
5A000004 INFO Networking /DynamicDNS
Connectingto the server
Connecting to: members.dyndns.com /204.13.248.111
Connecting to thespecified dynamicDNS server.
Connecting to: %s / %s Connecting to:${server_name} /${server_ip}
5A000005 INFO Networking /DynamicDNS
ActivatedynamicDNS
Activating DynDNS on interface: External Activate dynamicDNS on the specifiedinterface.
Activating DynDNS on interface: %s Activating DynDNSon interface: ${if_name}
5A000006 DEBUG Networking /DynamicDNS
Receivedreply fromthe server
Received reply: HTTP/1.1 200OK Date: Tue,27 Nov 2012 17:14:57 GMT Server: ApacheContent-Type: text/plain Connection: closegood 192.168.53.88
Received thespecified reply fromthe dynamic DNSserver.
Received reply: %s Received reply:${reply}
5A000007 ERROR Networking /DynamicDNS
Unable toresolvedomainname
Could not resolve server: members.dyndns.org Could not resolvedomain for dynamicDNS server.
Could not resolve server: %s Could not resolveserver: ${server}
5A000008 ERROR Networking /DynamicDNS
Failed toconnect tothe server
Could not connect to members.dyndns.org /204.13.248.111, connection refused
Could not connect tothe dynamic DNSserver due tospecified reason.
Could not connect to%s / %s, %m Could not connectto ${server_name} /${server_ip},${reason}
Networking LogMessages
Log Catalog 23
ID Level Area Name Log Message Example Description Format Message Variables
5A000008 ERROR Networking /DynamicDNS
Failed toconnect tothe server
Could not connect to members.dyndns.org /204.13.248.111, connection refused
Could not connect tothe dynamic DNSserver due tospecified reason.
Could not connect to%s / %s, %m Could not connectto ${server_name} /${server_ip},${reason}
5A000008 ERROR Networking /DynamicDNS
Failed toconnect tothe server
Could not connect to members.dyndns.org /204.13.248.111, connection refused
Could not connect tothe dynamic DNSserver due tospecified reason.
Could not connect to%s / %s, %m Could not connectto ${server_name} /${server_ip},${reason}
5A000009 ERROR Networking /DynamicDNS
Unable toconnect toserver
Unable to connect to server:members.dyndns.org / 204.13.248.111
Unable to connect tothe specifieddynamic DNSserver.
Unable to connect to server: %s / %s Unable to connectto server: ${server_name} / ${server_ip}
5A000009 ERROR Networking /DynamicDNS
Unable toconnect toserver
Unable to connect to server:members.dyndns.org / 204.13.248.111
Unable to connect tothe specifieddynamic DNSserver.
Unable to connect to server: %s / %s Unable to connectto server: ${server_name} / ${server_ip}
5A00000A ERROR Networking /DynamicDNS
No responsefrom server
No response from server members.dyndns.org/ 204.13.248.111
Not able to getresponse fromspecified dynamicDNS server.
No response from server%s / %s No response fromserver ${server_name} / ${server_ip}
5A00000A ERROR Networking /DynamicDNS
No responsefrom server
No response from server members.dyndns.org/ 204.13.248.111
Not able to getresponse fromspecified dynamicDNS server.
No response from server%s / %s No response fromserver ${server_name} / ${server_ip}
Networking LogMessages
Log Catalog 24
ID Level Area Name Log Message Example Description Format Message Variables
5A00000B ERROR Networking /DynamicDNS
Invalidresponsefrom server
Invalid response from server (-2) The dynamic DNSserver returned aninvalid responsecode. The logmessage specifiesthat code.
Invalid response from server (%d) Invalid responsefrom server (${ret_code})
5A00000C INFO Networking /DynamicDNS
The time fornext update
Next update is on Tue, 27 Nov 2012 17:14:57 The logmessagespecifies the nextupdate time fordynamic DNS.
Next update is on%s Next update is on${time}
5A00000D DEBUG Networking /DynamicDNS
Send updaterequest
Sending update request (138 bytes): GET/nic/update?system=dyndns
Sending dynamicDNS update request.The logmessagespecifies the sizeand content of therequest.
Sending update request (%zu bytes): %s Sending updaterequest (${size}bytes): ${content}
5A00000D DEBUG Networking /DynamicDNS
Send updaterequest
Sending update request (138 bytes): GET/nic/update?system=dyndns
Sending dynamicDNS update request.The logmessagespecifies the sizeand content of therequest.
Sending update request (%zu bytes): %s Sending updaterequest (${size}bytes): ${content}
Networking LogMessages
Log Catalog 25
EventNetworking logmessages of theEvent log type.
ID Level Area Name Log Message Example Description Format Message Variables
09000004 ERROR Networking /PPPoE
Authenticationfailure
PPPoE authentication failed The Firebox or XTM devicefailed to authenticate forPPPoE.
PPPoE authentication failed —
09000005 ERROR Networking /PPPoE
PPPoEstopped
PPPoE stopped unexpectedly(unknown error)
PPPoE stoppedunexpectedly due to anunknown error.
PPPoE stopped unexpectedly(unknown error)
—
09000008 INFO Networking /PPPoE
Enforce staticIP address
[eth2 (External)] EnforcedPPPoE static IP address:192.168.3.48 is replaced with192.168.3.29
Replaced the assignedPPPoE IP address with theconfigured static IPaddress. The assigned IPaddress is retained as asecondary IP address forthe interface.
[%s (%s)] Enforced PPPoEstatic IP address: %s is replacedwith%s
[${dev_name} (${if_name})] EnforcedPPPoE static IP address: ${nego_ip} isreplaced with ${static_ip}
09000008 INFO Networking /PPPoE
Enforce staticIP address
[eth2 (External)] EnforcedPPPoE static IP address:192.168.3.48 is replaced with192.168.3.29
Replaced the assignedPPPoE IP address with theconfigured static IPaddress. The assigned IPaddress is retained as asecondary IP address forthe interface.
[%s (%s)] Enforced PPPoEstatic IP address: %s is replacedwith%s
[${dev_name} (${if_name})] EnforcedPPPoE static IP address: ${nego_ip} isreplaced with ${static_ip}
09000008 INFO Networking /PPPoE
Enforce staticIP address
[eth2 (External)] EnforcedPPPoE static IP address:192.168.3.48 is replaced with192.168.3.29
Replaced the assignedPPPoE IP address with theconfigured static IPaddress. The assigned IPaddress is retained as asecondary IP address forthe interface.
[%s (%s)] Enforced PPPoEstatic IP address: %s is replacedwith%s
[${dev_name} (${if_name})] EnforcedPPPoE static IP address: ${nego_ip} isreplaced with ${static_ip}
Networking LogMessages
Log Catalog 26
ID Level Area Name Log Message Example Description Format Message Variables
09000008 INFO Networking /PPPoE
Enforce staticIP address
[eth2 (External)] EnforcedPPPoE static IP address:192.168.3.48 is replaced with192.168.3.29
Replaced the assignedPPPoE IP address with theconfigured static IPaddress. The assigned IPaddress is retained as asecondary IP address forthe interface.
[%s (%s)] Enforced PPPoEstatic IP address: %s is replacedwith%s
[${dev_name} (${if_name})] EnforcedPPPoE static IP address: ${nego_ip} isreplaced with ${static_ip}
09000009 INFO Networking /PPPoE
Sessionestablished
[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254
The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.
[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s
[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}
09000009 INFO Networking /PPPoE
Sessionestablished
[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254
The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.
[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s
[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}
09000009 INFO Networking /PPPoE
Sessionestablished
[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254
The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.
[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s
[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}
09000009 INFO Networking /PPPoE
Sessionestablished
[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254
The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.
[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s
[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}
Networking LogMessages
Log Catalog 27
ID Level Area Name Log Message Example Description Format Message Variables
09000009 INFO Networking /PPPoE
Sessionestablished
[eth0 (External)] PPPoE session[11] is established, acquired IPaddress 192.168.3.48, peer192.168.3.254
The specified interfaceestablished a PPPoEsession. The logmessagealso specifies the sessionID, acquired IP address,and peer IP address.
[%s (%s)] PPPoE session[%d] isestablished, acquired IP address%s, peer%s
[${physical_name} (${ifname})] PPPoEsession[${session_id}] is established,acquired IP address ${ipaddr}, peer${peer_addr}
16000001 ERROR Networking /DHCPServer
DHCPdiscover
DHCPDISCOVER from00:50:04:ce:c6:3d via eth1:network 192.168.111.0/24: nofree leases
Received DHCP discoverfrom the client, but there areno free leases available.
%s —
16000002 INFO Networking /DHCPServer
DHCP offer DHCPOFFER on192.168.111.20 to84:2b:2b:a6:02:3f (client) viaeth1
The DHCP server offeredan IP address to thespecified client device.
%s —
16000003 INFO Networking /DHCPServer
DHCPrequest
DHCPREQUEST for192.168.111.20 from84:2b:2b:a6:02:3f (client) viaeth1
Received DHCP request forspecified IP address fromthe specified client.
%s —
31000009 INFO Networking /NetworkManagement
Interfaceinitializing
[eth1 (Trusted)] Interfaceinitializing
Initializing the specifiedinterface.
[%s (%s)] Interface initializing [${dev_name} (${if_name})] Interfaceinitializing
31000009 INFO Networking /NetworkManagement
Interfaceinitializing
[eth1 (Trusted)] Interfaceinitializing
Initializing the specifiedinterface.
[%s (%s)] Interface initializing [${dev_name} (${if_name})] Interfaceinitializing
31000010 ERROR Networking /NetworkManagement
Failed to addbridge
Failed to add bridge tbr0 VLANID 1
Failed to add bridge Failed to add bridge%s VLAN ID%d
—
31000029 ERROR Networking /Network
Failed to addinterface IP
[eth1 (Trusted)] Failed to addaddress 198.51.100.0
Failed to add the specifiedIP address to the specified
[%s (%s)] Failed to%s address%s
—
Networking LogMessages
Log Catalog 28
ID Level Area Name Log Message Example Description Format Message Variables
Management address interface.
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
Networking LogMessages
Log Catalog 29
ID Level Area Name Log Message Example Description Format Message Variables
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000039 INFO Networking /NetworkManagement
Clustermanagementinterfacechange
[Cluster] Management interfacesetting is changed: interfacefrom eth1 to eth2, IPv4 addressfrom 10.0.1.3 to 10.0.2.3, IPv4mask from 24 to 24, IPv6 CIDRfrom 2000::1/64 to 2001::2/64
The configuration for thecluster managementinterface changed. The logmessage specifies changesto the interface, IP address,mask and IPv6 address.
[Cluster] Management interfacesetting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface settingis changed: interface from ${pre_if} to${new_if}, IPv4 address from ${pre_ip}to ${new_ip} IPv4mask from ${pre_mask} to ${new_mask} IPv6 CIDR from${pre_ipv6} to%{new_ipv6}%s
31000046 INFO Networking /NetworkManagement
Activatingexternalinterface
[eth0 (External)] Activatingexternal interface
Activating specifiedexternal interface.
[%s (%s)] Activating externalinterface
[${dev_name} (${if_name})] Activatingexternal interface
Networking LogMessages
Log Catalog 30
ID Level Area Name Log Message Example Description Format Message Variables
31000046 INFO Networking /NetworkManagement
Activatingexternalinterface
[eth0 (External)] Activatingexternal interface
Activating specifiedexternal interface.
[%s (%s)] Activating externalinterface
[${dev_name} (${if_name})] Activatingexternal interface
31000047 INFO Networking /NetworkManagement
Deactivatingexternalinterface
[eth0 (External)] Deactivatingexternal interface
Deactivating the specifiedexternal interface.
[%s (%s)] Deactivating externalinterface
[${dev_name} (${if_name})]Deactivating external interface
31000047 INFO Networking /NetworkManagement
Deactivatingexternalinterface
[eth0 (External)] Deactivatingexternal interface
Deactivating the specifiedexternal interface.
[%s (%s)] Deactivating externalinterface
[${dev_name} (${if_name})]Deactivating external interface
31000052 INFO Networking /NetworkManagement
Startingwireless APservice
Starting wireless AP service Starting wireless APservice.
Starting wireless AP service —
31000054 INFO Networking /NetworkManagement
Detect roguewireless AP
Starting the scan for roguewireless AP detection
Starting rogue wireless APdetection scan.
Starting the scan for roguewireless AP detection
—
31000055 INFO Networking /NetworkManagement
Stop detectingrogue wirelessAP
Stopping the scan for roguewireless AP detection
Stopping rogue wireless APdetection scan.
Stopping the scan for roguewireless AP detection
—
31000056 INFO Networking /NetworkManagement
Restartdetectingrogue wirelessAP
Restart the scan for roguewireless AP detection
Restart rogue wireless APdetection scan.
Restart the scan for roguewireless AP detection
—
31000069 INFO Networking /NetworkManagement
IPv6 interfaceactivated.
[eth0 (External)] IPv6 interface isactivated.
An IPv6 interface wasactivated. The logmessagespecifies the interface.
[%s (%s)] IPv6 interface isactivated.
—
31000071 INFO Networking /NetworkManagement
PPPoE IPaddresschange during
[eth0 (External)] PPPoE IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the PPPoE IP addresschanged.
[%s (%s)] PPPoE IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] PPPoE IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
Networking LogMessages
Log Catalog 31
ID Level Area Name Log Message Example Description Format Message Variables
clusterfailover
31000071 INFO Networking /NetworkManagement
PPPoE IPaddresschange duringclusterfailover
[eth0 (External)] PPPoE IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the PPPoE IP addresschanged.
[%s (%s)] PPPoE IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] PPPoE IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000071 INFO Networking /NetworkManagement
PPPoE IPaddresschange duringclusterfailover
[eth0 (External)] PPPoE IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the PPPoE IP addresschanged.
[%s (%s)] PPPoE IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] PPPoE IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000071 INFO Networking /NetworkManagement
PPPoE IPaddresschange duringclusterfailover
[eth0 (External)] PPPoE IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the PPPoE IP addresschanged.
[%s (%s)] PPPoE IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] PPPoE IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000072 INFO Networking /NetworkManagement
No change forPPPoE IPaddressduring clusterfailover
[eth0 (External)] PPPoE IPaddress 192.168.1.22 did notchange during cluster failover
PPPoE IP address did notchange during clusterfailover.
[%s (%s)] PPPoE IP address%u.%u.%u.%u did not changeduring cluster failover
—
31000073 INFO Networking /NetworkManagement
DHCP IPaddresschange duringclusterfailover
[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the DHCP IP addresschanged.
[%s (%s)] DHCP IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] DHCP IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000073 INFO Networking /NetworkManagement
DHCP IPaddresschange during
[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to
The cluster completed afailover. During the failover,the DHCP IP address
[%s (%s)] DHCP IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] DHCP IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
Networking LogMessages
Log Catalog 32
ID Level Area Name Log Message Example Description Format Message Variables
clusterfailover
192.168.1.23 changed.
31000073 INFO Networking /NetworkManagement
DHCP IPaddresschange duringclusterfailover
[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the DHCP IP addresschanged.
[%s (%s)] DHCP IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] DHCP IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000073 INFO Networking /NetworkManagement
DHCP IPaddresschange duringclusterfailover
[eth0 (External)] DHCP IPaddress changed during clusterfailover, from 192.168.1.22 to192.168.1.23
The cluster completed afailover. During the failover,the DHCP IP addresschanged.
[%s (%s)] DHCP IP addresschanged during cluster failover,from%s to%s
[${dev_name} (${if_name})] DHCP IPaddress changes during cluster failover,from ${pre_ip} to ${new_ip}
31000074 INFO Networking /NetworkManagement
No change forDHCP IPaddressduring clusterfailover
[eth0 (External)] DHCP IPaddress 192.168.1.22 did notchange during cluster failover
DHCP IP address did notchange during clusterfailover.
[%s (%s)] DHCP IP address%u.%u.%u.%u did not changeduring cluster failover
—
45000003 INFO Networking /Modem
Modemdisconnected
modem0 disconnected Specifiedmodem isdisconnected.
%s disconnected —
45000004 ERROR Networking /Modem
Modemauthenticationfailed
Modem authentication failed,check your modem configuration
Modem authenticationfailed.
Modem authentication failed,check your modem configuration
—
49000001 ERROR Networking /LinkMonitoring
Multi-WANDomain NameResolutionFailed
[Link Monitor] External unable toresolve domain namewww.example.com
Specified interface failed toresolve specified domainname for ping or TCP testfor failover.
[Link Monitor] %s unable toresolve domain name%s
—
49000002 WARN Networking /LinkMonitoring
Multi-WanProbe Failed
[Link Monitor] No responsereceived on External from TCPhost 192.168.1.218 port 9999
Specified interface did notreceive a response to Probefor failover.
[Link Monitor] No responsereceived on%s from%s
[Link Monitor] No response received on${if_name} from ${target}
Networking LogMessages
Log Catalog 33
ID Level Area Name Log Message Example Description Format Message Variables
49000002 WARN Networking /LinkMonitoring
Multi-WanProbe Failed
[Link Monitor] No responsereceived on External from TCPhost 192.168.1.218 port 9999
Specified interface did notreceive a response to Probefor failover.
[Link Monitor] No responsereceived on%s from%s
[Link Monitor] No response received on${if_name} from ${target}
49000003 ERROR Networking /LinkMonitoring
Probe failure [Link Monitor] External interfacefailed because a probe to thetarget host failed
Specified interfacemarkedas Failed due to noresponse from ping or TCPhost.
[Link Monitor] %s interface failedbecause a probe to the targethost failed
—
68000001 INFO Networking /Discovery
Network scancompleted
On demand scan completed Specified type of scancompleted
%s scan completed ${scan_type} scan completed
68000002 INFO Networking /Discovery
Network scanstarted
On demand scan— stage 2started
Specified type and stage ofscan started
%s scan%s started ${scan_type} scan${scan_stage}started
68000002 INFO Networking /Discovery
Network scanstarted
On demand scan— stage 2started
Specified type and stage ofscan started
%s scan%s started ${scan_type} scan${scan_stage}started
68000003 INFO Networking /Discovery
On demandscan— stage1 completed
On demand scan— stage 1completed
On demand scan— stage 1completed
On demand scan— stage 1completed
On demand scan— stage 1 completed
0900000A INFO Networking /PPPoE
Disconnect [eth0 (External)] PPPoE session[11] is disconnected.
The PPPoE session for thespecified interface isdisconnected.
[%s (%s)]PPPoE session[%d] isdisconnected.
—
3100000A INFO Networking /NetworkManagement
Interfaceshutting down
[eth1 (Trusted)] Interfaceshutting down
Shutting down the specifiedinterface.
[%s (%s)] Interface shuttingdown
[${dev_name} (${if_name})] Interfaceshutting down
3100000A INFO Networking /NetworkManagement
Interfaceshutting down
[eth1 (Trusted)] Interfaceshutting down
Shutting down the specifiedinterface.
[%s (%s)] Interface shuttingdown
[${dev_name} (${if_name})] Interfaceshutting down
Networking LogMessages
Log Catalog 34
ID Level Area Name Log Message Example Description Format Message Variables
3100000B INFO Networking /NetworkManagement
Multi-WANinterfaceactivated.
[eth1 (Trusted)] Interface isactivated due to link-monitorsuccess.
Interface is activated due tolink-monitor success. Thelogmessage specifies theinterface.
[%s (%s)] Interface is activateddue to link-monitor success.
—
3100000D WARN Networking /NetworkManagement
Multi-WANinterfacedeactivated
[eth1 (Trusted)] Interface isdeactivated due to link-monitorfailure.
Interface is deactivated dueto link-monitor failure. Thelogmessage specifies theinterface.
[%s (%s)] Interface isdeactivated due to link-monitorfailure.
—
3100002B ERROR Networking /NetworkManagement
Interface isdisabled
[eth1 (Trusted)] Interface isdisabled because it does notexist
Specified interface does notexist, The interface statusis set to disabled.
[%s (%s)] Interface is disabledbecause it does not exist
[${dev_name} (${if_name})] Interface isdisabled because it does not exist
3100002B ERROR Networking /NetworkManagement
Interface isdisabled
[eth1 (Trusted)] Interface isdisabled because it does notexist
Specified interface does notexist, The interface statusis set to disabled.
[%s (%s)] Interface is disabledbecause it does not exist
[${dev_name} (${if_name})] Interface isdisabled because it does not exist
3100002C WARN Networking /NetworkManagement
Interface linkstatuschanged
[eth1 (Trusted)] Interface linkstatus changed to UP
The interface link status haschanged. The logmessagespecifies the new status.
[%s (%s)] Interface link statuschanged to%s
—
3100003A WARN Networking /NetworkManagement
Cluster isenabled
Cluster is enabled and is forming Cluster is enabled and isforming.
Cluster is enabled and is forming —
3100003B WARN Networking /NetworkManagement
Clustersettingchanged todisabled
Cluster setting changed fromenabled to disabled
The cluster setting waschanged from enabled todisabled.
Cluster setting changed fromenabled to disabled
—
3100003E INFO Networking /NetworkManagement
Cluster A/Prole changed
[Cluster] Cluster A/P rolesuccessfully changed frommaster to idle.
