Fireware XTM Log Catalog - WatchGuard · 2019. 1. 7.

Fireware v12.2 Log Message Catalog WatchGuard Firebox Revised November 2018


Copyright, Trademark, and Patent Information

Information in this guide is subject to change without notice. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright © 1998–2019 WatchGuard Technologies, Inc. All rights reserved.

All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Revised: November 2018

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895


Contents

Copyright, Trademark, and Patent Information
Introduction to the Log Catalog
  About Log Messages
  Types of Log Messages
    Traffic Log Messages
    Alarm Log Messages
    Event Log Messages
    Debug (Diagnostic) Log Messages
    Statistic Log Messages
  Read a Log Message
Firewall Log Messages
  Alarm
  Diagnostic
  Event
  Traffic
Networking Log Messages
  Diagnostic
  Event
Proxy Policy Log Messages
  Event
  Traffic
Management Log Messages
  Diagnostic
  Event
FireCluster Log Messages
  Diagnostic
  Event
Security Services Log Messages
  Event
VPN Log Messages
  Alarm
  Diagnostic
  Event
Mobile Security Log Messages
  Event


Introduction to the Log Catalog

You can use the tools available in WatchGuard Dimension, WatchGuard System Manager (WSM), and Fireware Web UI to review the log messages and events that occur on your WatchGuard Firebox devices, to examine the activity on your network. Log messages give you important information about the flow of traffic through your network, and are a key component to help you troubleshoot problems on your network.

The Fireware Log Catalog describes many of the types of log messages that your Firebox can generate. It includes examples of log messages for Firebox devices that run Fireware OS, grouped by the product area.

All log messages included in the Log Catalog are first organized into topics by product area and then separated into sections in each topic by the log message type:

• ALARM — Alarm log messages
• DIAG — Debug (Diagnostics) log messages
• EVENT — Event log messages
• STAT — Statistics log messages
• TRAFFIC — Traffic log messages

For more information about log message types, see About Log Messages.

Only log messages that are assigned a message ID number are included in the Log Catalog.

To review the log messages that are defined in the Log Catalog, you can expand the Log Messages section and select a topic for a product area, expand the section for a log message type, and review the log message lists to find a specific log message.

• To expand a single section, click .
• To collapse a single section, click .
• To expand all the sections in a topic, at the top of the topic window, click .
• To collapse all the sections in a topic, at the top of the topic window, click .

You can also search the Log Catalog for the specific details included in a log message.

For more information about options to search the Log Catalog, see Search the Log Catalog.

About Log Messages

Your Firebox can send log messages to an instance of Dimension, a WSM Log Server, or a syslog server. You can also configure your Firebox to store log messages locally on the Firebox. You can use Traffic Monitor in Fireware Web UI or Firebox System Manager (FSM) to review log messages in real-time. If you send log messages to Dimension, you can use the Dimension Log Manager to review the log messages from your Firebox devices. If you send log messages to a WSM Log Server, you can use Log Manager in WatchGuard WebCenter to review log messages after they are generated and processed by the Log Server.

Types of Log Messages

Firebox devices can send several types of log messages for events that occur on the Firebox. Each message includes the message type in the text of the message. The log message types are:

• Traffic
• Alarm
• Event
• Debug (Diagnostic)
• Statistic

Traffic and event log messages, and some alarm log messages, automatically appear in Traffic Monitor by default; you do not have to enable any settings on your Firebox to generate them. The majority of the other log message types must be enabled in the device configuration file before they appear in Traffic Monitor or Log Manager.

Traffic Log Messages

Most of the log messages that appear in Traffic Monitor are traffic log messages. Traffic Monitor shows all of the log messages that are generated by your Firebox and are recorded in your log file. Traffic log messages show the traffic that moves through your Firebox and how the packet filter and proxy policies were applied. A traffic log message can include details that show how NAT (network address translation) was handled for a packet.

The traffic log messages for traffic managed by packet filter policies contain a set number of fields. The information for the same traffic log message will look different in Traffic Monitor than in Log Manager.

For a traffic log message generated by traffic managed by a proxy policy, your Firebox generates more than one log message. The first entry shows the same information as a packet filter log message, but includes this additional information:

proxy_act

The name of the proxy action that handles this packet. A proxy action is a set of rules for a proxy that can be applied to more than one policy.

rule_name

The name of the specific proxy rule that handles this packet.

content_type

The type of content in the packet that is filtered by the proxy rule.

Other proxy log messages include a variable number of fields.

Alarm Log Messages

Alarm log messages are sent when an event occurs that triggers the Firebox to run a command. When the alarm condition is matched, the Firebox generates an alarm log message that you can see in Traffic Monitor, sends the log message to your Dimension server, WSM Log Server, or syslog server, and then it completes the specified action for the event.

You can configure your Firebox to send alarm log messages for specific events that occur on your device. For example, you can configure an alarm to occur when a specified value matches or exceeds a threshold. Other alarm log messages are set by the Firebox OS, with values that you cannot change. For example, the Firebox sends an alarm log message when a network connection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.

There are eight categories of alarm log messages:

• System
• IPS
• AV
• Policy
• Proxy
• Counter
• Denial of Service
• Traffic

The Firebox does not send more than 10 alarms in 15 minutes for the same conditions.

Event Log Messages

Event log messages are generated for activity on your Firebox that is related to actions by the Firebox and users. Actions that can cause the Firebox to send an event log message include:

• Firebox start up and shut down
• Firebox and VPN authentication
• Process start up and shut down
• Problems with Firebox hardware components
• Any task completed by a device administrator

Debug (Diagnostic) Log Messages

Debug log messages include detailed diagnostic information that you can use to help troubleshoot problems on your Firebox. There are 27 different product components that can send debug log messages. When you configure the logging settings on your Firebox you can specify the level of diagnostic logging to see for each different product component enabled on your Firebox. The available levels are:

• Off
• Error
• Warning
• Information
• Debug

Statistic Log Messages

Statistic log messages include information about the performance of your Firebox. You can configure your Firebox to generate log messages about external interface performance, VPN bandwidth statistics, and Security Services statistics. You can review these log messages to determine what changes are necessary in your Firebox settings to improve performance. To see these log messages, performance statistic logging must be enabled on the Firebox.

Read a Log Message

Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.

Here is an example of one traffic log message from Traffic Monitor:

2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"

When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.

Each log message includes these details:

Time Stamp

The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.

This is the time stamp from the example log message above:

2014-07-02 17:38:43

FireCluster Member Information

If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.

This is the FireCluster member information from the example log message above:

Member2

Disposition

Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.

This is the disposition from the example log message above:

Allow

Source and Destination Addresses

After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.

These are the source and destination addresses from the example log message above:

192.168.228.202 and 10.0.1.1

Service and Protocol

The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.

These are the service and protocol from the example log message above:

webcache/tcp

Source and Destination Ports

The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.

These are the source and destination ports from the example log message above:

42973 and 8080

Source and Destination Interfaces

The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.

These are the source and destination interfaces from the example log message above:

3-Trusted and 1-WCI

Connection Action

This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.

This is the connection action from the example log message above:

Allowed

Packet Length

The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.

These are the packet length numbers from the example log message above:

60 (packet length) and 63 (TTL)

Policy Name

This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.

This is the policy name from the example log message above:

(Outgoing-proxy-00)

Process

This section of the log message shows the process that handles the traffic.

This is the process from the example log message above:

proc_id="firewall"

Return Code

This is the return code for the packet, which is used in reports.

This is the return code from the example log message above:

rc="100"

NAT Address

This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.

This is the NAT address from the example log message above:

src_ip_nat="69.164.168.163"

Packet Size

The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.

This is the packet size from the example log message above:

tcp_info="offset 10 S 2982213793 win 2105"

Message Identification Number

Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.

Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.

This is the message ID number from the example log message above:

msg_id="3000-0148"

The message ID numbers included in the Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. To make sure you can locate the message ID number in the Log Catalog, when you search the Log Catalog for the message ID, remove the hyphen from the message ID number.

For example, to search for information about message ID number 3000-0148, in the Search Log Catalog text box, type 300000148.
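The field order described in this section can be turned into a parser. The Python below is an added example, not WatchGuard code: it assumes whitespace-free interface and action tokens, a FireCluster field of the form MemberN, and that the token after the offset in tcp_info is the TCP flags; the function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Positional part of a Traffic Monitor line, in the order this section documents.
HEAD = re.compile(r"""
    ^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+
    (?:(?P<member>Member\d+)\s+)?        # present only for FireCluster members (assumed form)
    (?P<disposition>Allow|Deny)\s+
    (?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+
    (?P<service>[^\s/]+)/(?P<protocol>\S+)\s+   # service may be a bare port number
    (?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+
    (?P<in_if>\S+)\s+(?P<out_if>\S+)\s+
    (?P<action>\S+)\s+
    (?P<pkt_len>\d+)\s+(?P<ttl>\d+)\s+
    \((?P<policy>[^)]*)\)
    """, re.VERBOSE)
KV = re.compile(r'(\w+)="([^"]*)"')                       # trailing key="value" details
TCP_INFO = re.compile(r"offset (\d+) (\S+) (\d+) win (\d+)")

# Example line from this section.
PAGE_SAMPLE = (
    '2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp '
    '42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) '
    'proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" '
    'tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"'
)
# Constructed line (not from the catalog): no FireCluster member, service
# shown as a port number, and the message ID carried in id= instead of msg_id=.
CONSTRUCTED_SAMPLE = (
    '2018-11-05 09:12:01 Deny 10.0.1.2 61.231.45.165 513/tcp 40112 513 '
    '1-Trusted 0-External Denied 52 127 (Example-Policy-00) '
    'proc_id="firewall" id="3000-0148"'
)


def parse_traffic_line(line):
    """Parse one packet-filter traffic line into a dict; raise ValueError if malformed."""
    text = line.strip()
    m = HEAD.match(text)
    if m is None:
        raise ValueError("not a packet-filter traffic log line")
    rec = m.groupdict()
    # The Firebox writes its own local time, so the timestamp stays naive.
    rec["timestamp"] = datetime.strptime(
        rec.pop("date") + " " + rec.pop("time"), "%Y-%m-%d %H:%M:%S")
    for key in ("src_ip", "dst_ip"):
        rec[key] = ipaddress.ip_address(rec[key])   # rejects malformed addresses
    for key in ("src_port", "dst_port", "pkt_len", "ttl"):
        rec[key] = int(rec[key])

    details = dict(KV.findall(text[m.end():]))
    nat = details.get("src_ip_nat")
    rec["src_ip_nat"] = ipaddress.ip_address(nat) if nat else None
    tcp = TCP_INFO.fullmatch(details.get("tcp_info", ""))
    rec["tcp"] = None if tcp is None else {
        "offset": int(tcp.group(1)), "flags": tcp.group(2),
        "seq": int(tcp.group(3)), "window": int(tcp.group(4)),
    }
    # The ID may arrive as msg_id= or id=; some messages carry neither.
    raw_id = details.get("msg_id") or details.get("id")
    # Hyphen removed: 3000-0148 -> 30000148, the ID the Traffic table
    # lists for "Normal traffic".
    rec["catalog_id"] = raw_id.replace("-", "") if raw_id else None
    rec["details"] = details
    return rec


def allowed_but_modified(rec):
    """True when the disposition is Allow but the connection action is not
    'Allowed', the proxy case this section warns about."""
    return rec["disposition"] == "Allow" and rec["action"] != "Allowed"


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        r = parse_traffic_line(sample)
        print(r["timestamp"], r["disposition"], r["src_ip"], "->", r["dst_ip"],
              r["policy"], r["catalog_id"])
```

Keying alerts on the disposition alone misses proxy traffic that was allowed after its content was stripped or altered, which is why the parser keeps the disposition and the connection action as separate fields.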

Firewall Log Messages

Firewall log messages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can include messages related to feature keys, subscription services, server load balancing, and other features configured on your Firebox.

Alarm

Firewall log messages of the Alarm log type.

| ID | Level | Area | Name | Log Message Example | Description | Format | Message Variables |
|---|---|---|---|---|---|---|---|
| 30000152 | INFO | Firewall / Packet Filter | IPv4 source route attack | IPv4 source route attack from 10.0.1.34 detected. | IPv4 source route attack was detected. | IPv4 source route attack from %s detected. | IPv4 source route from ${src} detected. |
| 30000153 | INFO | Firewall / Packet Filter | IPv4 SYN flood attack | SYN flood attack against 10.0.1.51 from 216.3.21.4 detected. | IPv4 SYN flood attack was detected. | SYN flood attack against %s from %s detected. | SYN flood attack against ${dst} from ${src} detected. |
| 30000154 | INFO | Firewall / Packet Filter | IPv4 ICMP flood attack | ICMP flood attack against 10.0.1.51 from 216.3.21.4 detected. | IPv4 ICMP flood attack was detected. | ICMP flood attack against $dst from $src detected. | ICMP flood attack against ${dst} from ${src} detected. |
| 30000155 | INFO | Firewall / Packet Filter | IPv4 UDP flood attack | UDP flood attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 UDP flood attack was detected. | UDP flood attack against %s from %s detected. | UDP flood attack against ${dst} from ${src} detected. |
| 30000156 | INFO | Firewall / Packet Filter | IPv4 IPSEC flood attack | IPSEC flood attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 IPSEC flood attack was detected. | IPSEC flood attack against %s from %s detected. | IPSEC flood attack against $dst from $src detected. |
| 30000157 | INFO | Firewall / Packet Filter | IPv4 IKE flood attack | IKE flood attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 IKE flood attack was detected | IKE flood attack against %s from %s detected. | IKE flood attack against ${dst} from ${src} detected. |
| 30000158 | INFO | Firewall / Packet Filter | IPv4 scan attack | IP scan attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 scan attack was detected. | IP scan attack against %s from %s detected. | IP scan attack against ${dst} from ${src} detected. |
| 30000159 | INFO | Firewall / Packet Filter | IPv4 port scan attack | PORT scan attack against 32.21.56.8 from 12.34.23.67 detected. | IPv4 port scan attack was detected. | PORT scan attack against %s from %s detected. | Port scan attack against ${dst} from ${src} detected. |
| 30000160 | INFO | Firewall / Packet Filter | IPv4 DDOS against server | DDOS against server 10.0.1.34 detected. | IPv4 DDOS attack against a server was detected. | DDOS against server %s detected. | DDOS against server ${dst} detected. |
| 30000161 | INFO | Firewall / Packet Filter | IPv4 DDOS attack from client | DDOS from client 10.0.1.34 detected. | IPv4 DDOS attack from a client was detected. | DDOS from client $src detected. | DDOS from client ${src} detected. |
| 30000162 | INFO | Firewall / Packet Filter | IPv6 SYN flood attack | SYN flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. | IPv6 SYN flood attack was detected. | SYN flood attack against %s from %s detected. | SYN flood attack against ${dst} from ${src} detected. |
| 30000163 | INFO | Firewall / Packet Filter | IPv6 ICMP flood attack | ICMP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. | IPv6 ICMP flood attack was detected. | ICMP flood attack against %s from %s detected. | ICMP flood attack against ${dst} from ${src} detected. |
| 30000164 | INFO | Firewall / Packet Filter | IPv6 UDP flood attack | UDP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. | IPv6 UDP flood attack was detected. | UDP flood attack against %s from %s detected. | UDP flood attack against ${dst} from ${src} detected. |
| 30000165 | INFO | Firewall / Packet Filter | IPv6 IPSEC flood attack | IPSEC flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. | IPv6 IPSEC flood attack was detected. | IPSEC flood attack against %s from %s detected. | IPSEC flood attack against ${dst} from ${src} detected. |
| 30000166 | INFO | Firewall / Packet Filter | IPv6 IKE flood attack | IKE flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected. | IPv6 IKE flood attack was detected. | IKE flood attack against %s from %s detected. | IKE flood attack against ${dst} from ${src} detected. |
| 30000167 | INFO | Firewall / Packet Filter | Alarm Traffic matched policy | Policy Name: HTTP-00 Source IP Address: 10.0.1.20 Source Port: 4107 Destination IP Address: 61.135.169.125 Destination Port: 80 | An alarm log message was sent for traffic that matched the specified policy. | Policy Name: %s Source IP Address: %s Source Port: %d Destination IP Address: %s Destination Port: %d | Policy Name: ${pcy_name} Source IP Address: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip} Destination Port: ${dst_port} |
| 30000168 | INFO | Firewall / Packet Filter | Blocked site | Blocked site: Traffic detected from 10.0.1.2 to 61.231.45.165. | Traffic was detected to or from a blocked site. | Blocked site: Traffic detected from %src to %dst. | Blocked site: Traffic detected from ${src} to ${dst}. |
| 30000169 | INFO | Firewall / Packet Filter | IP spoofing | IP spoofing: Traffic detected from 10.0.1.2 to 43.123.12.26. | IP spoofing was detected from the IP address specified in the log message. | IP spoofing: Traffic detected from %src to %dst. | IP spoofing: Traffic detected from ${src} to ${dst}. |
| 30000171 | INFO | Firewall / Packet Filter | Conntrack table is full | The number of connections (%u) has reached the configured limit (%d). | The conntrack table is full. The number of connections has reached the configured limit. | The number of connections (2048) has reached the configured limit (2048). | The number of connections (${value1}) has reached the configured limit (${value2}). |
| 30000172 | INFO | Firewall / Packet Filter | Blocked port | Blocked port: Traffic detected from %src to %dst on port %port. | Traffic was detected on a blocked port. | Blocked port: Traffic detected from 10.0.1.2 to 61.231.45.165 on port 513. | Blocked port: Traffic detected from ${src} to ${dst} on port ${port}. |

Diagnostic

Firewall log messages of the Debug (Diagnostic) log type.

| ID | Level | Area | Name | Log Message Example | Description | Format | Message Variables |
|---|---|---|---|---|---|---|---|
| 30000006 | INFO | Firewall / Packet Filter | Feature settings updated | Application control settings updated | Firewall settings for the feature specified in the message have been updated | %s settings updated | – |
| 30000007 | INFO | Firewall / Packet Filter | DNS forwarding deferred | Deferred DNS forwarding until valid DNS server IP address is dynamically learned | DNS server IP address is not yet known, device will enable DNS when a DNS server IP address is detected | Deferred DNS forwarding until valid DNS server IP address is dynamically learned | |
| 30000027 | INFO | Firewall / Packet Filter | Firewall is starting up | Firewall is starting up | Firewall is starting up | – | – |
| 30000028 | INFO | Firewall / Packet Filter | Firewall is shutting down | Firewall is shutting down | Firewall is shutting down | – | – |
| 30000029 | INFO | Firewall / Packet Filter | Address exempted from blocked sites | IP address 192.168.111.254 will not be added to the blocked sites list because it is exempt | The particular IP address is an exemption and will not be added to the blocked sites list | IP address %s will not be added to the blocked sites list because it is exempt | IP address ${ip} will not be added to the blocked sites list because it is exempt |
| 30000040 | INFO | Firewall / Packet Filter | Blocked site idle timeout | Idle timeout has occurred for blocked site 192.168.111.10 | Idle timeout has occurred for the specified blocked site, and it will be removed from the blocked sites list. | Idle timeout has occurred for blocked site %s | |
| 30000065 | INFO | Firewall / Packet Filter | Quota amount used by the specified user | User James@Firebox-DB used 21MB of the bandwidth quota (100MB) and used 1 minute of the time quota (3 minutes). | – | User %s used %s | User {user} used {quota info} |
| 3000002A | INFO | Firewall / Packet Filter | Address already blocked | IP address 192.168.111.10 will not be added to the blocked sites list because it already exists. | – | IP address %s will not be added to the blocked sites list because it already exists. | IP address ${ip} will not be added to the blocked sites list because it already exists. |
| 3000003A | ERROR | Firewall / Packet Filter | Unable to read feature keys | Unable to read the feature keys, some features may be unavailable | Unable to read feature keys file or fail to parse feature keys file. Features that require a correct feature key will not function. | Unable to read the feature keys, some features may be unavailable | |
| 3000003C | ERROR | Firewall / Packet Filter | No route to HTTP redirect host | Route look up on HTTP redirect host 192.168.111.10 for policy "FTP-00" failed, local redirect may not work | Route look up on HTTP redirect host for the specified policy failed, and local HTTP redirect may not work. | Route look up on HTTP redirect host %u.%u.%u.%u for policy "%s" failed, local redirect may not work | |
| 3000012D | INFO | Firewall / Packet Filter | Verify ARP entry | Verify ARP entry for host at 192.168.111.10 | The appliance sent an ARP request to verify learned ARP entry for a given host. | Verify ARP entry for host at %hu.%hu.%hu.%hu | |
| 3000012E | ERROR | Firewall / Packet Filter | Possible loop or ARP spoofing detected | Cannot relearn system MAC address, possible loop or MAC spoofing,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5 | The appliance received an ARP packet sent from one of its own MAC addresses. It is possibly a network or cabling loop, or another device is faking this device's MAC address. | Cannot relearn system MAC address, possible loop or MAC spoofing,ip=%hu.%hu.%hu.%hu,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u | Cannot relearn system MAC address, possible loop or another device is faking this device's MAC address, ip=${ip}, mac=${mac},interface=${interface} |

EventFirewall logmessages of theEvent log type.

ID Level Area Name Log Message Example Description Format Message Variables

30000004 INFO Firewall/PacketFilter

ApplicationControlfeatureexpired

The Application Controlfeature has expired.

The feature key for your Application Controlsubscription has expired.

The Application Control feature has expired. –

30000005 INFO Firewall/PacketFilter

IPS featureexpired

The IPS feature hasexpired.

The feature key for your Intrusion PreventionServices subscription has expired.

The IPS feature has expired. –

30011001 INFO Firewall/PacketFilter

Temporarilyblockinghost

Temporarily blocking host198.13.111.226

The host is blocked temporarily. Temporarily blocking host %s Temporarily blockinghost ${IP}

3000002F INFO Firewall/PacketFilter

Feature notsupportedby featurekey

Feature key does notsupport the feature Policybased routing.

The device feature key does not support thespecified feature.

Feature key does not support the feature%s.

No valid ${featurename} feature

300000C9 INFO Firewall/PacketFilter

LoadBalanceServer(TCPProbe)

TCP probe packets timeout,Load Balance Server10.10.10.100 port 3030 isoffline.

Load Balance Server status update due toresponse or lack of response to a TCP Probepacket. The logmessage specifies the serverIP address and port.

%s %s , Load Balance Server%hu.%hu.%hu.%hu port %d is %s.

${probemethod}${reason}, LoadBalance Server ${ip}port ${port} is ${status}

Firewall LogMessages

Log Catalog 12

Page 16: Fireware XTM Log Catalog - WatchGuard · 2019. 1. 7. · 30000027 INFO Firewall / Packet Filter Firewallis startingup Firewallisstartingup Firewallisstartingup – – 30000028 INFO

ID Level Area Name Log Message Example Description Format Message Variables

300000CB INFO Firewall/PacketFilter

LoadBalanceServer(ICMPProbe)

ICMP probe packetstimeout, Load BalanceServer 10.10.10.100 isoffline.

Update to status of Load Balance Server dueto success or failure of ICMP Probe packet.The logmessage specifies the server IP andstatus.

%s %s , Load Balance Server%u.%u.%u.%u is %s.

${probemethod}${reason}, LoadBalance Server ${ip} is${status}

3000012C ERROR Firewall / Packet Filter

ARP spoofing attack

ARP spoofing attack detected,ip=192.168.111.10,mac=00:50:da:c7:90:5d,interface=5

Detected an ARP spoofing attack. The log message specifies the source IP address, MAC address, and incoming interface of the ARP packet.

ARP spoofing attack detected,ip=%u.%u.%u.%u,mac=%02x:%02x:%02x:%02x:%02x:%02x,interface=%u

ARP spoofing attack detected, ip=${ip},mac=${mac},interface=${interface}

Traffic

Firewall log messages of the Traffic log type.

ID Level Area Name Description Example Format Message Variables

30000148 INFO Firewall / Packet Filter

Normal traffic

Details of normal traffic either allowed or denied by the firewall policy specified in the log message.

Allow Firebox 0-External 52 tcp 20 127 10.0.1.2 206.190.60.138 62443 80 offset 8 S 832026162 win 8192 (HTTP-00)

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}] [${route_type}] ${policy_name}

30000149 INFO Firewall / Packet Filter

Application Control Traffic identified

Application Control identified traffic for an application.

Allow 1-Trusted 0-External 40 tcp 20 127 10.0.1.2 206.190.60.138 53008 80 offset 5 AF 3212213617 win 257 app_name="World Wide Web HTTP" cat_name="Network Protocols" app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2" msg="Application identified" (HTTP-00)

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" msg=\"%s\" (%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} msg=${msg} [${route_type}] ${policy_name}

30000150 INFO Firewall / Packet Filter

IPS Traffic detected

IPS detected traffic that matches an IPS signature.

Deny 1-Trusted 0-External 1440 tcp 20 61 10.0.1.2 192.168.130.126 55810 80 offset 5 A 447868619 win 54 signature_name="EXPLOIT Apple QuickTime FLIC Animation file buffer overflow -1-2" signature_cat="Misc" signature_id="1112464" severity="4" msg="IPS detected" (HTTP-00)

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d signature_name=\"%s\" signature_cat=\"%s\" signature_id=\"%s\" severity=\"%d\" msg=\"%s\" (%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity} msg=${msg} [${route_type}] ${policy_name}

30000151 INFO Firewall / Packet Filter

Traffic connection terminated

Record for a terminated connection

Allow 1-Trusted 0-External tcp 10.0.1.2 220.181.90.24 53018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\" duration=\"%d\" sent_bytes=\"%d\" rcvd_bytes=\"%d\" (%s)

${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes} ${policy_name}

30000173 INFO Firewall / Packet Filter

Hostile traffic

Details of hostile traffic denied by the firewall internal policy.

Deny 0-External Firebox 52 tcp 20 127 206.190.60.138 10.0.0.1 62443 80 offset 8 S 832026162 win 8192 blocked sites (Internal Policy)

%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)

${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]

Networking Log Messages

Networking log messages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP server requests, FireCluster management, link monitoring, and wireless connections.

Diagnostic

Networking log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

5A000001 INFO Networking / Dynamic DNS

Response from Dynamic DNS server

Response from server: update succeeded with no change, abusive warning (1)

Receive the specified response from the dynamic DNS server.

Response from server: %s (%d)

Response from server: ${response} (${ret_code})

5A000002 INFO Networking / Dynamic DNS

Dynamic DNS Domain Name Resolved

Resolved domain members.dyndns.org to 204.13.248.111

Dynamic DNS server domain name successfully resolved to an IP address.

Resolved domain %s to %s

Resolved domain ${domain} to ${ip}

5A000003 INFO Networking / Dynamic DNS

Connected to the server

Connected to: members.dyndns.org / 204.13.248.111

Connected to the specified dynamic DNS server.

Connected to: %s / %s

Connected to: ${server_name} / ${server_ip}

5A000004 INFO Networking / Dynamic DNS

Connecting to the server

Connecting to: members.dyndns.com / 204.13.248.111

Connecting to the specified dynamic DNS server.

Connecting to: %s / %s

Connecting to: ${server_name} / ${server_ip}

5A000005 INFO Networking / Dynamic DNS

Activate dynamic DNS

Activating DynDNS on interface: External

Activate dynamic DNS on the specified interface.

Activating Dynamic DNS on interface: %s

Activating DynDNS on interface: ${if_name}

5A000006 DEBUG Networking / Dynamic DNS

Received reply from the server

Received reply: HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 17:14:57 GMT Server: Apache Content-Type: text/plain Connection: close good 192.168.53.88

Received the specified reply from the dynamic DNS server.

%s: Buffer Overflow. buf start[%p], buf end[%p], current pointer[%p]

Received reply: ${reply}

5A000007 ERROR Networking / Dynamic DNS

Unable to resolve domain name

Could not resolve server: members.dyndns.org

Could not resolve domain for dynamic DNS server.

Could not resolve server: %s

Could not resolve server: ${server}

5A000008 ERROR Networking / Dynamic DNS

Failed to connect to the server

Could not connect to members.dyndns.org / 204.13.248.111, connection refused

Could not connect to the dynamic DNS server due to specified reason.

Could not connect to %s / %s, %m

Could not connect to ${server_name} / ${server_ip}, ${reason}

5A000009 ERROR Networking / Dynamic DNS

Unable to connect to server

Unable to connect to server: members.dyndns.org / 204.13.248.111

Unable to connect to the specified dynamic DNS server.

Unable to connect to server: %s / %s

Unable to connect to server: ${server_name} / ${server_ip}

5A00000A ERROR Networking / Dynamic DNS

No response from server

No response from server members.dyndns.org / 204.13.248.111

Not able to get response from specified dynamic DNS server.

No response from server %s / %s

No response from server ${server_name} / ${server_ip}

5A00000B ERROR Networking / Dynamic DNS

Invalid response from server

Invalid response from server (-2)

The dynamic DNS server returned an invalid response code. The log message specifies that code.

Invalid response from server (%d)

Invalid response from server (${ret_code})

5A00000C INFO Networking / Dynamic DNS

The time for next update

Next update is on Tue, 27 Nov 2012 17:14:57

The log message specifies the next update time for dynamic DNS.

Next update is on %s

Next update is on ${time}

5A00000D DEBUG Networking / Dynamic DNS

Send update request

Sending update request (138 bytes): GET /nic/update?system=dyndns

Sending dynamic DNS update request. The log message specifies the size and content of the request.

Sending update request (%zu bytes): %s

Sending update request (${size} bytes): ${content}

56000001 INFO Networking / Dynamic Routing

Update IPv4 Dynamic Routes

Sync add an IPv4 dynamic route (10.0.1.2/24 gw 10.0.1.254 ifindex 1 metric 10)

Updated an IPv4 dynamic route. The log message specifies the route that is changed.

%s %s an IPv4 dynamic route (%s/%d gw %s ifindex %d metric %d)

${event} ${action} an IPv4 dynamic route (${ip}/${mask} gw ${gw} ifindex ${ifindex} metric ${metric}

56010002 ERROR Networking / Dynamic Routing

Failed to retrieve license

Failed to retrieve active license features

Failed to retrieve license features for dynamic routing.

Failed to retrieve active license features

–

56010003 ERROR Networking / Dynamic Routing

Failed to parse license

Failed to parse the active license features

Failed to parse license features for dynamic routing.

Failed to parse the active license features

–

56010004 ERROR Networking / Dynamic Routing

Not able to get license

Could not get license for dynamic routing features

Not able to get license for dynamic routing features.

Could not get license for dynamic routing features

56020001 DEBUG Networking / Dynamic Routing

Received interface event

Received interface status event

Received an interface status event.

Received interface status event

–

56020002 DEBUG Networking / Dynamic Routing

Received cluster event

Received cluster ready event

Received cluster ready event.

Received cluster ready event

–

56020003 DEBUG Networking / Dynamic Routing

Received cluster event

Received cluster role change event

Received cluster role change event.

Received cluster role change event

–

56020004 DEBUG Networking / Dynamic Routing

Received license event

Received License Update event

Received a license update event.

Received License Update event

–

56020005 ERROR Networking / Dynamic Routing

RCS unresponsive

RCS(10.10.10.10) is unresponsive, and is considered stopped

The RCS at the specified IP address has become unresponsive

RCS(%s) is unresponsive, and is considered stopped

RCS(${ip}) is unresponsive, and is considered stopped

56020006 INFO Networking / Dynamic Routing

Not able to forward request to RCS

Could not forward request to RCS, not connected

Not able to forward request to RCS due to no connection.

Could not forward request to RCS, not connected

56030001 ERROR Networking / Dynamic Routing

An error was detected in the configuration. The log message specifies the line number of the error.

Configuration error detected in ripd.conf, line 12: 'network 192.168.53.0/24 area 0'

An error was detected in the configuration. The log message specifies the line number of the error.

Configuration error detected in %s, line %d: '%s'

Configuration error detected in ${config}, line ${lineno}: '${line}'

56040001 ERROR Networking / Dynamic Routing

Not able to connect to RCS

Could not connect to RCS, 10.0.1.10

Not able to connect to RCS with the specified IP address.

Could not connect to RCS, %s

Could not connect to RCS, ${ip}

56040002 ERROR Networking / Dynamic Routing

Connection to RCS closed

Connection to RCS was closed

Connection to RCS closed.

Connection to RCS was closed

–

45000001 ERROR Networking / Modem

Duplicate modem instance running

Another instance of Modem is running

System loaded Modem process, but another instance is already active.

Another instance of Modem is running

–

31000003 INFO Networking / Network Management

Initiate gratuitous ARP

Initiating GARP for eth0

Initiate gratuitous ARP for the specified interface.

Initiating GARP for %s

Initiating GARP for ${dev_name}

31000004 INFO Networking / Network Management

Initiate gratuitous ARP

Initiating GARP for all interfaces

Initiate gratuitous ARP for all the interfaces.

Initiating GARP for all interfaces

–

31000030 INFO Networking / Network Management

Send interface logical link status event

[eth0] Sending interface status event,logical=up link=up ip=10.0.0.1 mask=255.255.255.0

Interface status event is sent for logical link status change.

[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%u mask=%u.%u.%u.%u

[${dev_name}] Sending interface status event,logical=${logical} link=${link} ip=${ip} mask=${mask}

31000031 INFO Networking / Network Management

Send interface link status event

[eth0] Sending interface status event for link up

Interface status event is sent for link change.

[%s] Sending interface status event%s for link %s

[${dev_name}] Sending interface status event for link ${link}

31000034 INFO Networking / Network Management

A change was made to the IP address of the external interface

[eth0 (External)] External Interface set IP address

Handle IP address for the specified external interface.

[%s (%s)] External Interface %s IP address

[${dev_name} (${if_name})] External Interface ${operation} IP address

31000035 ERROR Networking / Network Management

Ignore unknown address operation

[eth0 (External)] Ignoring unknown address operation sss

Ignore unknown address operation on the specified interface.

[%s (%s)] Ignoring unknown address operation %s

[${dev_name} (${if_name})] Ignoring unknown address operation ${operation}

31000036 INFO Networking / Network Management

Layer 2 traffic gate is closed

[Cluster] The traffic gate of layer2 is closed due to cluster role backup

Layer 2 traffic gate is closed due to the specified reason.

[Cluster] The traffic gate of layer2 is closed due to cluster role %s

[Cluster] The traffic gate of layer2 is closed due to cluster role ${role}

31000037 INFO Networking / Network Management

Layer 2 traffic gate is opened

[Cluster] The traffic gate of layer2 is opened due to cluster role master

Layer 2 traffic gate is opened due to the specified reason.

[Cluster] The traffic gate of layer2 is opened due to cluster role %s

[Cluster] The traffic gate of layer2 is opened due to cluster role ${role}

31000038 INFO Networking / Network Management

Traffic signal changed

[Cluster] Traffic signal become %s

Traffic signal is changed to the specified status.

[Cluster] Traffic signal become %s

[Cluster] Traffic signal become ${status}

31000050 INFO Networking / Network Management

Starting wireless AP

Starting wireless AP ath1

Starting specified wireless AP.

Starting wireless AP %s

–

31000051 INFO Networking / Network Management

Stopping wireless AP

Stopping wireless AP ath1

Stopping the specified wireless Access Point.

Stopping wireless AP %s

–

31000057 INFO Networking / Network Management

Start processing configuration

Starts processing a configuration setting

Started to process configuration settings.

Starts processing a configuration setting

–

31000058 INFO Networking / Network Management

Update bridge mode settings

Updating global bridge mode setting

Update global bridge mode settings.

Updating global bridge mode setting

–

31000059 INFO Networking / Network Management

Update drop-in mode settings

Updating global drop-in mode setting

Update global drop-in mode settings.

Updating global drop-in mode setting

–

31000070 INFO Networking / Network Management

Clean up stale connections

[Cluster] Clean up stale IP connections with expired address 192.168.1.22 for PPPoE interface eth0

Clean up stale connections for the expired IP address on dynamic interface.

[Cluster] Clean up stale IP connections with expired address %s for %s interface %s

[Cluster] Clean up stale IP connections with expired address ${ip} for dynamic interface ${dev_name}

31000075 ERROR Networking / Network Management

DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.

DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.

31130001 ERROR Networking / Network Management

Capture stopped

Capture stopped, insufficient space

Capture stopped due to the specified reason.

Capture stopped, %s

Capture stopped, ${reason}

3100000F INFO Networking / Network Management

Add bridge interface

Adding bridge tbr0

Add bridge interface in bridge mode.

Adding bridge %s

Adding bridge ${dev_name}

3100003D INFO Networking / Network Management

Update ARP rules

[Cluster] Update arp rules for cluster role backup

Update ARP rules for the specified cluster role.

[Cluster] Update arp rules for cluster role %s

[Cluster] Update arp rules for cluster role ${role}

3100004F INFO Networking / Network Management

Fix up multipath gateways

[ECMP] Fixup 2 multipath gateway successfully

Fix up multipath gateways of the specified number successfully.

[ECMP] Fixup %d multipath gateway successfully

[ECMP] Fixup ${num} multipath gateway successfully

3100005A INFO Networking / Network Management

Update wireless settings

Updating wireless setting

Update wireless settings

Updating wireless setting

–

3100005B INFO Networking / Network Management

Update secondary IP settings

Updating Trust-1 secondary IP(s) setting

Update secondary IP address settings for the specified interface.

Updating %s secondary IP(s) setting

Updating ${if_name} secondary IP(s) setting

3100005C INFO Networking / Network Management

Update route settings

Updating route setting

Update route settings.

Updating route setting

–

3100005D INFO Networking / Network Management

Update 1to1 NAT settings

Updating 1to1 NAT setting

Update 1-to-1 NAT settings.

Updating 1to1 NAT setting

–

3100005E INFO Networking / Network Management

Update DNS settings

Updating DNS setting

Update DNS settings.

Updating DNS setting

–

9000001 ERROR Networking / PPPoE

Duplicate PPPoE Instance Error

Another instance of PPPoE is running

Another instance of the PPPoE process is already active in the system.

Another instance of PPPoE is running

–

9000002 ERROR Networking / PPPoE

Invalid PPPoE automatic restart settings

PPPoE automatic restart settings are invalid, automatic restart will not be used

Automatic restart of PPPoE is disabled due to invalid settings.

PPPoE automatic restart settings are invalid, automatic restart will not be used

9000006 INFO Networking / PPPoE

Initiate PPPoE automatic restart

Initiating PPPoE automatic restart

PPPoE instance will restart automatically.

Initiating PPPoE automatic restart

–

9000007 WARN Networking / PPPoE

Skip PPPoE automatic restart

Skipped PPPoE automatic restart because the link was not up

PPPoE instance will not restart automatically due to no link.

Skipped PPPoE automatic restart because the link was not up

Event

Networking log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

16000001 ERROR Networking / DHCP Server

DHCP discover

DHCPDISCOVER from 00:50:04:ce:c6:3d via eth1: network 192.168.111.0/24: no free leases

Received DHCP discover from the client, but there are no free leases available.

%s

–

16000002 INFO Networking / DHCP Server

DHCP offer

DHCPOFFER on 192.168.111.20 to 84:2b:2b:a6:02:3f (client) via eth1

The DHCP server offered an IP address to the specified client device.

%s

–

16000003 INFO Networking / DHCP Server

DHCP request

DHCPREQUEST for 192.168.111.20 from 84:2b:2b:a6:02:3f (client) via eth1

Received DHCP request for specified IP address from the specified client.

%s

–

68000001 INFO Networking / Discovery

Network scan completed

On demand scan completed

Specified type of scan completed

%s scan completed

${scan_type} scan completed

68000002 INFO Networking / Discovery

Network scan started

On demand scan - stage 2 started

Specified type and stage of scan started

%s scan%s started

${scan_type} scan${scan_stage} started

68000003 INFO Networking / Discovery

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

On demand scan - stage 1 completed

56000002 INFO Networking / Dynamic Routing

Cluster role failed over to backup

Failed over from master to backup

Cluster role failed over from master to backup

Failed over from master to backup

–

56000003 INFO Networking / Dynamic Routing

Cluster role failed over to master

Failed over from backup to master

Cluster role failed over from backup to master

Failed over from backup to master

–

56010001 WARN Networking / Dynamic Routing

No valid feature key

Invalid or missing feature key for dynamic routing protocol OSPF

No valid feature key for the specified dynamic routing protocol.

Invalid or missing feature key for dynamic routing protocol %s

56010005 INFO Networking / Dynamic Routing

License status

License for dynamic routing protocol BGP is valid

Specifies the license status for a dynamic routing protocol.

License for dynamic routing protocol %s is %s

License for dynamic routing protocol ${proto} is ${status}

45000003 INFO Networking / Modem

Modem disconnected

modem0 disconnected

Specified modem is disconnected.

%s disconnected

–

45000004 ERROR Networking / Modem

Modem authentication failed

Modem authentication failed, check your modem configuration

Modem authentication failed.

Modem authentication failed, check your modem configuration

31000009 INFO Networking / Network Management

Interface initializing

[eth1 (Trusted)] Interface initializing

Initializing the specified interface.

[%s (%s)] Interface initializing

[${dev_name} (${if_name})] Interface initializing

31000010 ERROR Networking / Network Management

Failed to add bridge

Failed to add bridge tbr0 VLAN ID 1

Failed to add bridge

Failed to add bridge %s VLAN ID %d

–

31000029 ERROR Networking / Network Management

Failed to add interface IP address

[eth1 (Trusted)] Failed to add address 198.51.100.0

Failed to add the specified IP address to the specified interface.

[%s (%s)] Failed to %s address %s

–

31000039 INFO Networking / Network Management

Cluster management interface change

[Cluster] Management interface setting is changed: interface from eth1 to eth2, IPv4 address from 10.0.1.3 to 10.0.2.3, IPv4 mask from 24 to 24, IPv6 CIDR from 2000::1/64 to 2001::2/64

The configuration for the cluster management interface changed. The log message specifies changes to the interface, IP address, mask and IPv6 address.

[Cluster] Management interface setting is changed: interface from %s to %s, IPv4 address from %u.%u.%u.%u to %u.%u.%u.%u IPv4 mask from %d to %d IPv6 CIDR from %s to %s%s

[Cluster] Management interface setting is changed: interface from ${pre_if} to ${new_if}, IPv4 address from ${pre_ip} to ${new_ip} IPv4 mask from ${pre_mask} to ${new_mask} IPv6 CIDR from ${pre_ipv6} to %{new_ipv6}%s

31000046 INFO Networking / Network Management

Activating external interface

[eth0 (External)] Activating external interface

Activating specified external interface.

[%s (%s)] Activating external interface

[${dev_name} (${if_name})] Activating external interface

31000047 INFO Networking / Network Management

Deactivating external interface

[eth0 (External)] Deactivating external interface

Deactivating the specified external interface.

[%s (%s)] Deactivating external interface

[${dev_name} (${if_name})] Deactivating external interface

31000052 INFO Networking / Network Management

Starting wireless AP service

Starting wireless AP service

Starting wireless AP service.

Starting wireless AP service

–

31000054 INFO Networking / Network Management

Detect rogue wireless AP

Starting the scan for rogue wireless AP detection

Starting rogue wireless AP detection scan.

Starting the scan for rogue wireless AP detection

–

31000055 INFO Networking / Network Management

Stop detecting rogue wireless AP

Stopping the scan for rogue wireless AP detection

Stopping rogue wireless AP detection scan.

Stopping the scan for rogue wireless AP detection

–

31000056 INFO Networking / Network Management

Restart detecting rogue wireless AP

Restart the scan for rogue wireless AP detection

Restart rogue wireless AP detection scan.

Restart the scan for rogue wireless AP detection

–

31000069 INFO Networking / Network Management

IPv6 interface activated.

[eth0 (External)] IPv6 interface is activated.

An IPv6 interface was activated. The log message specifies the interface.

[%s (%s)] IPv6 interface is activated.

–

31000071 INFO Networking / Network Management

PPPoE IP address change during cluster failover

[eth0 (External)] PPPoE IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23

The cluster completed a failover. During the failover, the PPPoE IP address changed.

[%s (%s)] PPPoE IP address changed during cluster failover, from %s to %s

[${dev_name} (${if_name})] PPPoE IP address changes during cluster failover, from ${pre_ip} to ${new_ip}

31000072 INFO Networking / Network Management

No change for PPPoE IP address during cluster failover

[eth0 (External)] PPPoE IP address 192.168.1.22 did not change during cluster failover

PPPoE IP address did not change during cluster failover.

[%s (%s)] PPPoE IP address %u.%u.%u.%u did not change during cluster failover

31000073 INFO Networking / Network Management

DHCP IP address change during cluster failover

[eth0 (External)] DHCP IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23

The cluster completed a failover. During the failover, the DHCP IP address changed.

[%s (%s)] DHCP IP address changed during cluster failover, from %s to %s

[${dev_name} (${if_name})] DHCP IP address changes during cluster failover, from ${pre_ip} to ${new_ip}

31000074 INFO Networking / Network Management

No change for DHCP IP address during cluster failover

[eth0 (External)] DHCP IP address 192.168.1.22 did not change during cluster failover

DHCP IP address did not change during cluster failover.

[%s (%s)] DHCP IP address %u.%u.%u.%u did not change during cluster failover

3100000A INFO Networking / Network Management

Interface shutting down

[eth1 (Trusted)] Interface shutting down

Shutting down the specified interface.

[%s (%s)] Interface shutting down

[${dev_name} (${if_name})] Interface shutting down

3100000B INFO Networking / Network Management

Multi-WAN interface activated.

[eth1 (Trusted)] Interface is activated due to link-monitor success.

Interface is activated due to link-monitor success. The log message specifies the interface.

[%s (%s)] Interface is activated due to link-monitor success.

3100000D WARN Networking / Network Management

Multi-WAN interface deactivated

[eth1 (Trusted)] Interface is deactivated due to link-monitor failure.

Interface is deactivated due to link-monitor failure. The log message specifies the interface.

[%s (%s)] Interface is deactivated due to link-monitor failure.

3100002B ERROR Networking / Network Management

Interface is disabled

[eth1 (Trusted)] Interface is disabled because it does not exist

Specified interface does not exist. The interface status is set to disabled.

[%s (%s)] Interface is disabled because it does not exist

[${dev_name} (${if_name})] Interface is disabled because it does not exist

3100002C WARN Networking / Network Management

Interface link status changed

[eth1 (Trusted)] Interface link status changed to UP

The interface link status has changed. The log message specifies the new status.

[%s (%s)] Interface link status changed to %s

–

3100003A WARN Networking / Network Management

Cluster is enabled

Cluster is enabled and is forming

Cluster is enabled and is forming.

Cluster is enabled and is forming

–

3100003B WARN Networking / Network Management

Cluster setting changed to disabled

Cluster setting changed from enabled to disabled

The cluster setting was changed from enabled to disabled.

Cluster setting changed from enabled to disabled

–

3100003E INFO Networking / Network Management

Cluster A/P role changed

[Cluster] Cluster A/P role successfully changed from master to idle.

The role of this device in the active/passive (A/P) cluster changed. The log message specifies the old and new roles.

[Cluster] Cluster A/P role successfully changed from %s to %s.

3100003F INFO Networking / Network Management

Cluster A/A role changed

[Cluster] Cluster A/A role successfully changed from master to idle.

The Cluster active/active (A/A) role changed. The log message specifies the old and new roles.

[Cluster] Cluster A/A role successfully changed from %s to %s.

3100006A WARN Networking / Network Management

IPv6 interface deactivated.

[eth0 (External)] IPv6 interface is deactivated.

IPv6 interface was deactivated. The log message specifies the interface.

[%s (%s)] IPv6 interface is deactivated. –

3100006C INFO Networking / Network Management

IPv6 interface shutting down

[eth0 (External)] IPv6 interface shutting down

Shutting down specified IPv6 interface.

[%s (%s)] IPv6 interface shutting down

[${dev_name} (${if_name})] IPv6 interface shutting down

3100006D INFO Networking / Network Management

IPv6 interface initializing

[eth0 (External)] IPv6 interface initializing

Initializing specified IPv6 interface.

[%s (%s)] IPv6 interface initializing

[${dev_name} (${if_name})] IPv6 interface initializing

9000004 ERROR Networking / PPPoE

Authentication failure

PPPoE authentication failed

The Firebox or XTM device failed to authenticate for PPPoE.

PPPoE authentication failed –

09000005 ERROR Networking / PPPoE

PPPoE stopped

PPPoE stopped unexpectedly (unknown error)

PPPoE stopped unexpectedly due to an unknown error.

PPPoE stopped unexpectedly (unknown error) –

09000008 INFO Networking / PPPoE

Enforce static IP address

[eth2 (External)] Enforced PPPoE static IP address: 192.168.3.48 is replaced with 192.168.3.29

Replaced the assigned PPPoE IP address with the configured static IP address. The assigned IP address is retained as a secondary IP address for the interface.

[%s (%s)] Enforced PPPoE static IP address: %s is replaced with %s

[${dev_name} (${if_name})] Enforced PPPoE static IP address: ${nego_ip} is replaced with ${static_ip}

9000009 INFO Networking / PPPoE

Session established

[eth0 (External)] PPPoE session[11] is established, acquired IP address 192.168.3.48, peer 192.168.3.254

The specified interface established a PPPoE session. The log message also specifies the session ID, acquired IP address, and peer IP address.

[%s (%s)] PPPoE session[%d] is established, acquired IP address %s, peer %s

[${physical_name} (${ifname})] PPPoE session[${session_id}] is established, acquired IP address ${ipaddr}, peer ${peer_addr}

0900000A INFO Networking / PPPoE

Disconnect

[eth0 (External)] PPPoE session[11] is disconnected.

The PPPoE session for the specified interface is disconnected.

[%s (%s)] PPPoE session[%d] is disconnected. –

54000001 INFO Networking / Rogue Access Point Detection

Scan started

Scan=0-34 started

Scan started, it will last about 30 seconds, wireless traffic will be interrupted in the meantime

Scan=%u-%llu started –

54000002 INFO Networking / Rogue Access Point Detection

Scan ended %zd %zd

Scan=0-34 ended 0 0

Scan ended [Rogue AP Count] [Trusted AP Count]

Scan=%u-%llu ended %zd %zd –

54000003 WARN Networking / Rogue Access Point Detection

Detected Rogue AP

Scan=0-34 detected Rogue AP with mac_address='00:90:0b:1b:34:30'

Scan detected Rogue AP, this AP is not in the list of 'Trusted Access Point Configuration'

Scan=%u-%llu detected Rogue AP with %s –

54000004 INFO Networking / Rogue Access Point Detection

Detected Trusted AP

Scan=0-34 detected Trusted AP with mac_address='00:90:0b:1b:35:40'

Scan detected Trusted AP, this AP is in the list of 'Trusted Access Point Configuration'

Scan=%u-%llu detected Trusted AP with %s –

61000002 WARN Networking / Wireless Controller

Model mismatch

Model mismatch for configured Wireless Access Point [123456789ABCD]: configured as AP100, but appears to be AP200.

The Wireless Access Point appears to be a different model than what is configured in the Gateway Wireless Controller.

Model mismatch for configured Wireless Access Point [%.13s]: configured as %s, but appears to be %s.

Model mismatch for configured Wireless Access Point [${serial_no}]: configured as ${configured_model}, but appears to be ${actual_model}.

61000003 WARN Networking / Wireless Controller

Wireless Access Point activation failure

LiveSecurity Service activation failed for [20AP0275FF17A]; will try again later.

The Gateway Wireless Controller is unable to contact the WatchGuard LiveSecurity Service to activate the service and support contract for the Wireless Access Point.

LiveSecurity Service activation failed for [%.13s]; will try again later.

LiveSecurity Service activation failed for [${serial_no}]; will try again later.

61000004 INFO Networking / Wireless Controller

New Wireless Access Point discovered

Discovered new Wireless Access Point model AP102 [123456789ABCD] at 10.0.42.15.

A new Wireless Access Point has been discovered by the Gateway Wireless Controller.

Discovered new Wireless Access Point model %s [%.13s] at %s.

Discovered new Wireless Access Point model ${actual_model} [${serial_no}] at ${ip_address}.

61000005 INFO Networking / Wireless Controller

Wireless Access Point reboot

Wireless Access Point [123456789ABCD] rebooted 92 seconds ago.

A Wireless Access Point has rebooted.

Wireless Access Point [%.13s] rebooted %lu seconds ago.

Wireless Access Point [${serial_no}] rebooted ${seconds} ago.

61000006 WARN Networking / Wireless Controller

Wireless Access Point went offline

Wireless Access Point 'South' [123456789ABCD] went offline.

A Wireless Access Point has gone offline.

Wireless Access Point '%s' [%.13s] went offline.

Wireless Access Point '${name}' [${serial_no}] went offline.

61000007 INFO Networking / Wireless Controller

Wireless Access Point now online

Wireless Access Point [123456789ABCD] now online.

A Wireless Access Point is now online.

Wireless Access Point [%.13s] now online.

Wireless Access Point [${serial_no}] is now online.

61000008 INFO Networking / Wireless Controller

Wireless Access Point firmware version change

Wireless Access Point [123456789ABCD] firmware version changed from 1.2.8.2 to 1.2.9.1.

The Wireless Access Point firmware version has changed.

Wireless Access Point [%.13s] firmware version changed from %s to %s.

Wireless Access Point [${serial_no}] firmware version changed from ${old_firmware_ver} to ${current_firmware_ver}.

61000009 INFO Networking / Wireless Controller

Wireless Access Point configuration updated

Configuration updated on Wireless Access Point [123456789ABCD].

The Wireless Access Point has been reconfigured.

Configuration updated on Wireless Access Point [%.13s].

Configuration updated on Wireless Access Point [${serial_no}].

61000010 INFO Networking / Wireless Controller

Automatic Deployment Event

Automatically deploying Wireless Access Point [ABC1234567890].

This log is generated whenever an unpaired Wireless Access Point is automatically deployed due to the Automatic Deployment setting being enabled.

Automatically deploying Wireless Access Point [%.13s].

Automatically deploying Wireless Access Point [${serial_no}].

61000012 WARN Networking / Wireless Controller

Wireless Access Point Trust Failure

Wireless Access Point 'Break Room' [ABC1234567890] has failed trust validation for 192.168.1.2.

This log is generated whenever a deployed Wireless Access Point fails its trust validation check (digital certificate or host key failure).

Wireless Access Point '%s' [%.13s] has failed trust validation for %s.

Wireless Access Point '${name}' [${serial_no}] has failed trust validation for ${ip_address}.

61000013 INFO Networking / Wireless Controller

Wireless Access Point Trust Validation Restored

Wireless Access Point 'Lobby' [ABC1234567890] restored its trust validation for 192.168.1.2.

This log is generated whenever a deployed Wireless Access Point successfully restores its trust validation check (digital certificate or host key validation).

Wireless Access Point '%s' [%.13s] restored its trust validation for %s.

Wireless Access Point '${name}' [${serial_no}] restored its trust validation for ${ip_address}.

6100000A INFO Networking / Wireless Controller

Wireless Access Point paired

Wireless Access Point [123456789ABCD] has been paired.

The Wireless Access Point has been paired with the Gateway Wireless Controller.

Wireless Access Point [%.13s] has been paired.

Wireless Access Point [${serial_no}] has been paired.

6100000B INFO Networking / Wireless Controller

Wireless Access Point unpaired

Wireless Access Point [123456789ABCD] has been unpaired.

The Wireless Access Point has been unpaired with the Gateway Wireless Controller, and will be reset to the factory default configuration.

Wireless Access Point [%.13s] has been unpaired.

Wireless Access Point [${serial_no}] has been unpaired.

6100000C WARN Networking / Wireless Controller

Rogue Access Point detected

Rogue Access Point detected at 00:90:7f:00:00:00, broadcasting SSID "MyCorpPub".

The Gateway Wireless Controller has detected a Rogue Access Point at the given BSSID, broadcasting the indicated SSID.

Rogue Access Point detected at %02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx, broadcasting SSID "%s".

Rogue Access Point detected at ${bssid}, broadcasting SSID "${ssid}".

6100000F INFO Networking / Wireless Controller

Scheduled Restart Event

Initiating scheduled automatic wireless reboot on Wireless Access Point [ABC1234567890].

If scheduled restarts are enabled, this log message will appear prior to the restart action taking place on the specified Wireless Access Point.

Initiating scheduled automatic reboot on Wireless Access Point [%.13s].

Initiating scheduled automatic reboot on Wireless Access Point [${serial_no}].

Proxy Policy Log Messages

Proxy policy log messages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, Subscription Services, and Security Services. For information about log messages from Security Services processes, see Security Services Log Messages on page 91.

Event

Proxy Policy log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

0F000001 INFO Proxy / Connection Framework Manager

HTTPS content inspection list imported

HTTPS content inspection exception list imported

When a pre-defined HTTPS exception list is imported, this event log is generated to inform the user.

HTTPS content inspection exception list imported —

0F010015 WARN Proxy / Connection Framework Manager

APT threat notified

APT threat notified. Details='%s'

When the APT server returns an analysis result that identifies a threat of a certain level, this event log is generated to indicate that the APT notification has been sent with detailed information.

APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'

0F010016 INFO Proxy / Connection Framework Manager

APT safe result from file submission. Details='%s'

APT safe result from file submission. Details='%s'

—

APT safe result from file submission. Details='Policy Name: HTTP-OUT-00 Reason: clean Message: APT safe object Task_UUID: 7a1e1500e92a410fa44d907f96b9209e MD5: d2723ba60dc88ec1ea449be9eee601cc Source IP: 10.0.1.2 Source Port: 50293 Destination IP: 100.100.100.3 Destination Port: 80 Proxy Type: HTTP Proxy Host: 100.100.100.3 Path: /test.exe'

1C0200CD ERROR Proxy / FTP

Ruleset lookup failed

Cannot get the rule from ruleset '%s'

FTP proxy -- Failed to check the specified ruleset

Cannot get the rule from ruleset 'request/download' —

1B0400CE ERROR Proxy / SMTP

Ruleset lookup failed

Ruleset '%s' lookup failed

SMTP proxy -- Failed to check the specified ruleset

Ruleset 'envelope/greeting' lookup failed —

Traffic

Proxy Policy log messages of the Traffic log type.

ID Level Area Name Log Message Example Description Format Message Variables

1DFF0000 INFO Proxy / DNS

Invalid number of questions

DNS invalid number of questions

The traffic was blocked because the message included an invalid number of questions.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53 msg="ProxyDeny: DNS invalid number of questions" (DNS-proxy-00)

1DFF0001 INFO Proxy / DNS

Query name oversized

DNS oversized query name

The DNS query was blocked because the DNS query name exceeded the allowed buffer size, which varies from 0 kilobytes to 64 kilobytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53 msg="ProxyDeny: DNS oversized query name" (DNS-proxy-00)

1DFF0002 INFO Proxy / DNS

Query name compressed

DNS compressed query name

The DNS query was blocked because the domain name was compressed.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53 msg="ProxyDeny: DNS compressed query name" (DNS-proxy-00)

1DFF0003 INFO Proxy / DNS

Parse error

DNS Parse error

The DNS request was blocked because the proxy failed to parse the domain name.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)

1DFF0004 INFO Proxy / DNS

Not Internet CLASS

DNS Not Internet CLASS

The DNS query was not Internet CLASS. The log message specifies the action taken and the CLASS.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53 msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1" query_class="ANY" (DNS-proxy-00)

1DFF0005 INFO Proxy / DNS

OPcode match

DNS OpCode match

The OpCode matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule, and the OpCode.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyDeny: DNS OpCode match" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)

1DFF0006 INFO Proxy / DNS

Query type match

DNS query type match

The query type matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule matched, and the query type.

Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53 msg="ProxyDeny: DNS query type match" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)

1DFF0007 INFO Proxy / DNS

Question undersized

DNS undersized question

The DNS query was blocked because the query size was less than the minimum valid size of 17 bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS undersized question" (DNS-proxy-00)

1DFF0008 INFO Proxy / DNS

Question oversized

DNS oversized question

The DNS query was blocked because the query size exceeds the maximum allowed size of 271 bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53 msg="ProxyDeny: DNS oversized question" (DNS-proxy-00)

1DFF0009 INFO Proxy / DNS

Timeout

DNS timeout

The DNS connection was idle longer than the configured timeout value in the DNS policy.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53 msg="ProxyDrop: DNS timeout" (DNS-proxy-00)

1DFF000A INFO Proxy / DNS

Response answer undersized

DNS undersized answer

The DNS response was blocked because the response size was less than the minimum value of 17 bytes.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS undersized answer" (DNS-proxy-00)

1DFF000C INFO Proxy / DNS

Response ID Invalid

DNS invalid response

The DNS response was blocked because the response ID did not match the current or previous request ID.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS invalid response" (DNS-proxy-00)

1DFF000E INFO Proxy / DNS

Query question match

DNS question match

The DNS query name matched a configured rule, or the default rule of no match. The log message specifies the rule matched, action taken, and query name.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53 msg="ProxyDeny: DNS question match" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)

1DFF000F INFO Proxy / DNS

Request

DNS request

The DNS request audit log specifies the query type and name.

Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53 msg="DNS request" proxy_act="DNS-Outgoing.1" query_type="PTR" question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" (DNS-proxy-00)

1DFF0010 INFO Proxy / DNS

IPS match

DNS IPS match

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, and signature category.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53 msg="ProxyDrop: DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS Server Buffer Overflow" signature_cat="Buffer Over Flow" (DNS-proxy-00)

1DFF0012 INFO Proxy / DNS

Application match

DNS App match

Application Control identified the application type from the DNS client query and server response. The log message specifies the application name and ID, the application category name and ID, and the behavior name and ID.

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyAllow: DNS App match" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (DNS-proxy-00)

1CFF0000 INFO Proxy / FTP

User name too long

FTP user name too long

The user name exceeds the maximum length specified in the FTP proxy. The default is 64 characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21 msg="ProxyDeny: FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1" length="17" (FTP-proxy-00)

1CFF0001 INFO Proxy / FTP

Password too long

FTP user password too long

The password specified for the user exceeds the maximum length configured in the FTP proxy. The default maximum length is 32 characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21 msg="ProxyDeny: FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)

1CFF0002 INFO Proxy / FTP

File or directory name too long

FTP file or directory name too long

The file or directory name exceeds the maximum length configured in the FTP proxy. The default maximum length is 1,024 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21 msg="ProxyDeny: FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)

1CFF0003 INFO Proxy / FTP

Command line too long

FTP command line too long

The command exceeded the maximum length configured in the FTP proxy. The default maximum length is 1,030 characters.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21 msg="ProxyDeny: FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)

1CFF0004 INFO Proxy / FTP

Exceeded maximum allowed login attempts

FTP exceeded maximum permitted login attempts

The user exceeded the configured maximum number of allowed failed log in attempts per connection. The default limit is 6.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21 msg="ProxyDrop: FTP exceeded maximum permitted login attempts" (FTP-proxy-00)

1CFF0005 INFO Proxy / FTP

Command match

FTP command match

The command matched a configured rule, or the default of no match. For the FTP-server proxy action, the default is to deny any command that does not appear on the list. For the FTP-client proxy action, there is no default restriction on commands. The log message specifies the proxy action, action taken, and the command.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21 msg="ProxyDeny: FTP command match" proxy_act="FTP-Client.2" rule_name="LIST" command="ls" (FTP-proxy-00)

1CFF0006 INFO Proxy / FTP

Download match

FTP download match

The file type matched a configured download rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21 msg="ProxyDeny: FTP download match" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)

1CFF0007 INFO Proxy / FTP

Upload match

FTP upload match

The file type matched a configured upload rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21 msg="ProxyDeny: FTP upload match" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)

1CFF0008 INFO Proxy / FTP

Timeout

FTP timeout

The connection exceeded the configured idle time value. The default is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21 msg="ProxyDrop: FTP timeout" (FTP-proxy-00)

1CFF0009 INFO Proxy / FTP

Invalid request

FTP invalid request

The FTP proxy rejected the command because of a lack of required arguments, such as a user name. The log message specifies the proxy action and command.

Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21 msg="ProxyDeny: FTP invalid request" proxy_act="FTP-Client.2" reason="No username value provided for USER command" (FTP-proxy-00)

1CFF000C INFO Proxy / FTP

Request

FTP request

This log message for the FTP request transaction includes the source and destination IP addresses for the initial connections.

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21 msg="FTP request" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0" user="testuser" type="download" (FTP-proxy-00)

1CFF000D INFO Proxy / FTP

IPS match

FTP IPS match

Intrusion Prevention Service (IPS) detected a threat. The action configured for an IPS Match will be applied to the traffic. The log message includes the signature ID, threat severity, signature name, and signature category.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21 msg="ProxyDrop: FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4" signature_name="EXPLOIT FlashGet FTP PWD Command Stack buffer overflow -1" signature_cat="Buffer Over Flow" (FTP-proxy-00)

1CFF000E INFO Proxy / FTP

GAV Virus found

FTP Virus found

Gateway AntiVirus (GAV) detected a virus or malware in the attachment. The log message specifies the detected virus name and the file name of the attachment.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528 msg="ProxyDrop: FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)

1CFF000F INFO Proxy / FTP

GAV scan error

FTP AV scanning error

Gateway AntiVirus (GAV) failed to scan due to the error specified in the log message.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485 msg="ProxyDrop: FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)

1CFF0010 INFO Proxy / FTP

Application match

FTP App match

Application Control identified an application in the FTP client request or server response. The log message specifies the proxy action, application control action, action taken, application name and ID, application category and ID, and application behavior name and ID.

Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21 msg="ProxyAllow: FTP App match" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority" app_beh_id="1" (FTP-proxy-00)

1CFF0011 INFO Proxy / FTP

DLP violation found

FTP DLP violation found

Data Loss Prevention (DLP) detected a rule violation. The log message specifies the proxy action, the DLP sensor name, DLP rule name, the authenticated user, and the file name. The log message also specifies the source and destination IP addresses and port for the control channel of the FTP session.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611 msg="ProxyDrop: FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)

1CFF0012 INFO Proxy / FTP

DLP cannot perform scan

FTP cannot perform DLP scan

Data Loss Prevention (DLP) failed to scan because of the error specified in the log message.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217 msg="ProxyAllow: FTP cannot perform DLP scan" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP not initialized" file="ssn.docx" (FTP-proxy-00)

1CFF0013 INFO Proxy / FTP

DLP cannot scan object

FTP DLP object unscannable

Data Loss Prevention (DLP) could not scan and analyze the attachment because it is encrypted. The log message specifies the DLP sensor name, error message, the authenticated user, and the file name.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974 msg="ProxyAllow: FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test" error="unscannable object (File was encrypted)" authenticated_user="testuser" file="test.zip" (FTP-proxy-00)

1CFF0014 INFO Proxy / FTP

DLP object too large

FTP DLP object too large

Data Loss Prevention (DLP) could not analyze the attachment because the file was larger than the configured limit. The limit varies by platform, from one to five MB. The log message specifies the DLP sensor name and error message.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813 msg="ProxyAllow: FTP DLP object too large" proxy_act="FTP-Client.3" error="DLP scan limit (5242880) exceeded" (FTP-proxy-00)

1CFF0015 INFO Proxy / FTP

APT threat detected

FTP APT detected

APT Blocker identified a threat. The log message specifies the threat level, threat name, threat class, malicious activities, and file name where the threat was located.

Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661 msg="ProxyDrop: FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt" (FTP-proxy-00)

1CFF0017 INFO Proxy / FTP

File submitted to APT analysis server

FTP File submitted to APT analysis server

File submitted to APT analysis server for deep threat analysis. A separate log message will appear when the result is retrieved from the APT analysis server.

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow: FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

1CFF0018 INFO Proxy / FTP

File reported safe from APT hash check

FTP File reported safe from APT hash check

APT hash check did not report a threat from the object

Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow: FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"

1CFF0019 ERROR Proxy / FTP

FTP Bounce Attempt

FTP Bounce Attempt

FTP proxy -- User attempted FTP bounce

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21 msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard" bounce ip="10.0.1.101"

2AFF0000 INFO Proxy / H.323

Timeout

H323 timeout

The connection was idle longer than the configured timeout value. The default value is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720 msg="ProxyDrop: H323 timeout" (H323-ALG-00)

2AFF0001 INFO Proxy / H.323

Request

H323 request

This log message specifies the IP addresses for the completed H323 call.

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720 msg="H323 request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)

2AFF0002 INFO Proxy / H.323

Codec

H323 codec

The media codec is denied because it matched a configured Denied Codec. The log message specifies the codec.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720 msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)" (H323-ALG-00)

2AFF0003 INFO Proxy / H.323

Access control

H323 Access control

The header address is allowed or denied because it matches an Access Control rule configured in the H323 policy. The log message specifies the address.

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720 msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" (H323-ALG-00)

2AFF0006 INFO Proxy / H.323

IPS match

H323 IPS match

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name, and URI path.

Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230 msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk Invalid RTP Payload Type Number Memory Corruption" signature_cat="Access Control" (H323-ALG-00)

2AFF0007 INFO Proxy / H.323

Application match

H323 App match

Application Control detected an application type from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.

Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230 msg="ProxyDrop: H323 App match" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" (H323-ALG-00)

1AFF0001 INFO Proxy / HTTP

Session timeout with server idle

HTTP server response timeout

The HTTP session has timed out because no traffic has been received from the server for the specified amount of time. (Default: 10 minutes)

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)

1AFF0002 INFO Proxy / HTTP

Session timeout with client idle

HTTP client request timeout

The HTTP session has timed out because no traffic has been received from the client for the specified amount of time. (Default: 10 minutes)

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80 msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)

1AFF0003 INFO Proxy / HTTP

Session timeout with close complete command timeout

HTTP close complete timeout

The Close HTTP Session command timed out because no response to the FIN packet was received within the response time limit (3 minutes).

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80 msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)

1AFF0004 INFO Proxy / HTTP

Oversize Start-Line

HTTP Start-Line oversize

The first line of the client request or server response is longer than the configured maximum line length. The default maximum length is 4,096 bytes.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80 msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)

1AFF0005 INFO Proxy / HTTP

Invalid Request-Line format

HTTP Invalid Request-Line Format

The request line from the client does not match the standard format of [Method][SP][Request-URI][SP][HTTP/Version]. The incorrect status-line is specified in the log message.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80 msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)

1AFF0006 INFO Proxy / HTTP

Invalid Status-Line format

HTTP invalid Status-Line format

The status line from the server does not match the standard format of [HTTP/Version][SP][Status Code][SP][Reason]. The incorrect status-line is specified in the log message.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80 msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

1AFF0007 INFO Proxy / HTTP

Header line oversize

HTTP header line oversize

A single client request or server response line is longer than the configured maximum line length. The default maximum length is 4,096 bytes.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80 msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4" line="X-Frame-Options: " (HTTP-proxy-00)

1AFF0008 INFO Proxy / HTTP

Header block oversize

HTTP header block oversize

The client request or server response header block length is longer than the configured limit. If maximum total length is enabled, the default limit is 16,384 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)

1AFF0009 INFO Proxy / HTTP

header block parse error

HTTP header block parse error

The HTTP proxy cannot process the header line because the format is incorrect. The required format is [Name]:[Value].

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: header block parse error" (HTTP-proxy-00)

1AFF000A INFO Proxy / HTTP

Request missing URL path

HTTP request URL path missing

The HTTP proxy cannot complete the URL because the host or URI value is missing. The HTTP request is denied.

Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: HTTP request URL path missing" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 18:50:51 GMT\x0d\x0a"

1AFF000B INFO Proxy / HTTP

Request URL match

HTTP request URL match

The requested URL matched a configured URL path in the HTTP proxy. By default, all URL paths are allowed.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80 msg="ProxyAllow: HTTP request URL match" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com" arg="/pagead/osd.js" (HTTP-proxy-00)

1AFF000C INFO Proxy / HTTP

Chunk size line oversize

HTTP chunk size line oversize

The HTTP chunk size line does not terminate correctly with a carriage return and line-feed (CRLF). The invalid line is specified in the log message.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80 msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

1AFF000D INFO Proxy / HTTP

Chunk size line invalid

HTTP chunk size invalid

The HTTP chunk size line has an invalid hexadecimal value. The invalid line is specified in the log message.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80 msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2" line="k7\x0d\x0a" (HTTP-proxy-00)

1AFF000E INFO Proxy / HTTP

Chunk no CRLF tail

HTTP chunk CRLF tail missing

The HTTP chunk does not close with a carriage return and line feed (CRLF) because the chunk block is missing the closing characters. This is required for each chunk when chunked transfer-encoding is in use. The log message includes the invalid chunk tail line.

Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1" line="This string missing the Carriage Return in the terminating CF-LF pair\x0a" (HTTP-proxy-00)

1AFF000F INFO Proxy / HTTP

Footer line oversize

HTTP footer line oversize

One line of the HTTP footer, an additional header sent at the end of a message, is larger than the configured line limit. The default line limit is 4,096 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80 msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

1AFF0010 INFO Proxy / HTTP

Footer block oversize

HTTP footer block oversize

The HTTP footer includes additional header information that is larger than the configured block limit size. The default total message limit, if enabled, is 16,384 bytes. The log message includes information about the invalid line.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80 msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)

1AFF0011 INFO Proxy / HTTP

Footer block parse error

HTTP footer block parse error

The HTTP footer includes an additional header field with syntax that violates the header format restrictions.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80 msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)

1AFF0012 INFO Proxy / HTTP

Body content type match

HTTP Body Content Type match

The HTTP content either matches a configured Body Content Type or no Body Content Type is defined (only the default rule is in use).

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80 msg="ProxyAllow: HTTP Body Content Type match" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)

1AFF0013 INFO Proxy / HTTP

Header content malformed

HTTP header malformed

The HTTP header line does not follow the correct syntax for a client request or server response header. The log message contains the header line with the syntax error.

Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80 msg="ProxyStrip: HTTP header malformed" proxy_act="393296" header="WWW-Authenticate: \x0d\x0a"

1AFF0016 INFO Proxy / HTTP

Header Transfer-Encoding match

HTTP header transfer encoding match

The Transfer-Encoding in the HTTP header matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80 msg="ProxyAllow: HTTP header Transfer-Encoding match" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)

1AFF0018 INFO Proxy / HTTP

Header content type match

HTTP header Content Type match

The HTTP header Content Type matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.

Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80 msg="ProxyAllow: HTTP header Content Type match" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)

1AFF0019 INFO Proxy / HTTP

Request version match

HTTP request version match

The HTTP version specified in the HTTP request line matches a configured rule, or the default rule of no match. The log specifies the matched rule name and the request line.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80 msg="ProxyDeny: HTTP request version match" proxy_act="HTTP-Client.2" rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)

1AFF001A INFO Proxy / HTTP

Request method match

HTTP request method match

The HTTP request method specified in the Request-Line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and the method.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP request method match" proxy_act="HTTP-Client.1" rule_name="GET" method="GET" (HTTP-proxy-00)

1AFF001B INFO Proxy / HTTP

Header match

HTTP header match

The HTTP header line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and header line.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)

1AFF001C INFO Proxy / HTTP

Header cookie domain match

HTTP header cookie domain match

The cookie domain header matches a configured rule, or the default rule of no match. The log message includes the matched rule name and the cookie domain.

Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80 msg="ProxyDeny: HTTP header cookie domain match" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)

1AFF001D INFO Proxy / HTTP

Request host missing

HTTP request host missing

The HTTP request header is missing the host value.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)

1AFF001E INFO Proxy / HTTP

Header authentication scheme match

HTTP header auth scheme match

The authentication scheme in the HTTP header server response matches one of the configured rules, or the default rule of no match. The log message specifies the matched rule name and the authentication scheme.

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80 msg="ProxyAllow: HTTP Header auth scheme match" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)

1AFF001F INFO Proxy / HTTP

Request method not supported

HTTP request method unsupported

The HTTP request method does not match a configured rule. The log message specifies the method in use.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)

1AFF0020 INFO Proxy / HTTP

Request port mismatch

HTTP request port mismatch

Relative-URI is in use and the port specified in the HTTP request host header does not match the port used for the connection.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1" (HTTP-proxy-00)

1AFF0021 INFO Proxy / HTTP

Request categories

HTTP Request categories

The HTTP request is sent to a web address that matched a selected WebBlocker category. The log message specifies the action taken by the proxy, the URL, and the category matched.

Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)

1AFF0022 INFO Proxy / HTTP

Service unavailable

HTTP service unavailable

WebBlocker categorization failed because the configured WebBlocker server is not available. The log message specifies the profile name and a more detailed error message.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80 msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)

1AFF0023 INFO Proxy / HTTP

Request URL path oversize

HTTP request URL path oversize

The URI in the HTTP Request-Line is longer than the configured limit. The default limit is 2,048 bytes. The log message specifies the oversize URI.

Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80 msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)

1AFF0024 INFO Proxy / HTTP

Request

HTTP request

A detailed summary of the last HTTP proxy transaction.

Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80 msg="HTTP request" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92" arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)" (HTTP-proxy-00)

1AFF0025 INFO Proxy / HTTP

Header IPS rule match

HTTP header IPS match

Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response header. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.

Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80 msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1" signature_id="1055396" severity="5" signature_name="WEB Cross-site Scripting -9" signature_cat="Web Attack" host="intext.nav-links.com" path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)

1AFF0026 INFO Proxy / HTTP

Body IPS rule match

HTTP body IPS match

Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response content body. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.

Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443 msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4" signature_id="1051723" severity="5" signature_name="Virus Eicar test string" signature_cat="Virus/Worm" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)

1AFF0028 INFO Proxy / HTTP

GAV Virus found

HTTP Virus found

Gateway AntiVirus (GAV) detected a virus or malware. The log message specifies the virus name, destination host name, and URI path.

Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)

1AFF0029 INFO Proxy / HTTP

GAV scan error

HTTP AV scanning error

Gateway AntiVirus (GAV) failed to scan because of an error. The log message specifies the error message, the destination host name, and URI path.

Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)

1AFF002B INFO Proxy / HTTP

Trusted host

HTTP Trusted host

The destination host name matches a proxy exception configured in the HTTP proxy.

Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80 msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)

1AFF002C INFO Proxy / HTTP

Bad reputation

HTTP bad reputation

The HTTP proxy blocked access to the destination address because of a bad reputation score for the URL.

Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80 msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT" reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)

1AFF002D INFO Proxy / HTTP

Good reputation

HTTP good reputation

The HTTP proxy did not complete a Gateway AntiVirus (GAV) scan for traffic to the destination address because the URL received a good reputation score.

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4" reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)

1AFF002E INFO Proxy / HTTP

Application match

HTTP App match

Application Control identified the application type from the HTTP client request or server response stream.

Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP App match" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" src_user="[email protected]" (HTTP-00)

1AFF002F INFO Proxy / HTTP

DLP violation found

HTTP DLP violation found

Data Loss Prevention (DLP) detected a violation of DLP rules. The log message only includes information about the first rule matched.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80 msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA" host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)

1AFF0030 INFO Proxy / HTTP

DLP cannot perform scan

HTTP cannot perform DLP Scan

Data Loss Prevention (DLP) failed to scan the traffic because of the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)

1AFF0031 INFO Proxy / HTTP

DLP object unscannable

HTTP DLP object unscannable

Data Loss Prevention (DLP) cannot extract data from an object because it is encrypted.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)

1AFF0032 INFO Proxy / HTTP

HTTP object too large

HTTP DLP object too large

Data Loss Prevention (DLP) cannot scan the object because it is larger than the configured limit. The default value varies by device type and ranges between 1 and 5 MB.

Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)

1AFF0033 INFO Proxy / HTTP

Range header

HTTP Range header

This is the configured action (allow or strip) for the HTTP proxy Range header. The default action is strip. The HTTP proxy Range header can allow partial file transfers that impact content scans because the full content is not presented.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80 msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1" header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)

1AFF0034 INFO Proxy / HTTP

APT threat detected

HTTP APT detected

APT Blocker detected a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination host name, and URI path.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"

1AFF0036 INFO Proxy / HTTP

File submitted to APT analysis server

HTTP File submitted to APT analysis server

The file was submitted to the APT analysis server for deep threat analysis. The analysis result is reported when it is fetched from the APT analysis server.

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

1AFF0037 INFO Proxy / HTTP

Connect tunnel port match

HTTP connect tunnel port match

The HTTP CONNECT tunnel request port matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and port.

Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128 msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)

1AFF0038 INFO Proxy / HTTP

Webproxy redirect

HTTP webproxy redirect

The HTTP Webproxy connection was redirected to a different proxy action because of the configuration setting in explicit proxy. The log message specifies the new proxy action used.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128 msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)

1AFF0039 INFO Proxy / HTTP

File reported safe from APT hash check

HTTP File reported safe from APT hash check

APT hash check did not report a threat from the object

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

1AFF003A INFO Proxy / HTTP

Content redirect

HTTP Content redirect

The HTTP content action connection was redirected to a different proxy action because of the configuration. The log message specifies the new proxy action used as well as the current SSL status.

Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80 msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)

1AFF003B INFO Proxy / HTTP

Request Content match

HTTP Request content match

The request contained content which matched a configured content rule in the HTTP proxy. The log message specifies the content which matched the rule as well as rule details.

Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80 msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_type="URN" dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)

2CFF0000 INFO Proxy / HTTPS

Request

HTTPS Request

HTTPS transaction log includes server name, certificate details and action taken.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443 msg="HTTPS Request" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US" cert_subject="CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US" action="allow" (HTTPS-proxy-00)

2CFF0001 INFO Proxy / HTTPS

WebBlocker Request categories

HTTPS Request categories

WebBlocker identified the category for a web request. The log message specifies the category and host name.

Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443 msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1" service="Def" cats="Search Engines and Portals" dstname="www.google.com" (HTTPS-proxy-00)

2CFF0002 INFO Proxy / HTTPS

WebBlocker service unavailable

HTTPS service unavailable

WebBlocker failed because a WebBlocker Server was not available.

Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443 msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1" error="Webblocker server is not available" service="Def" cats="" dstname="www.google.com" (HTTPS-proxy-00)

2CFF0003 INFO Proxy / HTTPS

Domain name match

HTTPS domain name match

This rule log includes the matched rule name or default rule of no match and the patterns it has been matched against.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyAllow: HTTPS domain name match" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn="" ipaddress="173.194.33.176" (HTTPS-proxy-00)

2CFF0007 INFO Proxy / HTTPS

Protocol invalid

HTTPS invalid protocol

The HTTPS proxy detected an invalid SSL version.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443 msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1" version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99" (HTTPS-proxy-00)

2CFF0008 INFO Proxy / HTTPS

Timeout

HTTPS timeout

The HTTPS connection was idle longer than the timeout value configured in the HTTPS policy. The default is 180 seconds.

Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443 msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)

2CFF0009 INFO Proxy / HTTPS

Content inspection

HTTPS content inspection

The HTTPS traffic was directed to a different proxy action because of the Content Inspection settings in the HTTPS proxy. The log message specifies the new proxy action used for content inspection, as well as the TLS ciphers used for the server and client.

Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)

22FF0000 INFO Proxy / IMAP

Request

IMAP Request

This audit log message specifies the email message transaction result.

Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow" reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0001 INFO Proxy / IMAP

Timeout

IMAP Timeout

The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Timeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)

22FF0002 INFO Proxy / IMAP

Malformed Command

IMAP Malformed Command

The IMAP client sent malformed/unsupported command

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Malformed Command" proxy_act="IMAP-Client.Standard.1" command="CONDSTORE" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0004 INFO Proxy / IMAP

Malformed Response

IMAP Malformed Response

The IMAP server sent malformed/unsupported response.

Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Malformed Response" proxy_act="IMAP-Client.Standard.1" response="* 3597EXISTS" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0005 INFO Proxy / IMAP

Content Type

IMAP Content Type

A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143 msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1" rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0006 INFO Proxy / IMAP

Filename

IMAP Filename

The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143 msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc" attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)

22FF0008 INFO Proxy / IMAP

Virus Found

IMAP Virus Found

Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, file name, and user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1" virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0009 INFO Proxy / IMAP

Cannot Perform Gateway AV Scan

IMAP Cannot Perform Gateway AV Scan

Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF000A INFO Proxy / IMAP

APT detected

IMAP APT detected

APT Blocker found the threat specified in the log message in an attached file.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1" filename="lastline-demo-sample.exe" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF000C INFO Proxy / IMAP

File Submitted to APT analysis server

IMAP File Submitted to APT analysis server

File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF000D INFO Proxy / IMAP

File reported safe from APT hash check

IMAP File reported safe from APT hash check

APT hash check did not report a threat from the object.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF000E INFO Proxy / IMAP

spamBlocker confirmed spam

IMAP Classified as confirmed SPAM

spamBlocker classified the message as confirmed SPAM. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF000F INFO Proxy / IMAP

spamBlocker bulk mail

IMAP Classified as bulk mail

spamBlocker classified the message as bulk mail. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0010 INFO Proxy / IMAP

spamBlocker suspect spam

IMAP Classified as suspect SPAM

spamBlocker classified the message as suspect SPAM. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0011 INFO Proxy / IMAP

spamBlocker not scored

IMAP Message could not be scored

spamBlocker cannot score the message. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message could not be scored" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0012 INFO Proxy / IMAP

spamBlocker exception matched

IMAP spamBlocker exception was matched

The sender for the email matched a spamBlocker exception rule. The log message specifies the rule and user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0013 INFO Proxy / IMAP

spamBlocker not spam

IMAP Classified as not SPAM

spamBlocker classified the message as not SPAM. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0014 INFO Proxy / IMAP

spamBlocker not spam

IMAP Message classification is unknown because an error occurred while classifying

spamBlocker was unable to classify the message because of the error specified in the log message. The log message specifies the user-related information.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message classification is unknown because an error occurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0015 INFO Proxy / IMAP

GAV file too large

IMAP Gateway AV object too large

The attachment file size exceeds the Gateway AV scan size limit.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan size limit" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF0016 INFO Proxy / IMAP

GAV file encrypted

Gateway AV object encrypted (password-protected)

The attachment file is encrypted or password-protected.

Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)" proxy_act="IMAP-Client.OUT" attachment="password-protected.zip" error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)

22FF1017 INFO Proxy / IMAP

Protocol invalid

IMAP invalid TLS protocol

The IMAP proxy detected invalid TLS protocol.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)

22FF1018 INFO Proxy / IMAP

Content Inspection

IMAP TLS content inspection

The IMAP proxy decrypted a secure connection for content inspection.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)

21FF0000 INFO Proxy / POP3

CAPA

POP3 CAPA

The CAPA response contained the unknown or blocked capability that is specified in the log message.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyDeny: POP3 CAPA" keyword="VERF": (POP3-proxy-00)

21FF0001 INFO Proxy / POP3

Authentication

POP3 AUTH

The authentication type matched a rule, or the default rule of no match. The log message specifies the rule name and authentication type.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110 msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)

21FF0002 INFO Proxy / POP3

Command

POP3 command

The client sent an authentication command when it was not allowed.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110 msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2" keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)

21FF0005 INFO Proxy / POP3

Header

POP3 header

A POP3 header matched a configured Header rule, or the default rule of no match. The log message specifies the rule and header.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)

21FF0006 INFO Proxy / POP3

Content type

POP3 content type

A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)

21FF0007 INFO Proxy / POP3

File name

POP3 filename

The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110 msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)

21FF0009 INFO Proxy / POP3

Timeout

POP3 timeout

The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180" (POP3-proxy-00)

21FF000A INFO Proxy / POP3

Request

POP3 request

This audit log message specifies the bytes sent, bytes received, and user.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="POP3request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433" user="wg" (POP3-proxy-00)

21FF000C INFO Proxy / POP3

IPS match

POP3 IPS match

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the action taken, the signature ID, threat severity, signature name, and signature category.

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (POP3-proxy-00)

21FF000F INFO Proxy / POP3

GAV Virus found

POP3 Virus found

Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, user, and file name.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg" filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)

21FF0010 INFO Proxy / POP3

GAV cannot perform scan

POP3 cannot perform Gateway AV

Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: POP3 Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)

21FF0012 INFO Proxy / POP3

Line length too long

POP3 line length too long

A line exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)

21FF0014 INFO Proxy / POP3

Message format

POP3 message format

The message is not in an allowed format. The log message specifies the error and the user.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110 msg="ProxyStrip: POP3 message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)

21FF0015 INFO Proxy / POP3

Encoding error

POP3 encoding error

The proxy was unable to decode and encode the message because of the error specified in the log message.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110 msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1" message="invalid b64 characters in input" (POP3-IN-00)

21FF0016 INFO Proxy / POP3

spamBlocker confirmed spam

POP3 Classified as confirmed SPAM

spamBlocker classified the message as confirmed SPAM. The log message specifies the sender and recipients.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110 msg="ProxyReplace: POP3 Classified as confirmed SPAM" (POP3-OUT-00)

21FF0017 INFO Proxy / POP3

spamBlocker BULK spam

POP3 Classified as suspect SPAM

spamBlocker classified the message as bulk SPAM. The log message specifies the sender and recipients.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-IN-00)

21FF0018 INFO Proxy / POP3

spamBlocker suspect spam

POP3 Classified as suspect SPAM

spamBlocker classified the message as suspect SPAM. The log message specifies the sender and recipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-proxy-00)

21FF001A INFO Proxy / POP3

spamBlocker exception matched

POP3 spamBlocker exception was matched

The sender for the email matched a spamBlocker exception rule. The log message specifies the sender, recipient, and subject.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110 msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)

21FF001B INFO Proxy / POP3

spamBlocker not spam

POP3 Classified as not SPAM

spamBlocker classified the message as not SPAM. The log message specifies the sender and recipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyAllow: POP3 Classified as not SPAM" (POP3-proxy-00)

21FF001C INFO Proxy / POP3

spamBlocker classification unknown

POP3 message classification is unknown because an error occurred while classifying

spamBlocker was unable to classify the message because of the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110 msg="ProxyAllow: POP3 message classification is unknown because an error occurred while classifying" (POP3-OUT-00)

21FF001D INFO Proxy / POP3

Extra pad characters

POP3 extra pad characters in base64 input

The POP3 proxy encountered extra pad characters in the body of a base64-encoded message.

Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)

21FF001E INFO Proxy / POP3

Application match

POP3 App match

Application Control identified the application from the email message. The log specifies the application name and ID, application category and ID, and the application behavior name and ID.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 App match" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2" app_beh_name="communicate" app_beh_id="2" (POP3-proxy-00)

21FF001F INFO Proxy / POP3

APT threat detected

POP3 APT detected

APT Blocker found the threat specified in the log message in an attached file.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110 msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)

21FF0021 INFO Proxy / POP3

File submitted to APT analysis server

POP3 File submitted to APT analysis server

File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

21FF0022 INFO Proxy / POP3

File reported safe from APT hash check

POP3 File reported safe from APT hash check

APT hash check did not report a threat from the object.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)

28FF0000 INFO Proxy / SIP

Timeout

SIP timeout

The connection was idle for longer than the configured timeout value. The default value is 180 seconds.

Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP timeout" (SIP-ALG-00)

28FF0004 INFO Proxy / SIP

Request

SIP request

The log message specifies the source and destination of the allowed call.

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="SIPrequest" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_to="192.168.53.143" (SIP-ALG-00)

28FF0005 INFO Proxy / SIP

Codec

SIP codec

The codec is allowed or denied based on the setting for Denied Codecs in the SIP policy.

Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)

28FF0006 INFO Proxy / SIP

Access control

SIP Access control

The header address is allowed or denied based on the Access Control settings. The log message specifies the action taken, header and message ID.

Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" (SIP-ALG-00)

28FF0008 INFO Proxy / SIP

IPS match

SIP IPS match

Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name and URI path.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDP Header Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow" (SIP-ALG-00)

28FF0009 INFO Proxy / SIP

Application match

SIP App match

Application Control identified an application from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.

Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060 msg="ProxyDrop: SIP App match" proxy_act="SIP-Client.1" signature_id="12" app_name="SIP" beh_name="communicate" app_msg="Application matched.application name: SIP; behavior name:communicate" (SIP-ALG-00)

1BFF0000 INFO Proxy / SMTP

Greeting

SMTP greeting

The host name in the SMTP proxy HELO or EHLO command matched one of the Greeting Rules, or the default rule of no match.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25 msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)

1BFF0001 INFO Proxy / SMTP

ESMTP option

SMTP ESMTP option

The EHLO response from the SMTP server includes an ESMTP option that is disabled or unknown.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1" keyword="VRFY" (SMTP-proxy-00)

1BFF0002 INFO Proxy / SMTP

Authentication (AUTH)

SMTP AUTH

The EHLO response from the SMTP server included an authentication type that matches a configured authentication rule. The log message specifies the proxy action, the rule name, the action taken, and the authentication type.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25 msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)

1BFF0003 INFO Proxy / SMTP

Header

SMTP header

A MIME header matched a configured rule, or the default rule of no match.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25 msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0" (SMTP-proxy-00)

1BFF0004 INFO Proxy / SMTP

From address

SMTP From address

The sender address matched a rule specified in the Mail From rules.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25 msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)

1BFF0005 INFO Proxy / SMTP

To address

SMTP To address

The recipient address matched a rule specified in the Rcpt To rules.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25 msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)

1BFF0006 INFO Proxy / SMTP

Content type

SMTP content type

Some of the message content matched a content filter rule.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25 msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF0007 INFO Proxy / SMTP

Filename

SMTP filename

An email attachment matched a file name rule, or the attachment is uuencoded and the SMTP proxy allows uuencoded attachments.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25 msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF000A INFO Proxy / SMTP

Timeout

SMTP timeout

The SMTP connection was idle for longer than the configured idle timeout limit. The default is 10 minutes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25 msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60" (SMTP-proxy-00)

1BFF000C INFO Proxy / SMTP

GAV Virus found

SMTP Virus found

Gateway AntiVirus (GAV) detected a virus or malware in an email attachment.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25 msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)

1BFF000E INFO Proxy / SMTP

GAV cannot perform scan

SMTP cannot perform Gateway AV scan

Gateway AntiVirus (GAV) could not complete the scan because of the error that is specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)

1BFF000F INFO Proxy / SMTP

Request

SMTP request

This SMTP audit log specifies the bytes sent, bytes received, the sender and recipient addresses, and the sender and recipient TLS cipher.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25 msg="SMTPrequest" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282" sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard" (SMTP-proxy-00)

1BFF0010 INFO Proxy / SMTP

Message format

SMTP message format

The email message format matched a message format rule specified in the SMTP proxy. The log message includes the error message.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25 msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF0011 INFO Proxy / SMTP

IPS match

SMTP IPS match

Intrusion Prevention Service (IPS) detected a threat. The log message specifies the signature name and ID, threat severity, and signature category.

Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (SMTP-proxy-00)

1BFF0013 INFO Proxy / SMTP

Too many recipients

SMTP too many recipients

The number of email recipients specified in the email message exceeds the configured limit. The default limit is 99 for inbound messages and unlimited for outbound messages. The log message specifies the proxy action and number of recipients.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25 msg="ProxyDeny: too many recipients" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]" recipients="[email protected];[email protected]" (SMTP-proxy-00)

1BFF0014 INFO Proxy / SMTP

Response size too long

SMTP response size too long

The SMTP server response exceeds the configured limit. The default limit is 10,000 KB. The log message specifies the size of the response.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25 msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1" response_size="5030" (SMTP-proxy-00)

1BFF0015 INFO Proxy / SMTP

Line too long

SMTP line length too long

The email message contains a line that exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1" line_length="32110" (SMTP-proxy-00)

1BFF0016 INFO Proxy / SMTP

Message too long

SMTP message size too long

The SMTP message length exceeds the configured limit. The default limit is 10,000 kb.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25 msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1" size="16384" (SMTP-proxy-00)

1BFF0017 INFO Proxy / SMTP

Header too long

SMTP header size too long

The SMTP message contains a header that exceeds the configured Maximum Header Length. The default is 20,000 bytes.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25 msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1" headers_size="12157" (SMTP-proxy-00)

1BFF0018 INFO Proxy / SMTP

Command

SMTP command

The SMTP request contains a command that is not supported or is not valid for the email transaction. The log message specifies the proxy action, action taken, SMTP command, and the response code.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25 msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1" keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)

1BFF0019 INFO Proxy / SMTP

spamBlocker confirmed spam

SMTP Classified as confirmed SPAM

spamBlocker has classified the message as confirmed SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25 msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001A INFO Proxy / SMTP

spamBlocker bulk spam

SMTP Classified as bulk mail

spamBlocker has classified the message as bulk SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25 msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001B INFO Proxy /SMTP

spamBlockersuspect spam

SMTPClassified assuspectSPAM

spamBlocker has classified themessage as suspect SPAM. Thelogmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001C INFO Proxy /SMTP

spamBlockernot SPAM

SMTPClassified asnot SPAM

spamBlocker has classified themessage as not SPAM. The logmessage specifies the proxyaction, the action taken, and thesender and recipient addresses.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001D INFO Proxy /SMTP

spamBlockerclassificationunknown

SMTPmessageclassificationis unknownbecause anerroroccurredwhileclassifying

spamBlocker was unable toclassify the email messagebecause of an error. The logmessage specifies the sender andrecipient addresses.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25msg="ProxyDeny: SMTP message classification is unknown because an erroroccurred while classifying" proxy_act="SMTP-Outgoing.1"sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001E INFO Proxy /SMTP

spamBlockerexceptionmatched

SMTPspamBlockerexceptionwasmatched

The sender or recipient of the emailmessagematches a spamBlockerexception specified in the SMTPproxy.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type=""sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF001F INFO Proxy / SMTP

Decoder error SMTP An error was found by our decoder

The SMTP proxy was unable to decode the email message due to the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25 msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)

1BFF0021 INFO Proxy / SMTP

Extra pad characters in base64 encoding

SMTP extra pad characters in base64 input

The SMTP proxy encountered extra pad characters when the body of the base64-encoded message was processed.

Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25 msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)

1BFF0022 INFO Proxy / SMTP

Mail from address too long

SMTP Mail From address too long

A sender email address exceeded the configured maximum address length. The address length is unlimited by default.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25 msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1" address="[email protected]" length="56" response="553" (SMTP-proxy-00)

1BFF0023 INFO Proxy / SMTP

Application match

SMTP App match

Application Control identified the application in the mail message that is specified in the log message.

Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25 msg="ProxyDrop: SMTP App match" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1" app_beh_name="access" app_beh_id="6" (SMTP-proxy-00)

1BFF0024 INFO Proxy / SMTP

DLP violation found

SMTP DLP violation Found

Data Loss Prevention (DLP) detected the rule violation that is specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25 msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA" sender="[email protected]" recipients="wg@localhost" filename="ssn.docx" (SMTP-proxy-00)

1BFF0025 INFO Proxy / SMTP

DLP cannot perform scan

SMTP cannot perform DLP Scan

Data Loss Prevention (DLP) is unable to scan because of the error specified in the log message.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)

1BFF0026 INFO Proxy / SMTP

DLP cannot scan object

SMTP DLP object unscannable

Data Loss Prevention (DLP) is unable to extract data from an object because the object is encrypted.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25 msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)

1BFF0027 INFO Proxy / SMTP

DLP object too large

SMTP DLP object too large

The file requested for Data Loss Prevention (DLP) analysis is larger than the configured limit. The default value varies by platform, from one to five MB. The log specifies the DLP sensor name and error message.

May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25 msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="DLP scan limit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)

1BFF0028 INFO Proxy / SMTP

APT threat detected

SMTP APT detected

APT Blocker found the threat specified in the log message in an attached file.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25 msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="ecc59a46b439bdf63b058964e29ace0c" md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)

1BFF002A INFO Proxy / SMTP

File submitted to APT analysis server

SMTP File submitted to APT analysis server

File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

1BFF002B INFO Proxy / SMTP

File reported safe from APT hash check

SMTP File reported safe from APT hash check

APT hash check did not report a threat from the object

Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)

1BFF002C INFO Proxy / SMTP

Protocol invalid

SMTP invalid TLS protocol

The SMTP proxy detected invalid TLS protocol.

Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465 msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1" (SMTP-proxy-00)

2DFF0000 INFO Proxy / TCP-UDP

Request IP Request TCP-UDP transaction log for the traffic that is configured to allow or deny.

Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80 msg="IPRequest" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)

2DFF0001 INFO Proxy / TCP-UDP

IPS match IP IPS match

Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.

Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80 msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1" signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" (TCP-UDP-proxy-00)

2DFF0004 INFO Proxy / TCP-UDP

Protocol IP protocol The TCP-UDP proxy recognized the protocol. The log message specifies the action taken, and the rule name.

Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80 msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)

2DFF0005 INFO Proxy / TCP-UDP

Application match

IP App match

Application Control identified the application type from the TCP-UDP proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.

Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53 msg="ProxyAllow: IP App match" proxy_act="TCP-UDP-Proxy.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (TCP-UDP-proxy-00)
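Several of the proxy examples above carry an `Allow` disposition even though DLP or APT Blocker reported a finding or could not scan the object. The following is an added example, not WatchGuard code: it parses the proxy line layout shown in this catalog and lists those allowed-with-finding events. The function names, the triage categories and the placeholder sender address are assumptions; the sample lines are constructed from the catalog's examples.

```python
import re

# Leading fields shared by the proxy examples in this catalog: disposition,
# source/destination interface, protocol, source/destination IP and port.
# search() is used so a syslog prefix and msg_id="..." may precede them.
HEAD_RE = re.compile(
    r'\b(?P<disposition>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+'
    r'(?P<proto>tcp|udp)\s+(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+'
    r'(?P<src_port>\d+)\s+(?P<dst_port>\d+)'
)
# key="value" pairs; values may contain escapes such as \x0d and parentheses.
KV_RE = re.compile(r'([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"')
# Trailing policy name in parentheses, e.g. (SMTP-proxy-00).
POLICY_RE = re.compile(r'\(([^()"]+)\)\s*$')

# Hypothetical triage categories, keyed on msg texts listed in the catalog.
# The third pattern also accepts the "oject" spelling of the 1BFF0027 example.
FINDINGS = [
    ("dlp_violation", re.compile(r'DLP violation', re.I)),
    ("apt_detected", re.compile(r'APT detected', re.I)),
    ("dlp_not_scanned", re.compile(
        r'cannot perform DLP scan|DLP object unscannable|DLP o\w*ject too large',
        re.I)),
]


def parse_proxy_line(line):
    """Return a dict for one proxy log line, or None if it has no traffic header."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    rec = head.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    fields = dict(KV_RE.findall(line))
    # msg is "<ProxyAction>: <text>" for most messages, or a bare word (IPRequest).
    action, sep, text = fields.pop("msg", "").partition(": ")
    rec["proxy_action"] = action if sep else ""
    rec["message"] = text if sep else action
    policy = POLICY_RE.search(line)
    rec["policy"] = policy.group(1) if policy else None
    rec["fields"] = fields
    return rec


def triage(lines):
    """List (category, record) for lines that were allowed despite a finding."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["disposition"] != "Allow":
            continue
        for name, pattern in FINDINGS:
            if pattern.search(rec["message"]):
                hits.append((name, rec))
                break
    return hits


# Constructed sample input, adapted from the catalog's example messages.
_HDR = '1-Trusted 0-External tcp 10.0.1.2 100.100.100.11'
_WHO = 'sender="sender@example.com" recipients="wg@localhost"'
SAMPLE_LINES = [
    'Deny ' + _HDR + ' 39446 25 msg="ProxyDeny: SMTP Classified as confirmed SPAM" '
    'proxy_act="SMTP-Outgoing.1" ' + _WHO + ' (SMTP-proxy-00)',
    'Allow ' + _HDR + ' 39510 25 msg="ProxyAllow: SMTP DLP violation Found" '
    'proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" '
    'dlp_rule="SocialsecuritynumbersUSA" ' + _WHO + ' filename="ssn.docx" (SMTP-proxy-00)',
    'Allow ' + _HDR + ' 39771 25 msg="ProxyAllow: SMTP APT detected" '
    'proxy_act="SMTP-Outgoing.1" ' + _WHO + ' threat_level="high" (SMTP-proxy-00)',
    'May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" '
    'Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25 '
    'msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1" '
    'error="DLP scan limit (524288) exceeded" filename="2M-dlp-violates-end.txt" '
    '(SMTP-proxy-00)',
    'Deny ' + _HDR + r' 39474 25 msg="ProxyDeny: SMTP command" '
    r'proxy_act="SMTP-Outgoing.1" keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)',
]

if __name__ == "__main__":
    for category, rec in triage(SAMPLE_LINES):
        print(category, rec["src_ip"], "->", rec["dst_ip"], rec["fields"])
```
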

Management Log Messages

Management log messages are generated for activity on your Firebox. This includes when changes are made to the device configuration and Device Management user accounts, for user authentication to the Firebox, and actions related to LiveSecurity and system settings.

Diagnostic

Management log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

55010010 INFO Management / System

USB drive format

USB drive format operation was successful

USB drive format operation was %s USB drive format operation was %s

USB drive format ${result}

55010014 INFO Management / System

Generate system diagnostic file failed

Generate system diagnostic file to USB drive failed

Generate system diagnostic file to %s failed

Generate system diagnostic file to %s failed

Generate system diagnostic file to ${device} failed

55010015 INFO Management / System

Periodic support snapshot is enabled

System periodic support snapshot is enabled

System periodic support snapshot is enabled

System periodic support snapshot is enabled

55010017 INFO Management / System

Generate system diagnostic successfully

Exported system diagnostic file to server successfully

Exported system diagnostic file to %s successfully

Exported system diagnostic file to %s successfully

Generate system diagnostic file to ${device} successfully

55010018 INFO Management / System

Reset to the default configuration failed

Reset to the default configuration failed when the device was rebooted.

The default configuration settings were not restored after a system reset.

Reset to the default configuration failed when the device was rebooted.

5501000C INFO Management / System

Device restore failed

Device auto restore from USB drive image failed due to USB drive not found

Device auto restore from a specific image in a USB drive disc or normal restore from a normal image failed

Device %s restore from %s image failed due to %s

Device ${restore_type} restore from ${image_source} image failed for ${reason}

5501000D INFO Management / System

Creating USB auto restore image failed

Creation of USB auto restore image failed due to no USB drive

Creation of USB auto restore image failed due to %s

Creation of USB auto restore image failed due to %s

Creation of USB auto restore image failed: ${reason}

5501001B INFO Management / System

System backup failed

System backup to USB drive failed due to write file to USB drive error

System backup %s%s failed due to %s. System backup %s%s failed due to %s.

System backup ${dest device} failed: ${reason}

5501001C INFO Management / System

USB auto restore failed reason

USB auto restore failed due to not detect the USB drive

USB auto restore failed due to %s USB auto restore failed due to %s

USB auto restore failed for ${reason}

Event

Management log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

3E000002 INFO Management / Accounting

User login succeeded

Management user admin from 10.0.1.2 logged in

A user successfully logged in. The log message specifies the user type, user name, and IP address.

%s %s%s%s from %s logged in%s%s%s%s

${user_type}${user_name}${auth_server} from {ipaddr} logged in${virtual_ip} ${msg}

3E000003 WARN Management / Accounting

User login failed Management user admin from 10.0.1.2 log in attempt was rejected.

A user log in attempt failed. The log message specifies the user type, user name, IP address, and the failure reason, if available.

%s %s%s%s from %s log in attempt was rejected%s%s%s%s

${user_type}${user_name}${auth_server} from {ipaddr} rejected${virtual_ip} ${msg}

3E000004 INFO Management / Accounting

User logout Management user admin from 10.0.1.2 logged out

A user successfully logged out. The log message specifies the user type, user name, and IP address.

%s %s%s%s from %s logged out%s%s%s%s

${user_type}${user_name}${auth_server} from {ipaddr} logged out${virtual_ip} ${msg}

11000003 INFO Management / Authentication

Authentication server unavailable

Authentication server 192.168.1.1:389 is not responding

The external authentication server is not available.

Authentication server %s:%d is not responding

11000004 INFO Management / Authentication

User authentication succeeded

Authentication of firewall user [user1@Firebox-DB] from 198.51.100.2 was accepted

The user successfully authenticated. The log message specifies whether this is an administrative user, a firewall user, or another type of user.

Authentication of %s user [%s@%s] from %s was accepted

Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ipaddr} was accepted.

11000005 WARN Management / Authentication

User authentication failed

Authentication of MUVPN user [user1@Firebox-DB] from 198.51.100.2 was rejected, password is incorrect

User authentication failed. The log message specifies the reason.

Authentication of %s user [%s@%s] from %s was rejected, %s

Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ip_addr} was rejected, ${reason}

11000006 INFO Management / Authentication

User unlock User test is unlocked automatically It indicates a user unlock and how he/she is unlocked

User %s is unlocked %s User ${name} is unlocked ${how}

11000007 WARN Management / Authentication

user lock User test is locked out briefly after 3 login failures

It indicates a user lockout and how and why he/she is locked out

User %s is locked out %s after %d login failures

User ${name} is locked out ${lockout_type} after ${failure_count} login failures

11000008 WARN Management / Authentication

BOVPN TLS client authentication failed

Authentication of BOVPN TLS client [EasternOffice] from 198.51.100.2 was rejected, pre-shared key is incorrect

BOVPN TLS client authentication failed. The log message specifies the reason.

Authentication of BOVPN TLS client [%s] from %s was rejected, %s

Authentication of BOVPN TLS client [${client_name}] from ${ip_addr} was rejected, ${reason}

11000010 INFO Management / Authentication

Firebox connected to SSO agent

Firebox connected to the SSO agent at 10.0.1.25 successfully.

Firebox connected to the SSO agent successfully

Firebox connected to the SSO agent at %s successfully.

11000011 INFO Management / Authentication

Firebox closed the connection

Firebox closed the connection to the SSO agent at 10.0.1.25.

Firebox closed the connection to the SSO agent.

Firebox closed the connection to the SSO agent at %s.

11000012 INFO Management / Authentication

Firebox failed to connect to the SSO agent

Firebox failed to connect to the SSO agent at 10.0.1.25. Reason: timeout.

Firebox failed to connect to the SSO agent. Firebox failed to connect to the SSO agent at %s. Reason: %s.

11000013 INFO Management / Authentication

Successful SSO agent failover

SSO Agent failover from 10.0.1.25 to 10.0.1.26 was successful.

Successful SSO agent failover. SSO Agent failover from %s to %s was successful.

11000014 INFO Management / Authentication

Unsuccessful SSO failover

SSO agent failover from 10.0.1.25 to 10.0.1.26 failed. Reason: incompatible SSO agent version.

Unsuccessful SSO failover. SSO agent failover from %s to %s failed. Reason: %s.

1100000C WARN Management / Authentication

Authentication error

Authentication error. Domain not found for user1.

Authentication failed. The log message specifies the reason.

Authentication error. %s for %s.

Authentication error. ${error} for ${user_name}.

1100000D WARN Management / Authentication

Authentication server unavailable

Authentication of user [[email protected]] failed. Both primary and secondary servers are unavailable.

Authentication failed because both the primary and secondary authentication servers are unavailable.

Authentication of user [%s@%s] failed. Both primary and secondary servers are unavailable.

1100000E WARN Management / Authentication

Unsupported RADIUS method

Authentication of firewall user [user1@RADIUS] failed. RADIUS authentication method MSCHAP_V1 is not supported.

Authentication failed because the specified RADIUS method is not supported.

Authentication of %s user [%s@%s] failed. RADIUS authentication method %s is not supported.

1100000F WARN Management / Authentication

Groups maximum reached

The maximum number of groups (31) has been reached

Authentication failed because the maximum number of groups has been reached.

The maximum number of groups (%d) has been reached

40010001 INFO Management / Certificate

CA certificate updated successfully

CA certificate updated successfully to version 1.3.

The CA certificate updated successfully to the specified new version.

CA certificate updated successfully to version %s.

CA certificate updated successfully to version ${new CA version number}.

40010002 ERROR Management / Certificate

CA certificate updated failed

CA certificate update failed. Current CA certificate version: 1.2.

CA certificate updated failed. CA certificate update failed. Current CA certificate version: %s.

CA certificate update failed. Current CA certificate version: ${current CA version number}.

01010001 INFO Management / Configuration

Device configuration change

Management user admin@Firebox-DB from 10.139.36.22 {modified | added | deleted } Blocked Sites Exceptions

The device configuration has been changed. Management user %s@%s from %s %s%s %s

Management user ${user}@${domain} from ${ipaddr} ${operation} ${subsystem} ${object}

01010002 INFO Management / Configuration

Administrative accounts reset to default

Administrative accounts were reset to the default settings

The administrative accounts were returned to the default settings. This could be because the system is in safe mode, or because of a corrupted administrative account file.

Administrative accounts were reset to the default settings

01020001 INFO Management / Configuration

Feature key added

admin added feature key '883B25CCF32949EE'

An administrator added a feature key. The log message specifies the feature key ID.

%s added feature key '%s'

01020002 INFO Management / Configuration

Feature key removed

admin removed feature key '883B25CCF32949EE'

An administrator has removed a feature key. The log message specifies the feature key ID.

%s removed feature key '%s'

01020003 WARN Management / Configuration

Feature expired 'LIVESECURITY' feature expired. Contact WatchGuard to renew your subscription.

'%s' feature expired. Contact WatchGuard to renew your subscription.

01020005 INFO Management / Configuration

Feature expiration reminder

'LIVESECURITY' feature will expire in 90 days.

A feature will soon expire. The log message specifies the feature and the number of days until it expires.

'%s' feature will expire in %d days.

–

01040001 INFO Management / Configuration

Default device settings in use for safe mode

Device default configuration was loaded in safe mode

The device configuration was reset to the default settings because the device is in safe mode.

Device default configuration was loaded in safe mode

41000001 INFO Management / LiveSecurity

RapidDeploy succeeded

RapidDeploy package was applied successfully

The RapidDeploy package from the LiveSecurity service was successfully applied to the device.

RapidDeploy package was applied successfully

41000002 ERROR Management / LiveSecurity

RapidDeploy failed

RapidDeploy package was not applied: Cannot find result.xml

The RapidDeploy package was not applied to the device. The log message specifies the reason.

RapidDeploy package was not applied: %s

RapidDeploy failed: ${reason}

41000003 INFO Management / LiveSecurity

New RSS feed update succeeded

New RSS feed from LiveSecurity Service was updated

New RSS feed from the LiveSecurity Service was updated.

New RSS feed from LiveSecurity Service was updated

41000004 ERROR Management / LiveSecurity

New RSS feed update failed

New RSS feed from LiveSecurity Service was not updated: error retrieving response from server

New RSS feed from the LiveSecurity Service failed to update.

New RSS feed from LiveSecurity Service was not updated: %s

41000005 INFO Management / LiveSecurity

Feature key download succeeded

Feature key from LiveSecurity Service was received

The feature key for the device was successfully downloaded from the LiveSecurity Service.

Feature key from LiveSecurity Service was received

41000006 ERROR Management / LiveSecurity

Feature key download failed

Feature key from LiveSecurity Service was not received: error parsing response from LiveSecurity service

The feature key could not be downloaded from the LiveSecurity Service. The log message specifies the reason.

Feature key from LiveSecurity Service was not received: %s

41000007 INFO Management / LiveSecurity

Wireless country specification update succeeded

Wireless country specification was updated

The wireless country specification was successfully updated from the LiveSecurity service.

Wireless country specification was updated

41000008 ERROR Management / LiveSecurity

Wireless country specification update failed

Wireless country specification from LiveSecurity Service was not received: received error code <n> from LSS

The wireless country specification could not be downloaded from the LiveSecurity service. The log message specifies the failure reason and the number of retries.

Wireless country specification from LiveSecurity Service was not received: %s, (retry_count=%d)

41010001 INFO Management / LiveSecurity

RapidDeploy configuration from USB succeeded

RapidDeploy configuration from a USB drive was applied successfully

The RapidDeploy configuration was successfully applied from a USB drive.

RapidDeploy configuration from a USB drive was applied successfully

41010002 ERROR Management / LiveSecurity

RapidDeploy configuration from USB failed

RapidDeploy configuration from a USB drive was not applied: config line missing

The RapidDeploy configuration was not successfully applied from a USB drive. The log message specifies the reason.

RapidDeploy configuration from a USB drive was not applied: %s

3D040001 INFO Management / Logging

Primary Log Server connected

Connected to the primary Log Server at 198.51.100.0

The device successfully connected to the WatchGuard Log Server designated as the primary server.

Connected to the primary Log Server at %s

3D040002 INFO Management / Logging

Backup Log Server connected

Connected to the backup Log Server at 198.51.100.0

The device successfully connected to the WatchGuard Log Server designated as the backup server.

Connected to the backup Log Server at %s

15000000 INFO Management / Management Client

Device configuration update with audit trail

The configuration file and feature key for the device were successfully updated after a request from admin from the Management Server at 10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcp segment.

The updated configuration file was successfully sent to the device from the specified Management Server. The log message indicates if the feature key was updated. The log message might also specify the revision ID and includes comments about the update.

The configuration file %s for the device %s successfully updated after a request from %s from the Management Server at %s.%s%s%s%s.

15000001 INFO Management / Management Client

Device configuration update

Device configuration file was successfully updated. Configuration file retrieved from the Management Server at 10.139.44.88.

The device retrieved an updated configuration file from the specified Management Server. The log message also indicates if device retrieved a feature key.

Device configuration file %s successfully updated. Configuration file retrieved from the Management Server at %s.

15010000 INFO Management / Management Client

IPSec certificate import

The IPSec certificate was successfully imported from the Management Server at 10.139.44.88.

The IPsec certificate was successfully imported from the specified Management Server.

The IPSec certificate was successfully imported from the Management Server at %s.

15010001 INFO Management / Management Client

Management Server CA certificate import

The Management Server CA certificate was successfully imported from the Management Server at 10.139.44.88.

The Management Server CA certificate was successfully imported from the specified Management Server.

The Management Server CA certificate was successfully imported from the Management Server at %s.

58000001 INFO Management / NTP

System time changed

System time changed to 2012-08-29 08:20:00 by NTP

The system time was changed by the NTP process.

System time changed to %s by NTP

55010000 INFO Management / System

Bootup time System boot up at 2000-01-01 00:00:01 System boot up at %s System boot up at %s System boot up at ${time}

55010002 ERROR Management / System

LIVESECURITY feature not found

Valid 'LIVESECURITY' feature not found

Valid 'LIVESECURITY' feature not found Valid 'LIVESECURITY' feature not found

55010003 ERROR Management / System

LIVESECURITY expired

'LIVESECURITY' feature expired (Tue May 14 12:25:00 2013) prior to package release date (Wed May 15 01:00:00 2013 )

'LIVESECURITY' feature expired (%s) prior to package release date (%s)

'LIVESECURITY' feature expired (%s) prior to package release date (%s)

'LIVESECURITY' feature expired (${expiration time}) prior to package release date (${package release time})

55010004 INFO Management / System

Shutdown Shutdown requested by system Shutdown requested by system Shutdown requested by system

55010005 INFO Management / System

Reboot System is rebooting System is rebooting System is rebooting

55010006 INFO Management / System

Upgrade succeeded

System upgrade to 11.9 successful, system needs to reboot

System upgrade to %s successful, %s System upgrade to %s successful, %s

System upgrade to ${software version} successful ${box need reboot or not}

55010007 INFO Management / System

Automatic reboot System is automatically rebooting at 12:09

System is automatically rebooting at %d:%d System is automatically rebooting at %d:%d

System is automatically rebooting at ${hour}:${second}

55010008 INFO Management / System

Time change System time changed from 2012-10-5 12:30:15 to 2012-10-6 14:10:00

System time changed from %s to %s System time changed from %s to %s

System time changed from ${old value} to ${new value}

55010013 INFO Management / System

USB auto restore started

USB auto restore started USB auto restore started USB auto restore started

55010016 INFO Management / System

Feature expiration reminder

'LIVESECURITY' feature will expire on Sat., Jan 5, 11:27:23 CST 2013.

'LIVESECURITY' feature will expire on %s 'LIVESECURITY' feature will expire on %s

'LIVESECURITY' feature will expire on ${expiration time}

55010019 WARN Management / System

Configuration reset failed during a downgrade

During a system downgrade, the configuration reset failed

During a system downgrade, the configuration reset failed

During a system downgrade, the configuration reset failed

55010020 INFO Management / System

Backup succeeded

System backup succeeded System backup succeeded System backup succeeded

55010021 INFO Management / System

Device restore success

Device auto restore from USB drive succeeded

Device auto restore from a specific image in USB drive or normal restore from a normal image

Device %s restore from %s image succeeded

Device ${restore_type} restore from ${image_source} image succeeded

55010022 INFO Management / System

USB auto restore image created

USB auto restore image successfully created

USB auto restore image successfully created

USB auto restore image successfully created

5501000B INFO Management / System

Device restore

Device auto restore from USB drive image initiated, reboot needed

Device was restored from a saved backup image. The backup image was either auto restored from a USB drive or restored from another location.

Device %s restore from %s image initiated%s

Device ${restore_type} restore from ${image_source} image initiated${reboot_option}

5501001A WARN Management / System

Upgrade failed

System upgrade failed: 'LIVESECURITY' feature expired

System upgrade failed: %s

System upgrade failed: %s

System upgrade failed: ${reason}

5501001D INFO Management / System

Logo upload succeeded

Upload of logo succeeded

Upload of logo succeeded

Upload of logo succeeded

50000001 WARN Management / Web Service

User login failed (wgagent)

WSM User status from 10.0.1.2 log in attempt was rejected - Invalid credentials.

A user log in attempt failed. The log message specifies the UI type, User Name, IP address, and (if available) the failure reason.

%s %s@%s from %s log in attempt was rejected - %s.

%{ui_type} ${user_name}@${auth_server} from ${ipaddr} log in attempt was rejected ${msg}.

FireCluster Log Messages

FireCluster log messages are for events related to your Fireboxes that are members of a FireCluster. This includes actions related to management of the FireCluster, operational errors of cluster members, events that occur on cluster members, and changes to the status of a cluster member.

Diagnostic

FireCluster log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format ID

3A000002 INFO Cluster / Event Monitoring

VRRP enabled

VRRP is now enabled for Cluster.

Virtual Router Redundancy Protocol (VRRP) is now enabled for this Active/Passive Cluster.

VRRP is now enabled for Cluster.

3A000004 INFO Cluster / Event Monitoring

VRRP start master

Virtual Router with cluster ID 1 started in master state.

VRRP started in master state.

Virtual Router with cluster ID %d started in master state.

Virtual Router with cluster ID ${value} started in master state.

3A000005 INFO Cluster / Event Monitoring

VR shutdown

Virtual Router with cluster ID 1 returned to initial state.

Virtual Router returned to initial state.

Virtual Router with cluster ID %d returned to initial state.

Virtual Router with cluster ID ${id} returned to initial state

3A000006 INFO Cluster / Event Monitoring

VR pause

Virtual Router with cluster ID 1 becomes backup on pause event

Virtual Router becomes backup due to a pause event.

Virtual Router with cluster ID %d becomes backup on pause event

Virtual Router with cluster ID ${id} becomes backup on pause event

3A000007 INFO Cluster / Event Monitoring

VR resume

Virtual Router with cluster ID 1 becomes master on resume event

Virtual Router becomes master due to a resume event.

Virtual Router with cluster ID %d becomes master on resume event

Virtual Router with cluster ID ${id} becomes master on resume event

3A000008 INFO Cluster / Event Monitoring

VR backup state

Virtual Router with cluster ID 1 state changed from master to backup

Virtual Router state changed from master to backup

Virtual Router with cluster ID %d state changed from master to backup

Virtual Router with cluster ID ${id} state changed from master to backup

3A00000A INFO Cluster / Event Monitoring

VR notification gap

Member 80B20002E5BCD Virtual Router with cluster ID 1 changed state to master due to 3 second notification gap from current master with IP 10.0.4.1

Member Virtual Router changed state to master due to notification gap from current master

Member %s Virtual Router with cluster ID %d changed state to master due to %d second notification gap from current master with IP %s

Member ${member} Virtual Router with cluster ID ${id} changed state to master due to ${value} second notification gap from current master with IP ${ip}

3A00000B INFO Cluster / Event Monitoring

VRRP master state

Virtual Router with cluster ID 1 state changed to master

Virtual Router state changed to master

Virtual Router with cluster ID %d state changed to master

Virtual Router with cluster ID ${id} state changed to master

3A00000C ERROR Cluster / Event Monitoring

VRRP initialization failed

Cluster VRRP initialization failed

Initialization of Virtual Router Redundancy Protocol (VRRP) failed.

Cluster VRRP initialization failed

38000002 ERROR Cluster / Management

DHCP overwrite

A DHCP server is interfering with static address assignment of cluster IP address 10.0.0.1 on eth0. Disable DHCP server access to eth5.

A DHCP server has attempted to assign an IP address to cluster member on the Cluster Interface. This log message recommends the admin isolate the Cluster interface network from the DHCP server, and specifies the interface number and IP address the cluster attempted to assign to the member.

A DHCP server is interfering with static address assignment of cluster IP address %s on eth%d. Disable DHCP server access to eth%d.

A DHCP server is interfering with static address assignment of cluster IP ${ip} on eth${port}. Please disable DHCP server access to eth${port}.

38000003 INFO Cluster / Management

Cluster interface up

Cluster interface eth5 is up.

Cluster interface link status changed to up.

Cluster interface %s is up.

Cluster interface ${ifname} is up.

38000004 WARN Cluster / Management

Cluster interface down

Cluster interface eth5 is down.

Cluster interface link status changed to down.

Cluster interface %s is down.

Cluster interface ${ifname} is down

38000264 WARN Cluster / Management

Time synchronization failure

Cluster time synchronization failed.

The cluster master's attempt to synchronize time to a cluster member failed

Cluster time synchronization failed.

3800025C INFO Cluster / Management

Configuration update

Cluster member 80B20002E5BCD received updated configuration; version 3.

Cluster member received an updated configuration from the master. The log message specifies the member serial number and configuration version number.

Cluster member %s received updated configuration; version %d.

Cluster member ${member} received updated configuration; version ${version}.

3B000001 INFO Cluster / Transport

Channel status change

Cluster channel from member 80B20002E5BCD to master is up

The cluster communication channel between the specified members changed state.

Cluster channel from member %s to master is %s.

Cluster channel from member ${member} to master is ${state}.

3B000002 INFO Cluster / Transport

Cluster interface down

Cluster interface eth5 is down.

The specified Cluster interface is down.

Cluster interface %s is down.

Cluster interface ${ifname} is down.

Event

FireCluster log messages of the Event log type.

ID Level Area Name Log Message Example Description Format ID

3A00000E INFO Cluster / Event Monitoring

VR enabled

Virtual Router with cluster ID 1 is now enabled

The Virtual Router representing the cluster is now enabled

Virtual Router with cluster ID %d is now enabled

Virtual Router with cluster ID ${id} is now enabled

3A00000F INFO Cluster / Event Monitoring

VR disabled

Virtual Router with cluster ID 1 is now disabled

The Virtual Router representing the cluster is now disabled

Virtual Router with cluster ID %d is now disabled

Virtual Router with cluster ID ${id} is now disabled

38000278 WARN Cluster / Management

Cluster disabled

Cluster disabled. Non-master member 80B20002E5BCD will be reset to factory-default settings.

The non-master member of the cluster will be reset to factory-default settings because FireCluster is disabled.

Cluster disabled. Non-master member %s will be reset to factory-default settings.

Cluster disabled. Non-master member %s will be reset to factory-default settings.

38000279 WARN Cluster / Management

Critical configuration change

Non-master member 80B20002E5BCD will be reset to factory-default settings due to a critical cluster configuration change.

The non-master member of the cluster will be reset to factory-default settings due to a critical configuration change. A configuration change is critical if it would cause the master and backup master to lose the TCP connection on the cluster interface.

Non-master member %s will be reset to factory-default settings due to a critical cluster configuration change.

Non-master member ${member} will be reset to factory default-settings due to a critical cluster configuration change.

38000280 ERROR Cluster / Management

Device discovery failed

Cluster master 80B20002E5BCD was unable to issue a device discovery message.

The cluster master was unable to issue a device discovery message.

Cluster master %s was unable to issue a device discovery message.

Cluster master ${master} was unable to issue a device discovery message.

38000282 INFO Cluster / Management

Member ready to join

Member 80B20002E5BCD is ready to join the cluster.

Local member has FireCluster enabled and is ready to join.

Member %s is ready to join the cluster.

Member ${member} is ready to join the cluster.

3800025A INFO Cluster / Management

Cluster enabled

Cluster enabled on member 80B20002E5BCD.

Cluster was enabled on the specified member.

Cluster enabled on member %s.

Cluster enabled on member ${member}.

3800025B INFO Cluster / Management

Cluster disabled on master

Cluster disabled on cluster master 80B20002E5BCD.

Cluster disabled on the cluster member while it was the cluster master.

Cluster disabled on cluster master %s.

Cluster disabled on cluster master ${master}.

3800027A WARN Cluster / Management

Non-master member removed

Non-master cluster member 80B20002E5BCD was removed from cluster, and will be reset to factory-default settings.

The non-master member of the Cluster will be reset to factory-default settings because it was removed from the cluster.

Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.

Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.

3800027E ERROR Cluster / Management

Factory-default reset failed

Failed to reset cluster member 80B20002E5BCD to factory-default settings.

Failed to reset to factory-default settings.

Failed to reset cluster member %s to factory-default settings.

Failed to reset member ${member} to factory-default settings.

39000003 WARN Cluster / Operations

Heartbeat lost

Master 80B20002E5BFE detected loss of heartbeat from member 80B20002E5BCD, cluster channel is up.

The specified Cluster failed to receive a heartbeat message.

Master %s detected loss of heartbeat from member %s, cluster channel is up.

Master ${master} detected loss of heartbeat from member ${member}, cluster channel is up.

39000005 INFO Cluster / Operations

Member promoted to master

Member 80B20002E5BCD is now master.

The specified member has become master.

Member %s is now master.

Member ${member} is now master.

39000007 ERROR Cluster / Operations

Failover due to WAI

Master 80B20002E5BCD failed over to member 80B20002E5BFE, which has a greater Weighted Average Index.

The master failed over to the specified member because that member has a higher health score than the master.

Master %s failed over to member %s, which has a greater Weighted Average Index.

Master ${master} failover to member ${member} with greater Weighted Average Index.

39000010 INFO Cluster / Operations

Member role change

Member 80B20002E5BCD changed role to master

The cluster member changed to the specified role.

Member %s changed role to %s.

Member ${member} role changed to ${role}.

39000011 INFO Cluster / Operations

Interface link status change

Monitored interface eth0 link is down.

Specified monitored interface link status changed, which will change the health index for the member.

Monitored interface %s link is %s.

Monitored interface ${ifname} link is ${state}.

39000012 INFO Cluster / Operations

New master

Member 80B20002E5BCD took over as master from member 80B20002E5BFE.

The specified member has taken over as master.

Member %s took over as master from member %s.

Member ${member} took over as master from member ${member}.

39000015 INFO Cluster / Operations

Failover initiated by administrator

Master 80B20002E5BCD initiated failover by administrator request.

The administrator has initiated a failover.

Master %s initiated failover by administrator request.

Master ${master} initiated failover by administrator request..

39000016 WARN Cluster / Operations

Cannot initiate failover

Cannot initiate failover from master 80B20002E5BCD to member 80B20002E5BFE due to higher Weighted Average Index on current master or backup master is unreachable.

The failover requested by administrator cannot proceed because the master has a higher health index, or the backup master is unreachable.

Cannot initiate failover from master %s to member %s due to higher Weighted Average Index on current master or backup master is unreachable.

Cannot initiate failover from master ${master} to member ${member} due to higher Weighted Average Index on current master or other member is unreachable.

39000019 ERROR Cluster / Operations

Failover due to interface state change

Cluster failover due to interface eth4 link down event.

A cluster failover event occurred due to a change of interface state.

Cluster failover due to interface %s link %s event.

Cluster failover due to interface ${ifname} link ${state} event.

39000058 INFO Cluster / Operations

Member Role Change

Cluster member 80B20002E5BCD changed role from idle to backup master

The role of the specified Cluster member changed.

Cluster member %s changed role from %s to %s.

Cluster member ${member} changed role from ${role} to ${role}.

3900000C ERROR Cluster / Operations

Synchronization failed

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE failed.

Full state synchronization from the master to the specified member failed. Member state will not change to Backup Master.

Full state synchronization from master %s to backup master %s failed.

Full state synchronization from master ${master} to backup master ${member} failed.

3900000D ERROR Cluster / Operations

Synchronization timeout

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE timed out.

Full state synchronization from the master to the specified member timed out. Member state will not change to Backup Master.

Full state synchronization from master %s to backup master %s timed out.

Full state synchronization from master ${master} to backup master ${member} timed out.

3900000E INFO Cluster / Operations

Synchronization successful

Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE completed successfully.

Full state synchronization to the specified member was successful. Member status changed to backup master.

Full state synchronization from master %s to backup master %s completed successfully.

Full state synchronization from master ${master} to backup master ${member} completed successfully

3900000F ERROR Cluster / Operations

Failover due to link-down

Master 80B20002E5BCD failed-over to member 80B20002E5BFE due to a link-down event on interface eth3.

Cluster failover due to a link failure on the current master, which now has a health index lower than the backup master. The log message specifies which interface has the link down.

Master %s failed-over to member %s due to a link-down event on interface %s.

Master ${master} failed-over to member ${member} due to a link-down event on interface ${ifname}.

Security Services Log Messages

Security Services log messages are generated for processes related to the Security Services configured on your Firebox. For the log messages from Security Services traffic and events, review the proxy log messages for the proxy policies where the Security Services are enabled. For more information, see Proxy Policy Log Messages on page 35.

Event

Security Services log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

1F000001 ERROR Security Services / Gateway Anti-Virus

Process failed to start

Cannot start ScanD

ScanD -- Process failed to start

Cannot start ScanD

–

1F010015 INFO Security Services / Gateway Anti-Virus

Ready for service

ScanD ready

ScanD -- Ready for service

ScanD ready

–

2E000005 ERROR Security Services / Signature Update

Process exiting

SIGD shutting down

SIGD -- Process exiting

SIGD shutting down

–

2E000006 ERROR Security Services / Signature Update

Process crashed

SIGD crashed

SIGD -- Process crashed

SIGD crashed

–

2E010017 WARN Security Services / Signature Update

License failed to load

Cannot load the license

SIGD -- License failed to load

Cannot load the license

–

2E010018 ERROR Security Services / Signature Update

Failed to start the signature update for the specified services

Cannot start the signature update for 'IPS'

SIGD -- Failed to start the signature update for the specified services

Cannot start the signature update for '%s'

2E010019 ERROR Security Services / Signature Update

Failed to check the available signature version on the server

Cannot complete the version check

SIGD -- Failed to check the available signature version on the server

Cannot complete the version check

2E01001A ERROR Security Services / Signature Update

Signature update process failed to start

Cannot start the signature update process

SIGD -- Signature update process failed to start

Cannot start the signature update process

2E01001B ERROR Security Services / Signature Update

Signature update process crashed

SIGD Worker crashed

SIGD -- Signature update process crashed

SIGD Worker crashed

–

2E020065 INFO Security Services / Signature Update

Signature update process started

Scheduled DLP update started

SIGD -- Signature update process started

%s %s update started

–

2E020066 INFO Security Services / Signature Update

Signature update process completed

Scheduled DLP update for version (4.94) completed

SIGD -- Signature update process completed

%s %s update for version (%s) completed

2E020067 ERROR Security Services / Signature Update

Signature update process for the specified version failed

Manual DLP update for version (4.94) failed (Valid feature key not available)

SIGD -- Signature update process for the specified version failed

%s %s update for version (%s) failed (%s)

2E020069 INFO Security Services / Signature Update

Device has the latest signature version for the specified service

Device already has the latest DLP signature version (4.94)

SIGD -- Device has the latest signature version for specified service

Device already has the latest %s signature version (%s)

23000001 ERROR Security Services / spamBlocker

Failed to start

Cannot start spamD

spamD -- Failed to start

Cannot start spamD

–

23000002 INFO Security Services / spamBlocker

Ready for service

spamD ready

spamD -- Ready for service

spamD ready

–

76000000 INFO Access Portal / Portal Wrapper

SAML certificate changes

Certificate for SAML is changed, please update SP certificate on IdP server.

The certificate used by SAML has changed and the admin needs to update this certificate on the IdP server

Certificate for SAML is changed, please update SP certificate on IdP server.

VPN Log Messages

VPN log messages are generated for processes related to all VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.

Alarm

VPN log messages of the Alarm log type.

ID Level Area Name Log Message Example Description Format Message Variables

020B0001 INFO VPN / IPSEC

Tunnel status changed

BOVPN tunnel 'tunnel.2' local 172.16.12.81/255.255.255.255 remote 172.16.13.204/255.255.255.255 under gateway 'gateway.1' is down

The status of the IPSec tunnel changed to up or down.

%s tunnel '%s' local %s remote %s under gateway '%s' is %s

${tunnel_type} tunnel '${tunnel}' local ${local} remote ${remote} under gateway '$(gateway}' is ${status}

Diagnostic

VPN log messages of the Debug (Diagnostic) log type.

ID Level Area Name Log Message Example Description Format Message Variables

02000001 ERROR VPN / IPSEC

Default certificate not found

The default IPSec certificate is not installed on the device

The IPSec tunnel could not be negotiated because the default IPSec certificate is not installed or is not valid.

The default IPSec certificate is not installed on the device

02000002 ERROR VPN / IPSEC

Failed to read certificate

Could not read [DSA | RSA] certificate with [n] ID

The IPSec tunnel could not be negotiated because the IPSec certificate is not valid.

Could not read %s certificate with %d ID

Could not read ${cert_type} certificate with ${id} ID

02020001 WARN VPN / IPSEC

IP address not available for Mobile VPN with IPSec user

Virtual IP address from 'abcd' address pool is not available for Mobile VPN with IPSec user 'Bob'

All virtual IP addresses allocated to this Mobile VPN with IPSec group are already assigned. New Mobile VPN with IPSec tunnels cannot be established unless existing tunnels are deleted.

Virtual IP address from '%s' address pool is not available for Mobile VPN with IPSec user '%s'

Virtual IP address from ${pool_name} address pool is not available for Mobile VPN with IPSec user ${user}

02030002 ERROR VPN / IPSEC

IKE Phase 1 expecting main mode

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Aggressive mode' exchange type. Expecting main mode.

IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting main mode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting main mode.

02030003 ERROR VPN / IPSEC

IKE Phase 1 expecting aggressive mode

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Main mode' exchange type. Expecting aggressive mode.

IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting aggressive mode.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting aggressive mode.

02030004 ERROR VPN / IPSEC

IKE Phase 1 DH group mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received DH group 2, expecting 14

IKE Phase 1 negotiation failed because of incorrect Diffie-Hellman group in proposal from remote gateway. The log message specifies the received and expected group number.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received DH group %d, expecting %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received DH group ${received}, expecting ${expected}

02030005 ERROR VPN / IPSEC

IKE Phase 1 hash mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received hash SHA1, expecting MD5

IKE Phase 1 negotiation failed because of incorrect hash type in proposal from remote gateway. The log message specifies the received and expected hash type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received hash %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received hash ${received}, expecting ${expected}

02030006 ERROR VPN / IPSEC

IKE Phase 1 encryption mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received encryption 3DES, expecting AES

IKE Phase 1 negotiation failed because of incorrect encryption type in proposal from remote gateway. The log message specifies the received and expected encryption type.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received encryption %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received encryption ${received}, expecting ${expected}

02030007 ERROR VPN / IPSEC

IKE Phase 1 authentication method mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received authentication method PSK, expecting RSA certificate

IKE Phase 1 negotiation failed because of incorrect authentication method in proposal from remote gateway. The log message specifies the received and expected authentication methods.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received authentication method %s, expecting %s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received authentication method ${received}, expecting ${expected}

02030008 ERROR VPN / IPSEC

IKE Phase 1 AES key length mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received AES key length 128, expecting 256

IKE Phase 1 negotiation failed because of incorrect AES key length in proposal from remote gateway. The log message specifies the received and expected AES key length.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received AES key length %d, expecting %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received AES key length ${received}, expecting ${expected}

02030009 ERROR VPN / IPSEC

IKE Phase 1 invalid first message

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid first message received by local gateway. The log message specifies the reason.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.

02030010 INFO VPN / IPSEC

IKE Phase 1 matching Main Mode policy not found

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Main mode matching policy not found

IKE Phase 1 negotiation because local gateway did not find a matching Aggressive mode policy.

IKE phase-1 negotiation from %s to %s failed. Reason=Main mode matching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Main mode matching policy not found

02030011 ERROR VPN / IPSEC

IKE Phase 1 remote gateway ID mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched ID setting

IKE Phase 1 negotiation failed because remote ID in gateway configuration did not match proposal from remote gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched ID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched ID setting

02030012 ERROR VPN / IPSEC

IKE Phase 1 pre-shared key authentication failure

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure

IKE Phase 1 negotiation failed because pre-shared key in proposal did not match gateway configuration.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Pre-shared key authentication failure

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure

02030013 INFO VPN / IPSEC

IKE Phase 1 negotiation failed

IKE phase-1 negotiation from 2.2.2.2:500 to 1.1.1.1:500 failed. Reason=Received invalid message

IKE Phase 1 negotiation failed because of the reason specified in the log

IKE phase-1 negotiation from %s:%d to %s:%d failed. Reason=%s

IKE phase-1 negotiation from ${src}:${sport} to ${dst}:${dport} failed- ${reason}

02030014 INFO VPN / IPSEC

Received informational error message

Received 'Invalid Exchange Type' message from 172.16.12.81:500 for 'gateway.1' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received the specified information or error message from remote gateway.

Received '%s' message from %s for '%s' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received '${info_msg}' message from ${peer_addr} for '${gw-ep}' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

02030015 ERROR VPN / IPSEC

IKE Phase 1 retry timeout

IKE phase-1 negotiation from 172.16.12.81:500 to 172.16.12.82:500 failed. Gateway-Endpoint='gateway.1' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

IKE Phase 1 negotiation failed because of no response from remote site.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.

02030016 WARN VPN / IPSEC

Mobile user rejected - maximum user connections reached

Rejected MUVPN IPSec user from 2.2.2.2 because maximum allowed user connections has been reached. Maximum:50

Specified Mobile VPN with IPSec user connection rejected because the specified concurrent user connections limit has been reached. The log message specifies the concurrent user connections limit.

Rejected MUVPN IPSec user from %s because maximum allowed user connections has been reached. Maximum:%d

Rejected MUVPN IPSec user from ${peer_addr} because maximum allowed user connections has been reached. Maximum:${max_value}

02030017 ERROR VPN / IPSEC

CA certificate not available

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=No CA certificate available

IKE phase-1 negotiation failed because no Certificate Authority (CA) certificate is available.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030018 ERROR VPN / IPSEC

IKE Phase 1 peer certificate CA is not supported

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peer certificate is not issued by known trusted CA

IKE Phase 1 negotiation failed because peer certificate is not issued by a known and trusted Certificate Authority (CA).

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030019 ERROR VPN / IPSEC

IKE Phase 1 received certificate with invalid CA name

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received certificate with invalid CA name

IKE Phase 1 negotiation failed because of invalid Certificate Authority (CA) name in certificate for remote gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

02030020 ERROR VPN / IPSEC

IKE Phase 1 possible shared secret mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Message decryption failed due to possible shared secret mismatch

IKE Phase 1 negotiation failed because of possible shared key mismatch.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message decryption failed due to possible shared secret mismatch

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message decryption failed due to possible shared secret mismatch

02030021 WARN VPN / IPSEC

DPD R_U_THERE_ACK not received

Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send DPD R_U_THERE_ACK message. 2 retries left

Firebox or XTM device sent a DPD_R_U_THERE request to remote gateway, but did not receive DPD R_U_THERE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.

Remote gateway '%s' with IP %s did not send DPD R_U_THERE_ACK message. %d retries left

Remote gateway '${gw-ep}' with IP ${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retries left.

02030022 WARN VPN / IPSEC

DPD max failure

Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to DPD failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.

The Firebox or XTM device deleted a VPN tunnel because the remote gateway did not respond to DPD R_U_THERE requests.

Remote gateway '%s' with IP %s presumed dead due to DPD failure. %s

Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to DPD failure. ${action}

02030023 WARN VPN / IPSEC

Did not receive KEEP_ALIVE_ACK response

Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send KEEP_ALIVE_ACK message. 2 retries left.

Firebox or XTM device sent a KEEP_ALIVE request to remote gateway, but did not receive KEEP_ALIVE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.

Remote gateway '%s' with IP %s did not send KEEP_ALIVE_ACK message. %d retries left.

Remote gateway '${gw-ep}' with IP ${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retries left.

02030024 WARN VPN / IPSEC

Deleted VPN tunnels due to keep-alive failure

Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to keep-alive negotiation failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.

Firebox or XTM device deleted one or more VPN tunnels because the remote gateway did not respond to keep-alive requests.

Remote gateway '%s' with IP %s presumed dead due to keep-alive negotiation failure. %s

Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to keep-alive negotiation failure. ${action}

02030025 INFO VPN / IPSEC

Received IKE message for unknown Phase 1 SA

Received IKE message from 172.16.13.204:500 for unknown P1 SA. Sending delete message to remote gateway 'gateway.1'.

Received IKE message for unknown P1 SA. Sending delete message to remote gateway

Received IKE message from %s for unknown P1 SA. Sending delete message to remote gateway '%s'.

Received IKE message from ${peer_addr} for unknown P1 SA. Sending delete message to remote gateway '${gateway}'.

02030026 ERROR VPN / IPSEC

DSS certificate ID mismatch

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched DSS certificate ID setting

IKE Phase 1 negotiation failed because of mismatched DSS certificate ID setting.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched DSS certificate ID setting

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched DSS certificate ID setting

02030027 ERROR VPN / IPSEC

Failed to get ID information from certificate

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Failed to get ID information from certificate 20001

IKE phase-1 negotiation failed because the ID information could not be obtained from the certificate.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Failed to get ID information from certificate %d

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failed to get ID information from certificate ${certificate_id}

02030028 INFO VPN / IPSEC

IKE Phase 1 message received on wrong interface

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Reason=Received IKE message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.

IKE Phase 1 negotiation failed because the IKE message from the peer was received on the wrong interface.

IKE phase-1 negotiation from %s to %s failed. Reason=Received IKE message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Received IKE message on wrong interface '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'

02030029 ERROR VPN / IPSEC

IKE Phase 1 invalid aggressive mode ID

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received ID did not match with configured aggressive mode ID.

IKE Phase 1 negotiation failed because received ID did not match with configured ID on local gateway. Check aggressive mode ID information in gateway endpoint configuration on both local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received ID did not match with configured aggressive mode ID.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received ID did not match with configured aggressive mode ID.

02050002 ERROR VPN / IPSEC

IKE Phase 2 PFS mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal without PFS, Expecting PFS enabled

The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal without PFS, Expecting PFS enabled

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal without PFS, Expecting PFS enabled

02050003 ERROR VPN / IPSEC

IKE Phase-2 proposal type mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received protocol 'AH'. Expecting 'ESP' in phase-2 proposal.

The IPSec tunnel negotiation failed because the proposal did not match the Phase 2 configuration. The log message specifies the received and expected proposals.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received protocol '%s'. Expecting '%s' in phase-2 proposal.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received protocol '${received_proto}'. Expecting '${expected_proto}' in phase-2 proposal.

02050004 ERROR VPN / IPSEC

IKE Phase 2 AH authentication method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AH authentication MD5, expecting SHA1

The IPSec tunnel negotiation failed because the proposed AH authentication method did not match the Phase 2 configuration. The log message specifies the received and expected AH authentication method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AH authentication %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AH authentication ${received}, expecting ${expected}

02050005 ERROR VPN / IPSEC

IKE Phase 2 ESP encryption method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP encryption DES, expecting AES

The IPSec tunnel negotiation failed because the proposed ESP encryption method did not match the Phase 2 configuration. The log message specifies the received and expected ESP encryption method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP encryption %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP encryption ${received}, expecting ${expected}

02050006 ERROR VPN / IPSEC

IKE Phase 2 PFS DH group mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received PFS DH group 2, expecting 5

The IPSec tunnel negotiation failed because the proposed Perfect Forward Secrecy Diffie-Hellman (PFS DH) group number did not match the Phase 2 configuration. The log message specifies the received and expected PFS DH group numbers.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received PFS DH group %d, expecting %d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received PFS DH group ${received}, expecting ${expected}

02050007 ERROR VPN / IPSEC

IKE Phase 2 ESP authentication method mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP authentication MD5-HMAC, expecting SHA1-HMAC

The IPSec tunnel negotiation failed because the proposed ESP authentication method did not match the Phase 2 configuration. The log message specifies the received and expected ESP authentication method.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP authentication %s, expecting %s

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP authentication ${received}, expecting ${expected}

02050008 ERROR VPN / IPSEC

IKE Phase 2 AES key length mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AES key length 128, expecting 256

The IPSec tunnel negotiation failed because the proposed AES encryption key length did not match the Phase 2 configuration. The log message specifies the received and expected AES key length.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AES key length %d, expecting %d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AES key length ${received}, expecting ${expected}

02050010 INFO VPN / IPSEC

Received quick mode informational error message

Received 'No Proposal Chosen' message from 172.16.12.81:500 for 'tunnel.1' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Remote gateway sent an information error message in response to VPN tunnel proposal.

Received '%s' message from %s for '%s' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

Received '${info_msg}' message from ${peer_addr} for '${tunnel}' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.

02050011 INFO VPN / IPSEC

Dropped simultaneous Phase 2 negotiation

Dropped a simultaneous phase-2 negotiation from the peer 172.16.13.204:500

Firebox or XTM device dropped phase-2 negotiation because of another Phase 2 negotiation in progress.

Dropped a simultaneous phase-2 negotiation from the peer %s

Dropped a simultaneous IPSec negotiation from the peer ${peer_addr}

02060001 WARN VPN / IPSEC

Received XAuth fail notification

Received XAuth failed notification from 172.16.24.1:4500. Group:'ToFirebox_mu'

Received notification that Extended Authentication (XAuth) failed. Aborting XAuth negotiation.

Received XAuth failed notification from %s. Group:'%s'

Received XAuth failed notification from ${peer_addr}. Group:'${gateway}'

02060002 WARN VPN / IPSEC

Rejected PSK authentication, Expect client XAUTH enabled.

Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting client XAUTH enabled.

Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects client Extended Authentication (XAuth) enabled.

Rejected phase-1 authentication method %s from %s, expecting client XAUTH enabled.

Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting client XAUTH enabled.

02060003 WARN VPN / IPSEC

Rejected PSK authentication, Expect server XAUTH enabled.

Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting server XAUTH enabled.

Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects server Extended Authentication (XAuth) enabled.

Rejected phase-1 authentication method %s from %s, expecting server XAUTH enabled.

Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting server XAUTH enabled.

02060004 WARN VPN / IPSEC

XAuth negotiation failed due to mismatched mode

XAuth negotiation from 172.16.24.1:4500 failed due to a mismatched XAuth Mode.

Mobile VPN with IPSec Extended Authentication (XAuth) negotiation failed because of mismatched authentication mode.

XAuth negotiation from %s failed due to a mismatched XAuth Mode.

XAuth negotiation from ${peer_addr} failed due to a mismatched XAuth Mode

02060005 WARN VPN / IPSEC

Mobile VPN with IPSec authentication failed because of unresponsive peer

MUVPN user authentication failed due to unresponsive peer at 172.16.24.1:4500

Mobile VPN with IPSec user authentication failed because the peer did not respond.

MUVPN user authentication failed due to unresponsive peer at %s

MUVPN user authentication failed due to unresponsive peer at %s

02060006 INFO VPN / IPSEC

Mobile VPN with IPSec user connected with no group

MUVPN user 'user.1' is authenticated without group information.

Specified Mobile VPN with IPSec user successfully authenticated, but is not a member of any group.

MUVPN user '%s' is authenticated without group information.

MUVPN user '${user_name}' is authenticated without group information

02060007 INFO VPN / IPSEC

Mobile user group information

MUVPN user 'user.1' is a member of 'muvpn' group.

Specified Mobile VPN with IPSec user belongs to the specified group.

MUVPN user '%s' is a member of '%s' group.

MUVPN user '${user_name}' is a member of '${group_name}' group.

02080001 INFO VPN / IPSEC

IKE phase-1 negotiated successful

BOVPN phase-1 main-mode completed successfully as initiator for 'gateway.1' gateway endpoint. local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SA ID:0x9d5e7809

IKE phase-1 negotiation was successfully completed.

%s phase-1 %s completed successfully as %s for '%s' gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SA ID:0x%08x

${tunnel_type} phase-1 ${nego_mode} completed successfully as ${nego_role} for '${gateway}' gateway endpoint. local-gw:${src}:${sport} remote-gw:${dst}:${dport} SA ID:${p1said}

0203000A ERROR VPN / IPSEC

IKE Phase 1 invalid Main Mode second message

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid second message received by local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.

0203000B ERROR VPN / IPSEC

IKE Phase 1 invalid Main Mode Key Exchange payload

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because local gateway received invalid Main Mode Key Exchange (KE) payload

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.

0203000C ERROR VPN / IPSEC

IKE Phase 1 invalid main mode ID

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid Main Mode ID payload received by local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.

0203000D ERROR VPN / IPSEC

IKE Phase 1 invalid aggressive mode hash

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because invalid aggressive mode hash payload received by specified local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.

0203000E ERROR VPN / IPSEC

IKE Phase 1 invalid Aggressive mode SA payload

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

IKE Phase 1 negotiation failed because of invalid Aggressive mode security association (SA) payload received by specified local gateway.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.

0203000F INFO VPN / IPSEC

IKE Phase 1 matching aggressive mode policy not found

IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Aggressive mode matching policy not found

IKE Phase 1 negotiation failed because local gateway did not find a matching aggressive mode policy.

IKE phase-1 negotiation from %s to %s failed. Reason=Aggressive mode matching policy not found

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Aggressive mode matching policy not found

0203002A ERROR VPN / IPSEC

IKE Phase 1 IKE version mismatch

IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received IKE version did not match the configured IKE version.

IKE Phase 1 negotiation failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both the local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received IKE version did not match the configured IKE version.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received IKE version did not match the configured IKE version.

0203002B ERROR VPN / IPSEC

IKE Phase 1 message received on wrong interface IP

IKE phase-1 negotiation from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKE Phase 1 negotiation failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

0205000A ERROR VPN / IPSEC

IKE Phase 2 tunnel route mismatch

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway='gateway.1' Reason=No matching tunnel route for peer proposed local:192.168.81.0/24 remote:192.168.82.0/28

The IPSec tunnel negotiation failed because the proposed tunnel routes did not match the tunnel configuration. The log message specifies the received and expected tunnel routes.

IKE phase-2 negotiation from %s to %s failed. Gateway='%s' Reason=No matching tunnel route for peer proposed local:%s/%d remote:%s/%d

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Gateway='${gateway}' Reason=No matching tunnel route for peer proposed local:${tr_local} remote:${tr_remote}

0205000B ERROR VPN / IPSEC

IKE Phase 2 message retry timeout

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

The IPSec tunnel negotiation failed because an expected response was not received before the message retry timeout.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.

0205000C ERROR VPN / IPSEC

IKE Phase 2 message retry timeout because Phase 1 SA expired

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout because phase-1 SA expired

The IPSec tunnel negotiation failed because the Phase 1 Security Association (SA) expired.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout because phase-1 SA expired

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout because phase-1 SA expired

0205000D ERROR VPN / IPSEC

IKE Phase 2 PFS not enabled

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal with PFS. PFS not enabled.

The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal with PFS. PFS not enabled.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal with PFS. PFS not enabled.

0205000E ERROR VPN / IPSEC

IKE Phase 2 wait timeout

IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

The IPSec tunnel negotiation failed because an expected response was not received before the expected time.

IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.

ID Level Area Name Log Message Example Description Format Message Variables

0205000F WARN VPN / IPSEC

Rejected Phase 2 negotiation due to incorrect gateway

Rejected phase-2 negotiation from 172.16.12.82:500 because 'gateway.1*1' is not the preferred IKE gateway endpoint.

Rejected Phase 2 negotiation because the proposal did not use the preferred IKE gateway endpoint.

Rejected phase-2 negotiation from %s because '%s' is not the preferred IKE gateway endpoint.

Rejected quick mode negotiation from ${peer_addr} because '${gw-ep}' is not the preferred IKE gateway endpoint.

021A0001 ERROR VPN / IPSEC

Dropped received IKEv2 message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=message has invalid initiator SPI (all zeros)

Dropped received invalid IKEv2 message.

Dropped IKEv2 %s message from %s. Reason=%s

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=${reason}

021A0002 ERROR VPN / IPSEC

IKE SA not found to handle IKE_SA_INIT_R message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=IKE SA not found to handle message with message ID 0x0.

IKE SA was not found to handle the received IKE_SA_INIT_R message.

Dropped IKEv2 %s message from %s. Reason=IKE SA not found to handle message with message ID 0x%x.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=IKE SA not found to handle message with message ID ${recvd_message_id}.

021A0003 ERROR VPN / IPSEC

Gateway endpoint not found to handle IKE_SA_INIT_R message

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason='gateway.1' gateway endpoint not found to handle message with message ID 0x0.

Gateway endpoint was not found to handle the received IKE_SA_INIT_R message.

Dropped IKEv2 %s message from %s. Reason='%s' gateway endpoint not found to handle message with message ID 0x%x.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason='${gw-ep}' gateway endpoint not found to handle IKE_SA_INIT message with message ID ${recvd_message_id}.

021A0004 INFO VPN / IPSEC

IKEv2 IKE SA is in deleting state

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=IKE SA is in DELETING state.

Received IKEv2 message was ignored because the corresponding IKE SA to handle the message was in DELETING state.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=IKE SA is in %s state.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=IKE SA is in ${ikev2_ikesa_state} state.

021A0005 ERROR VPN / IPSEC

Invalid message ID in IKEv2 exchange

Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=Invalid message ID in request message.

Received IKEv2 message was dropped because it has invalid message ID.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Invalid message ID in %s message.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}'. Reason=Invalid message ID in ${req_or_resp} message.

021A0006 ERROR VPN / IPSEC

IKEv2 gateway endpoint was not found to handle the received message

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Matching gateway endpoint not found.

IKEv2 gateway endpoint was not found to handle the received message.

IKEv2 %s exchange from %s to %s failed. Reason=Matching gateway endpoint not found.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Matching gateway endpoint not found.

021A0007 ERROR VPN / IPSEC

IKEv2 gateway endpoint version not matched

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE version did not match the configured IKE version.

IKEv2 message exchange failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received IKE version did not match the configured IKE version.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received IKE version did not match the configured IKE version.

021A0008 ERROR VPN / IPSEC

IKEv2 gateway endpoint is disabled

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=gateway endpoint is disabled.

The IKEv2 gateway endpoint is disabled. It cannot be used in tunnel negotiation.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=gateway endpoint is disabled.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=gateway endpoint is disabled.

021A0009 ERROR VPN / IPSEC

IKEv2 gateway ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Gateway endpoint with matching ID was not found.

IKEv2 IKE_AUTH negotiation failed because the remote ID configured in the gateway endpoint did not match proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Gateway endpoint with matching ID was not found.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Gateway endpoint with matching ID was not found.

021A000A ERROR VPN / IPSEC

IKEv2 IKE_SA_INIT message received on wrong interface

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.

IKEv2 IKE_SA_INIT negotiation failed because IKE message from peer was received on the wrong interface.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received message on wrong interface. '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'.

021A000B ERROR VPN / IPSEC

IKEv2 remote gateway endpoint ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured remote gateway endpoint ID.

IKEv2 IKE_AUTH negotiation failed because the remote ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured remote gateway endpoint ID.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured remote gateway endpoint ID.

021A000C ERROR VPN / IPSEC

IKEv2 local gateway endpoint ID mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured local gateway endpoint ID.

IKEv2 IKE_AUTH negotiation failed because the local ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured local gateway endpoint ID.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured local gateway endpoint ID.

021A000D ERROR VPN / IPSEC

Received IKEv2 message does not have expected payloads

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE_AUTH response message does not have the expected payloads.

IKEv2 message exchange failed because the received message from the peer does not have the expected payloads.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message does not have the expected payloads.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${msg_info} message does not have the expected payloads.

021A000E ERROR VPN / IPSEC

IKEv2 IKE proposal mismatch

IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=IKE proposal did not match. Received encryption 3DES, expected AES.

The IKEv2 message exchange failed because the IKE proposal in the received message did not match the expected proposal.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${msg_info}

021A000F ERROR VPN / IPSEC

IKEv2 KE DH-Group mismatch

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the IKE_SA_INIT response proposal.

IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.

021A0010 ERROR VPN / IPSEC

IKEv2 IPSec KE DH-Group mismatch

IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the CREATE_CHILD_SA request proposal.

IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.

021A0011 ERROR VPN / IPSEC

Received unacceptable traffic selector during first CHILD SA negotiation.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received unacceptable traffic selector in IKE_AUTH request.

IKEv2 first CHILD SA creation failed because the peer sent an unacceptable traffic selector.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received unacceptable traffic selector in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received unacceptable traffic selector in ${msg_info}.

021A0012 ERROR VPN / IPSEC

IKEv2 peer authentication method mismatch.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received authentication method PSK, expecting RSA certificate.

IKEv2 tunnel negotiation failed because the incorrect authentication method was proposed by the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received authentication method %s, expecting %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Received authentication method ${received}, expecting ${expected}.

021A0013 ERROR VPN / IPSEC

IKEv2 peer authentication failed

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint RSA certificate authentication failed.

IKEv2 tunnel negotiation failed because the local gateway could not authenticate the remote gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint %s authentication failed.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint ${auth_method} authentication failed.

021A0014 ERROR VPN / IPSEC

IKEv2 PSK mismatch

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

IKEv2 tunnel negotiation failed because of possible PSK mismatch.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.

021A0015 ERROR VPN / IPSEC

Received IKEv2 IKE_SA_INIT notification error message.

IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.

IKEv2 IKE_SA_INIT negotiation failed because the peer sent a notification error message.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${notify_msg} message.

021A0016 ERROR VPN / IPSEC

Received IKEv2 CREATE_CHILD_SA/IKE_AUTH notification error message.

IKEv2 IKE_AUTH exchange from 10.139.36.185:500 to 10.139.36.195:500 failed. Tunnel='tunnel.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.

IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failed because peer sent a notification error message.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Received %s message.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel_name}'. Reason=Received ${notify_msg} message.

021A0017 INFO VPN / IPSEC

IKEv2 IKE SA established

IKEv2 IKE SA established successfully as initiator for 'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SAID:0xbc2188a5.

IKEv2 IKE SA is established because IKE_AUTH negotiation is finished or IKE SA is rekeyed.

IKEv2 IKE SA established successfully as %s for '%s' gateway endpoint. local-gw:%s remote-gw:%s SAID:0x%08x.

IKEv2 IKE SA established successfully as ${exchange_role} for '${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SA ID:${sa_id}.

021A0018 ERROR VPN / IPSEC

IKEv2 tunnel proposal mismatch.

IKEv2 CREATE_CHILD_SA exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Tunnel='tunnel.1'. Reason=IPSec proposal did not match. Received encryption 3DES, expected AES.

The IKEv2 message exchange failed because the IPSec proposal in the received message did not match the expected proposal.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=%s

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=${msg_info}

021A0019 ERROR VPN / IPSEC

Received invalid SPI during first CHILD SA negotiation.

IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Peer proposed invalid SPI in IKE_AUTH request.

IKEv2 first CHILD SA creation failed because the peer sent an invalid SPI.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Peer proposed invalid SPI in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Peer proposed invalid SPI in ${msg_info}.

021A001A ERROR VPN / IPSEC

Received invalid SPI during IKEv2 IPSec SA rekey

IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Could not find child SA by received SPI 0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.

IKEv2 IPSec SA rekey failed because the peer sent an invalid SPI.

IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Could not find child SA by received SPI %0x in %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Could not find child SA by received SPI ${spi} in ${msg_info}.

021A001B ERROR VPN / IPSEC

No response from remote gateway

IKEv2 exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=No response for IKE_AUTH request message. Check the connection between the local and remote gateway endpoints.

IKEv2 connection was terminated because there was no response from the remote site.

IKEv2 exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=No response for %s message. Check the connection between the local and remote gateway endpoints.

IKEv2 exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=No response for ${msg_info} message. Check the connection between the local and remote gateway endpoints.

021A001C INFO VPN / IPSEC

IKEv2 IKE SA is waiting for the user authentication result

Dropped IKEv2 IKE_AUTH message from 198.51.100.2:4500. Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for the EAP_MSCHAPv2 user authentication result.

The Firebox ignored an IKEv2 message because the corresponding IKE SA is waiting for the user authentication result from the authentication module.

Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Waiting for the %s user authentication result.

Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=Waiting for the ${user-auth-protocol} user authentication result.

021A001D ERROR VPN / IPSEC

IKEv2 gateway ID mismatch

IKEv2 IKE_AUTH exchange from 198.51.100.2 to 203.0.113.2:500 failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=The Mobile VPN with IKEv2 profile is not enabled.

IKEv2 IKE_AUTH negotiation failed because Mobile VPN for IKEv2 is not enabled on this gateway.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=The Mobile VPN with IKEv2 profile is not enabled.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Mobile VPN with IKEv2 profile is not enabled.

021A001E ERROR VPN / IPSEC

IKEv2 received invalid EAP information

IKEv2 IKE_AUTH EAP exchange from 198.51.100.2:4500 to 203.0.113.2:4500 failed. Gateway-Endpoint='WG IKEv2MVPN'. Reason='example' authentication domain is not configured.

IKEv2 IKE_AUTH EAP negotiation failed because IKEv2 Mobile VPN client sent invalid information.

IKEv2 %s EAP exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s

IKEv2 ${exchange_type} EAP exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}

021A001F ERROR VPN / IPSEC

IKEv2 IKE_SA_INIT message received on wrong interface IP

IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with the wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

021A0020 ERROR VPN / IPSEC

IKEv2 IKE_AUTH message received on wrong interface IP

IKEv2 IKE_AUTH exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.

IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.

IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.

IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.

5B010004 INFO VPN / L2TP

Update user session

Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.

Mobile VPN with L2TP updated the session for the specified user. The log message specifies the assigned virtual IP address.

Updated Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.

5B010005 INFO VPN / L2TP

Delete user session

Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.

Deleted a Mobile VPN with L2TP session with the specified virtual IP address.

Deleted Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.

25000000 INFO VPN / SSLVPN

User login

Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 192.51.100.2.

A user logged in to VPN with SSL. The log message specifies the VPN user type, and the user's name, virtual IP address, and real IP address.

%s %s logged in. Virtual IP address is %s. Real IP address is %s.

${vpn_user_type} ${user_name} logged in. Virtual IP address is ${virtual_ipaddr}. Real IP address is ${real_ipaddr}.

25000001 INFO VPN / SSLVPN

User log off

Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.

The VPN with SSL user with the specified virtual IP address logged out.

%s %s logged off. Virtual IP address is %s.

${vpn_user_type} ${user_name} logged off. Virtual IP address was ${virtual_ipaddr}.

Event

VPN log messages of the Event log type.

ID Level Area Name Description Example Format Message Variables

02010001 INFO VPN / IPSEC

IKE process starts

The IPSec IKE process started.

WatchGuard iked v11.6.B341909 (C) 1996-2012 WatchGuard Technologies Inc. starts at Wed Jun 30 21:49:08 2012

WatchGuard iked v%s %s starts at %s

02010002 INFO VPN / IPSEC

Configuration update started

An IPSec configuration update started.

Started processing a configuration setting

Started to process a configuration setting

02010003 INFO VPN / IPSEC

Configuration update completed

An IPSec configuration update was successfully completed.

A configuration setting has been processed successfully

A configuration setting has been processed successfully

02010004 WARN VPN / IPSEC

Device not activated

The device is not activated. IPSec tunnels cannot be established.

WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!

WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!

02070001 INFO VPN / IPSEC

Tunnel established or re-keyed

The IPSec tunnel was established or re-keyed successfully. The log message includes the security association identifiers.

'gateway.1' BOVPN IPSec tunnel is established. local:192.168.81.0/28 remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256f role:responder

'%s' %s IPSec tunnel is %s. local:%s remote:%s in-SA:0x%08x out-SA:0x%08x role:%s

${gateway} ${tunnel_type} IPSec tunnel is ${action}. local:${local} remote:${remote} in-spi:${in_spi} out-spi:${out_spi} role:${nego_role}

02090001 WARN VPN / IPSEC

BOVPN tunnel limit reached

The maximum allowed number of BOVPN tunnel routes have been established. No new tunnel routes can be created until active tunnel routes expire or are deleted.

The maximum number of allowed active BOVPN tunnels has been reached (Maximum: 500 Current: 500).

The maximum number of active allowed BOVPN tunnels has been reached (Maximum: %d Current: %d)

02090002 INFO VPN / IPSEC

IKE process -- FireCluster role changed

The cluster master has changed because of a FireCluster failover. The local device will not handle IKE negotiation.

A FireCluster failover occurred. The cluster master has changed.

A FireCluster failover occurred. The cluster master has changed.

5B010001 INFO VPN / L2TP

Daemon started

The Mobile VPN with L2TP daemon started.

The Mobile VPN with L2TP daemon started successfully.

The Mobile VPN with L2TP daemon started successfully.

5B010002 INFO VPN / L2TP

Configuration updated

The Mobile VPN with L2TP daemon received a configuration update.

Updating configuration for Mobile VPN with L2TP.

Updating configuration for Mobile VPN with L2TP.

5B010003 INFO VPN / L2TP

Daemon stopped

The Mobile VPN with L2TP daemon stopped.

Stopped Mobile VPN with L2TP daemon.

Stopped Mobile VPN with L2TP daemon.

Mobile Security Log Messages

Mobile Security log messages are generated for activity related to traffic through your Firebox from mobile devices. This includes traffic related to FireClient and Endpoint Manager.

Event

Mobile Security log messages of the Event log type.

ID Level Area Name Log Message Example Description Format Message Variables

70000001 ERROR Mobile Security / Endpoint Manager

Mobile security license limit reached

Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: 50

A user login from FireClient was rejected because the number of concurrently connected Mobile Security users has reached the limit supported by the Mobile Security license. The log message specifies the maximum allowed number of concurrent Mobile Security users.

Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: %d

70000002 WARN Mobile Security / Endpoint Manager

Mobile security license high watermark reached

The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: 50

The number of concurrently connected Mobile Security users has reached 90 percent of the capacity supported by the Mobile Security license. The log message specifies the supported maximum number of concurrent Mobile Security users.

The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: %d

70010000 INFO Mobile Security / Endpoint Manager

Mobile device connect

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is connected.

FireClient on the device has connected to the Firebox.

Mobile device %s is connected.

70010001 INFO Mobile Security / Endpoint Manager

Mobile device user already login

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe has already logged in.

User has logged in to Firebox from the device prior to the connection request.

Mobile device %s: user %s has already logged in.

70010002 INFO Mobile Security / Endpoint Manager

Mobile device user login

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged in.

User has logged in to Firebox through FireClient on the device.

Mobile device %s: user %s logged in.

70010003 INFO Mobile Security / Endpoint Manager

Mobile device user logout

Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged out.

User has logged out of Firebox from FireClient on the device.

Mobile device %s: user %s logged out.

70010004 INFO Mobile Security / Endpoint Manager

Mobile device idle disconnected

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected due to FireClient inactivity.

FireClient on the device is considered disconnected due to inactivity.

Mobile device %s is disconnected due to FireClient inactivity.

70010005 INFO Mobile Security / Endpoint Manager

Mobile device disconnected

Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected.

FireClient on the device has disconnected.

Mobile device %s is disconnected.

70010006 INFO Mobile Security / Endpoint Manager

Mobile device Unknown compliance

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Unknown.

Mobile device compliance status is Unknown. This could be because the compliance check is in progress, or because FireClient on the device is not responding.

Mobile device %s compliance status is Unknown.

70010007 INFO Mobile Security / Endpoint Manager

Mobile device Compliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Compliant.

Mobile device compliance status is Compliant, because it meets the compliance requirements.

Mobile device %s compliance status is Compliant.

70010008 INFO Mobile Security / Endpoint Manager

Mobile device Not Compliant

Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Not Compliant.

Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements.

Mobile device %s compliance status is Not Compliant.

70010009 INFO Mobile Security / Endpoint Manager

Mobile device user session recreated

Mobile device eee66f78-3d74-4002-8161-95938dca4390: session for user joe is recreated.

User session is recreated because the mobile device IP address changed.

Mobile device %s: session for user %s is recreated.

70020000 INFO Mobile Security / Endpoint Manager

Mobile device Authorization Agreement sign action

Mobile device eee66f78-3d74-4002-8161-95938dca4390: device authorization agreement (version 1) is accepted by user joe on 2015-09-01 09:10:12+0800.

The Device Authorization Agreement is either accepted or declined by a user at the specified local time.

Mobile device %s: device authorization agreement (version %d) is %s by user %s on %s.

device ${device id}: device authorization agreement (version ${ver_number}) is ${action} by user ${user} on ${local_time}