The role of this device in theactive/passive (A/P) clusterchanged. The logmessagespecifies the old and newroles.
[Cluster] Cluster A/P rolesuccessfully changed from%s to%s.
—
Networking LogMessages
Log Catalog 35
ID Level Area Name Log Message Example Description Format Message Variables
3100003F INFO Networking /NetworkManagement
Cluster A/Arole changed
[Cluster] Cluster A/A rolesuccessfully changed frommaster to idle.
The Cluster active/active(A/A) role changed. The logmessage specifies the oldand new roles.
[Cluster] Cluster A/A rolesuccessfully changed from%s to%s.
—
3100006A WARN Networking /NetworkManagement
IPv6 interfacedeactivated.
[eth0 (External)] IPv6 interface isdeactivated.
IPv6 interface wasdeactivated. The logmessage specifies theinterface.
[%s (%s)] IPv6 interface isdeactivated.
—
3100006C INFO Networking /NetworkManagement
IPv6 interfaceshutting down
[eth0 (External)] IPv6 interfaceshutting down
Shutting down specifiedIPv6 interface.
[%s (%s)] IPv6 interface shuttingdown
[${dev_name} (${if_name})] IPv6interface shutting down
3100006C INFO Networking /NetworkManagement
IPv6 interfaceshutting down
[eth0 (External)] IPv6 interfaceshutting down
Shutting down specifiedIPv6 interface.
[%s (%s)] IPv6 interface shuttingdown
[${dev_name} (${if_name})] IPv6interface shutting down
3100006D INFO Networking /NetworkManagement
IPv6 interfaceinitializing
[eth0 (External)] IPv6 interfaceinitializing
Initializing specified IPv6interface.
[%s (%s)] IPv6 interfaceinitializing
[${dev_name} (${if_name})] IPv6interface initializing
3100006D INFO Networking /NetworkManagement
IPv6 interfaceinitializing
[eth0 (External)] IPv6 interfaceinitializing
Initializing specified IPv6interface.
[%s (%s)] IPv6 interfaceinitializing
[${dev_name} (${if_name})] IPv6interface initializing
Networking LogMessages
Log Catalog 36
Proxy Policy Log MessagesProxy policy logmessages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, SubscriptionServices, and Security Services. For information about logmessages from Security Services processes, seeSecurity Services LogMessages on page 93.
EventProxy Policy logmessages of theEvent log type.
ID Level Area Name Log Message Example Description FormatMessageVariables
0F000001 INFO Proxy /ConnectionFrameworkManager
HTTPScontentinspectionlist imported
HTTPS content inspection exception listimported
When a pre-definedHTTPS exception list isimported, this event logis generated to informthe user.
HTTPS content inspection exception list imported —
0F010015 WARN Proxy /ConnectionFrameworkManager
APT threatnotified
APT threat notified. Details='Policy Name:HTTPS-proxy-00 Reason: high APT threatdetected Task_UUID:d09445005c3f4a9a9bb78c8cb34edc2a SourceIP: 10.0.1.2 Source Port: 43130 Destination IP:67.228.175.200 Destination Port: 443 ProxyType: HTTP Proxy Host: analysis.lastline.comPath: /docs/lastline-demo-sample.exe'
When APT serveranalysis result returnedand identified as certainlevel threat, this eventlog will be generated toinform that the APTnotification has beensent with detailedinformation.
APT threat notified. Details='%s' —
0F010016 INFO Proxy /ConnectionFrameworkManager
APT saferesult fromfilesubmission.Details='%s'
Cannot get the rule from ruleset'request/download'
— APT safe result from file submission. Details='PolicyName: HTTP-OUT-00 Reason: cleanMessage: APTsafe object Task_UUID:7a1e1500e92a410fa44d907f96b9209eMD5:d2723ba60dc88ec1ea449be9eee601cc Source IP:10.0.1.2 Source Port: 50293 Destination IP:100.100.100.3 Destination Port: 80 Proxy Type:HTTP Proxy Host: 100.100.100.3 Path: /test.exe'
—
Proxy Policy LogMessages
Log Catalog 37
ID Level Area Name Log Message Example Description FormatMessageVariables
1C0200CD ERROR Proxy /FTP
Rulesetlookup failed
Ruleset 'envelope/greeting' lookup failed FTP proxy -- Failed tocheck the specifiedruleset
Cannot get the rule from ruleset '%s' —
1B0400CE ERROR Proxy /SMTP
Rulesetlookup failed
Ruleset 'envelope/greeting' lookup failed SMTP proxy -- Failed tocheck the specifiedruleset
Ruleset '%s' lookup failed —
TrafficProxy Policy logmessages of the Traffic log type.
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1DFF0000 INFO Proxy /DNS
DNS invalidnumber ofquestions
Invalidnumber ofquestions
The traffic was blocked becausethemessage included an invalidnumber of questions.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53msg="ProxyDeny: DNS invalid number of questions" (DNS-proxy-00)
—
1DFF0001 INFO Proxy /DNS
DNSoversizedquery name
Query nameoversized
The DNS query was blockedbecause the DNS query nameexceeded the allowed buffer size,which varies from 0 kilobytes to 64kilobytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53msg="ProxyDeny: DNS oversized query name" (DNS-proxy-00)
—
1DFF0002 INFO Proxy /DNS
DNScompressedquery name
Query namecompressed
The DNS query was blockedbecause the domain namewascompressed.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53msg="ProxyDeny: DNS compressed query name" (DNS-proxy-00)
—
1DFF0003 INFO Proxy /DNS
DNS Parseerror
Parse error The DNS request was blockedbecause the proxy failed to parsethe domain name.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53msg="ProxyDeny: DNS parse error" (DNS-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 38
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1DFF0004 INFO Proxy /DNS
DNS NotInternetCLASS
Not InternetCLASS
TheDNS query was not InternetCLASS. The logmessagespecifies the action taken and theCLASS.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1"query_class="ANY" (DNS-proxy-00)
—
1DFF0005 INFO Proxy /DNS
DNSOpCodematch
OPcodematch
TheOpCodematched a configuredrule, or the default rule of nomatch.The logmessage specifies theaction taken, the rule, and theOpCode.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53msg="ProxyDeny: DNS OpCodematch" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)
—
1DFF0006 INFO Proxy /DNS
DNS querytypematch
Query typematch
The query typematched aconfigured rule, or the default ruleof nomatch. The logmessagespecifies the action taken, the rulematched, and the query type.
Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53msg="ProxyDeny: DNS query typematch" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)
—
1DFF0007 INFO Proxy /DNS
DNSundersizedquestion
Questionundersized
The DNS query was blockedbecause the query size was lessthan theminimum valid size of 17bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53msg="ProxyDeny: DNS undersized question" (DNS-proxy-00)
—
1DFF0008 INFO Proxy /DNS
DNSoversizedquestion
Questionoversized
The DNS query was blockedbecause the query size exceedsthemaximum allowed size of 271bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53msg="ProxyDeny: DNS oversized question" (DNS-proxy-00)
—
1DFF0009 INFO Proxy /DNS
DNS timeout Timeout The DNS connection was idlelonger than the configured timeoutvalue in the DNS policy.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53msg="ProxyDrop: DNS timeout" (DNS-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 39
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1DFF000A INFO Proxy /DNS
DNSundersizedanswer
Responseanswerundersized
The DNS response was blockedbecause the response size wasless than theminimum value of 17bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS undersized answer" (DNS-proxy-00)
—
1DFF000C INFO Proxy /DNS
DNS invalidresponse
Response IDInvalid
The DNS response was blockedbecause the response ID did notmatch the current or previousrequest ID.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53msg="ProxyDeny: DNS invalid response" (DNS-proxy-00)
—
1DFF000E INFO Proxy /DNS
DNSquestionmatch
Queryquestionmatch
The DNS query namematched aconfigured rule, or the default ruleof nomatch. The logmessagespecifies the rule matched, actiontaken, and query name.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53msg="ProxyDeny: DNS questionmatch" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)
—
1DFF000F INFO Proxy /DNS
DNS request Request The DNS request audit logspecifies the query type and name.
Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53msg="DNSrequest" proxy_act="DNS-Outgoing.1" query_type="PTR"question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" (DNS-proxy-00)
—
1DFF0010 INFO Proxy /DNS
DNS IPSmatch
IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, and signaturecategory.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53msg="ProxyDrop: DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS ServerBuffer Overflow" signature_cat="Buffer Over Flow" (DNS-proxy-00)
—
1DFF0012 INFO Proxy /DNS
DNS Appmatch
Applicationmatch
Application Control identified theapplication type from the DNSclient query and server response.The logmessage specifies theapplication name and ID, theapplication category name and ID,and the behavior name and ID.
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53msg="ProxyAllow: DNS Appmatch" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61"app_beh_name="access" app_beh_id="6" (DNS-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 40
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1CFF0019 ERROR Proxy /FTP
FTP BounceAttempt
FTP BounceAttempt
FTP proxy -- User attempted FTPbounce
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard"bounce ip="10.0.1.101"
—
1CFF0000 INFO Proxy /FTP
FTP username toolong
User nametoo long
The user name exceeds themaximum length specified in theFTP proxy. The default is 64characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21msg="ProxyDeny:FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1"length="17" (FTP-proxy-00)
—
1CFF0001 INFO Proxy /FTP
FTP userpasswordtoo long
Password toolong
The password specified for theuser exceeds themaximum lengthconfigured in the FTP proxy. Thedefault maximum length is 32characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21msg="ProxyDeny:FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)
—
1CFF0002 INFO Proxy /FTP
FTP file ordirectoryname toolong
File ordirectoryname too long
The file or directory name exceedsthemaximum length configured inthe FTP proxy. The defaultmaximum length is 1,024 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21msg="ProxyDeny:FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)
—
1CFF0003 INFO Proxy /FTP
FTPcommandline too long
Command linetoo long
The command exceeded themaximum length configured in theFTP proxy. The default maximumlength is 1,030 characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21msg="ProxyDeny:FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)
—
1CFF0004 INFO Proxy /FTP
FTPexceededmaximumpermittedloginattempts
Exceededmaximumallowed loginattempts
The user exceeded the configuredmaximum number of allowed failedlog in attepmts per connection. Thedefault limit is 6.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21msg="ProxyDrop:FTP exceededmaximum permitted login attempts" (FTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 41
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1CFF0005 INFO Proxy /FTP
FTPcommandmatch
Commandmatch
The commandmatched aconfigured rule, or the default of nomatch. For the FTP-server proxyaction, the default is to deny anycommand that does not appear onthe list. For the FTP-client proxyaction, there is no defaultrestriction on commands. The logmessage specifies the proxyaction, action taken, and thecommand.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21msg="ProxyDeny:FTP commandmatch" proxy_act="FTP-Client.2" rule_name="LIST"command="ls" (FTP-proxy-00)
—
1CFF0006 INFO Proxy /FTP
FTPdownloadmatch
Downloadmatch
The file typematched a configureddownload rule, or the default rule ofnomatch. The logmessagespecifies the proxy action, actiontaken, and file type.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21msg="ProxyDeny:FTP downloadmatch" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)
—
1CFF0007 INFO Proxy /FTP
FTP uploadmatch
Uploadmatch The file typematched a configuredupload rule, or the default rule of nomatch. The logmessage specifiesthe proxy action, action taken, andfile type.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21msg="ProxyDeny:FTP uploadmatch" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)
—
1CFF0008 INFO Proxy /FTP
FTP timeout Timeout The connection exceeded theconfigured idle time value. Thedefault is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21msg="ProxyDrop:FTP timeout" (FTP-proxy-00)
—
1CFF0009 INFO Proxy /FTP
FTP invalidrequest
Invalidrequest
The FTP proxy rejected thecommand because of a lack ofrequired arguments, such as a username. The logmessage specifiesthe proxy action and command.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21msg="ProxyDeny:FTP invalid request" proxy_act="FTP-Client.2" reason="No username valueprovided for USER command" (FTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 42
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1CFF000C INFO Proxy /FTP
FTP request Request This logmessage for the FTPrequest transaction includes thesource and destination IPaddresses for the initialconnections.
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21msg="FTPrequest" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0"user="testuser" type="download" (FTP-proxy-00)
—
1CFF000D INFO Proxy /FTP
FTP IPSmatch
IPS match Intrusion Prevention Service (IPS)detected a threat. The actionconfigured for an IPS Match will beapplied to the traffic. The logmessage includes the signatureID, threat severity, signaturename, and signature category.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21msg="ProxyDrop:FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4"signature_name="EXPLOIT FlashGet FTP PWD Command Stack bufferoverflow -1" signature_cat="Buffer Over Flow" (FTP-proxy-00)
—
1CFF000E INFO Proxy /FTP
FTP Virusfound
GAV Virusfound
Gateway AntiVirus (GAV) detecteda virus or malware in theattachment. The logmessagespecifies the detected virus nameand the file name of theattachment.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528msg="ProxyDrop:FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)
—
1CFF000F INFO Proxy /FTP
FTP AVscanningerror
GAV scanerror
Gateway AntiVirus (GAV) failed toscan due to the error specified inthe logmessage.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485msg="ProxyDrop:FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)
—
1CFF0010 INFO Proxy /FTP
FTP Appmatch
Applicationmatch
Application Control identified anapplication in the FTP clientrequest or server response. The logmessage specifies the proxyaction, application control action,action taken, application name andID, application category and ID,and application behavior name and
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21msg="ProxyAllow:FTP Appmatch" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority"app_beh_id="1" (FTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 43
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
ID.
1CFF0011 INFO Proxy /FTP
FTP DLPviolationfound
DLP violationfound
Data Loss Prevention (DLP)detected a rule violation. The logmessage specifies the proxyaction, the DLP sensor name, DLPrule name, the authenticated user,and the file name. The logmessage also specifies the sourceand destination IP addresses andport for the control channel of theFTP session.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611msg="ProxyDrop:FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553"ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)
—
1CFF0012 INFO Proxy /FTP
FTP cannotperform DLPscan
DLP cannotperform scan
Data Loss Prevention (DLP) failedto scan because of the errorspecified in the logmessage.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217msg="ProxyAllow: FTP cannot perform DLP scan" proxy_act="FTP-Client.3"ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP notinitialized" file="ssn.docx" (FTP-proxy-00)
—
1CFF0013 INFO Proxy /FTP
FTP DLPobjectunscannable
DLP cannotscan object
Data Loss Prevention (DLP) couldnot scan and analyze theattachment because it isencrypted. The logmessagespecifies the DLP sensor name,error message, the authenticateduser, and the file name.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974msg="ProxyAllow: FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test"error="unscannable object (File was encrypted)" authenticated_user="testuser"file="test.zip" (FTP-proxy-00)
—
1CFF0014 INFO Proxy /FTP
FTP DLPobject toolarge
DLP objecttoo large
Data Loss Prevention (DLP) couldnot analyze the attachmentbecause the file was larger than theconfigured limit. The limit varies byplatform, from one to fiveMB. Thelogmessage specifies the DLPsensor name and error message.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813msg="ProxyAllow: FTP DLP object too large" proxy_act="FTP-Client.3"error="DLP scan limit (5242880) exceeded" (FTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 44
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1CFF0015 INFO Proxy /FTP
FTP APTdetected
APT threatdetected
APT Blocker identified a threat.The logmessage specifies thethreat level, threat name, threatclass, malicious activities, and filenamewhere the threat waslocated.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661msg="ProxyDrop:FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt"(FTP-proxy-00)
—
1CFF0017 INFO Proxy /FTP
FTP Filesubmitted toAPTanalysisserver
File submittedto APTanalysisserver
File submitted to APT analysisserver for deep threat analysis. Aseparate logmessage will appearwhen the result is retrieved fromthe APT analysis server.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490msg="ProxyAllow: FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553"md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
—
1CFF0018 INFO Proxy /FTP
FTP Filereported safefrom APThash check
File reportedsafe from APThash check
APT hash check did not report athreat from the object
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490msg="ProxyAllow: FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553"md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
—
2AFF0000 INFO Proxy /H.323
H323timeout
Timeout The connection was idle longerthan the configured timeout value.The default value is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720msg="ProxyDrop: H323 timeout" (H323-ALG-00)
—
2AFF0001 INFO Proxy /H.323
H323request
Request This logmessage specifies the IPaddresses for the completed H323call.
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720msg="H323request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)
—
2AFF0002 INFO Proxy /H.323
H323 codec Codec Themedia codec is deniedbecause it matched a configuredDenied Codec. The logmessagespecifies the codec.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)"(H323-ALG-00)
—
Proxy Policy LogMessages
Log Catalog 45
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
2AFF0003 INFO Proxy /H.323
H323Accesscontrol
Accesscontrol
The header address is allowed ordenied because it matches anAccess Control rule configured inthe H323 policy. The logmessagespecifies the address.
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" (H323-ALG-00)
—
2AFF0006 INFO Proxy /H.323
H323 IPSmatch
IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, signaturecategory, destination host name,and URI path.
Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk InvalidRTP Payload Type NumberMemory Corruption" signature_cat="Access Control"(H323-ALG-00)
—
2AFF0007 INFO Proxy /H.323
H323 Appmatch
Applicationmatch
Application Control detected anapplication type from thetransaction. The logmessagespecifies the action taken, theapplication name and ID,application category name and ID,and the application behavior nameand ID.
Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230msg="ProxyDrop: H323 Appmatch" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" (H323-ALG-00)
—
1AFF0001 INFO Proxy /HTTP
HTTP serverresponsetimeout
Sessiontimeout withserver idle
The HTTP session has timed outbecause no traffic has beenreceived from the server for thespecified amount of time. (Default:10minutes)
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)
—
1AFF0002 INFO Proxy /HTTP
HTTP clientrequesttimeout
Sessiontimeout withclient idle
The HTTP session has timed outbecause no traffic has beenreceived from the client for thespecified amount of time. (Default:10minutes)
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 46
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF0003 INFO Proxy /HTTP
HTTP closecompletetimeout
Sessiontimeout withclosecompletecommandtimeout
The Close HTTP Sessioncommand timed out because noresponse to the FIN packet wasreceived within the response timelimit (3 minutes).
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)
—
1AFF0004 INFO Proxy /HTTP
HTTP Start-Line oversize
OversizeStart-Line
The first line of the client request orserver response is longer than theconfiguredmaximum line length.The default maximum length is4,096 bytes.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)
—
1AFF0005 INFO Proxy /HTTP
HTTP InvalidRequest-Line Format
InvalidRequest-Lineformat
The request line from the clientdoes not match the standardformat of [Method][SP][Request-URI][SP][HTTP/Version]. Theincorrect status-line is specified inthe logmessage.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)
—
1AFF0006 INFO Proxy /HTTP
HTTP invalidStatus-Lineformat
Invalid Status-Line format
The status line from the serverdoes not match the standardformat of [HTTP/Version][SP][Status Code][SP][Reason]. Theincorrect status-line is specified inthe logmessage.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0007 INFO Proxy /HTTP
HTTPheader lineoversize
Header lineoversize
A single client request or serverresponse line is longer than theconfiguredmaximum line length.The default maximum length is4,096 bytes.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4"line="X-Frame-Options: " (HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 47
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF0008 INFO Proxy /HTTP
HTTPheader blockoversize
Header blockoversize
The client request or serverresponse header block length islonger than the configured limit. Ifmaximum total length is enabled,the default limit is 16,384 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1"line="Date: Fri, 30May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)
—
1AFF0009 INFO Proxy /HTTP
HTTPheader blockparse error
Header blockparse error
The HTTP proxy cannot processthe header line because the formatis incorrect. The required format is[Name]:[Value].
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80msg="ProxyDeny:header block parse error" (HTTP-proxy-00)
—
1AFF000A INFO Proxy /HTTP
HTTPrequest URLpathmissing
Requestmissing URLpath
The HTTP proxy cannot completethe URL because the host or URIvalue is missing. The HTTPrequest is denied.
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80msg="ProxyDeny:HTTP request URL pathmissing" proxy_act="HTTP-Client.1" line="Date: Fri, 30May 2014 18:50:51 GMT\x0d\x0a"
—
1AFF000B INFO Proxy /HTTP
HTTPrequest URLmatch
Request URLmatch
The requested URLmatched aconfigured URL path in the HTTPproxy. By default, all URL pathsare allowed.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80msg="ProxyAllow: HTTP request URLmatch" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com"arg="/pagead/osd.js" (HTTP-proxy-00)
—
1AFF000C INFO Proxy /HTTP
HTTP chunksize lineoversize
Chunk sizeline oversize
The HTTP chunk size line does notterminate correctly with a carriagereturn and line-feed (CRLF). Theinvalid line is specified in the logmessage.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF000D INFO Proxy /HTTP
HTTP chunksize invalid
Chunk sizeline invalid
The HTTP chunk size line has aninvalid hexadecimal value. Theinvalid line is specified in the logmessage.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2"line="k7\x0d\x0a" (HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 48
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF000E INFO Proxy /HTTP
HTTP chunkCRLF tailmissing
Chunk noCRLF tail
The HTTP chunk does not closewith a carriage return and line feed(CRLF) because the chunk block ismissing the closing characters.This is required for each chunkwhen chunked transfer-encoding isin use. The logmessage includesthe invalid chunk tail line.
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1"line="This stringmissing the Carriage Return in the terminating CF-LF pair\x0a"(HTTP-proxy-00)
—
1AFF000F INFO Proxy /HTTP
HTTP footerline oversize
Footer lineoversize
One line of the HTTP footer, anadditional header sent at the end ofamessage is larger than theconfigured line limit. The defaultline limit is 4,096 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0010 INFO Proxy /HTTP
HTTP footerblockoversize
Footer blockoversize
The HTTP footer includesadditional header information thatis larger than the configured blocklimit size. The default totalmessage limit, if enabled, is 16,384bytes. The logmessage includesinformation about the invalid line.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2"line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0011 INFO Proxy /HTTP
HTTP footerblock parseerror
Footer blockparse error
The HTTP footer includes anadditional header field with syntaxthat violates the header formatrestrictions.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)
—
1AFF0012 INFO Proxy /HTTP
HTTP BodyContentTypematch
Body contenttypematch
The HTTP content either matchesa configured Body Content Type orno Body Content Type is defined(only the default rule is in use).
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80msg="ProxyAllow: HTTP Body Content Typematch" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)
—
1AFF0013 INFO Proxy /HTTP
HTTPheader
Headercontent
The HTTP header line does not Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80msg="ProxyStrip: HTTP header malformed" proxy_act="393296"
—
Proxy Policy LogMessages
Log Catalog 49
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
malformed malformed follow the correct syntax for aclient request or server responseheader. The logmessage containsthe header line with the syntaxerror.
header="WWW-Authenticate: \x0d\x0a"
1AFF0016 INFO Proxy /HTTP
HTTPheadertransferencodingmatch
HeaderTransfer-Encodingmatch
The Transfer-Encoding in theHTTP header matches aconfigured rule, or the default ruleof nomatch. The logmessagespecifies thematching rule nameand header value.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80msg="ProxyAllow: HTTP header Transfer-Encodingmatch" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)
—
1AFF0018 INFO Proxy /HTTP
HTTPheaderContentTypematch
Headercontent typematch
The HTTP header Content Typematches a configured rule, or thedefault rule of nomatch. The logmessage specifies thematchingrule name and header value.
Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80msg="ProxyAllow: HTTP header Content Typematch" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)
—
1AFF0019 INFO Proxy /HTTP
HTTPrequestversionmatch
Requestversionmatch
The HTTP version specified in theHTTP request linematches aconfigured rule, or the default ruleof nomatch. The log specifies thematched rule name and the requestline.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80msg="ProxyDeny: HTTP request versionmatch" proxy_act="HTTP-Client.2"rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)
—
1AFF001A INFO Proxy /HTTP
HTTPrequestmethodmatch
Requestmethodmatch
The HTTP request methodspecified in the Request-Linematches a configured rule, or thedefault rule of nomatch. The logmessage specifies thematchedrule name and themethod.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80msg="ProxyAllow: HTTP request methodmatch" proxy_act="HTTP-Client.1"rule_name="GET" method="GET" (HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 50
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF001B INFO Proxy /HTTP
HTTPheadermatch
Header match The HTTP header linematches aconfigured rule, or the default ruleof nomatch. The logmessagespecifies thematched rule nameand header line.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)
—
1AFF001C INFO Proxy /HTTP
HTTPheadercookiedomainmatch
Header cookiedomainmatch
The cookie domain headermatches a configured rule, or thedefault rule of nomatch. The logmessage includes thematchedrule name and the cookie domain.
Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80msg="ProxyDeny: HTTP header cookie domainmatch" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)
—
1AFF001D INFO Proxy /HTTP
HTTPrequest hostmissing
Request hostmissing
The HTTP request header ismissing the host value.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)
—
1AFF001E INFO Proxy /HTTP
HTTPheader authschemematch
Headerauthenticationschemematch
The authentication scheme in theHTTP header server responsematches one of the configuredrules, or the default rule of nomatch. The logmessage specifiesthematched rule name and theauthentication scheme.
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80msg="ProxyAllow: HTTP Header auth schemematch" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)
—
1AFF001F INFO Proxy /HTTP
HTTPrequestmethodunsupported
Requestmethod notsupported
The HTTP request method doesnot match a configured rule. Thelogmessage specifies themethodin use.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)
—
1AFF0020 INFO Proxy /HTTP
HTTPrequest portmismatch
Request portmismatch
Relative-URI is in use and the portspecified in the HTTP request hostheader does not match the portused for the connection.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1"(HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 51
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF0021 INFO Proxy /HTTP
HTTPRequestcategories
Requestcategories
The HTTP request is sent to a webaddress that matched a selectedWebBlocker category. The logmessage specifies the actiontaken by the proxy, the URL, andthe category matched.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2"cats="ReferenceMaterials" op="GET" dstname="www.walkscore.com" arg="/"(HTTP-proxy-00)
—
1AFF0022 INFO Proxy /HTTP
HTTPserviceunavailable
Serviceunavailable
WebBlocker categorization failedbecause the configuredWebBlocker server is notavailable. The logmessagespecifies the profile name and amore detailed error message.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1"service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)
—
1AFF0023 INFO Proxy /HTTP
HTTPrequest URLpathoversize
Request URLpath oversize
The URI in the HTTP Request-Lineis longer than the configured limit.The default limit is 2,048 bytes.The logmessage specifies theoversize URI.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)
—
1AFF0024 INFO Proxy /HTTP
HTTPrequest
Request A detailed summary of the lastHTTP proxy transaction.
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80msg="HTTPrequest" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92"arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)"(HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 52
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF0025 INFO Proxy /HTTP
HTTPheader IPSmatch
Header IPSrule match
Intrusion Prevention Service (IPS)detected an intrusion in the clientrequest or server response header.The logmessage specifies theaction taken, signature ID, threatseverity, signature name, signaturecategory, destination host name,and URI path.
Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1"signature_id="1055396" severity="5" signature_name="WEB Cross-siteScripting -9" signature_cat="Web Attack" host="intext.nav-links.com"path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)
—
1AFF0026 INFO Proxy /HTTP
HTTP bodyIPS match
Body IPS rulematch
Intrusion Prevention Service (IPS)detected an intrusion in the clientrequest or server response contentbody. The logmessage specifiesthe action taken, signature ID,threat severity, signature name,signature category, destinationhost name, and URI path.
Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4"signature_id="1051723" severity="5" signature_name="Virus Eicar test string"signature_cat="Virus/Worm" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)
—
1AFF0028 INFO Proxy /HTTP
HTTP Virusfound
GAV Virusfound
Gateway AntiVirus (GAV) detecteda virus or malware. The logmessage specifies the virus name,destination host name, and URIpath.
Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1"virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)
—
1AFF0029 INFO Proxy /HTTP
HTTP AVscanningerror
GAV scanerror
Gateway AntiVirus (GAV) failed toscan because of an error. The logmessage specifies the errormessage, the destination hostname, and URI path.
Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80msg="ProxyAllow:HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is notcreated" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)
—
1AFF002B INFO Proxy /HTTP
HTTPTrusted host
Trusted host The destination host namematches a proxy exceptionconfigured in the HTTP proxy.
Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 53
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF002C INFO Proxy /HTTP
HTTP badreputation
Bad reputation The HTTP proxy blocked accessto the destination address becauseof a bad reputation score for theURL.
Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT"reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)
—
1AFF002D INFO Proxy /HTTP
HTTP goodreputation
Goodreputation
The HTTP proxy did not completea Gateway AntiVirus (GAV) scanfor traffic to the destination addressbecause the URL received a goodreputation score.
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4"reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)
—
1AFF002E INFO Proxy /HTTP
HTTP Appmatch
Applicationmatch
Application Control identified theapplication type from the HTTPclient request or server responsestream.
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80msg="ProxyAllow: HTTP Appmatch" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" src_user="[email protected]" (HTTP-00)
—
1AFF002F INFO Proxy /HTTP
HTTP DLPviolationfound
DLP violationfound
Data Loss Prevention (DLP)detected a violation of DLP rules.The logmessage only includesinformation about the first rulematched.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA"host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)
—
1AFF0030 INFO Proxy /HTTP
HTTPcannotperform DLPScan
DLP cannotperform scan
Data Loss Prevention (DLP) failedto scan the traffic because of theerror specified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1"dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)
—
1AFF0031 INFO Proxy /HTTP
HTTP DLPobjectunscannable
DLP objectunscannable
Data Loss Prevention (DLP)cannot extract data from an objectbecause it is encrypted.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2"dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File wasencrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)
—
1AFF0032 INFO Proxy /HTTP
HTTP DLPobject too
HTTP objecttoo large
Data Loss Prevention (DLP)cannot scan the object because it
Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_
—
Proxy Policy LogMessages
Log Catalog 54
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
large is larger than the configured limit.The default value varies by devicetype and ranges between 1 and 5MB.
sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)
1AFF0033 INFO Proxy /HTTP
HTTP Rangeheader
Range header This is the configured action (allowor strip) for the HTTP proxy Rangeheader. The default action is strip.The HTTP proxy Range headercan allow partial file transfers thatimpact content scans because thefull content is not presented.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1"header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)
—
1AFF0034 INFO Proxy /HTTP
HTTP APTdetected
APT threatdetected
APT Blocker detected a threat. Thelogmessage specifies the thethreat level, threat name, threatclass, malicious activities,destination host name, and URIpath.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1"host="192.168.3.30" path="/apt_sample.exe"md5="2e77cadb722944a3979571b444ed5183"
—
1AFF0036 INFO Proxy /HTTP
HTTP Filesubmitted toAPTanalysisserver
File submittedto APTanalysisserver
File submitted to APT analysisserver for deep threat analysis. Theanalysis result will be notified whenthe analysis result is fetched fromAPT analysis server.
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe"md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
—
1AFF0037 INFO Proxy /HTTP
HTTPconnecttunnel portmatch
Connecttunnel portmatch
The HTTP CONNECT tunnelrequest port matches a configuredrule, or the default rule of nomatch.The logmessage specifies thematched rule name and port.
Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 55
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1AFF0038 INFO Proxy /HTTP
HTTPwebproxyredirect
Webproxyredirect
The HTTPWebproxy connectionwas redirected to a different proxyaction because of the configurationsetting in explicit proxy. The logmessage specifies the new proxyaction used.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)
—
1AFF0039 INFO Proxy /HTTP
HTTP Filereported safefrom APThash check
File reportedsafe from APThash check
APT hash check did not report athreat from the object
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe"md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
—
1AFF003A INFO Proxy /HTTP
HTTPContentredirect
Contentredirect
The HTTP content actionconnection was redirected to adifferent proxy action because ofthe configuration. The logmessagespecifies the new proxy actionused as well as the current sslstatus.
Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)
—
1AFF003B INFO Proxy /HTTP
HTTPRequestcontentmatch
RequestContentmatch
The request contained contentwhichmatched a configuredcontent rule in the HTTP proxy.The logmessage specifies thecontent whichmatched the rule aswell as rule details.
Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_type="URN"dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)
—
2CFF0000 INFO Proxy /HTTPS
HTTPSRequest
Request HTTPS transaction log includesserver name, certificate details andaction taken.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443msg="HTTPSRequest" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com"cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US"cert_subject="CN=*.google.com,O=Google Inc,L=MountainView,ST=California,C=US" action="allow" (HTTPS-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 56
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
2CFF0001 INFO Proxy /HTTPS
HTTPSRequestcategories
WebBlockerRequestcategories
WebBlocker identified the categoryfor a web request. The logmessage specifies the categoryand host name.
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1"service="Def" cats="Search Engines and Portals" dstname="www.google.com"(HTTPS-proxy-00)
—
2CFF0002 INFO Proxy /HTTPS
HTTPSserviceunavailable
WebBlockerserviceunavailable
WebBlocker failed because aWebBlocker Server was notavailable.
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1"error="Webblocker server is not available" service="Def" cats=""dstname="www.google.com" (HTTPS-proxy-00)
—
2CFF0003 INFO Proxy /HTTPS
HTTPSdomainnamematch
Domain namematch
This rule log includes thematchedrule name or default rule of nomatch and the patterns its beenmatched against.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443msg="ProxyAllow: HTTPS domain namematch" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn=""ipaddress="173.194.33.176" (HTTPS-proxy-00)
—
2CFF0007 INFO Proxy /HTTPS
HTTPSinvalidprotocol
Protocolinvalid
The HTTPS proxy detected aninvalid SSL version.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1"version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99"(HTTPS-proxy-00)
—
2CFF0008 INFO Proxy /HTTPS
HTTPStimeout
Timeout The HTTPS connection was idlelonger than the timeout valueconfigured in the HTTPS policy.The default is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)
—
2CFF0009 INFO Proxy /HTTPS
HTTPScontentinspection
Contentinspection
The HTTPS traffic was directed toa different proxy action because ofthe Content Inspection settings inthe HTTPS proxy. The logmessage specifies the new proxyaction used for content inspection,as well as the TLS ciphers used forthe server and client.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)
—
22FF0000 INFO Proxy / IMAP Request This audit logmessage specifies Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAP —
Proxy Policy LogMessages
Log Catalog 57
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
IMAP Request the email message transactionresult.
Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow"reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
22FF0001 INFO Proxy /IMAP
IMAPTimeout
Timeout The connection was idle for longerthan the configured timeout limit.The default limit is 1minute.
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPTimeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)
—
22FF0002 INFO Proxy /IMAP
IMAPMalformedCommand
MalformedCommand
The IMAP client sentmalformed/unsupported command
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPMalformed Command" proxy_act="IMAP-Client.Standard.1"command="CONDSTORE" mbx="INBOX" user="wg" auth_method="plain"(IMAP-proxy-00)
—
22FF0004 INFO Proxy /IMAP
IMAPMalformedResponse
MalformedResponse
The IMAP server sentmalformed/unsupported response
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143msg="IMAPMalformed Response" proxy_act="IMAP-Client.Standard.1" response="* 3597EXISTS" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0005 INFO Proxy /IMAP
IMAPContentType
Content Type A MIME-typematched aconfigured content type rule, or thedefault rule of nomatch. The logmessage specifies the rule, MIME-type, and user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1"rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg"auth_method="plain" (IMAP-proxy-00)
—
22FF0006 INFO Proxy /IMAP
IMAPFilename
Filename The attachment matches aconfigured file name rule, or thedefault rule of nomatch. The logmessage specifies the rule, filename, and user-relatedinformation.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc"attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain"(IMAP-proxy-00)
—
22FF0008 INFO Proxy /IMAP
IMAP VirusFound
Virus Found Gateway AntiVirus detected avirus or malware in the file. The logmessage specifies the virus name,file name, and user-relatedinformation.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1"virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 58
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
22FF0009 INFO Proxy /IMAP
IMAPCannotPerformGateway AVScan
CannotPerformGateway AVScan
Gateway AntiVirus (GAV) failed toscan because of the error specifiedin the logmessage
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000A INFO Proxy /IMAP
IMAP APTdetected
APT detected APT Blocker found the threatspecified in the logmessage in anattached file.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1"filename="lastline-demo-sample.exe"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX"user="wg" (IMAP-proxy-00)
—
22FF000C INFO Proxy /IMAP
IMAP FileSubmitted toAPTanalysisserver
File Submittedto APTanalysisserver
File submitted to APT analysisserver for deep threat analysis. Theanalysis result will be notified whenthe analysis result is fetched fromAPT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX"user="wg" (IMAP-proxy-00)
—
22FF000D INFO Proxy /IMAP
IMAP Filereported safefrom APThash check
File reportedsafe from APThash check
APT hash check did not report athreat from the object.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX"user="wg" (IMAP-proxy-00)
—
22FF000E INFO Proxy /IMAP
IMAPClassified asconfirmedSPAM
spamBlockerconfirmedspam
spamBlocker classified themessage as confirmed SPAM. Thelogmessage specifies the user-related information
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 59
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
22FF000F INFO Proxy /IMAP
IMAPClassified asbulk mail
spamBlockerbulk mail
spamBlocker classified themessage as bulk mail. The logmessage specifies the user-relatedinformation
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0010 INFO Proxy /IMAP
IMAPClassified assuspectSPAM
spamBlockersuspect spam
spamBlocker classified themessage as suspect SPAM. Thelogmessage specifies the user-related information
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0011 INFO Proxy /IMAP
IMAPMessagecould not bescored
spamBlockernot scored
spamBlocker cannot score themessage. The logmessagespecifies the user-relatedinformation
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Message could not be scored" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0012 INFO Proxy /IMAP
IMAPspamBlockerexceptionwasmatched
spamBlockerexceptionmatched
The sender for the email matched aspamBlocker exception rule. Thelogmessage specifies the rule anduser-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0013 INFO Proxy /IMAP
IMAPClassified asnot SPAM
spamBlockernot spam
spamBlocker classified themessage as not SPAM. The logmessage specifies the user-relatedinformation.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 60
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
22FF0014 INFO Proxy /IMAP
IMAPMessageclassificationis unknownbecause anerroroccurredwhileclassifying
spamBlockernot spam
spamBlocker was unable toclassify themessage because ofthe error specified in the logmessage. The logmessagespecifies the user-relatedinformation.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143msg="ProxyAllow: IMAP Message classification is unknown because an erroroccurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX"user="wg" (IMAP-proxy-00)
—
22FF0015 INFO Proxy /IMAP
IMAPGateway AVobject toolarge
GAV file toolarge
The attachment file size exceedsthe Gateway AV scan size limit.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan sizelimit" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0016 INFO Proxy /IMAP
Gateway AVobjectencrypted(password-protected)
GAV fileencrypted
The attachment file is encrypted orpassword-protected.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)"proxy_act="IMAP-Client.OUT" attachment="password-protected.zip"error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF1017 INFO Proxy /IMAP
IMAP invalidTLS protocol
Protocolinvalid
The IMAP proxy detected invalidTLS protocol.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)
—
22FF1018 INFO Proxy /IMAP
IMAP TLScontentinspection
ContentInspection
The IMAP proxy decrypted asecure connection for contentinspection.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1"server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)
—
21FF0000 INFO Proxy /POP3
POP3CAPA CAPA TheCAPA response contained theunknown or blocked capability thatis specified in the logmessage.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110msg="ProxyDeny: POP3CAPA" keyword="VERF": (POP3-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 61
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
21FF0001 INFO Proxy /POP3
POP3 AUTH Authentication The authentication typematched arule, or the default rule of nomatch.The logmessage specifies the rulename and authentication type.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)
—
21FF0002 INFO Proxy /POP3
POP3command
Command The client sent an authenticationcommandwhen it was not allowed.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2"keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)
—
21FF0005 INFO Proxy /POP3
POP3header
Header A POP3 header matched aconfigured Header rule, or thedefault rule of nomatch. The logmessage specifies the rule andheader.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)
—
21FF0006 INFO Proxy /POP3
POP3content type
Content type A MIME-typematched aconfigured content type rule, or thedefault rule of nomatch. The logmessage specifies the rule, MIME-type, and user name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)
—
21FF0007 INFO Proxy /POP3
POP3filename
File name The attachment matches aconfigured file name rule, or thedefault rule of nomatch. The logmessage specifies the rule, filename, and user name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)
—
21FF0009 INFO Proxy /POP3
POP3timeout
Timeout The connection was idle for longerthan the configured timeout limit.The default limit is 1minute.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180"(POP3-proxy-00)
—
21FF000A INFO Proxy /POP3
POP3request
Request This audit logmessage specifiesthe bytes sent, bytes received, anduser.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110msg="POP3request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433"user="wg" (POP3-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 62
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
21FF000C INFO Proxy /POP3
POP3 IPSmatch
IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies the actiontaken, the signature ID, threatseverity, signature name, andsignature category.
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (POP3-proxy-00)
—
21FF000F INFO Proxy /POP3
POP3 Virusfound
GAV Virusfound
Gateway AntiVirus detected avirus or malware in the file. The logmessage specifies the virus name,user, and file name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg"filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)
—
21FF0010 INFO Proxy /POP3
POP3cannotperformGateway AV
GAV cannotperform scan
Gateway AntiVirus (GAV) failed toscan because of the error specifiedin the logmessage.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: POP3Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)
—
21FF0012 INFO Proxy /POP3
POP3 linelength toolong
Line length toolong
A line exceeds the configured limit.The default is 1,000 bytes. The logmessage specifies the line length.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)
—
21FF0014 INFO Proxy /POP3
POP3messageformat
Messageformat
Themessage is not in an allowedformat. The logmessage specifiesthe error and the user.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110msg="ProxyStrip: POP3message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)
—
21FF0015 INFO Proxy /POP3
POP3encodingerror
Encoding error The proxy was unable to decodeand encode themessage becauseof the error specified in the logmessage.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1"message="invalid b64 characters in input" (POP3-IN-00)
—
21FF0016 INFO Proxy /POP3
POP3Classified asconfirmedSPAM
spamBlockerconfirmedspam
spamBlocker classified themessage as confirmed SPAM. Thelogmessage specifies the senderand recipients.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110msg="ProxyReplace: POP3Classified as confirmed SPAM" (POP3-OUT-00)
—
Proxy Policy LogMessages
Log Catalog 63
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
21FF0017 INFO Proxy /POP3
POP3Classified assuspectSPAM
spamBlockerBULK spam
spamBlocker classified themessage as bulk SPAM. The logmessage specifies the sender andrecipients.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110msg="ProxyReplace: POP3Classified as suspect SPAM" (POP3-IN-00)
—
21FF0018 INFO Proxy /POP3
POP3Classified assuspectSPAM
spamBlockersuspect spam
spamBlocker classified themessage as suspect SPAM. Thelogmessage specifies the senderand recipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110msg="ProxyReplace: POP3Classified as suspect SPAM" (POP3-proxy-00)
—
21FF001A INFO Proxy /POP3
POP3spamBlockerexceptionwasmatched
spamBlockerexceptionmatched
The sender for the email matched aspamBlocker exception rule. Thelogmessage specifies the sender,recipient, and subject.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)
—
21FF001B INFO Proxy /POP3
POP3Classified asnot SPAM
spamBlockernot spam
spamBlocker classified themessage as not SPAM. The logmessage specifies the sender andrecipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110msg="ProxyAllow: POP3Classified as not SPAM" (POP3-proxy-00)
—
21FF001C INFO Proxy /POP3
POP3messageclassificationis unknownbecause anerroroccurredwhileclassifying
spamBlockerclassificationunknown
spamBlocker was unable toclassify themessage because ofthe error specified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110msg="ProxyAllow: POP3message classification is unknown because an erroroccurred while classifying" (POP3-OUT-00)
—
21FF001D INFO Proxy /POP3
POP3 extrapadcharacters inbase64 input
Extra padcharacters
The POP3 proxy encountered extrapad characters in the body of abase64-encodedmessage.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)
—
Proxy Policy LogMessages
Log Catalog 64
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
21FF001E INFO Proxy /POP3
POP3 Appmatch
Applicationmatch
Application Control identified theapplication from the emailmessage. The log specifies theapplication name and ID,application category and ID, andthe application behavior name andID.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110msg="ProxyAllow: POP3 Appmatch" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2"app_beh_name="communicate" app_beh_id="2" (POP3-proxy-00)
—
21FF001F INFO Proxy /POP3
POP3 APTdetected
APT threatdetected
APT Blocker found the threatspecified in the logmessage in anattached file.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1"user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)
—
21FF0021 INFO Proxy /POP3
POP3 Filesubmitted toAPTanalysisserver
File submittedto APTanalysisserver
File submitted to APT analysisserver for deep threat analysis. Theanalysis result will be notified whenthe analysis result is fetched fromAPT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
—
21FF0022 INFO Proxy /POP3
POP3 Filereported safefrom APThash check
File reportedsafe from APThash check
APT hash check did not report athreat from the object
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg"filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk"md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
—
28FF0000 INFO Proxy /SIP
SIP timeout Timeout The connection was idle for longerthan the configured timeout value.The default value is 180 seconds.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060msg="ProxyDrop: SIP timeout" (SIP-ALG-00)
—
28FF0004 INFO Proxy /SIP
SIP request Request The logmessage specifies thesource and destination of the
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="SIPrequest" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_
—
Proxy Policy LogMessages
Log Catalog 65
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
allowed call. to="192.168.53.143" (SIP-ALG-00)
28FF0005 INFO Proxy /SIP
SIP codec Codec The codec is allowed or deniedbased on the setting for DeniedCodecs in the SIP policy.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)
—
28FF0006 INFO Proxy /SIP
SIP Accesscontrol
Accesscontrol
The header address is allowed ordenied based on the AccessControl settings. The logmessagespecifies the action taken, headerandmessage ID.
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" (SIP-ALG-00)
—
28FF0008 INFO Proxy /SIP
SIP IPSmatch
IPS match Intrusion Prevention Service (IPS)detected an intrusion threat. Thelogmessage specifies thesignature ID, threat severity,signature name, signaturecategory, destination host nameand URI path.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDPHeader Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow"(SIP-ALG-00)
—
28FF0009 INFO Proxy /SIP
SIP Appmatch
Applicationmatch
Application Control identified anapplication from the transaction.The logmessage specifies theaction taken, the application nameand ID, application category nameand ID, and the applicationbehavior name and ID.
Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060msg="ProxyDrop: SIP Appmatch" proxy_act="SIP-Client.1" signature_id="12"app_name="SIP" beh_name="communicate" app_msg="Applicationmatched.application name: SIP; behavior name:communicate" (SIP-ALG-00)
—
1BFF0000 INFO Proxy /SMTP
SMTPgreeting
Greeting The host name in the SMTP proxyHELO or EHLO commandmatched one of the GreetingRules, or the default rule of nomatch.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)
—
1BFF0001 INFO Proxy / SMTP ESMTP The EHLO response from the Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 —
Proxy Policy LogMessages
Log Catalog 66
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
SMTP ESMTPoption
option SMTP server includes an ESMTPoption that is disabled or unknown.
msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1"keyword="VRFY" (SMTP-proxy-00)
1BFF0002 INFO Proxy /SMTP
SMTPAUTH
Authentication(AUTH)
The EHLO response from theSMTP server included anauthentication type that matches aconfigured authentication rule. Thelogmessage specifies the proxyaction, the rule name, the actiontaken, and the authentication type.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)
—
1BFF0003 INFO Proxy /SMTP
SMTPheader
Header A MIME header matched aconfigured rule, or the default ruleof nomatch.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft ExchangeV6.0.6603.0" (SMTP-proxy-00)
—
1BFF0004 INFO Proxy /SMTP
SMTP Fromaddress
From address The sender address matched a rulespecified in theMail From rules.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)
—
1BFF0005 INFO Proxy /SMTP
SMTP Toaddress
To address The recipient address matched arule specified in the Rcpt To rules.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)
—
1BFF0006 INFO Proxy /SMTP
SMTPcontent type
Content type Some of themessage contentmatched a content filter rule.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0007 INFO Proxy /SMTP
SMTPfilename
Filename An email attachment matched a filename rule, or the attachment isuuencoded and the SMTP proxyallows uuencoded attachments.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 67
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1BFF000A INFO Proxy /SMTP
SMTPtimeout
Timeout The SMTP connection was idle forlonger than the configured idletimeout limit. The default is 10minutes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60"(SMTP-proxy-00)
—
1BFF000C INFO Proxy /SMTP
SMTP Virusfound
GAV Virusfound
Gateway AntiVirus (GAV) detecteda virus or malware in an emailattachment.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)
—
1BFF000E INFO Proxy /SMTP
SMTPcannotperformGateway AVscan
GAV cannotperform scan
Gateway AntiVirus (GAV) couldnot complete the scan because ofthe error that is specified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"error="scan request failed" filename="message.scr" (SMTP-proxy-00)
—
1BFF000F INFO Proxy /SMTP
SMTPrequest
Request This SMTP audit log specifies thebytes sent, bytes received, thesender and recipient addresses,and the sender and recipient TLScipher.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25msg="SMTPrequest" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282"sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard"(SMTP-proxy-00)
—
1BFF0010 INFO Proxy /SMTP
SMTPmessageformat
Messageformat
The email message formatmatched amessage format rulespecified in the SMTP proxy. Thelogmessage includes the errormessage.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]"recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0011 INFO Proxy /SMTP
SMTP IPSmatch
IPS match Intrusion Prevention Service (IPS)detected a threat. The logmessagespecifies the signature name andID, threat severity, and signaturecategory.
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (SMTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 68
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1BFF0013 INFO Proxy /SMTP
SMTP toomanyrecipients
Toomanyrecipients
The number of email recipientsspecified in the email messageexceeds the configured limit. Thedefault limit is 99 for inboundmessages and unlimited foroutboundmessages. The logmessage specifies the proxyaction and number of recipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25msg="ProxyDeny: toomany recipients" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]"recipients="[email protected];[email protected]" (SMTP-proxy-00)
—
1BFF0014 INFO Proxy /SMTP
SMTPresponsesize too long
Responsesize too long
The SMTP server responseexceeds the configured limit. Thedefault limit is 10,000 KB. The logmessage specifies the size of theresponse.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1"response_size="5030" (SMTP-proxy-00)
—
1BFF0015 INFO Proxy /SMTP
SMTP linelength toolong
Line too long The email message contains a linethat exceeds the configured limit.The default is 1,000 bytes. The logmessage specifies the line length.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1"line_length="32110" (SMTP-proxy-00)
—
1BFF0016 INFO Proxy /SMTP
SMTPmessagesize too long
Message toolong
The SMTP message lengthexceeds the configured limit. Thedefault limit is 10,000 kb.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1"size="16384" (SMTP-proxy-00)
—
1BFF0017 INFO Proxy /SMTP
SMTPheader sizetoo long
Header toolong
The SMTP message contains aheader that exceeds the configuredMaximum Header Length. Thedefault is 20,000 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1"headers_size="12157" (SMTP-proxy-00)
—
1BFF0018 INFO Proxy /SMTP
SMTPcommand
Command The SMTP request contains acommand that is not supported oris not valid for the emailtransaction. The logmessagespecifies the proxy action, actiontaken, SMTP command, and the
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1"keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 69
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
response code.
1BFF0019 INFO Proxy /SMTP
SMTPClassified asconfirmedSPAM
spamBlockerconfirmedspam
spamBlocker has classified themessage as confirmed SPAM. Thelogmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001A INFO Proxy /SMTP
SMTPClassified asbulk mail
spamBlockerbulk spam
spamBlocker has classified themessage as bulk SPAM. The logmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001B INFO Proxy /SMTP
SMTPClassified assuspectSPAM
spamBlockersuspect spam
spamBlocker has classified themessage as suspect SPAM. Thelogmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001C INFO Proxy /SMTP
SMTPClassified asnot SPAM
spamBlockernot SPAM
spamBlocker has classified themessage as not SPAM. The logmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 70
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1BFF001D INFO Proxy /SMTP
SMTPmessageclassificationis unknownbecause anerroroccurredwhileclassifying
spamBlockerclassificationunknown
spamBlocker was unable toclassify the email messagebecause of an error. The logmessage specifies the sender andrecipient addresses.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25msg="ProxyDeny: SMTP message classification is unknown because an erroroccurred while classifying" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001E INFO Proxy /SMTP
SMTPspamBlockerexceptionwasmatched
spamBlockerexceptionmatched
The sender or recipient of the emailmessagematches a spamBlockerexception specified in the SMTPproxy.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type=""sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001F INFO Proxy /SMTP
SMTP Anerror wasfound by ourdecoder
Decoder error The SMTP proxy was unable todecode the email message due tothe error specified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)
—
1BFF0021 INFO Proxy /SMTP
SMTP extrapadcharacters inbase64 input
Extra padcharacters inbase64encoding
The SMTP proxy encounteredextra pad characters when thebody of the base64-encodedmessage was processed.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)
—
1BFF0022 INFO Proxy /SMTP
SMTP MailFromaddress toolong
Mail fromaddress toolong
A sender email address exceededthe configuredmaximum addresslength. The address length isunlimited by default.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1"address="[email protected]"length="56" response="553" (SMTP-proxy-00)
—
1BFF0023 INFO Proxy /SMTP
SMTP Appmatch
Applicationmatch
Application Control identified theapplication in themail messagethat is specified in the log
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25msg="ProxyDrop: SMTP Appmatch" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1"
—
Proxy Policy LogMessages
Log Catalog 71
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
message. app_beh_name="access" app_beh_id="6" (SMTP-proxy-00)
1BFF0024 INFO Proxy /SMTP
SMTP DLPviolationFound
DLP violationfound
Data Loss Prevention (DLP)detected the rule violation that isspecified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1"dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA"sender="[email protected]" recipients="wg@localhost" filename="ssn.docx"(SMTP-proxy-00)
—
1BFF0025 INFO Proxy /SMTP
SMTPcannotperform DLPScan
DLP cannotperform scan
Data Loss Prevention (DLP) isunable to scan because of the errorspecified in the logmessage.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"error="scan request failed" filename="message.scr" (SMTP-proxy-00)
—
1BFF0026 INFO Proxy /SMTP
SMTP DLPobjectunscannable
DLP cannotscan object
Data Loss Prevention (DLP) isunable to extract data from anobject because the object isencrypted.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (Filewas encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0027 INFO Proxy /SMTP
SMTP DLPobject toolarge
DLP objecttoo large
The file requested for Data LossPrevention (DLP) analysis is largerthan the configured limit. Thedefault value varies by platform,from one to fiveMB. The logspecifies the DLP sensor nameand error message.
May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" error="DLP scanlimit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)
—
1BFF0028 INFO Proxy /SMTP
SMTP APTdetected
APT threatdetected
APT Blocker found the threatspecified in the logmessage in anattached file.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost"filename="ecc59a46b439bdf63b058964e29ace0c"md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 72
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
1BFF002A INFO Proxy /SMTP
SMTP Filesubmitted toAPTanalysisserver
File submittedto APTanalysisserver
File submitted to APT analysisserver for deep threat analysis. Theanalysis result will be notified whenthe analysis result is fetched fromAPT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
—
1BFF002B INFO Proxy /SMTP
SMTP Filereported safefrom APThash check
File reportedsafe from APThash check
APT hash check did not report athreat from the object
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost"filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
—
1BFF002C INFO Proxy /SMTP
SMTPinvalid TLSprotocol
Protocolinvalid
The SMTP proxy detected invalidTLS protocol.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1"(SMTP-proxy-00)
—
2DFF0000 INFO Proxy /TCP-UDP
IP Request Request TCP-UDP transaction log for thetraffic that is configured to allow ordeny.
Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80msg="IPRequest" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)
—
2DFF0001 INFO Proxy /TCP-UDP
IP IPSmatch
IPS match Intrusion Prevention Service (IPS)detected an intrusion threat inTCP-UDP proxy traffic. The logmessage specifies the actiontaken, signature ID, threatseverity, signature name, andsignature category.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1"signature_id="1110070" severity="4" signature_name="DOS Apachemod_sslHTTPS Request DOS -1" signature_cat="Dos/DDoS" (TCP-UDP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 73
ID Level Area NameLog MessageExample Log Message Example Description
MessageVariables
2DFF0004 INFO Proxy /TCP-UDP
IP protocol Protocol The TCP-UDP proxy recognizedthe protocol. The logmessagespecifies the action taken, and therule name.
Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)
—
2DFF0005 INFO Proxy /TCP-UDP
IP Appmatch
Applicationmatch
Application Control identified theapplication type from the TCP-UDP proxy traffic. The logmessage specifies the actiontaken, the application name andID, the application category nameand ID, and the applicationbehavior and ID.
Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53msg="ProxyAllow: IPAppmatch" proxy_act="TCP-UDP-Proxy.1" app_cat_name="NetworkManagement" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (TCP-UDP-proxy-00)
—
Proxy Policy LogMessages
Log Catalog 74
Management Log MessagesManagement logmessages are generated for activity on your Firebox. This includes when changes aremade to the device configuration and DeviceManagement user accounts, for user authentication to theFirebox, and actions related to LiveSecurity and system settings.
DiagnosticManagement logmessages of theDebug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
55010010 INFO Management/ System
USB driveformat
— USB drive format operationwas %s
USB drive format operationwas successful
USB drive format ${result}
55010014 INFO Management/ System
Generatesystemdiagnostic filefailed
— Generate system diagnosticfile to%s failed
Generate system diagnosticfile to USB drive failed
Generate system diagnostic fileto ${device} failed
55010015 INFO Management/ System
Periodic supportsnapshot isenabled
— System periodic supportsnapshot is enabled
System periodic supportsnapshot is enabled
—
55010017 INFO Management/ System
Generatesystemdiagnosticsuccessfully
— Exported system diagnosticfile to%s successfully
Exported system diagnosticfile to server successfully
Generate system diagnostic fileto ${device} successfully
55010018 INFO Management/ System
Reset to thedefaultconfigurationfailed
The default configuration settings were notrestored after a system reset.
Reset to the defaultconfiguration failed when thedevice was rebooted.
Reset to the defaultconfiguration failed when thedevice was rebooted.
5501000C INFO Management/ System
Device restorefailed
Device auto restore from a specific image ina USB drive disc or normal restore from anormal image failed
Device%s restore from%simage failed due to%s
Device auto restore from USBdrive image failed due to USBdrive not found
Device ${restore_type} restorefrom ${image_source} imagefailed for ${reason}
Management LogMessages
Log Catalog 75
ID Level Area Name Log Message Example Description Format Message Variables
5501000D INFO Management/ System
Creating USBauto restoreimage failed
— Creation of USB auto restoreimage failed due to%s
Creation of USB auto restoreimage failed due to no USBdrive
Creation of USB auto restoreimage failed: ${reason}
5501001B INFO Management/ System
System backupfailed
— System backup%s faileddue to%s.
System backup to USB drivefailed due to write file to USBdrive error
System backup ${dest device}failed: ${reason}
5501001C INFO Management/ System
USB autorestore failedreason
— USB auto restore failed dueto%s
USB auto restore failed due tonot detect the USB drive
USB auto restore failed for${reason}
Management LogMessages
Log Catalog 76
EventManagement logmessages of theEvent log type.
ID Level Area Name Log Message Example Description Format Message Variables
3E000002 INFO Management /Accounting
User loginsucceeded
Management user admin from 10.0.1.2logged in
A user successfully logged in. The logmessage specifies the user type, user name,and IP address.
%s %s%s%s from%slogged in%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} logged in${virtual_ip} ${msg}
3E000004 INFO Management /Accounting
User logout Management user admin from 10.0.1.2logged out
A user successfully logged out. The logmessage specifies the user type, user name,and IP address.
%s %s%s%s from%slogged out%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} logged out${virtual_ip} ${msg}
3E000003 WARN Management /Accounting
User login failed Management user admin from 10.0.1.2log in attempt was rejected.
A user log in attempt failed. The logmessagespecifies the user type, user name, IPaddress, and the failure reason, if available.
%s %s%s%s from%slog in attempt wasrejected%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} rejected${virtual_ip} ${msg}
11000003 INFO Management /Authentication
Authenticationserverunavailable
Authentication server 192.168.1.1:389is not responding
The external authentication server is notavailable.
Authentication server%s:%d is notresponding
—
Management LogMessages
Log Catalog 77
ID Level Area Name Log Message Example Description Format Message Variables
11000004 INFO Management /Authentication
Userauthenticationsucceeded
Authentication of firewall user[user1@Firebox-DB] from 198.51.100.2was accepted
The user successfully authenticated. The logmessage specifies whether this is anadministrative user, a firewall user, or anothertype of user.
Authentication of %suser [%s@%s] from%swas accepted
Authentication of${user_type} user[${user_name}@${auth_server}] from${ipaddr} wasaccepted.
11000006 INFO Management /Authentication
User unlock User test is unlocked automatically It indicates a user unlock and how he/she isunlocked
User%s is unlocked%s User ${name} isunlocked ${how}
11000010 INFO Management /Authentication
Fireboxconnected toSSO agent
Firebox connected to the SSO agent at10.0.1.25 successfully.
Firebox connected to the SSO agentsuccessfully
Firebox connected to theSSO agent at %ssuccessfully.
—
11000011 INFO Management /Authentication
Firebox closedthe connection
Firebox closed the connection to theSSO agent at 10.0.1.25.
Firebox closed the connection to the SSOagent.
Firebox closed theconnection to the SSOagent at %s.
—
11000012 INFO Management /Authentication
Firebox failed toconnect to theSSO agent
Firebox failed to connect to the SSOagent at 10.0.1.25. Reason: timeout.
Firebox failed to connect to the SSO agent. Firebox failed to connectto the SSO agent at %s.Reason: %s.
—
11000013 INFO Management /Authentication
Successful SSOagent failover
SSOAgent failover from 10.0.1.25 to10.0.1.26 was successful.
Successful SSO agent failover. SSOAgent failover from%s to%s wassuccessful.
—
11000014 INFO Management /Authentication
UnsuccessfulSSO failover
SSO agent failover from 10.0.1.25 to10.0.1.26 failed. Reason: incompatibleSSO agent version.
Unsuccessful SSO failover. SSO agent failover from%s to%s failed.Reason: %s.
—
11000005 WARN Management /Authentication
Userauthenticationfailed
Authentication of Firewall user[test@RADIUS] from 10.0.1.2 wasrejected, received an Access-Rejectresponse from the RADIUS server
User authentication failed. The logmessagespecifies the reason.
Authentication of %suser [%s@%s] from%swas rejected, %s
Authentication of${user_type} user[${user_name}@${auth_server}] from ${ip_
Management LogMessages
Log Catalog 78
ID Level Area Name Log Message Example Description Format Message Variables
addr} was rejected,${reason}
11000007 WARN Management /Authentication
user lock User test is locked out briefly after 3login failures
It indicates a user lockout and how and whyhe/she is locked out
User%s is locked out%s after %d loginfailures
User ${name} islocked out${lockout_type}after ${failure_count} login failures
11000008 WARN Management /Authentication
BOVPN TLSclientauthenticationfailed
Authentication of BOVPN TLS client[EasternOffice] from 198.51.100.2 wasrejected, pre-shared key is incorrect
BOVPN TLS client authentication failed. Thelogmessage specifies the reason.
Authentication ofBOVPN TLS client [%s]from%s was rejected,%s
Authentication ofBOVPN TLS client[${client_name}]from ${ip_addr}was rejected,${reason}
1100000C WARN Management /Authentication
Authenticationerror
Authentication error. Domain not foundfor user1.
Authentication failed. The logmessagespecifies the reason.
Authentication error. %sfor%s.
Authenticationerror. ${error} for${user_name}.
1100000D WARN Management /Authentication
Authenticationserverunavailable
Authentication of user[[email protected]] failed. Bothprimary and secondary servers areunavailable.
Authentication failed because both the primaryand secondary authentication servers areunavailable.
Authentication of user[%s@%s] failed. Bothprimary and secondaryservers are unavailable.
—
1100000E WARN Management /Authentication
UnsupportedRADIUS method
Authentication of firewall user[user1@RADIUS] failed. RADIUSauthenticationmethodMSCHAP_V1 isnot supported.
Authentication failed because the specifiedRADIUS method is not supported.
Authentication of %suser [%s@%s] failed.RADIUS authenticationmethod%s is notsupported.
—
1100000F WARN Management /Authentication
Groupsmaximumreached
Themaximum number of groups (31)has been reached
Authentication failed because themaximumnumber of groups has been reached.
Themaximum numberof groups (%d) has beenreached
—
Management LogMessages
Log Catalog 79
ID Level Area Name Log Message Example Description Format Message Variables
40010002 ERROR Management /Certificate
CA certificateupdated failed
CA certificate update failed. Current CAcertificate version: 1.2.
CA certificate updated failed. CA certificate updatefailed. Current CAcertificate version: %s.
CA certificateupdate failed.Current CAcertificate version:${current CAversion number}.
40010001 INFO Management /Certificate
CA certificateupdatedsuccessfully
CA certificate updated successfully toversion 1.3.
The CA certificate updated successfully to thespecified new version.
CA certificate updatedsuccessfully to version%s.
CA certificateupdatedsuccessfully toversion ${new CAversion number}.
01010001 INFO Management /Configuration
Deviceconfigurationchange
Management user admin@Firebox-DBfrom 10.139.36.22 {modified | added |deleted } Blocked Sites Exceptions
The device configuration has been changed. Management user%s@%s from%s %s%s %s
Management user${user}@${domain}from ${ipaddr}${operation}${subsystem}${object}
01010002 INFO Management /Configuration
Administrativeaccounts resetto default
Administrative accounts were reset tothe default settings
The administrative accounts were returned tothe default settings. This could be because thesystem is in safemode, or because of acorrupted administrative account file.
Administrative accountswere reset to the defaultsettings
—
01020001 INFO Management /Configuration
Feature keyadded
admin added feature key'883B25CCF32949EE'
An administrator added a feature key. The logmessage specifies the feature key ID.
%s added feature key'%s'
—
01020002 INFO Management /Configuration
Feature keyremoved
admin removed feature key'883B25CCF32949EE'
An administrator has removed a feature key.The logmessage specifies the feature key ID.
%s removed feature key'%s'
—
01020005 INFO Management /Configuration
Featureexpirationreminder
'LIVESECURITY' feature will expire in90 days.
A feature will soon expire. The logmessagespecifies the feature and the number of daysuntil it expires.
'%s' feature will expire in%d days.
—
01040001 INFO Management / Default device Device default configuration was The device configuration was reset to the Device default —
Management LogMessages
Log Catalog 80
ID Level Area Name Log Message Example Description Format Message Variables
Configuration settings in usefor safemode
loaded in safemode default settings because the device is in safemode.
configuration wasloaded in safemode
01020003 WARN Management /Configuration
Feature expired — '%s' feature expired. Contact WatchGuard torenew your subscription.
'LIVESECURITY'feature expired. ContactWatchGuard to renewyour subscription.
5D000001 ERROR Management /DeviceFeedback
Cloud upgradefailed
Failed to finish system upgraderequested by cloud
Firebox failed to upgrade firmware requestedby WatchGuard cloud.
Failed to finish systemupgrade requested bycloud
—
5D000002 INFO Management /DeviceFeedback
Cloud upgradesuccess
System upgraded from 12.2.1 to 12.3requested by cloud
Firebox successfully upgraded firmwarerequested by WatchGuard cloud.
System upgraded from%s to%s requested bycloud
—
41000002 ERROR Management /LiveSecurity
RapidDeployfailed
RapidDeploy package was not applied:Cannot find result.xml
The RapidDeploy package was not applied tothe device. The logmessage specifies thereason.
RapidDeploy packagewas not applied: %s
RapidDeployfailed: ${reason}
41000004 ERROR Management /LiveSecurity
New RSS feedupdate failed
New RSS feed from LiveSecurityService was not updated: errorretrieving response from server
New RSS feed from the LiveSecurity Servicefailed to update.
New RSS feed fromLiveSecurity Servicewas not updated: %s
—
41000006 ERROR Management /LiveSecurity
Feature keydownload failed
Feature key from LiveSecurity Servicewas not received: error parsingresponse from LiveSecurity service
The feature key could not be downloaded fromthe LiveSecurity Service. The logmessagespecifies the reason.
Feature key fromLiveSecurity Servicewas not received: %s
—
41000008 ERROR Management /LiveSecurity
Wireless countryspecificationupdate failed
Wireless country specification fromLiveSecurity Service was not received:received error code <n> from LSS
Thewireless country specification could not bedownloaded from the LiveSecurity service. Thelogmessage specifies the failure reason andthe number of retries.
Wireless countryspecification fromLiveSecurity Servicewas not received: %s,(retry_count=%d)
—
41010002 ERROR Management /LiveSecurity
RapidDeployconfigurationfrom USB failed
RapidDeploy configuration from aUSBdrive was not applied: config linemissing
The RapidDeploy configuration was notsuccessfully applied from aUSB drive. The logmessage specifies the reason.
RapidDeployconfiguration from a
—
Management LogMessages
Log Catalog 81
ID Level Area Name Log Message Example Description Format Message Variables
USB drive was notapplied: %s
41000001 INFO Management /LiveSecurity
RapidDeploysucceeded
RapidDeploy package was appliedsuccessfully
The RapidDeploy package from theLiveSecurity service was successfully appliedto the device.
RapidDeploy packagewas appliedsuccessfully
—
41000003 INFO Management /LiveSecurity
New RSS feedupdatesucceeded
New RSS feed from LiveSecurityService was updated
New RSS feed from the LiveSecurity Servicewas updated.
New RSS feed fromLiveSecurity Servicewas updated
—
41000005 INFO Management /LiveSecurity
Feature keydownloadsucceeded
Feature key from LiveSecurity Servicewas received
The feature key for the device wassuccessfully downloaded from theLiveSecurity Service.
Feature key fromLiveSecurity Servicewas received
—
41000007 INFO Management /LiveSecurity
Wireless countryspecificationupdatesucceeded
Wireless country specification wasupdated
The wireless country specification wassuccessfully updated from the LiveSecurityservice.
Wireless countryspecification wasupdated
—
41010001 INFO Management /LiveSecurity
RapidDeployconfigurationfrom USBsucceeded
RapidDeploy configuration from aUSBdrive was applied successfully
The RapidDeploy configuration wassuccessfully applied from aUSB drive.
RapidDeployconfiguration from aUSB drive was appliedsuccessfully
—
3D040001 INFO Management /Logging
Primary LogServerconnected
Connected to the primary Log Server at198.51.100.0
The device successfully connected to theWatchGuard Log Server designated as theprimary server.
Connected to theprimary Log Server at%s
—
3D040002 INFO Management /Logging
Backup LogServerconnected
Connected to the backup Log Server at198.51.100.0
The device successfully connected to theWatchGuard Log Server designated as thebackup server.
Connected to thebackup Log Server at%s
—
15000000 INFO Management /ManagementClient
Deviceconfigurationupdate with audittrail
The configuration file and feature keyfor the device were successfullyupdated after a request from admin from
The updated configuration file wassuccessfully sent to the device from thespecifiedManagement Server. The log
The configuration file%sfor the device%ssuccessfully updated
—
Management LogMessages
Log Catalog 82
ID Level Area Name Log Message Example Description Format Message Variables
theManagement Server at10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcpsegment.
message indicates if the feature key wasupdated. The logmessagemight also specifythe revision ID and includes comments aboutthe update.
after a request from%sfrom theManagementServer at%s.%s%s%s%s.
15000001 INFO Management /ManagementClient
Deviceconfigurationupdate
Device configuration file wassuccessfully updated. Configuration fileretrieved from theManagement Serverat 10.139.44.88.
The device retrieved an updated configurationfile from the specifiedManagement Server.The logmessage also indicates if deviceretrieved a feature key.
Device configuration file%s successfullyupdated. Configurationfile retrieved from theManagement Server at%s.
—
15010000 INFO Management /ManagementClient
IPSec certificateimport
The IPSec certificate was successfullyimported from theManagement Serverat 10.139.44.88.
The IPsec certificate was successfullyimported from the specifiedManagementServer.
The IPSec certificatewas successfullyimported from theManagement Server at%s.
—
15010001 INFO Management /ManagementClient
ManagementServer CAcertificate import
TheManagement Server CA certificatewas successfully imported from theManagement Server at 10.139.44.88.
TheManagement Server CA certificate wassuccessfully imported from the specifiedManagement Server.
TheManagement ServerCA certificate wassuccessfully importedfrom theManagementServer at %s.
—
58000001 INFO Management /NTP
System timechanged
System time changed to 2012-08-2908:20:00 by NTP
The system time was changed by the NTPprocess.
System time changed to%s by NTP
—
55010002 ERROR Management /System
LIVESECURITYfeature not found
Valid 'LIVESECURITY' feature notfound
— Valid 'LIVESECURITY'feature not found
—
55010003 ERROR Management /System
LIVESECURITYexpired
'LIVESECURITY' feature expired (TueMay 14 12:25:00 2013) prior to packagerelease date (WedMay 15 01:00:002013 )
— 'LIVESECURITY'feature expired (%s)prior to package releasedate (%s)
'LIVESECURITY'feature expired(${expiration time})prior to packagerelease date(${package release
Management LogMessages
Log Catalog 83
ID Level Area Name Log Message Example Description Format Message Variables
time})
55010000 INFO Management /System
Bootup time System boot up at 2000-01-01 00:00:01 — System boot up at %s System boot up at${time}
55010004 INFO Management /System
Shutdown Shutdown requested by system — Shutdown requested bysystem
—
55010005 INFO Management /System
Reboot System is rebooting — System is rebooting —
55010006 INFO Management /System
Upgradesucceeded
System upgrade to 11.9 successful,system needs to reboot
— System upgrade to%ssuccessful, %s
System upgrade to${software version}successful ${boxneed reboot or not}
55010007 INFO Management /System
Automatic reboot System is automatically rebooting at12:09
— System is automaticallyrebooting at %d:%d
System isautomaticallyrebooting at${hour}:${second}
55010008 INFO Management /System
Time change System time changed from 2012-10-512:30:15 to 2012-10-6 14:10:00
— System time changedfrom%s to%s
System timechanged from ${oldvalue} to ${newvalue}
55010013 INFO Management /System
USB autorestore started
USB auto restore started — USB auto restorestarted
—
55010016 INFO Management /System
Featureexpirationreminder
'LIVESECURITY' feature will expire onSat., Jan 5, 11:27:23 CST 2013.
— 'LIVESECURITY'feature will expire on%s
'LIVESECURITY'feature will expireon ${expirationtime}
55010020 INFO Management /System
Backupsucceeded
System backup succeeded — System backupsucceeded
—
Management LogMessages
Log Catalog 84
ID Level Area Name Log Message Example Description Format Message Variables
55010021 INFO Management /System
Device restoresuccess
Device auto restore from USB drivesucceeded
Device auto restore from a specific image inUSB drive or normal restore from a normalimage
Device%s restore from%s image succeeded
Device ${restore_type} restore from${image_source}image succeeded
55010022 INFO Management /System
USB autorestore imagecreated
USB auto restore image successfullycreated
— USB auto restore imagesuccessfully created
—
5501000B INFO Management /System
Device restore Device auto restore from USB driveimage initiated, reboot needed
Device was restored from a saved backupimage. The backup image was either autorestored from aUSB drive or restored fromanother location.
Device%s restore from%s image initiated%s
Device ${restore_type} restore from${image_source}imageinitiated${reboot_option}
5501001D INFO Management /System
Logo uploadsucceeded
Upload of logo succeeded — Upload of logosucceeded
—
55010019 WARN Management /System
Configurationreset failedduring adowngrade
During a system downgrade, theconfiguration reset failed
— During a systemdowngrade, theconfiguration reset failed
—
5501001A WARN Management /System
Upgrade failed System upgrade failed:'LIVESECURITY' feature expired
— System upgrade failed:%s
System upgradefailed: ${reason}
50000001 WARN Management /Web Service
User login failed(wgagent)
WSMUser status from 10.0.1.2 log inattempt was rejected - Invalidcredentials.
A user log in attempt failed. The logmessagespecifies the UI type, User Name, IP address,and (if available) the failure reason.
%s %s@%s from%slog in attempt wasrejected -%s.
%{ui_type} ${user_name}@${auth_server} from${ipaddr} log inattempt wasrejected ${msg}.
Management LogMessages
Log Catalog 85
FireCluster Log MessagesFireCluster logmessages are for events related to your Fireboxes that aremembers of a FireCluster. This includes actions related tomanagement of the FireCluster, operational errors of cluster members, eventsthat occur on cluster members, and changes to the status of a cluster member.
DiagnosticFireCluster logmessages of theDebug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
3A00000C ERROR Cluster /EventMonitoring
VRRPinitializationfailed
Initialization of Virtual Router Redundancy Protocol(VRRP) failed.
Cluster VRRPinitialization failed
Cluster VRRP initializationfailed
—
3A000002 INFO Cluster /EventMonitoring
VRRP enabled Virtual Router Redundancy Protocol (VRRP) is nowenabled for this Active/Passive Cluster.
VRRP is now enabledfor Cluster.
VRRP is now enabled forCluster.
—
3A000004 INFO Cluster /EventMonitoring
VRRP startmaster
VRRP started in master state. Virtual Router withcluster ID %d started inmaster state.
Virtual Router with clusterID 1 started in masterstate.
3A000005 INFO Cluster /EventMonitoring
VR shutdown Virtual Router returned to initial state. Virtual Router withcluster ID %d returnedto initial state.
Virtual Router with clusterID 1 returned to initialstate.
Virtual Router with clusterID ${id} returned to initialstate
3A000006 INFO Cluster /EventMonitoring
VR pause Virtual Router becomes backup due to a pause event. Virtual Router withcluster ID %d becomesbackup on pause event
Virtual Router with clusterID 1 becomes backup onpause event
Virtual Router with clusterID ${id} becomes backupon pause event
3A000007 INFO Cluster /EventMonitoring
VR resume Virtual Router becomes master due to a resume event. Virtual Router withcluster ID %d becomesmaster on resume event
Virtual Router with clusterID 1 becomes master onresume event
Virtual Router with clusterID ${id} becomes masteron resume event
FireCluster LogMessages
Log Catalog 86
ID Level Area Name Log Message Example Description Format Message Variables
3A000008 INFO Cluster /EventMonitoring
VR backupstate
Virtual Router state changed frommaster to backup Virtual Router withcluster ID %d statechanged frommaster tobackup
Virtual Router with clusterID 1 state changed frommaster to backup
Virtual Router with clusterID ${id} state changedfrommaster to backup
3A00000A INFO Cluster /EventMonitoring
VR notificationgap
Member Virtual Router changed state tomaster due tonotification gap from current master
Member%s VirtualRouter with cluster ID%d changed state tomaster due to%dsecond notification gapfrom current masterwith IP %s
Member 80B20002E5BCDVirtual Router with clusterID 1 changed state tomaster due to 3 secondnotification gap fromcurrent master with IP10.0.4.1
Member ${member} VirtualRouter with cluster ID ${id}changed state tomasterdue to ${value} secondnotification gap fromcurrent master with IP${ip}
3A00000B INFO Cluster /EventMonitoring
VRRP masterstate
Virtual Router state changed tomaster Virtual Router withcluster ID %d statechanged tomaster
Virtual Router with clusterID 1 state changed tomaster
Virtual Router with clusterID ${id} state changed tomaster
38000002 ERROR Cluster /Management
DHCPoverwrite
A DHCP server has attempted to assign an IP addressto cluster member on the Cluster Interface. This logmessage recommends the admin isolate the Clusterinterface network from the DHCP server, and specifiesthe interface number and IP address the clusterattempted to assign to themember.
A DHCP server isinterfering with staticaddress assignment ofcluster IP address %son eth%d. DisableDHCP server access toeth%d.
A DHCP server isinterfering with staticaddress assignment ofcluster IP address 10.0.0.1on eth0. Disable DHCPserver access to eth5.
A DHCP server isinterfering with staticaddress assignment ofcluster IP ${ip} oneth${port}. Please disableDHCP server access toeth${port}.
38000003 INFO Cluster /Management
Clusterinterface up
Cluster interface link status changed to up. Cluster interface%s isup.
Cluster interface eth5 isup.
Cluster interface ${ifname}is up.
3800025C INFO Cluster /Management
Configurationupdate
Cluster member received an updated configurationfrom themaster. The logmessage specifies themember serial number and configuration versionnumber.
Cluster member%sreceived updatedconfiguration; version%d.
Cluster member80B20002E5BCDreceived updatedconfiguration; version 3.
Cluster member${member} receivedupdated configuration;version ${version}.
38000004 WARN Cluster /Management
Clusterinterface down
Cluster interface link status changed to down. Cluster interface%s isdown.
Cluster interface eth5 isdown.
Cluster interface ${ifname}is down
FireCluster LogMessages
Log Catalog 87
ID Level Area Name Log Message Example Description Format Message Variables
38000264 WARN Cluster /Management
Timesynchronizationfailure
The cluster master's attempt to synchronize time to acluster member failed
Cluster timesynchronization failed.
Cluster timesynchronization failed.
—
3B000001 INFO Cluster /Transport
Channel statuschange
The cluster communication channel between thespecifiedmembers changed state.
Cluster channel frommember%s tomasteris %s.
Cluster channel frommember 80B20002E5BCDtomaster is up
Cluster channel frommember ${member} tomaster is ${state}.
EventFireCluster logmessages of theEvent log type.
ID Level Area Name Log Message Example Description Format Message Variables
3A00000E INFO Cluster /EventMonitoring
VR enabled The Virtual Router representing thecluster is now enabled
Virtual Router withcluster ID %d isnow enabled
Virtual Router withcluster ID 1 is nowenabled
Virtual Router withcluster ID ${id} is nowenabled
3A00000F INFO Cluster /EventMonitoring
VR disabled The Virtual Router representing thecluster is now disabled
Virtual Router withcluster ID %d isnow disabled
Virtual Router withcluster ID 1 is nowdisabled
Virtual Router withcluster ID ${id} is nowdisabled
38000280 ERROR Cluster /Management
Device discoveryfailed
The cluster master was unable toissue a device discovery message.
Cluster master%swas unable to issuea device discoverymessage.
Cluster master80B20002E5BCD wasunable to issue a devicediscovery message.
Cluster master${master} was unableto issue a devicediscovery message.
3800027E ERROR Cluster /Management
Factory-default resetfailed
Failed to reset to factory-defaultsettings.
Failed to resetcluster member%sto factory-defaultsettings.
Failed to reset clustermember80B20002E5BCD tofactory-default settings.
Failed to resetmember ${member} tofactory-defaultsettings.
38000282 INFO Cluster /Management
Member ready to join Local member has FireClusterenabled and is ready to join.
Member%s isready to join thecluster.
Member80B20002E5BCD isready to join the cluster.
Member ${member} isready to join thecluster.
FireCluster LogMessages
Log Catalog 88
ID Level Area Name Log Message Example Description Format Message Variables
3800025A INFO Cluster /Management
Cluster enabled Cluster was enabled on thespecifiedmember.
Cluster enabled onmember%s.
Cluster enabled onmember80B20002E5BCD.
Cluster enabled onmember ${member}.
3800025B INFO Cluster /Management
Cluster disabled onmaster
Cluster disabled on the clustermember while it was the clustermaster.
Cluster disabled oncluster master%s.
Cluster disabled oncluster master80B20002E5BCD.
Cluster disabled oncluster master${master}.
38000278 WARN Cluster /Management
Cluster disabled The non-master member of thecluster will be reset to factorydefault-settings because FireClusteris disabled.
Cluster disabled.Non-mastermember%s will bereset to factory-default settings.
Cluster disabled. Non-master member80B20002E5BCD will bereset to factory-defaultsettings.
Cluster disabled. Non-master member%swill be reset tofactory-defaultsettings.
38000279 WARN Cluster /Management
Critical configurationchange
The non-master member of thecluster will be reset to factory-default settings due to a criticalconfiguration change. Aconfiguration change is critical if itwould cause themaster and backupmaster to lose the TCP connectionon the cluster interface.
Non-mastermember%s will bereset to factory-default settings dueto a critical clusterconfigurationchange.
Non-master member80B20002E5BCD will bereset to factory-defaultsettings due to a criticalcluster configurationchange.
Non-master member${member} will bereset to factorydefault-settings due toa critical clusterconfiguration change.
3800027A WARN Cluster /Management
Non-master memberremoved
The non-master member of theCluster will be reset to factory-default settings because it wasremoved from the cluster.
Non-master clustermember%s wasremoved fromcluster, and will bereset to factory-default settings.
Non-master clustermember80B20002E5BCD wasremoved from cluster,and will be reset tofactory-default settings.
Non-master clustermember%s wasremoved from cluster,and will be reset tofactory-defaultsettings.
FireCluster LogMessages
Log Catalog 89
ID Level Area Name Log Message Example Description Format Message Variables
39000007 ERROR Cluster /Operations
Failover due toWAI Themaster failed over to thespecifiedmember because thatmember has a higher health scorethan themaster.
Master%s failedover to member%s,which has a greaterWeighted AverageIndex.
Master80B20002E5BCD failedover to member80B20002E5BFE, whichhas a greaterWeightedAverage Index.
Master ${master}failover to member${member} withgreaterWeightedAverage Index.
39000019 ERROR Cluster /Operations
Failover due tointerface state change
A cluster failover event occurred dueto a change of interface state.
Cluster failover dueto interface%s link%s event.
Cluster failover due tointerface eth4 link downevent.
Cluster failover due tointerface ${ifname}link ${state} event.
3900000C ERROR Cluster /Operations
Synchronization failed Full state synchronization from themaster to the specifiedmemberfailed. Member state will not changeto BackupMaster.
Full statesynchronizationfrommaster%s tobackupmaster%sfailed.
Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFE failed.
Full statesynchronization frommaster ${master} tobackupmaster${member} failed.
3900000D ERROR Cluster /Operations
Synchronizationtimeout
Full state synchronization from themaster to the specifiedmembertimed out. Member state will notchange to BackupMaster.
Full statesynchronizationfrommaster%s tobackupmaster%stimed out.
Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFE timedout.
Full statesynchronization frommaster ${master} tobackupmaster${member} timed out.
3900000F ERROR Cluster /Operations
Failover due to link-down
Cluster failover due to a link failureon the current master, which nowhas a health index lower than thebackupmaster. The logmessagespecifies which interface has thelink down.
Master%s failed-over to member%sdue to a link-downevent on interface%s.
Master80B20002E5BCD failed-over to member80B20002E5BFE due toa link-down event oninterface eth3.
Master ${master}failed-over to member${member} due to alink-down event oninterface ${ifname}.
39000005 INFO Cluster /Operations
Member promoted tomaster
The specifiedmember has becomemaster.
Member%s is nowmaster.
Member80B20002E5BCD isnow master.
Member ${member} isnow master.
FireCluster LogMessages
Log Catalog 90
ID Level Area Name Log Message Example Description Format Message Variables
39000010 INFO Cluster /Operations
Member role change The cluster member changed to thespecified role.
Member%schanged role to%s.
Member80B20002E5BCDchanged role to master
Member ${member}role changed to${role}.
39000011 INFO Cluster /Operations
Interface link statuschange
Specifiedmonitored interface linkstatus changed, which will changethe health index for themember.
Monitored interface%s link is %s.
Monitored interface eth0link is down.
Monitored interface${ifname} link is${state}.
39000012 INFO Cluster /Operations
New master The specifiedmember has takenover as master..
Member%s tookover as master frommember%s.
Member80B20002E5BCD tookover as master frommember80B20002E5BFE.
Member ${member}took over as masterfrommember${member}.
39000015 INFO Cluster /Operations
Failover initiated byadministrator
The administrator has initiated afailover.
Master%s initiatedfailover byadministratorrequest.
Master80B20002E5BCDinitiated failover byadministrator request.
Master ${master}initiated failover byadministratorrequest..
39000058 INFO Cluster /Operations
Member Role Change The role of the specified Clustermember changed.
Cluster member%schanged role from%s to%s.
Cluster member80B20002E5BCDchanged role from idle tobackupmaster
Cluster member${member} changedrole from ${role} to${role}.
3900000E INFO Cluster /Operations
Synchronizationsuccessful
Full state synchronization to thespecifiedmember was successful.Member status changed to backupmaster.
Full statesynchronizationfrommaster%s tobackupmaster%scompletedsuccessfully.
Full statesynchronization frommaster80B20002E5BCD tobackupmaster80B20002E5BFEcompleted successfully.
Full statesynchronization frommaster ${master} tobackupmaster${member} completedsuccessfully
FireCluster LogMessages
Log Catalog 91
ID Level Area Name Log Message Example Description Format Message Variables
39000003 WARN Cluster /Operations
Heartbeat lost The specified Cluster failed toreceive a heartbeat message.
Master%s detectedloss of heartbeatfrommember%s,cluster channel isup.
Master80B20002E5BFEdetected loss ofheartbeat frommember80B20002E5BCD,cluster channel is up.
Master ${master}detected loss ofheartbeat frommember ${member},cluster channel is up.
39000016 WARN Cluster /Operations
Cannot initiate failover The failover requested byadministrator cannot proceedbecause themaster has a higherhealth index, or the backupmaster isunreachable.
Cannot initiatefailover frommaster%s tomember%sdue to higherWeighted AverageIndex on currentmaster or backupmaster isunreachable.
Cannot initiate failoverfrommaster80B20002E5BCD tomember80B20002E5BFE due tohigherWeightedAverage Index oncurrent master or backupmaster is unreachable.
Cannot initiate failoverfrommaster ${master}to member ${member}due to higherWeighted AverageIndex on currentmaster or othermember isunreachable.
FireCluster LogMessages
Log Catalog 92
Security Services Log MessagesSecurity Services logmessages are generated for processes related to the Security Services configured on your Firebox. For the logmessages from Security Services traffic and events, review the proxy logmessages for the proxy policies where the Security Services are enabled. For more information, seeProxy Policy LogMessages on page 37.
EventSecurity Services logmessages of theEvent log type.
ID Level Area Name Log Message Example Description FormatMessageVariables
1F000001 ERROR Security Services /Gateway Anti-Virus
Process failed to start Cannot start ScanD ScanD -- Process failed to start Cannot start ScanD —
1F010015 INFO Security Services /Gateway Anti-Virus
Ready for service ScanD ready ScanD -- Ready for service ScanD ready —
2E000005 ERROR Security Services /Signature Update
Process exiting SIGD shutting down SIGD -- Process exiting SIGD shutting down —
2E000006 ERROR Security Services /Signature Update
Process crashed SIGD crashed SIGD -- Process crashed SIGD crashed —
2E010018 ERROR Security Services /Signature Update
Failed to start the signatureupdate for the specifiedservices
Cannot start the signature update for'IPS'
SIGD -- Failed to the startsignature update for the specifiedservices
Cannot start the signatureupdate for '%s'
—
2E010019 ERROR Security Services /Signature Update
Failed to check the availablesignature version on the server
Cannot complete the version check SIGD -- Failed to check theavailable signature version on theserver
Cannot complete theversion check
—
2E01001A ERROR Security Services /Signature Update
Signature update process failedto start
Cannot start the signature updateprocess
SIGD -- Signature update processfailed to start
Cannot start the signatureupdate process
—
2E01001B ERROR Security Services /Signature Update
Signature update processcrashed
SIGD Worker crashed SIGD -- Signature update processcrashed
SIGD Worker crashed —
Security Services LogMessages
Log Catalog 93
ID Level Area Name Log Message Example Description FormatMessageVariables
2E020067 ERROR Security Services /Signature Update
Signature update process forthe specified version failed
Manual DLP update for version(4.94)failed (Valid feature key not available)
SIGD -- Signature update processfor the specified version failed
%s %s update for version(%s) failed (%s)
—
2E020065 INFO Security Services /Signature Update
Signature update processstarted
Scheduled DLP update started SIGD -- Signature update processstarted
%s %s update started —
2E020066 INFO Security Services /Signature Update
Signature update processcompleted
Scheduled DLP update for version(4.94) completed
SIGD -- Signature update processcompleted
%s %s update for version(%s) completed
—
2E020069 INFO Security Services /Signature Update
Device has the latest signatureversion for the specified service
Device already has the latest DLPsignature version (4.94)
SIGD -- Device has the latestsignature version for specifiedservice
Device already has thelatest %s signature version(%s)
—
2E010017 WARN Security Services /Signature Update
License failed to load Cannot load the license SIGD -- License failed to load Cannot load the license —
23000001 ERROR Security Services /spamBlocker
Failed to start Cannot start spamD spamD -- Failed to start Cannot start spamD —
23000002 INFO Security Services /spamBlocker
Ready for service spamD ready spamD -- Ready for service spamD ready —
Security Services LogMessages
Log Catalog 94
VPN Log MessagesVPN logmessages are generated for processes related to the all VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.
AlarmVPN logmessages of theAlarm log type.
ID Level Area Name Log Message Example Description Format Message Variables
020B0001 INFO VPN /IPSEC
Tunnelstatuschanged
BOVPN tunnel 'tunnel.2' local172.16.12.81/255.255.255.255 remote172.16.13.204/255.255.255.255 under gateway'gateway.1' is down.
The status of theIPSec tunnel changedto up or down.
%s tunnel '%s' local %sremote%s undergateway '%s' is %s
${tunnel_type} tunnel '${tunnel}' local${local} remote ${remote} under gateway'$(gateway}' is ${status}
DiagnosticVPN logmessages of theDebug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
02000001 ERROR VPN /IPSEC
Defaultcertificate notfound
The default IPSec certificate is notinstalled on the device
The IPSec tunnel could not benegotiated because the defaultIPSec certificate is not installed oris not valid.
The default IPSeccertificate is not installed onthe device
—
02000002 ERROR VPN /IPSEC
Failed to readcertificate
Could not read [DSA | RSA]certificate with [n] ID
The IPSec tunnel could not benegotiated because the IPSeccertificate is not valid.
Could not read%scertificate with%d ID
Could not read ${cert_type} certificatewith ${id} ID
VPN LogMessages
Log Catalog 95
ID Level Area Name Log Message Example Description Format Message Variables
02030002 ERROR VPN /IPSEC
IKE Phase 1expectingmainmode
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received 'Aggressivemode' exchange type. Expectingmainmode.
IKE Phase 1 negotiation failedbecause of incorrect exchangetype in proposal from remotegateway. The logmessagespecifies the expected andreceived exchange type.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received '%s'exchange type. Expectingmainmode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received '${exchange_type}' exchange type. Expectingmainmode.
02030003 ERROR VPN /IPSEC
IKE Phase 1expectingaggressivemode
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received 'Mainmode'exchange type. Expectingaggressivemode.
IKE Phase 1 negotiation failedbecause of incorrect exchangetype in proposal from remotegateway. The logmessagespecifies the expected andreceived exchange type.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received '%s'exchange type. Expectingaggressivemode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received '${exchange_type}' exchange type. Expectingaggressivemode.
02030004 ERROR VPN /IPSEC
IKE Phase 1DH groupmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received DH group 2,expecting 14
IKE Phase 1 negotiation failedbecause of incorrect Diffe-Hellman group in proposal fromremote gateway. The logmessagespecifies the received andexpected group number.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received DHgroup%d, expecting%d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received DH group${received}, expecting ${expected}
02030005 ERROR VPN /IPSEC
IKE Phase 1hashmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received hash SHA1,expectingMD5
IKE Phase 1 negotiation failedbecause of incorrect hash type inproposal from remote gateway.The logmessage specifies thereceived and expected hash type.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received hash%s, expecting%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received hash ${received},expecting ${expected}
VPN LogMessages
Log Catalog 96
ID Level Area Name Log Message Example Description Format Message Variables
02030006 ERROR VPN /IPSEC
IKE Phase 1encryptionmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received encryption3DES, expecting AES
IKE Phase 1 negotiation failedbecause of incorrect encryptiontype in proposal from remotegateway. The logmessagespecifies the received andexpected encryption type.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedencryption%s, expecting%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received encryption${received}, expecting ${expected}
02030007 ERROR VPN /IPSEC
IKE Phase 1authenticationmethodmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received authenticationmethod PSK, expecting RSAcertificate
IKE Phase 1 negotiation failedbecause of incorrectauthenticationmethod in proposalfrom remote gateway. The logmessage specifies the receivedand expected authenticationmethods.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedauthenticationmethod%s,expecting%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received authenticationmethod ${received}, expecting${expected}
02030008 ERROR VPN /IPSEC
IKE Phase 1AES keylengthmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received AES key length128, expecting 256
IKE Phase 1 negotiation failedbecause of incorrect AES keylength in proposal from remotegateway. The logmessagespecifies the received andexpected AES key length.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received AES keylength%d, expecting%d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received AES key length${received}, expecting ${expected}
02030009 ERROR VPN /IPSEC
IKE Phase 1invalid firstmessage
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidmain/aggressivemode firstmessage. Check VPN IKEdiagnostic logmessages for moreinformation.
IKE Phase 1 negotiation failedbecause of invalid first messagereceived by local gateway. The logmessage specifies the reason.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmain/aggressivemode firstmessage. Check VPN IKEdiagnostic logmessages formore information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalidmain/aggressivemode first message.Check VPN IKE diagnostic logmessages for more information.
VPN LogMessages
Log Catalog 97
ID Level Area Name Log Message Example Description Format Message Variables
02030011 ERROR VPN /IPSEC
IKE Phase 1remotegateway IDmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Authentication failure duetomismatched ID setting
IKE Phase 1 negotiation failedbecause remote ID in gatewayconfiguration did not matchproposal from remote gateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Authenticationfailure due tomismatchedID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Authentication failure due tomismatched ID setting
02030012 ERROR VPN /IPSEC
IKE Phase 1pre-shared keyauthenticationfailure
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure
IKE Phase 1 negotiation failedbecause pre-shared key inproposal did not match gatewayconfiguration.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Pre-shared keyauthentication failure
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure
02030015 ERROR VPN /IPSEC
IKE Phase 1retry timeout
IKE phase-1 negotiation from172.16.12.81:500 to172.16.12.82:500 failed. Gateway-Endpoint='gateway.1'Reason=Message retry timeout.Check the connection between localand remote gateway endpoints.
IKE Phase 1 negotiation failedbecause of no response fromremote site.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Message retrytimeout. Check theconnection between localand remote gatewayendpoints.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Message retry timeout.Check the connection between localand remote gateway endpoints.
02030017 ERROR VPN /IPSEC
CA certificatenot available
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=NoCA certificate available
IKE phase-1 negotiation failedbecause no Certificate Authority(CA) certificate is available.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}
02030018 ERROR VPN /IPSEC
IKE Phase 1peer certificateCA is notsupported
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peercertificate is not issued by knowntrusted CA
IKE Phase 1 negotiation failedbecause peer certificate is notissued by a known and trustedCertificate Authority(CA).
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}
VPN LogMessages
Log Catalog 98
ID Level Area Name Log Message Example Description Format Message Variables
02030019 ERROR VPN /IPSEC
IKE Phase 1receivedcertificate withinvalid CAname
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received certificate withinvalid CA name
IKE Phase 1 negotiation failedbecause of invalid CertificateAuthority (CA) name in certificatefor remote gateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}
02030020 ERROR VPN /IPSEC
IKE Phase 1possibleshared secretmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Message decryption faileddue to possible shared secretmismatch
IKE Phase 1 negotiation failedbecause of possible shared keymismatch.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Messagedecryption failed due topossible shared secretmismatch
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Message decryption faileddue to possible shared secretmismatch
02030026 ERROR VPN /IPSEC
DSScertificate IDmismatch
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Authentication failure duetomismatched DSS certificate IDsetting
IKE Phase 1 negotiation failedbecause of mismatched DSScertificate ID setting.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Authenticationfailure due tomismatchedDSS certificate ID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Authentication failure due tomismatched DSS certificate IDsetting
02030027 ERROR VPN /IPSEC
Failed to getID informationfromcertificate
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Failed to get ID informationfrom certificate 20001
IKE phase-1 negotiation failedbecause failed to get IDinformation from certificate.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Failed to get IDinformation from certificate%d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failedto get ID information from certificate${certificate_id}
02030029 ERROR VPN /IPSEC
IKE Phase 1invalidaggressivemode ID
IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'Reason=Received ID did not match
IKE Phase 1 negotiation failedbecause received ID did not matchwith configured ID on localgateway. Check aggressivemodeID information in gateway endpoint
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received ID didnot match with configured
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received ID did not matchwith configured aggressivemode ID.
VPN LogMessages
Log Catalog 99
ID Level Area Name Log Message Example Description Format Message Variables
with configured aggressivemode ID. configuration on both local andremote gateways.
aggressivemode ID.
02050002 ERROR VPN /IPSEC
IKE Phase 2PFSmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedproposal without PFS, ExpectingPFS enabled
The IPSec tunnel negotiationfailed because the PerfectForward Secrecy (PFS) value didnot match the Phase 2configuration.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received proposalwithout PFS, ExpectingPFS enabled
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedproposal without PFS, Expecting PFSenabled
02050003 ERROR VPN /IPSEC
IKE Phase-2proposal typemismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedprotocol 'AH'. Expecting 'ESP' inphase-2 proposal.
The IPSec tunnel negotiationfailed because the proposal did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected proposals.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received protocol'%s'. Expecting '%s' inphase-2 proposal.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedprotocol '${received_proto}'.Expecting '${expected_proto}' inphase-2 proposal.
02050004 ERROR VPN /IPSEC
IKE Phase 2AHauthenticationmethodmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedAH authenticationMD5, expectingSHA1
The IPSec tunnel negotiationfailed because the proposed AHauthenticationmethod did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected AHauthenticationmethod.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received AHauthentication%s,expecting%s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedAH authentication ${received},expecting ${expected}
02050005 ERROR VPN /IPSEC
IKE Phase 2ESPencryptionmethodmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedESP encryption DES, expectingAES
The IPSec tunnel negotiationfailed because the proposed ESPencryptionmethod did not matchthe Phase 2 configuration. The logmessage specifies the receivedand expected ESP encryptionmethod.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received ESPencryption%s, expecting%s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedESP encryption ${received},expecting ${expected}
VPN LogMessages
Log Catalog 100
ID Level Area Name Log Message Example Description Format Message Variables
02050006 ERROR VPN /IPSEC
IKE Phase 2PFS DH groupmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedPFS DH group 2, expecting 5
The IPSec tunnel negotiationfailed because the proposedPerfect Forward Secrecy Diffe-Hellman (PFS DH) group numberdid not match the Phase 2configuration. The logmessagespecifies the received andexpected PFS DH group numbers.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received PFS DHgroup%d, expecting%d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedPFS DH group ${received}, expecting${expected}
02050007 ERROR VPN /IPSEC
IKE Phase 2ESPauthenticationmethodmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedESP authenticationMD5-HMAC,expecting SHA1-HMAC
The IPSec tunnel negotiationfailed because the proposed ESPauthenticationmethod did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected ESPauthenticationmethod.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received ESPauthentication%s,expecting%s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedESP authentication ${received},expecting ${expected}
02050008 ERROR VPN /IPSEC
IKE Phase 2AES keylengthmismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=ReceivedAES key length 128, expecting 256
The IPSec tunnel negotiationfailed because the proposed AESencryption key length did notmatch the Phase 2 configuration.The logmessage specifies thereceived and expected AES keylength.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received AES keylength%d, expecting%d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=ReceivedAES key length ${received},expecting ${expected}
0203000A ERROR VPN /IPSEC
IKE Phase 1invalid MainMode secondmessage
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode secondmessage. Check VPNIKE diagnostic logmessages formore information.
IKE Phase 1 negotiation failedbecause of invalid secondmessage received by localgateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode secondmessage. Check VPN IKEdiagnostic logmessages formore information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodesecondmessage. Check VPN IKEdiagnostic logmessages for moreinformation.
VPN LogMessages
Log Catalog 101
ID Level Area Name Log Message Example Description Format Message Variables
0203000B ERROR VPN /IPSEC
IKE Phase 1invalid MainMode KeyExchangepayload
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode KE payload. Check VPN IKEdiagnostic logmessages for moreinformation.
IKE Phase 1 negotiation failedbecause local gateway receivedinvalid MainMode Key Exchange(KE) payload
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode KE payload.Check VPN IKE diagnosticlogmessages for moreinformation.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodeKE payload. Check VPN IKEdiagnostic logmessages for moreinformation.
0203000C ERROR VPN /IPSEC
IKE Phase 1invalid mainmode ID
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalid mainmode ID payload. Check VPN IKEdiagnostic logmessages for moreinformation.
IKE Phase 1 negotiation failedbecause of invalid MainMode IDpayload received by localgateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidmainmode ID payload.Check VPN IKE diagnosticlogmessages for moreinformation.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid mainmodeID payload. Check VPN IKEdiagnostic logmessages for moreinformation.
0203000D ERROR VPN /IPSEC
IKE Phase 1invalidaggressivemode hash
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidaggressivemode hash payload.Check VPN IKE diagnostic logmessages for more information.
IKE Phase 1 negotiation failedbecause invalid aggressivemodehash payload received byspecified local gateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidaggressivemode hashpayload. Check VPN IKEdiagnostic logmessages formore information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid aggressivemode hash payload. Check VPN IKEdiagnostic logmessages for moreinformation.
0203000E ERROR VPN /IPSEC
IKE Phase 1invalidAggressivemode SApayload
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'Reason=Received invalidaggressivemode SA payload.Check VPN IKE diagnostic logmessages for more information.
IKE Phase 1 negotiation failedbecause of invalid Aggressivemode security association (SA)payload received by specifiedlocal gateway.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received invalidaggressivemode SApayload. Check VPN IKEdiagnostic logmessages formore information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received invalid aggressivemode SA payload. Check VPN IKEdiagnostic logmessages for moreinformation.
VPN LogMessages
Log Catalog 102
ID Level Area Name Log Message Example Description Format Message Variables
0203002A ERROR VPN /IPSEC
IKE Phase 1IKE versionmismatch
IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'Reason=Received IKE version didnot match the configured IKEversion.
IKE Phase 1 negotiation failedbecause the received IKE versiondid not match the IKE versionconfigured on the local gateway.Check the IKE version in thegateway endpoint configuration onboth the local and remotegateways.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Received IKEversion did not match theconfigured IKE version.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Received IKE version didnot match the configured IKE version.
0203002B ERROR VPN /IPSEC
IKE Phase 1messagereceived onwronginterface IP
IKE phase-1 negotiation from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='gateway.1'Reason=Receivedmessage withwrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.
IKE Phase 1 negotiation failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.
IKE phase-1 negotiationfrom%s to%s failed.Gateway-Endpoint='%s'Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage withwrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.
0205000A ERROR VPN /IPSEC
IKE Phase 2tunnel routemismatch
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Gateway='gateway.1' Reason=Nomatching tunnel route for peerproposed local:192.168.81.0/24remote:192.168.82.0/28
The IPSec tunnel negotiationfailed because the proposed tunnelroutes did not match the tunnelconfiguration. The logmessagespecifies the received andexpected tunnel routes.
IKE phase-2 negotiationfrom%s to%s failed.Gateway='%s' Reason=Nomatching tunnel route forpeer proposed local:%s/%dremote:%s/%d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Gateway='${gateway}' Reason=Nomatching tunnel route for peerproposed local:${tr_local} remote:${tr_remote}
0205000B ERROR VPN /IPSEC
IKE Phase 2message retrytimeout
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messageretry timeout. Check VPN IKEdiagnostic logmessages for moreinformation.
The IPSec tunnel negotiationfailed because an expectedresponse was not received beforethemessage retry timeout.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message retrytimeout. Check VPN IKEdiagnostic logmessages formore information.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messageretry timeout. Check VPN IKEdiagnostic logmessages for moreinformation.
VPN LogMessages
Log Catalog 103
ID Level Area Name Log Message Example Description Format Message Variables
0205000C ERROR VPN /IPSEC
IKE Phase2message retrytimeoutbecausePhase 1 SAexpired
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messageretry timeout because phase-1 SAexpired
The IPSec tunnel negotiationfailed because the Phase 1Security Association (SA) expired.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message retrytimeout because phase-1SA expired
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messageretry timeout because phase-1 SAexpired
0205000D ERROR VPN /IPSEC
IKE Phase 2PFS notenabled
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Receivedproposal with PFS. PFS notenabled.
The IPSec tunnel negotiationfailed because the PerfectForward Secrecy (PFS) value didnot match the Phase 2configuration.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Received proposalwith PFS. PFS not enabled.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Receivedproposal with PFS. PFS not enabled.
0205000E ERROR VPN /IPSEC
IKE Phase 2wait timeout
IKE phase-2 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1' Reason=Messagewas not received in expected time.Check the connection between localand remote gateway endpoints.
The IPSec tunnel negotiationfailed because an expectedresponse was not received beforethe expected time.
IKE phase-2 negotiationfrom%s to%s failed.Tunnel='%s'Reason=Message was notreceived in expected time.Check the connectionbetween local and remotegateway endpoints.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed.Tunnel='${tunnel}' Reason=Messagewas not received in expected time.Check the connection between localand remote gateway endpoints.
021A0001 ERROR VPN /IPSEC
DroppedreceivedIKEv2message
Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Reason=message has invalidinitiator SPI (all zeros)
Dropped received invalid IKEv2message.
Dropped IKEv2%smessage from%s.Reason=%s
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Reason=${reason}
021A0002 ERROR VPN /IPSEC
IKE SA notfound tohandle IKE_SA_INIT_Rmessage
Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Reason=IKE SA not found to handlemessage with message ID 0x0.
IKE SA was not found to handlethe received IKE_SA_INIT_Rmessage.
Dropped IKEv2%smessage from%s.Reason=IKE SA not foundto handlemessage withmessage ID 0x%x.
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Reason=IKE SA not found to handlemessage with message ID ${recvd_message_id}.
021A0003 ERROR VPN /IPSEC
Gateway Dropped IKEv2 IKE_SA_INIT Gateway endpoint was not foundto handle the received IKE_SA_
Dropped IKEv2%s Dropped IKEv2 ${exchange_type}
VPN LogMessages
Log Catalog 104
ID Level Area Name Log Message Example Description Format Message Variables
endpoint notfound tohandle IKE_SA_INIT_Rmessage
message from 172.16.12.82:500.Reason='gateway.1' gatewayendpoint not found to handlemessage with message ID 0x0.
INIT_R message message from%s.Reason='%s' gatewayendpoint not found to handlemessage with message ID0x%x.
message from ${peer_addr}.Reason='${gw-ep}' gateway endpointnot found to handle IKE_SA_INITmessage with message ID ${recvd_message_id}.
021A0005 ERROR VPN /IPSEC
Invalidmessage ID inIKEv2exchange
Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Gateway-Endpoint='gateway.1'.Reason=Invalid message ID inrequest message.
Received IKEv2message wasdropped because it has invalidmessage ID.
Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=Invalid messageID in%s message.
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'.Reason=Invalid message ID in ${req_or_resp} message.
021A0006 ERROR VPN /IPSEC
IKEv2gatewayendpoint wasnot found tohandle thereceivedmessage
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Matching gateway endpointnot found.
IKEv2 gateway endpoint was notfound to handle the receivedmessage.
IKEv2%s exchange from%s to%s failed.Reason=Matching gatewayendpoint not found.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Matching gatewayendpoint not found.
021A0007 ERROR VPN /IPSEC
IKEv2gatewayendpointversion notmatched
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received IKE version didnot match the configured IKEversion.
IKEv2message exchange failedbecause the received IKE versiondid not match the IKE versionconfigured on the local gateway.Check the IKE version in thegateway endpoint configuration onboth local and remote gateways.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received IKEversion did not match theconfigured IKE version.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received IKE version didnot match the configured IKE version.
021A0008 ERROR VPN /IPSEC
IKEv2gatewayendpoint isdisabled
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=gateway endpoint isdisabled.
The IKEv2 gateway endpoint isdisabled. It cannot be used intunnel negotiation.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=gateway endpointis disabled.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=gateway endpoint isdisabled.
VPN LogMessages
Log Catalog 105
ID Level Area Name Log Message Example Description Format Message Variables
021A0009 ERROR VPN /IPSEC
IKEv2gateway IDmismatch
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Gateway endpoint withmatching ID was not found.
IKEv2 IKE_AUTH negotiationfailed because the remote IDconfigured in the gateway endpointdid not match proposed IDreceived from the remote gateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Gateway endpointwith matching ID was notfound.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Gateway endpoint withmatching ID was not found.
021A000A ERROR VPN /IPSEC
IKEv2 IKE_SA_INITmessagereceived onwronginterface
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Receivedmessage onwrong interface 'eth0'(index:3).Expecting it to be received on 'eth6'.
IKEv2 IKE_SA_INIT negotiationfailed because IKE message frompeer was received on the wronginterface.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage on wrong interface'%s'(index:%d). Expecting itto be received on '%s'.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Receivedmessage onwrong interface. '${received_if}'(index:${received_ifindex}). Expectingit to be received on '${expected_if}'.
021A000B ERROR VPN /IPSEC
IKEv2 remotegatewayendpoint IDmismatch
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received ID did not matchthe configured remote gatewayendpoint ID.
IKEv2 IKE_AUTH negotiationfailed because the remote ID in thegateway endpoint configuration didnot match the proposed IDreceived from the remote gateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received ID didnot match the configuredremote gateway endpointID.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ID did not matchthe configured remote gatewayendpoint ID.
021A000C ERROR VPN /IPSEC
IKEv2 localgatewayendpoint IDmismatch
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received ID did not matchthe configured local gatewayendpoint ID.
IKEv2 IKE_AUTH negotiationfailed because the local ID in thegateway endpoint configuration didnot match the proposed IDreceived from the remote gateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received ID didnot match the configuredlocal gateway endpoint ID.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ID did not matchthe configured local gateway endpointID.
VPN LogMessages
Log Catalog 106
ID Level Area Name Log Message Example Description Format Message Variables
021A000D ERROR VPN /IPSEC
ReceivedIKEv2message doesnot haveexpectedpayloads
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received IKE_AUTHresponsemessage does not havethe expected payloads.
IKEv2message exchange failedbecause the receivedmessagefrom the peer does not have theexpected payloads
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received%smessage does not have theexpected payloads.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ${msg_info}message does not have the expectedpayloads.
021A000E ERROR VPN /IPSEC
IKEv2 IKEproposalmismatch
IKEv2 IKE_SA_INIT exchange from198.51.100.2:500 to 203.0.113.2:500failed. Gateway-Endpoint='gateway.1'. Reason=IKEproposal did not match. Receivedencryption 3DES, expected AES.
The IKEv2message exchangefailed because the IKE proposal inthe receivedmessage did notmatch the expected proposal.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=%s
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=${msg_info}
021A000F ERROR VPN /IPSEC
IKEv2 KE DH-Groupmismatch
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does notmatch DH-Group 5 selected in theIKE_SA_INIT response proposal.
IKEv2message exchange failedbecause the DH group in thereceived Key Exchange (KE)payload does not match the DH-Group in the selected proposal.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=DH-Group%d inthe KE payload does notmatch DH-Group%dselected in the%s proposal.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=DH-Group ${recvd_dh_group} in the KE payload does notmatch the DH-Group ${selected_dh_group} selected in the ${msg_info}proposal.
021A0010 ERROR VPN /IPSEC
IKEv2 IPSecKE DH-Groupmismatch
IKEv2 CREATE_CHILD_SAexchange from 172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does notmatch DH-Group 5 selected in theCREATE_CHILD_SA requestproposal.
IKEv2message exchange failedbecause the DH group in thereceived Key Exchange (KE)payload does not match the DH-Group in the selected proposal.
IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=DH-Group%d in the KE payloaddoes not match DH-Group%d selected in the%sproposal.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=DH-Group ${recvd_dh_group} in the KE payload does notmatch the DH-Group ${selected_dh_group} selected in the ${msg_info}proposal.
VPN LogMessages
Log Catalog 107
ID Level Area Name Log Message Example Description Format Message Variables
021A0011 ERROR VPN /IPSEC
Receivedunacceptabletraffic selectorduring firstCHILD SAnegotiation.
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received unacceptabletraffic selector in IKE_AUTHrequest.
IKEv2 first CHILD SA creationfailed because the peer sent anunacceptable traffic selector.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedunacceptable traffic selectorin%s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received unacceptabletraffic selector in ${msg_info}.
021A0012 ERROR VPN /IPSEC
IKEv2 peerauthenticationmethodmismatch.
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received authenticationmethod PSK, expecting RSAcertificate.
IKEv2 tunnel negotiation failedbecause the incorrect authenticatemethod was proposed by theremote gateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedauthenticationmethod%s,expecting%s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Receivedauthenticationmethod ${received},expecting ${expected}.
021A0013 ERROR VPN /IPSEC
IKEv2 peerauthenticationfailed
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Remote gateway endpointRSA certificate authentication failed.
IKEv2 tunnel negotiation failedbecause the local gateway couldnot authenticate the remotegateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Remote gatewayendpoint %s authenticationfailed.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Remote gatewayendpoint ${auth_method}authentication failed.
021A0014 ERROR VPN /IPSEC
IKEv2 PSKmismatch
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Remote gateway endpointauthentication failed due to apossible shared secret mismatch.
IKEv2 tunnel negotiation failedbecause of possible PSKmismatch.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Remote gatewayendpoint authenticationfailed due to a possibleshared secret mismatch.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Reason=Remote gatewayendpoint authentication failed due to apossible shared secret mismatch.
VPN LogMessages
Log Catalog 108
ID Level Area Name Log Message Example Description Format Message Variables
021A0015 ERROR VPN /IPSEC
ReceivedIKEv2 IKE_SA_INITnotificationerrormessage.
IKEv2 IKE_SA_INIT exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'.Reason=Received N(NO_PROPOSAL_CHOSEN)message.
IKEv2 IKE_SA_INIT negotiationfailed because the peer sent anotification error message.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Received%smessage.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'.Reason=Received ${notify_msg}message.
021A0016 ERROR VPN /IPSEC
ReceivedIKEv2CREATE_CHILD_SA/IKE_AUTHnotificationerrormessage.
IKEv2 IKE_AUTH exchange from10.139.36.185:500 to10.139.36.195:500 failed.Tunnel='tunnel.1'.Reason=Received N(NO_PROPOSAL_CHOSEN)message.
IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failedbecause peer sent a notificationerror message.
IKEv2%s exchange from%s to%s failed.Tunnel='%s'.Reason=Received%smessage.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel_name}'.Reason=Received ${notify_msg}message.
021A0018 ERROR VPN /IPSEC
IKEv2 tunnelproposalmismatch.
IKEv2 CREATE_CHILD_SAexchange from 198.51.100.2:500 to203.0.113.2:500 failed.Tunnel='tunnel.1'. Reason=IPSecproposal did not match. Receivedencryption 3DES, expected AES.
The IKEv2message exchangefailed because the IPSec proposalin the receivedmessage did notmatch the expected proposal.
IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=%s
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=${msg_info}
021A0019 ERROR VPN /IPSEC
Receivedinvalid SPIduring firstCHILD SAnegotiation.
IKEv2 IKE_AUTH exchange from172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=Peerproposed invalid SPI in IKE_AUTHrequest.
IKEv2 first CHILD SA creationfailed because the peer sent aninvalid SPI.
IKEv2%s exchange from%s to%s failed.Tunnel='%s'. Reason=Peerproposed invalid SPI in%s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=Peer proposed invalid SPI in${msg_info}.
VPN LogMessages
Log Catalog 109
ID Level Area Name Log Message Example Description Format Message Variables
021A001A ERROR VPN /IPSEC
Receivedinvalid SPIduring IKEv2IPSec SArekey
IKEv2 CREATE_CHILD_SAexchange from 172.16.12.82:500 to172.16.12.81:500 failed.Tunnel='tunnel.1'. Reason=Couldnot find child SA by received SPI0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.
IKEv2 IPSec SA rekey failedbecause the peer sent an invalidSPI.
IKEv2%s exchange from%s to%s failed.Tunnel='%s'.Reason=Could not find childSA by received SPI %0x in%s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Tunnel='${tunnel}'.Reason=Could not find child SA byreceived SPI ${spi} in ${msg_info}.
021A001B ERROR VPN /IPSEC
No responsefrom remotegateway
IKEv2 exchange from172.16.12.82:500 to172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Noresponse for IKE_AUTH requestmessage. Check the connectionbetween the local and remotegateway endpoints.
IKEv2 connection was terminatedbecause there was no responsefrom the remote site.
IKEv2 exchange from%s to%s failed. Gateway-Endpoint='%s'. Reason=Noresponse for%s message.Check the connectionbetween the local andremote gateway endpoints.
IKEv2 exchange from ${local_addr} to${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Noresponse for ${msg_info} message.Check the connection between thelocal and remote gateway endpoints.
021A001D ERROR VPN /IPSEC
IKEv2gateway IDmismatch
IKEv2 IKE_AUTH exchange from198.51.100.2 to 203.0.113.2:500failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=TheMobileVPN with IKEv2 profile is notenabled.
IKEv2 IKE_AUTH negotiationfailed becauseMobile VPN forIKEv2 is not enabled on thisgateway.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=TheMobile VPNwith IKEv2 profile is notenabled.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Mobile VPN with IKEv2profile is not enabled.
021A001E ERROR VPN /IPSEC
IKEv2receivedinvalid EAPinformation
IKEv2 IKE_AUTH EAP exchangefrom 198.51.100.2:4500 to203.0.113.2:4500 failed. Gateway-Endpoint='WG IKEv2MVPN'.Reason='example' authenticationdomain is not configured.
IKEv2 IKE_AUTH EAPnegotiation failed because IKEv2Mobile VPN client sent invalidinformation.
IKEv2%s EAP exchangefrom%s to%s failed.Gateway-Endpoint='%s'.Reason=%s
IKEv2 ${exchange_type} EAPexchange from ${local_addr} to${peer_addr} failed. Gateway-Endpoint='${gw-ep}'Reason=${reason}
VPN LogMessages
Log Catalog 110
ID Level Area Name Log Message Example Description Format Message Variables
021A001F ERROR VPN /IPSEC
IKEv2 IKE_SA_INITmessagereceived onwronginterface IP
IKEv2 IKE_SA_INIT exchange from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='gateway.1'.Reason=Receivedmessage withwrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.
IKEv2message exchange failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage with thewrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.
021A0020 ERROR VPN /IPSEC
IKEv2 IKE_AUTHmessagereceived onwronginterface IP
IKEv2 IKE_AUTH exchange from198.51.100.2:500 to 192.0.2.2:500failed. Gateway-Endpoint='m500-197'. Reason=Receivedmessagewith the wrong interface IP address192.0.2.2. Expecting peer to useremote gateway endpoint IP address203.0.113.2.
IKEv2message exchange failedbecause IKE message from thepeer was received on the wronginterface IP address. Check thelocal and remote gateway IPaddress in the gateway endpointconfiguration on both the local andremote gateways.
IKEv2%s exchange from%s to%s failed. Gateway-Endpoint='%s'.Reason=Receivedmessage with wronginterface IP address %s.Expecting peer to useremote gateway endpoint IPaddress %s.
IKEv2 ${exchange_type} exchangefrom ${local_addr} to ${peer_addr}failed. Gateway-Endpoint='${gw-ep}'Reason=Receivedmessage withwrong interface IP address${received_ip}. Expecting peer to useremote gateway endpoint IP address${expected_ip}.
02030010 INFO VPN /IPSEC
IKE Phase 1matchingMainMode policynot found
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Mainmodematching policynot found
IKE Phase 1 negotiation becauselocal gateway did not find amatching Aggressivemode policy.
IKE phase-1 negotiationfrom%s to%s failed.Reason=Mainmodematching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Mainmodematching policynot found
02030013 INFO VPN /IPSEC
IKE Phase 1negotiationfailed
IKE phase-1 negotiation from2.2.2.2:500 to 1.1.1.1:500 failed.Reason=Received invalid message
IKE Phase 1 negotiation failedbecause of the reason specified inthe log
IKE phase-1 negotiationfrom%s:%d to%s:%dfailed. Reason=%s
IKE phase-1 negotiation from${src}:${sport} to ${dst}:${dport} failed- ${reason}
VPN LogMessages
Log Catalog 111
ID Level Area Name Log Message Example Description Format Message Variables
02030014 INFO VPN /IPSEC
Receivedinformationalerror message
Received 'Invalid Exchange Type'message from 172.16.12.81:500 for'gateway.1' gateway endpoint.Check VPN IKE diagnostic logmessages on the remote gatewayendpoint for more information.
Received the specified informationor error message from remotegateway.
Received '%s' messagefrom%s for '%s' gatewayendpoint. Check VPN IKEdiagnostic logmessages onthe remote gatewayendpoint for moreinformation.
Received '${info_msg}' message from${peer_addr} for '${gw-ep}' gatewayendpoint. Check VPN IKE diagnosticlogmessages on the remote gatewayendpoint for more information.
02030025 INFO VPN /IPSEC
Received IKEmessage forunknownPhase 1 SA
Received IKE message from172.16.13.204:500 for unknown P1SA. Sending delete message toremote gateway 'gateway.1'.
Received IKE message forunknown P1 SA. Sending deletemessage to remote gateway
Received IKE messagefrom%s for unknown P1SA. Sending deletemessage to remote gateway'%s'.
Received IKE message from ${peer_addr} for unknown P1 SA. Sendingdelete message to remote gateway'${gateway}'.
02030028 INFO VPN /IPSEC
IKE Phase 1messagereceived onwronginterface
IKE phase-1 negotiation from198.51.100.2:500 to 203.0.113.2:500failed. Reason=Received IKEmessage on wrong interface 'eth0'(index:3). Expecting it to be receivedon 'eth6'.
IKE Phase 1 negotiation failedbecause of IKE message peerwas received on wrong interface.
IKE phase-1 negotiationfrom%s to%s failed.Reason=Received IKEmessage on wrong interface'%s'(index:%d). Expecting itto be received on '%s'.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Received IKE message onwrong interface '${received_if}'(index:${received_ifindex}). Expectingit to be received on '${expected_if}'
02050010 INFO VPN /IPSEC
Receivedquick modeinformationalerror message
Received 'No Proposal Chosen'message from 172.16.12.81:500 for'tunnel.1' tunnel. Check VPN IKEdiagnostic logmessages on theremote gateway endpoint for moreinformation.
Remote gateway sent aninformation error message inresponse to VPN tunnel proposal.
Received '%s' messagefrom%s for '%s' tunnel.Check VPN IKE diagnosticlogmessages on the remotegateway endpoint for moreinformation.
Received '${info_msg}' message from${peer_addr} for '${tunnel}' tunnel.Check VPN IKE diagnostic logmessages on the remote gatewayendpoint for more information.
02050011 INFO VPN /IPSEC
DroppedsimultaneousPhase 2negotiation
Dropped a simultaneous phase-2negotiation from the peer172.16.13.204:500
Firebox or XTM device droppedphase-2 negotiation because ofanother Phase 2 negotiation inprogress.
Dropped a simultaneousphase-2 negotiation from thepeer%s
Dropped a simultaneous IPSecnegotiation from the peer ${peer_addr}
02060006 INFO VPN /IPSEC
Mobile VPNwith IPSecuser
MUVPN user 'user.1' isauthenticated without groupinformation.
SpecifiedMobile VPN with IPSecuser successfully authenticated,but is not amember of any group.
MUVPN user '%s' isauthenticated without groupinformation.
MUVPN user '${user_name}' isauthenticated without groupinformation
VPN LogMessages
Log Catalog 112
ID Level Area Name Log Message Example Description Format Message Variables
connectedwith no group
02060007 INFO VPN /IPSEC
Mobile usergroupinformation
MUVPN user 'user.1' is amember of'muvpn' group.
SpecifiedMobile VPN with IPSecuser belongs to the specifiedgroup.
MUVPN user '%s' is amember of '%s' group.
MUVPN user '${user_name}' is amember of '${group_name}' group.
02080001 INFO VPN /IPSEC
IKE phase-1negotiatedsuccessful
BOVPN phase-1main-modecompleted successfully as initiatorfor 'gateway.1' gateway endpoint.local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SAID:0x9d5e7809
IKE phase-1 negotiation wassuccessfully completed.
%s phase-1%s completedsuccessfully as %s for '%s'gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SA ID:0x%08x
${tunnel_type} phase-1 ${nego_mode}completed successfully as ${nego_role} for '${gateway}' gatewayendpoint. local-gw:${src}:${sport}remote-gw:${dst}:${dport} SAID:${p1said}
0203000F INFO VPN /IPSEC
IKE Phase 1matchingaggressivemode policynot found
IKE phase-1 negotiation from172.16.12.82:500 to172.16.12.81:500 failed.Reason=Aggressivemodematchingpolicy not found
IKE Phase 1 negotiation becauselocal gateway did not find amatching aggressivemode policy.
IKE phase-1 negotiationfrom%s to%s failed.Reason=Aggressivemodematching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed.Reason=Aggressivemodematchingpolicy not found
021A0004 INFO VPN /IPSEC
IKEv2 IKE SAis in deletingstate
Dropped IKEv2 IKE_SA_INITmessage from 172.16.12.82:500.Gateway-Endpoint='gateway.1'.Reason=IKE SA is in DELETINGstate.
Received IKEv2message wasignored because thecorresponding IKE SA to handlethemessage was in DELETINGstate.
Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=IKE SA is in%sstate.
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'Reason=IKE SA is in ${ikev2_ikesa_state} state.
021A0017 INFO VPN /IPSEC
IKEv2 IKE SAestablished
IKEv2 IKE SA establishedsuccessfully as initiator for'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SAID:0xbc2188a5.
IKEv2 IKE SA is establishedbecause IKE_AUTH negotiation isfinished or IKE SA is rekeyed.
IKEv2 IKE SA establishedsuccessfully as %s for '%s'gateway endpoint. local-gw:%s remote-gw:%s SAID:0x%08x.
IKEv2 IKE SA establishedsuccessfully as ${exchange_role} for'${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SA ID:${sa_id}.
021A001C INFO VPN /IPSEC
IKEv2 IKE SAis waiting forthe user
Dropped IKEv2 IKE_AUTHmessage from 198.51.100.2:4500.Gateway-Endpoint='ikev2_
The Firebox ignored an IKEv2message because thecorresponding IKE SA is waiting
Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'
VPN LogMessages
Log Catalog 113
ID Level Area Name Log Message Example Description Format Message Variables
authenticationresult
mobileuser'. Reason=Waiting for theEAP_MSCHAPv2 userauthentication result.
for the user authentication resultfrom the authenticationmodule.
Reason=Waiting for the%suser authentication result.
Reason=Waiting for the ${user-auth-protocol} user authentication result.
021A001C INFO VPN /IPSEC
IKEv2 IKE SAis waiting forthe userauthenticationresult
Dropped IKEv2 IKE_AUTHmessage from 198.51.100.2:4500.Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for theEAP_MSCHAPv2 userauthentication result.
The Firebox ignored an IKEv2message because thecorresponding IKE SA is waitingfor the user authentication resultfrom the authenticationmodule.
Dropped IKEv2%smessage from%s.Gateway-Endpoint='%s'.Reason=Waiting for the%suser authentication result.
Dropped IKEv2 ${exchange_type}message from ${peer_addr}.Gateway-Endpoint='${gw-ep}'Reason=Waiting for the ${user-auth-protocol} user authentication result.
02020001 WARN VPN /IPSEC
IP address notavailable forMobile VPNwith IPSecuser
Virtual IP address from 'abcd'address pool is not available forMobile VPN with IPSec user 'Bob'
All virtual IP addresses allocatedto this Mobile VPN with IPSecgroup are already assigned. NewMobile VPN with IPSec tunnelscannot be established unlessexisting tunnels are deleted.
Virtual IP address from '%s'address pool is not availablefor Mobile VPN with IPSecuser '%s'
Virtual IP address from ${pool_name}address pool is not available forMobile VPN with IPSec user ${user}
02030016 WARN VPN /IPSEC
Mobile userrejected -maximum userconnectionsreached
RejectedMUVPN IPSec user from2.2.2.2 becausemaximum alloweduser connections has been reached.Maximum:50
SpecifiedMobile VPN with IPSecuser connection rejected becausethe specified concurrent userconnections limit has beenreached. The logmessagespecifies the concurrent userconnections limit.
RejectedMUVPN IPSecuser from%s becausemaximum allowed userconnections has beenreached. Maximum:%d
RejectedMUVPN IPSec user from${peer_addr} becausemaximumallowed user connections has beenreached. Maximum:${max_value}
02030021 WARN VPN /IPSEC
DPD R_U_THERE_ACKnot received
Remote gateway 'gateway.1' with IP172.16.13.204:500 did not sendDPD R_U_THERE_ACK message.2 retries left
Firebox or XTM device sent aDPD_R_U_THERE request toremote gateway, but did notreceive DPD R_U_THERE_ACKresponse. The logmessagespecifies the number of retriesbefore it will delete the VPNtunnel.
Remote gateway '%s' withIP %s did not send DPD R_U_THERE_ACK message.%d retries left
Remote gateway '${gw-ep}' with IP${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retriesleft.
VPN LogMessages
Log Catalog 114
ID Level Area Name Log Message Example Description Format Message Variables
02030022 WARN VPN /IPSEC
DPD maxfailure
Remote gateway 'gateway.1' with IP172.16.13.204:500 presumed deaddue to DPD failure. Deleted alltunnels that use this gateway.Check the connection between localand remote gateway endpoints.
The Firebox or XTM devicedeleted a VPN tunnel because theremote gateway did not respond toDPD R_U_THERE requests.
Remote gateway '%s' withIP %s presumed dead dueto DPD failure.%s
Remote gateway '${gw-ep}' with IP${peer_addr} presumed dead due toDPD failure. ${action}
02030023 WARN VPN /IPSEC
Did notreceiveKEEP_ALIVE_ACKresponse
Remote gateway 'gateway.1' with IP172.16.13.204:500 did not sendKEEP_ALIVE_ACK message. 2retries left.
Firebox or XTM device sent aKEEP_ALIVE request to remotegateway, but did not receiveKEEP_ALIVE_ACK response.The logmessage specifies thenumber of retries before it willdelete the VPN tunnel.
Remote gateway '%s' withIP %s did not send KEEP_ALIVE_ACK message. %dretries left.
Remote gateway '${gw-ep}' with IP${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retriesleft.
02030024 WARN VPN /IPSEC
Deleted VPNtunnels due tokeep-alivefailure
Remote gateway 'gateway.1' with IP172.16.13.204:500 presumed deaddue to keep-alive negotiation failure.Deleted all tunnels that use thisgateway. Check the connectionbetween local and remote gatewayendpoints.
Firebox or XTM device deleted oneor more VPN tunnels because theremote gateway did not respond tokeep-alive requests.
Remote gateway '%s' withIP %s presumed dead dueto keep-alive negotiationfailure.%s
Remote gateway '${gw-ep}' with IP${peer_addr} presumed dead due tokeep-alive negotiation failure.${action}
02060001 WARN VPN /IPSEC
ReceivedXAuth failnotification
Received XAuth failed notificationfrom 172.16.24.1:4500.Group:'ToFirebox_mu'
Received notification thatExtended Authentication(XAuth)failed. Aborting XAuth negotiation.
Received XAuth failednotification from%s.Group:'%s'
Received XAuth failed notificationfrom ${peer_addr}. Group:'${gateway}'
02060002 WARN VPN /IPSEC
Rejected PSKauthentication,Expect clientXAUTHenabled.
Rejected phase-1 authenticationmethod PSK from 172.16.24.1:4500,expecting client XAUTH enabled.
Rejected proposed Phase 1authenticationmethod becauseFirebox or XTM Device expectsclient Extended Authentication(XAuth) enabled.
Rejected phase-1authenticationmethod%sfrom%s, expecting clientXAUTH enabled.
Rejected phase 1 authenticationmethod ${auth_method} from ${peer_addr}, expecting client XAUTHenabled.
02060003 WARN VPN /IPSEC
Rejected PSKauthentication,Expect server
Rejected phase-1 authenticationmethod PSK from 172.16.24.1:4500,expecting server XAUTH enabled.
Rejected proposed Phase 1authenticationmethod becauseFirebox or XTM Device expects
Rejected phase-1authenticationmethod%sfrom%s, expecting server
Rejected phase 1 authenticationmethod ${auth_method} from ${peer_addr}, expecting server XAUTH
VPN LogMessages
Log Catalog 115
ID Level Area Name Log Message Example Description Format Message Variables
XAUTHenabled.
server Extended Authentication(XAuth) enabled.
XAUTH enabled. enabled.
02060004 WARN VPN /IPSEC
XAuthnegotiationfailed due tomismatchedmode
XAuth negotiation from172.16.24.1:4500 failed due to amismatched XAuthMode.
Mobile VPN with IPSec ExtendedAuthentication(XAuth) negotiationfailed because of mismatchedauthenticationmode.
XAuth negotiation from%sfailed due to amismatchedXAuthMode.
XAuth negotiation from ${peer_addr}failed due to amismatchedXAuthMode
02060005 WARN VPN /IPSEC
Mobile VPNwith IPSecauthenticationfailed becauseofunresponsivepeer
MUVPN user authentication faileddue to unresponsive peer at172.16.24.1:4500
Mobile VPN with IPSec userauthentication failed because thepeer did not respond.
MUVPN user authenticationfailed due to unresponsivepeer at %s
MUVPN user authentication faileddue to unresponsive peer at %s
0205000F WARN VPN /IPSEC
RejectedPhase 2negotiationdue toincorrectgateway
Rejected phase-2 negotiation from172.16.12.82:500 because'gateway.1*1' is not the preferredIKE gateway endpoint.
Rejected Phase 2 negotiation theproposal did not use the preferredIKE gateway endpoint.
Rejected phase-2negotiation from%sbecause '%s' is not thepreferred IKE gatewayendpoint.
Rejected quick mode negotiation from${peer_addr} because '${gw-ep}' is notthe preferred IKE gateway endpoint.
5B010004 INFO VPN /L2TP
Update usersession
UpdatedMobile VPN with L2TPsession for user 'Firebox-DB\test',virtual IP address '192.168.113.2'.
Mobile VPN with L2TP updatedthe session for the specified user.The logmessage specifies theassigned virtual IP address.
UpdatedMobile VPN withL2TP session for user'%s\%s', virtual IP address'%s'.
—
5B010005 INFO VPN /L2TP
Delete usersession
DeletedMobile VPN with L2TPsession for user 'Firebox-DB\test',virtual IP address '192.168.113.2'.
Deleted aMobile VPN with L2TPsession with the specified virtualIP address.
DeletedMobile VPN withL2TP session for user'%s\%s', virtual IP address'%s'.
—
25000000 INFO VPN /SSLVPN
User login Mobile VPN with SSL user tsmithlogged in. Virtual IP address is
A user logged in to VPN with SSL.The logmessage specifies the
%s %s logged in. Virtual IPaddress is %s. Real IP
${vpn_user_type} ${user_name}logged in. Virtual IP address is
VPN LogMessages
Log Catalog 116
ID Level Area Name Log Message Example Description Format Message Variables
192.168.113.2. Real IP address is192.51.100.2.
VPN user type,and the user'sname, virtual IP address, and realIP address.
address is %s. ${virtual_ipaddr}. Real IP address is${real_ipaddr}.
25000001 INFO VPN /SSLVPN
User log off Mobile VPN with SSL user tsmithlogged off. Virtual IP address is192.168.113.2.
The VPN with SSL user with thespecified virtual IP address loggedout.
%s %s logged off. Virtual IPaddress is %s.
${vpn_user_type} ${user_name}logged off. Virtual IP address was${virtual_ipaddr}.
VPN LogMessages
Log Catalog 117
EventVPN logmessages of theEvent log type.
ID Level Area Name Log Message Example Description Format Message Variables
02010001 INFO VPN /IPSEC
IKE processstarts
WatchGuard iked v11.6.B341909 (C)1996-2012WatchGuardTechnologies Inc. starts at Wed Jun30 21:49:08 2012
The IPSec IKE process started. WatchGuard iked v%s %s startsat %s
—
02010002 INFO VPN /IPSEC
Configurationupdatestarted
Started processing a configurationsetting
An IPSec configuration update started. Started to process aconfiguration setting
—
02010003 INFO VPN /IPSEC
Configurationupdatecompleted
A configuration setting has beenprocessed successfully
An IPSec configuration update wassuccessfully completed.
A configuration setting has beenprocessed successfully
—
02070001 INFO VPN /IPSEC
Tunnelestablishedor re-keyed
'gateway.1' BOVPN IPSec tunnel isestablished. local:192.168.81.0/28remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256frole:responder
The IPSec tunnel was established or re-keyed successfully. The logmessageincludes the security associationidentifiers.
'%s' %s IPSec tunnel is %s.local:%s remote:%s in-SA:0x%08x out-SA:0x%08xrole:%s
${gateway} ${tunnel_type} IPSectunnel is ${action}. local:${local}remote:${remote} in-spi:${in_spi}out-spi:${out_spi} role:${nego_role}
02090002 INFO VPN /IPSEC
IKE process-- FireClusterrole changed
A FireCluster failover occurred. Thecluster master has changed.
The cluster master has changedbecause of a FireCluster failover. Thelocal device will not handle IKEnegotiation.
A FireCluster failover occurred.The cluster master has changed.
—
02010004 WARN VPN /IPSEC
Device notactivated
WARNING! Tunnel negotiation isNOT allowed because the local boxis not activated yet(no"LIVESECURITY" feature key isfound)!!
The device is not activated. IPSectunnels cannot be established.
WARNING! Tunnel negotiationis NOT allowed because thelocal box is not activated yet(no"LIVESECURITY" feature key isfound)!!
—
VPN LogMessages
Log Catalog 118
ID Level Area Name Log Message Example Description Format Message Variables
02090001 WARN VPN /IPSEC
BOVPNtunnel limitreached
Themaximum number of allowedactive BOVPN tunnels has beenreached (Maximum: 500 Current:500).
Themaximum allowed number ofBOVPN tunnel routes have beenestablished. No new tunnel routes canbe created until active tunnel routesexpire or are deleted.
Themaximum number of activeallowed BOVPN tunnels hasbeen reached (Maximum: %dCurrent: %d)
—
5B010002 INFO VPN /L2TP
Configurationupdated
Updating configuration for MobileVPN with L2TP.
TheMobile VPN with L2TP daemonreceived a configuration update.
Updating configuration for MobileVPN with L2TP.
—
5B010003 INFO VPN /L2TP
Daemonstopped
StoppedMobile VPN with L2TPdaemon.
TheMobile VPN with L2TP daemonstopped.
StoppedMobile VPN with L2TPdaemon.
—
VPN LogMessages
Log Catalog 119
Mobile Security Log MessagesMobile Security logmessages are generated for activity related to traffic through your Firebox frommobile devices. This includes traffic related to FireClient and Endpoint Manager.
EventMobile Security logmessages of theEvent log type.
ID Level Area Name Log Message Example Description Format Message Variables
70000001 ERROR MobileSecurity/EndpointManager
Mobilesecuritylicense limitreached
Rejected a FireClient user loginbecause the licensedmaximum number ofconcurrent Mobile Securityusers has been reached.Maximum: 50
A user login from FireClient was rejected because thenumber of concurrently connectedMobile Security usershas reached the limit supported by theMobile Securitylicense. The logmessage specifies themaximumallowed number of concurrent Mobile Security users.
Rejected a FireClient userlogin because the licensedmaximum number ofconcurrent Mobile Securityusers has been reached.Maximum: %d
—
70010000 INFO MobileSecurity/EndpointManager
Mobiledeviceconnect
Mobile device eee66f78-3d74-4002-8161-95938dca4390 isconnected.
FireClient on the device has connected to the Firebox. Mobile device%s isconnected.
—
70010001 INFO MobileSecurity/EndpointManager
Mobiledevice useralready login
Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe has already logged in.
User has logged in to Firebox from the device prior to theconnection request.
Mobile device%s: user%shas already logged in.
—
70010002 INFO MobileSecurity/EndpointManager
Mobiledevice userlogin
Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe logged in.
User has logged in to Firebox through FireClient on thedevice.
Mobile device%s: user%slogged in.
—
Mobile Security LogMessages
Log Catalog 120
ID Level Area Name Log Message Example Description Format Message Variables
70010003 INFO MobileSecurity/EndpointManager
Mobiledevice userlogout
Mobile device eee66f78-3d74-4002-8161-95938dca4390: userjoe logged out.
User has logged out of Firebox from FireClient on thedevice.
Mobile device%s: user%slogged out.
—
70010004 INFO MobileSecurity/EndpointManager
Mobiledevice idledisconnected
Mobile device eee66f78-3d74-4002-8161-95938dca4390 isdisconnected due to FireClientinactivity.
FireClient on the device is considered disconnected dueto inactivity.
Mobile device%s isdisconnected due toFireClient inactivity.
—
70010005 INFO MobileSecurity/EndpointManager
Mobiledevicedisconneted
Mobile device eee66f78-3d74-4002-8161-95938dca4390 isdisconnected.
FireClient on the device has disconnected. Mobile device%s isdisconnected.
—
70010006 INFO MobileSecurity/EndpointManager
MobiledeviceUnknowncompliance
Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status is Unknown.
Mobile device compliance status is Unknown. Thiscould be because the compliance check is in progress,or because FireClient on the device is not responding.
Mobile device%scompliance status isUnknown.
—
70010007 INFO MobileSecurity/EndpointManager
MobiledeviceCompliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status isCompliant.
Mobile device compliance status is Compliant, becauseit meets the compliance requirements.
Mobile device%scompliance status isCompliant.
—
70010008 INFO MobileSecurity/EndpointManager
Mobiledevice NotCompliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390compliance status is NotCompliant.
Mobile device compliance status is Not Compliant,because it does not meet the compliance requirements.
Mobile device%scompliance status is NotCompliant.
—
Mobile Security LogMessages
Log Catalog 121
ID Level Area Name Log Message Example Description Format Message Variables
70010009 INFO MobileSecurity/EndpointManager
Mobiledevice usersessionrecreated
Mobile device eee66f78-3d74-4002-8161-95938dca4390:session for user joe isrecreated.
User session is recreated because themobile device IPaddress changed. .
Mobile device%s: sessionfor user%s is recreated.
—
70020000 INFO MobileSecurity/EndpointManager
MobiledeviceAuthorizationAgreementsign action
Mobile device eee66f78-3d74-4002-8161-95938dca4390:device authorization agreement(version 1) is accepted by userjoe on 2015-09-01 09:10:12+0800.
The Device Authorization Agreement is either acceptedor declined by a user at the specified local time.
Mobile device%s: deviceauthorization agreement(version%d) is %s by user%s on%s.
device ${device id}:device authorizationagreement (version${ver_number}) is${action} by user${user} on ${local_time}
70000002 WARN MobileSecurity/EndpointManager
Mobilesecuritylicense highwatermarkreached
The number of connectedMobile Security users hasreached 90 percent of thelicensed capacity. Maximum:50
The number of concurrently connectedMobile Securityusers has reached 90 percent of the capacity supportedby theMobile Security license. The logmessagespecifies the supportedmaximum number of concurrentMobile Security users.
The number of connectedMobile Security users hasreached 90 percent of thelicensed capacity.Maximum: %d
—
Mobile Security LogMessages
Log Catalog 122