Fireware v12.2
Log Message Catalog
WatchGuard Firebox
Revised November 2018
Copyright, Trademark, and Patent Information
Information in this guide is subject to change without notice. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright © 1998–2019 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Contents
Copyright, Trademark, and Patent Information
Introduction to the Log Catalog
  About Log Messages
  Types of Log Messages
    Traffic Log Messages
    Alarm Log Messages
    Event Log Messages
    Debug (Diagnostic) Log Messages
    Statistic Log Messages
  Read a Log Message
Firewall Log Messages
  Alarm
  Diagnostic
  Event
  Traffic
Networking Log Messages
  Diagnostic
  Event
Proxy Policy Log Messages
  Event
  Traffic
Management Log Messages
  Diagnostic
  Event
FireCluster Log Messages
  Diagnostic
  Event
Security Services Log Messages
  Event
VPN Log Messages
  Alarm
  Diagnostic
  Event
Mobile Security Log Messages
  Event
Introduction to the Log Catalog
You can use the tools available in WatchGuard Dimension, WatchGuard System Manager (WSM), and Fireware Web UI to review the log messages and events that occur on your WatchGuard Firebox devices, to examine the activity on your network. Log messages give you important information about the flow of traffic through your network, and are a key component to help you troubleshoot problems on your network.
The Fireware Log Catalog describes many of the types of log messages that your Firebox can generate. It includes examples of log messages for Firebox devices that run Fireware OS, grouped by the product area.
All log messages included in the Log Catalog are first organized into topics by product area and then separated into sections in each topic by the log message type:
- ALARM — Alarm log messages
- DIAG — Debug (Diagnostics) log messages
- EVENT — Event log messages
- STAT — Statistics log messages
- TRAFFIC — Traffic log messages
For more information about log message types, see About Log Messages.
Only log messages that are assigned a message ID number are included in the Log Catalog.
To review the log messages that are defined in the Log Catalog, you can expand the Log Messages section and select a topic for a product area, expand the section for a log message type, and review the log message lists to find a specific log message.
- To expand a single section, click .
- To collapse a single section, click .
- To expand all the sections in a topic, at the top of the topic window, click .
- To collapse all the sections in a topic, at the top of the topic window, click .
You can also search the Log Catalog for the specific details included in a log message.
For more information about options to search the Log Catalog, see Search the Log Catalog.
About Log Messages
Your Firebox can send log messages to an instance of Dimension, a WSM Log Server, or a syslog server. You can also configure your Firebox to store log messages locally on the Firebox. You can use Traffic Monitor in Fireware Web UI or Firebox System Manager (FSM) to review log messages in real-time. If you send log messages to Dimension, you can use the Dimension Log Manager to review the log messages from your Firebox devices. If you send log messages to a WSM Log Server, you can use Log Manager in WatchGuard WebCenter to review log messages after they are generated and processed by the Log Server.
Types of Log Messages
Firebox devices can send several types of log messages for events that occur on the Firebox. Each message includes the message type in the text of the message. The log message types are:
- Traffic
- Alarm
- Event
- Debug (Diagnostic)
- Statistic
Traffic and event log messages, and some alarm log messages, automatically appear in Traffic Monitor by default; you do not have to enable any settings on your Firebox to generate them. The majority of the other log message types must be enabled in the device configuration file before they appear in Traffic Monitor or Log Manager.
Traffic Log Messages
Most of the log messages that appear in Traffic Monitor are traffic log messages. Traffic Monitor shows all of the log messages that are generated by your Firebox and are recorded in your log file. Traffic log messages show the traffic that moves through your Firebox and how the packet filter and proxy policies were applied. A traffic log message can include details that show how NAT (network address translation) was handled for a packet.
The traffic log messages for traffic managed by packet filter policies contain a set number of fields. The information for the same traffic log message will look different in Traffic Monitor than in Log Manager.
For a traffic log message generated by traffic managed by a proxy policy, your Firebox generates more than one log message. The first entry shows the same information as a packet filter log message, but includes this additional information:
proxy_act
The name of the proxy action that handles this packet. A proxy action is a set of rules for a proxy that can be applied to more than one policy.
rule_name
The name of the specific proxy rule that handles this packet.
content_type
The type of content in the packet that is filtered by the proxy rule.
Other proxy log messages include a variable number of fields.
Alarm Log Messages
Alarm log messages are sent when an event occurs that triggers the Firebox to run a command. When the alarm condition is matched, the Firebox generates an alarm log message that you can see in Traffic Monitor, sends the log message to your Dimension server, WSM Log Server, or syslog server, and then it completes the specified action for the event.
You can configure your Firebox to send alarm log messages for specific events that occur on your device. For example, you can configure an alarm to occur when a specified value matches or exceeds a threshold. Other alarm log messages are set by the Firebox OS, with values that you cannot change. For example, the Firebox sends an alarm log message when a network connection on one of the Firebox interfaces fails, or when a Denial of Service attack occurs.
There are eight categories of alarm log messages:
- System
- IPS
- AV
- Policy
- Proxy
- Counter
- Denial of Service
- Traffic
The Firebox does not send more than 10 alarms in 15 minutes for the same conditions.
Event Log Messages
Event log messages are generated for activity on your Firebox that is related to actions by the Firebox and users. Actions that can cause the Firebox to send an event log message include:
- Firebox start up and shut down
- Firebox and VPN authentication
- Process start up and shut down
- Problems with Firebox hardware components
- Any task completed by a device administrator
Debug (Diagnostic) Log Messages
Debug log messages include detailed diagnostic information that you can use to help troubleshoot problems on your Firebox. There are 27 different product components that can send debug log messages. When you configure the logging settings on your Firebox you can specify the level of diagnostic logging to see for each different product component enabled on your Firebox. The available levels are:
- Off
- Error
- Warning
- Information
- Debug
Statistic Log Messages
Statistic log messages include information about the performance of your Firebox. You can configure your Firebox to generate log messages about external interface performance, VPN bandwidth statistics, and Security Services statistics. You can review these log messages to determine what changes are necessary in your Firebox settings to improve performance. To see these log messages, performance statistic logging must be enabled on the Firebox.
Read a Log Message
Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.
Here is an example of one traffic log message from Traffic Monitor:
2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"
When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.
Each log message includes these details:
Time Stamp
The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.
This is the time stamp from the example log message above:
2014-07-02 17:38:43
FireCluster Member Information
If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.
This is the FireCluster member information from the example log message above:
Member2
Disposition
Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.
This is the disposition from the example log message above:
Allow
Source and Destination Addresses
After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.
These are the source and destination addresses from the example log message above:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.
These are the service and protocol from the example log message above:
webcache/tcp
Source and Destination Ports
The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.
These are the source and destination ports from the example log message above:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.
These are the source and destination interfaces from the example log message above:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.
This is the connection action from the example log message above:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.
These are the packet length numbers from the example log message above:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.
This is the policy name from the example log message above:
(Outgoing-proxy-00)
Process
This section of the log message shows the process that handles the traffic.
This is the process from the example log message above:
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is the return code from the example log message above:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.
This is the NAT address from the example log message above:
src_ip_nat="69.164.168.163"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.
This is the packet size from the example log message above:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.
Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.
This is the message ID number from the example log message above:
msg_id="3000-0148"
The message ID numbers included in the Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. To make sure you can locate the message ID number in the Log Catalog, when you search the Log Catalog for the message ID, remove the hyphen from the message ID number.
For example, to search for information about message ID number 3000-0148, in the Search Log Catalog text box, type 300000148.
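The field order described above can be turned into a parser for log pipelines and detections. The following Python code is an added example, not WatchGuard code: it splits a Traffic Monitor line into the named details, collects the key="value" pairs, and converts msg_id (or id) into the hyphen-free catalog ID. The function names, the constructed second sample line, and the assumptions that the traffic is TCP or UDP and that interface names contain no spaces are this example's own.

```python
import ipaddress
import re
from datetime import datetime

# Positional details, in the order the page lists them for a Traffic Monitor line.
# Assumption: TCP/UDP traffic (two port numbers) and interface names without spaces.
HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<member>\S+) )?"                 # present only for FireCluster members
    r"(?P<disposition>Allow|Deny) "
    r"(?P<src_ip>\S+) (?P<dst_ip>\S+) "
    r"(?P<service>[^/\s]+)/(?P<protocol>\S+) "
    r"(?P<src_port>\d+) (?P<dst_port>\d+) "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<action>\S+) "
    r"(?P<pkt_len>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]*)\)"
    r"(?P<tail>.*)$"
)
KEY_VALUE = re.compile(r'(\w+)="([^"]*)"')

# IDs and names copied from the Firewall "Traffic" table of this catalog.
CATALOG = {
    "30000148": "Normal traffic",
    "30000149": "Application Control Traffic identified",
    "30000150": "IPS Traffic detected",
    "30000151": "Traffic connection terminated",
    "30000173": "Hostile traffic",
}

# The example line from this page.
PAGE_EXAMPLE = (
    '2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 '
    'webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) '
    'proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" '
    'tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"'
)
# Constructed sample: no FireCluster member, Deny disposition, id= instead of msg_id=.
CONSTRUCTED_LINE = (
    '2014-07-02 17:39:01 Deny 203.0.113.7 10.0.1.1 ssh/tcp 51512 22 '
    '0-External 3-Trusted Denied 52 117 (SSH-00) proc_id="firewall" '
    'tcp_info="offset 8 S 832026162 win 8192" id="3000-0148"'
)


def catalog_id(fields):
    """Return the message ID as the Log Catalog prints it: hyphen removed."""
    raw = fields.get("msg_id") or fields.get("id")
    return raw.replace("-", "") if raw else None


def parse_traffic_line(line):
    """Parse one Traffic Monitor traffic line; raise ValueError if it does not fit."""
    match = HEAD.match(line.strip())
    if match is None:
        raise ValueError("line does not follow the documented TCP/UDP traffic layout")
    rec = match.groupdict()
    tail = rec.pop("tail")
    # The time stamp uses the Firebox's own time zone, so it stays a naive datetime.
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    for key in ("src_ip", "dst_ip"):
        rec[key] = ipaddress.ip_address(rec[key])   # rejects malformed addresses
    for key in ("src_port", "dst_port", "pkt_len", "ttl"):
        rec[key] = int(rec[key])
    # The trailing number (-00) is appended by the Firebox to the configured name.
    rec["policy_base"] = re.sub(r"-\d+$", "", rec["policy"])
    rec["fields"] = dict(KEY_VALUE.findall(tail))
    rec["catalog_id"] = catalog_id(rec["fields"])
    rec["catalog_name"] = CATALOG.get(rec["catalog_id"])
    return rec


def try_parse(line):
    """Pipeline-friendly wrapper: None instead of an exception for unparsed lines."""
    try:
        return parse_traffic_line(line)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_LINE, "not a traffic line"):
        rec = try_parse(sample)
        if rec is None:
            print("unparsed:", sample)
            continue
        print(rec["ts"], rec["member"], rec["disposition"], rec["action"],
              f'{rec["src_ip"]}:{rec["src_port"]} -> {rec["dst_ip"]}:{rec["dst_port"]}',
              rec["policy_base"], rec["catalog_id"], rec["catalog_name"])
```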
Firewall Log Messages
Firewall log messages are generated by your Firebox for events that occur on the Firebox and for traffic managed by some packet filter policies. In addition to normal traffic, this can include messages related to feature keys, subscription services, server load balancing, and other features configured on your Firebox.
Alarm
Firewall log messages of the Alarm log type.

ID  Level  Area  Name

30000152  INFO  Firewall / Packet Filter  IPv4 source route attack
  Log Message Example: IPv4 source route attack from 10.0.1.34 detected.
  Description: IPv4 source route attack was detected.
  Format: IPv4 source route attack from %s detected.
  Message Variables: IPv4 source route from ${src} detected.

30000153  INFO  Firewall / Packet Filter  IPv4 SYN flood attack
  Log Message Example: SYN flood attack against 10.0.1.51 from 216.3.21.4 detected.
  Description: IPv4 SYN flood attack was detected.
  Format: SYN flood attack against %s from %s detected.
  Message Variables: SYN flood attack against ${dst} from ${src} detected.

30000154  INFO  Firewall / Packet Filter  IPv4 ICMP flood attack
  Log Message Example: ICMP flood attack against 10.0.1.51 from 216.3.21.4 detected.
  Description: IPv4 ICMP flood attack was detected.
  Format: ICMP flood attack against $dst from $src detected.
  Message Variables: ICMP flood attack against ${dst} from ${src} detected.

30000155  INFO  Firewall / Packet Filter  IPv4 UDP flood attack
  Log Message Example: UDP flood attack against 32.21.56.8 from 12.34.23.67 detected.
  Description: IPv4 UDP flood attack was detected.
  Format: UDP flood attack against %s from %s detected.
  Message Variables: UDP flood attack against ${dst} from ${src} detected.

30000156  INFO  Firewall / Packet Filter  IPv4 IPSEC flood attack
  Log Message Example: IPSEC flood attack against 32.21.56.8 from 12.34.23.67 detected.
  Description: IPv4 IPSEC flood attack was detected.
  Format: IPSEC flood attack against %s from %s detected.
  Message Variables: IPSEC flood attack against $dst from $src detected.

30000157  INFO  Firewall / Packet Filter  IPv4 IKE flood attack
  Log Message Example: IKE flood attack against 32.21.56.8 from 12.34.23.67 detected.
  Description: IPv4 IKE flood attack was detected
  Format: IKE flood attack against %s from %s detected.
  Message Variables: IKE flood attack against ${dst} from ${src} detected.

30000158  INFO  Firewall / Packet Filter  IPv4 scan attack
  Log Message Example: IP scan attack against 32.21.56.8 from 12.34.23.67 detected.
  Description: IPv4 scan attack was detected.
  Format: IP scan attack against %s from %s detected.
  Message Variables: IP scan attack against ${dst} from ${src} detected.

30000159  INFO  Firewall / Packet Filter  IPv4 port scan attack
  Log Message Example: PORT scan attack against 32.21.56.8 from 12.34.23.67 detected.
  Description: IPv4 port scan attack was detected.
  Format: PORT scan attack against %s from %s detected.
  Message Variables: Port scan attack against ${dst} from ${src} detected.

30000160  INFO  Firewall / Packet Filter  IPv4 DDOS against server
  Log Message Example: DDOS against server 10.0.1.34 detected.
  Description: IPv4 DDOS attack against a server was detected.
  Format: DDOS against server %s detected.
  Message Variables: DDOS against server ${dst} detected.

30000161  INFO  Firewall / Packet Filter  IPv4 DDOS attack from client
  Log Message Example: DDOS from client 10.0.1.34 detected.
  Description: IPv4 DDOS attack from a client was detected.
  Format: DDOS from client $src detected.
  Message Variables: DDOS from client ${src} detected.

30000162  INFO  Firewall / Packet Filter  IPv6 SYN flood attack
  Log Message Example: SYN flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected.
  Description: IPv6 SYN flood attack was detected.
  Format: SYN flood attack against %s from %s detected.
  Message Variables: SYN flood attack against ${dst} from ${src} detected.

30000163  INFO  Firewall / Packet Filter  IPv6 ICMP flood attack
  Log Message Example: ICMP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected.
  Description: IPv6 ICMP flood attack was detected.
  Format: ICMP flood attack against %s from %s detected.
  Message Variables: ICMP flood attack against ${dst} from ${src} detected.

30000164  INFO  Firewall / Packet Filter  IPv6 UDP flood attack
  Log Message Example: UDP flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected.
  Description: IPv6 UDP flood attack was detected.
  Format: UDP flood attack against %s from %s detected.
  Message Variables: UDP flood attack against ${dst} from ${src} detected.

30000165  INFO  Firewall / Packet Filter  IPv6 IPSEC flood attack
  Log Message Example: IPSEC flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected.
  Description: IPv6 IPSEC flood attack was detected.
  Format: IPSEC flood attack against %s from %s detected.
  Message Variables: IPSEC flood attack against ${dst} from ${src} detected.

30000166  INFO  Firewall / Packet Filter  IPv6 IKE flood attack
  Log Message Example: IKE flood attack against 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 from FF01::101 detected.
  Description: IPv6 IKE flood attack was detected.
  Format: IKE flood attack against %s from %s detected.
  Message Variables: IKE flood attack against ${dst} from ${src} detected.

30000167  INFO  Firewall / Packet Filter  Alarm Traffic matched policy
  Log Message Example: Policy Name: HTTP-00 Source IP Address: 10.0.1.20 Source Port: 4107 Destination IP Address: 61.135.169.125 Destination Port: 80
  Description: An alarm log message was sent for traffic that matched the specified policy.
  Format: Policy Name: %s Source IP Address: %s Source Port: %d Destination IP Address: %s Destination Port: %d
  Message Variables: Policy Name: ${pcy_name} Source IP Address: ${src_ip} Source Port: ${src_port} Destination IP Address: ${dst_ip} Destination Port: ${dst_port}

30000168  INFO  Firewall / Packet Filter  Blocked site
  Log Message Example: Blocked site: Traffic detected from 10.0.1.2 to 61.231.45.165.
  Description: Traffic was detected to or from a blocked site.
  Format: Blocked site: Traffic detected from %src to %dst.
  Message Variables: Blocked site: Traffic detected from ${src} to ${dst}.

30000169  INFO  Firewall / Packet Filter  IP spoofing
  Log Message Example: IP spoofing: Traffic detected from 10.0.1.2 to 43.123.12.26.
  Description: IP spoofing was detected from the IP address specified in the log message.
  Format: IP spoofing: Traffic detected from %src to %dst.
  Message Variables: IP spoofing: Traffic detected from ${src} to ${dst}.

30000171  INFO  Firewall / Packet Filter  Conntrack table is full
  Log Message Example: The number of connections (%u) has reached the configured limit (%d).
  Description: The conntrack table is full. The number of connections has reached the configured limit.
  Format: The number of connections (2048) has reached the configured limit (2048).
  Message Variables: The number of connections (${value1}) has reached the configured limit (${value2}).

30000172  INFO  Firewall / Packet Filter  Blocked port
  Log Message Example: Blocked port: Traffic detected from %src to %dst on port %port.
  Description: Traffic was detected on a blocked port.
  Format: Blocked port: Traffic detected from 10.0.1.2 to 61.231.45.165 on port 513.
  Message Variables: Blocked port: Traffic detected from ${src} to ${dst} on port ${port}.
Diagnostic
Firewall log messages of the Debug (Diagnostic) log type.

ID  Level  Area  Name

30000006  INFO  Firewall / Packet Filter  Feature settings updated
  Log Message Example: Application control settings updated
  Description: Firewall settings for the feature specified in the message have been updated
  Format: %s settings updated
  Message Variables: –

30000007  INFO  Firewall / Packet Filter  DNS forwarding deferred
  Log Message Example: Deferred DNS forwarding until valid DNS server IP address is dynamically learned
  Description: DNS server IP address is not yet known, device will enable DNS when a DNS server IP address is detected
  Format: Deferred DNS forwarding until valid DNS server IP address is dynamically learned
  Message Variables: –

30000027  INFO  Firewall / Packet Filter  Firewall is starting up
  Log Message Example: Firewall is starting up
  Description: Firewall is starting up
  Format: –
  Message Variables: –

30000028  INFO  Firewall / Packet Filter  Firewall is shutting down
  Log Message Example: Firewall is shutting down
  Description: Firewall is shutting down
  Format: –
  Message Variables: –

30000029  INFO  Firewall / Packet Filter  Address exempted from blocked sites
  Log Message Example: IP address 192.168.111.254 will not be added to the blocked sites list because it is exempt
  Description: The particular IP address is an exemption and will not be added to the blocked sites list
  Format: IP address %s will not be added to the blocked sites list because it is exempt
  Message Variables: IP address ${ip} will not be added to the blocked sites list because it is exempt

30000040  INFO  Firewall / Packet Filter  Blocked site idle timeout
  Log Message Example: Idle timeout has occurred for blocked site 192.168.111.10
  Description: Idle timeout has occurred for the specified blocked site, and it will be removed from the blocked sites list.
  Format: Idle timeout has occurred for blocked site %s
  Message Variables: –

30000065  INFO  Firewall / Packet Filter  Quota amount used by the specified user
  Log Message Example: User James@Firebox-DB used 21MB of the bandwidth quota (100MB) and used 1 minute of the time quota (3 minutes).
  Description: –
  Format: User %s used %s
  Message Variables: User {user} used {quota info}

3000002A  INFO  Firewall / Packet Filter  Address already blocked
  Log Message Example: IP address 192.168.111.10 will not be added to the blocked sites list because it already exists.
  Description: –
  Format: IP address %s will not be added to the blocked sites list because it already exists.
  Message Variables: IP address ${ip} will not be added to the blocked sites list because it already exists.

3000003A  ERROR  Firewall / Packet Filter  Unable to read feature keys
  Log Message Example: Unable to read the feature keys, some features may be unavailable
  Description: Unable to read feature keys file or fail to parse feature keys file. Features that require a correct feature key will not function.
  Format: Unable to read the feature keys, some features may be unavailable
  Message Variables: –

3000003C  ERROR  Firewall / Packet Filter  No route to HTTP redirect host
  Log Message Example: Route look up on HTTP redirect host 192.168.111.10 for policy "FTP-00" failed, local redirect may not work
  Description: Route look up on HTTP redirect host for the specified policy failed, and local HTTP redirect may not work.
  Format: Route look up on HTTP redirect host %u.%u.%u.%u for policy "%s" failed, local redirect may not work
  Message Variables: –

3000012D  INFO  Firewall / Packet Filter  Verify ARP entry
  Log Message Example: Verify ARP entry for host at 192.168.111.10
  Description: The appliance sent an ARP request to verify learned ARP entry for a given host.
  Format: Verify ARP entry for host at %hu.%hu.%hu.%hu

3000012E  ERROR  Firewall / Packet Filter  Possible loop or ARP spoofing detected
  Log Message Example: Cannot relearn system MAC address, possible loop or MAC spoofing, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5
  Description: The appliance received an ARP packet sent from one of its own MAC addresses. It is possibly a network or cabling loop, or another device is faking this device's MAC address.
  Format: Cannot relearn system MAC address, possible loop or MAC spoofing, ip=%hu.%hu.%hu.%hu, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u
  Message Variables: Cannot relearn system MAC address, possible loop or another device is faking this device's MAC address, ip=${ip}, mac=${mac}, interface=${interface}
Event
Firewall log messages of the Event log type.

ID  Level  Area  Name

30000004  INFO  Firewall / Packet Filter  Application Control feature expired
  Log Message Example: The Application Control feature has expired.
  Description: The feature key for your Application Control subscription has expired.
  Format: The Application Control feature has expired.
  Message Variables: –

30000005  INFO  Firewall / Packet Filter  IPS feature expired
  Log Message Example: The IPS feature has expired.
  Description: The feature key for your Intrusion Prevention Services subscription has expired.
  Format: The IPS feature has expired.
  Message Variables: –

30011001  INFO  Firewall / Packet Filter  Temporarily blocking host
  Log Message Example: Temporarily blocking host 198.13.111.226
  Description: The host is blocked temporarily.
  Format: Temporarily blocking host %s
  Message Variables: Temporarily blocking host ${IP}

3000002F  INFO  Firewall / Packet Filter  Feature not supported by feature key
  Log Message Example: Feature key does not support the feature Policy based routing.
  Description: The device feature key does not support the specified feature.
  Format: Feature key does not support the feature %s.
  Message Variables: No valid ${featurename} feature

300000C9  INFO  Firewall / Packet Filter  Load Balance Server (TCP Probe)
  Log Message Example: TCP probe packets timeout, Load Balance Server 10.10.10.100 port 3030 is offline.
  Description: Load Balance Server status update due to response or lack of response to a TCP Probe packet. The log message specifies the server IP address and port.
  Format: %s %s , Load Balance Server %hu.%hu.%hu.%hu port %d is %s.
  Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} port ${port} is ${status}

300000CB  INFO  Firewall / Packet Filter  Load Balance Server (ICMP Probe)
  Log Message Example: ICMP probe packets timeout, Load Balance Server 10.10.10.100 is offline.
  Description: Update to status of Load Balance Server due to success or failure of ICMP Probe packet. The log message specifies the server IP and status.
  Format: %s %s , Load Balance Server %u.%u.%u.%u is %s.
  Message Variables: ${probemethod} ${reason}, Load Balance Server ${ip} is ${status}

3000012C  ERROR  Firewall / Packet Filter  ARP spoofing attack
  Log Message Example: ARP spoofing attack detected, ip=192.168.111.10, mac=00:50:da:c7:90:5d, interface=5
  Description: Detected an ARP spoofing attack. The log message specifies the source IP address, MAC address, and incoming interface of the ARP packet.
  Format: ARP spoofing attack detected, ip=%u.%u.%u.%u, mac=%02x:%02x:%02x:%02x:%02x:%02x, interface=%u
  Message Variables: ARP spoofing attack detected, ip=${ip}, mac=${mac}, interface=${interface}
TrafficFirewall logmessages of the Traffic log type.
ID Level Area Name Description Example Format Message Variables
30000148 INFO Firewall/PacketFilter
Normaltraffic
Details ofnormal trafficeither allowedor denied bythe firewallpolicyspecified inthe logmessage.
Allow Firebox 0-External 52 tcp 20 12710.0.1.2 206.190.60.138 62443 80 offset 8 S832026162 win 8192 (HTTP-00)
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}][${route_type}] ${policy_name}
30000149 INFO Firewall/PacketFilter
ApplicationControlTrafficidentified
ApplicationControlidentifiedtraffic for anapplication.
Allow 1-Trusted 0-External 40 tcp 20 12710.0.1.2 206.190.60.138 53008 80 offset 5 AF3212213617 win 257 app_name="WorldWideWebHTTP" cat_name="Network Protocols"app_beh_name="connect" app_id="63" app_cat_id="18" app_ctl_disp="2"msg="Application identified" (HTTP-00)
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d app_name=\"%s\" cat_name=\"%s\" app_beh_name=\"%s\" appid=\"%d\"app_cat_id=\"%d\" app_ctl_disp=\"%d\" msg=\"%s\" (%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] app_name=${app_name} cat_name=${cat_name} app_beh_name=${app_beh_name} appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp}msg=${msg} [${route_type}] ${policy_name}
30000150 INFO Firewall/PacketFilter
IPS Trafficdetected
IPS detectedtraffic thatmatches anIPSsignature.
Deny 1-Trusted 0-External 1440 tcp 20 6110.0.1.2 192.168.130.126 55810 80 offset 5 A447868619 win 54 signature_name="EXPLOITApple QuickTime FLIC Animation file bufferoverflow -1-2" signature_cat="Misc"signature_id="1112464" severity="4"msg="IPS detected" (HTTP-00)
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d signature_name=\"%s\"signature_cat=\"%s\"signature_id=\"%s\"severity=\"%d\" msg=\"%s\"(%s)
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}] signature_name=${signature_name} signature_cat=${signature_cat} signature_id=${signature_id} severity=${severity}msg=${msg} [${route_type}] ${policy_name}
30000151 INFO Firewall/PacketFilter
Trafficconnectionterminated
Record for aterminatedconnection
Allow 1-Trusted 0-External tcp 10.0.1.2220.181.90.24 53018 80 app_id="63" app_cat_id="18" app_ctl_disp="2" duration="80" sent_bytes="652" rcvd_bytes="423" (HTTP-00)
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d appid=\"%d\" app_cat_id=\"%d\" app_ctl_disp=\"%d\"duration=\"%d\" sent_
${disposition} ${inif} ${outif} ${ip_pkt_len} ${protocol}${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip|${dst_user}} [${tcp_info}] [${udp_info}]appid=${appid} app_cat_id=${app_cat_id} app_ctl_disp=${app_ctl_disp} duration=${duration} sent_
Firewall LogMessages
Log Catalog 14
ID Level Area Name Description Example Format Message Variables
bytes=\"%d\" rcvd_bytes=\"%d\" (%s)
bytes=${sent_bytes} rcvd_bytes=${rcvd_bytes}${policy_name}
30000173 INFO Firewall/PacketFilter
Hostiletraffic
Details ofhostile trafficdenied by thefirewallinternalpolicy.
Deny 0-External Firebox 52 tcp 20 127206.190.60.138 10.0.0.1 62443 80 offset 8 S832026162 win 8192 blocked sites (InternalPolicy)
%s %s %s %d%s %d%s %s%d%d offset %d%s %d%s%d(%s)
${inif} ${outif} ${ip_pkt_len} ${protocol} ${iph_len} ${TTL} {${src_ip}|${src_user}} {${dst_ip}|${dst_user}} [${tcp_info}] [${udp_info}] [${icmp_info}]
Networking Log Messages
Networking log messages are generated for traffic related to the connections through your Firebox. This can include events related to interface activity, dynamic routing, PPPoE connections, DHCP server requests, FireCluster management, link monitoring, and wireless connections.
Diagnostic
Networking log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
5A000001 INFO Networking /DynamicDNS
Response from Dynamic DNS server
Response from server: update succeeded with no change, abusive warning (1)
Receive the specified response from the dynamic DNS server.
Response from server: %s (%d)
Response from server: ${response} (${ret_code})
5A000002 INFO Networking /DynamicDNS
Dynamic DNS Domain Name Resolved
Resolved domain members.dyndns.org to 204.13.248.111
Dynamic DNS server domain name successfully resolved to an IP address.
Resolved domain%s to%s
Resolved domain ${domain} to ${ip}
5A000003 INFO Networking /DynamicDNS
Connected to the server
Connected to: members.dyndns.org / 204.13.248.111
Connected to the specified dynamic DNS server.
Connected to: %s / %s
Connected to: ${server_name} / ${server_ip}
5A000004 INFO Networking /DynamicDNS
Connecting to the server
Connecting to: members.dyndns.com / 204.13.248.111
Connecting to the specified dynamic DNS server.
Connecting to: %s / %s
Connecting to: ${server_name} / ${server_ip}
5A000005 INFO Networking /DynamicDNS
Activate dynamic DNS
Activating DynDNS on interface: External
Activate dynamic DNS on the specified interface.
Activating Dynamic DNS on interface: %s
Activating DynDNS on interface: ${if_name}
5A000006 DEBUG Networking /DynamicDNS
Received reply from the server
Received reply: HTTP/1.1 200 OK Date: Tue, 27 Nov 2012 17:14:57 GMT Server: Apache Content-Type: text/plain Connection: close good 192.168.53.88
Received the specified reply from the dynamic DNS server.
%s: Buffer Overflow. buf start[%p], buf end[%p], current pointer[%p]
Received reply: ${reply}
5A000007 ERROR Networking /DynamicDNS
Unable to resolve domain name
Could not resolve server: members.dyndns.org
Could not resolve domain for dynamic DNS server.
Could not resolve server: %s
Could not resolve server: ${server}
5A000008 ERROR Networking /DynamicDNS
Failed to connect to the server
Could not connect to members.dyndns.org / 204.13.248.111, connection refused
Could not connect to the dynamic DNS server due to specified reason.
Could not connect to%s / %s, %m
Could not connect to ${server_name} / ${server_ip}, ${reason}
5A000009 ERROR Networking /DynamicDNS
Unable to connect to server
Unable to connect to server: members.dyndns.org / 204.13.248.111
Unable to connect to the specified dynamic DNS server.
Unable to connect to server: %s / %s
Unable to connect to server: ${server_name} / ${server_ip}
5A00000A ERROR Networking /DynamicDNS
No response from server
No response from server members.dyndns.org / 204.13.248.111
Not able to get response from specified dynamic DNS server.
No response from server%s / %s
No response from server ${server_name} / ${server_ip}
5A00000B ERROR Networking /DynamicDNS
Invalid response from server
Invalid response from server (-2)
The dynamic DNS server returned an invalid response code. The log message specifies that code.
Invalid response from server (%d)
Invalid response from server (${ret_code})
5A00000C INFO Networking /DynamicDNS
The time for next update
Next update is on Tue, 27 Nov 2012 17:14:57
The log message specifies the next update time for dynamic DNS.
Next update is on%s
Next update is on ${time}
5A00000D DEBUG Networking /DynamicDNS
Send update request
Sending update request (138 bytes): GET /nic/update?system=dyndns
Sending dynamic DNS update request. The log message specifies the size and content of the request.
Sending update request (%zu bytes): %s
Sending update request (${size} bytes): ${content}
56000001 INFO Networking /DynamicRouting
Update IPv4 Dynamic Routes
Sync add an IPv4 dynamic route (10.0.1.2/24 gw 10.0.1.254 ifindex 1 metric 10)
Updated an IPv4 dynamic route. The log message specifies the route that is changed.
%s %s an IPv4 dynamic route (%s/%d gw%s ifindex %dmetric %d)
${event} ${action} an IPv4 dynamic route (${ip}/${mask} gw ${gw} ifindex ${ifindex} metric ${metric})
56010002 ERROR Networking /DynamicRouting
Failed to retrieve license
Failed to retrieve active license features
Failed to retrieve license features for dynamic routing.
Failed to retrieve active license features –
56010003 ERROR Networking /DynamicRouting
Failed to parse license
Failed to parse the active license features
Failed to parse license features for dynamic routing.
Failed to parse the active license features –
56010004 ERROR Networking /DynamicRouting
Not able to get license
Could not get license for dynamic routing features
Not able to get license for dynamic routing features.
Could not get license for dynamic routing features
–
56020001 DEBUG Networking /DynamicRouting
Received interface event
Received interface status event
Received an interface status event.
Received interface status event –
56020002 DEBUG Networking /DynamicRouting
Received cluster event
Received cluster ready event
Received cluster ready event.
Received cluster ready event –
56020003 DEBUG Networking /DynamicRouting
Received cluster event
Received cluster role change event
Received cluster role change event.
Received cluster role change event –
56020004 DEBUG Networking /DynamicRouting
Received license event
Received License Update event
Received a license update event.
Received License Update event –
56020005 ERROR Networking /DynamicRouting
RCS unresponsive
RCS(10.10.10.10) is unresponsive, and is considered stopped
The RCS at the specified IP address has become unresponsive
RCS(%s) is unresponsive, and is considered stopped
RCS(${ip}) is unresponsive, and is considered stopped
56020006 INFO Networking /DynamicRouting
Not able to forward request to RCS
Could not forward request to RCS, not connected
Not able to forward request to RCS due to no connection.
Could not forward request to RCS, not connected
–
56030001 ERROR Networking /DynamicRouting
An error was detected in the configuration. The log message specifies the line number of the error.
Configuration error detected in ripd.conf, line 12: 'network 192.168.53.0/24 area 0'
An error was detected in the configuration. The log message specifies the line number of the error.
Configuration error detected in%s, line%d:'%s'
Configuration error detected in ${config}, line ${lineno}: '${line}'
56040001 ERROR Networking /DynamicRouting
Not able to connect to RCS
Could not connect to RCS, 10.0.1.10
Not able to connect to RCS with the specified IP address.
Could not connect to RCS, %s
Could not connect to RCS, ${ip}
56040002 ERROR Networking /DynamicRouting
Connection to RCS closed
Connection to RCS was closed
Connection to RCS closed.
Connection to RCS was closed –
45000001 ERROR Networking /Modem
Duplicate modem instance running
Another instance of Modem is running
System loaded Modem process, but another instance is already active.
Another instance of Modem is running –
31000003 INFO Networking /NetworkManagement
Initiate gratuitous ARP
Initiating GARP for eth0
Initiate gratuitous ARP for the specified interface.
Initiating GARP for%s
Initiating GARP for ${dev_name}
31000004 INFO Networking /NetworkManagement
Initiate gratuitous ARP
Initiating GARP for all interfaces
Initiate gratuitous ARP for all the interfaces.
Initiating GARP for all interfaces –
31000030 INFO Networking /NetworkManagement
Send interface logical link status event
[eth0] Sending interface status event, logical=up link=up ip=10.0.0.1 mask=255.255.255.0
Interface status event is sent for logical link status change.
[%s] Sending interface status event%s,logical=%s link=%s ip=%u.%u.%u.%umask=%u.%u.%u.%u
[${dev_name}] Sending interface status event, logical=${logical} link=${link} ip=${ip} mask=${mask}
31000031 INFO Networking /NetworkManagement
Send interface link status event
[eth0] Sending interface status event for link up
Interface status event is sent for link change.
[%s] Sending interface status event%s for link %s
[${dev_name}] Sending interface status event for link ${link}
31000034 INFO Networking /NetworkManagement
A change was made to the IP address of the external interface
[eth0 (External)] External Interface set IP address
Handle IP address for the specified external interface.
[%s (%s)] External Interface%s IP address
[${dev_name} (${if_name})] External Interface ${operation} IP address
31000035 ERROR Networking /NetworkManagement
Ignore unknown address operation
[eth0 (External)] Ignoring unknown address operation sss
Ignore unknown address operation on the specified interface.
[%s (%s)] Ignoring unknown address operation%s
[${dev_name} (${if_name})] Ignoring unknown address operation ${operation}
31000036 INFO Networking /NetworkManagement
Layer 2 traffic gate is closed
[Cluster] The traffic gate of layer2 is closed due to cluster role backup
Layer 2 traffic gate is closed due to the specified reason.
[Cluster] The traffic gate of layer2 is closed due to cluster role%s
[Cluster] The traffic gate of layer2 is closed due to cluster role ${role}
31000037 INFO Networking /NetworkManagement
Layer 2 traffic gate is opened
[Cluster] The traffic gate of layer2 is opened due to cluster role master
Layer 2 traffic gate is opened due to the specified reason.
[Cluster] The traffic gate of layer2 is opened due to cluster role%s
[Cluster] The traffic gate of layer2 is opened due to cluster role ${role}
31000038 INFO Networking /NetworkManagement
Traffic signal changed
[Cluster] Traffic signal become%s
Traffic signal is changed to the specified status.
[Cluster] Traffic signal become%s
[Cluster] Traffic signal become ${status}
31000050 INFO Networking /NetworkManagement
Starting wireless AP
Starting wireless AP ath1
Starting specified wireless AP.
Starting wireless AP %s –
31000051 INFO Networking /NetworkManagement
Stopping wireless AP
Stopping wireless AP ath1
Stopping the specified wireless Access Point.
Stopping wireless AP %s –
31000057 INFO Networking /NetworkManagement
Start processing configuration
Starts processing a configuration setting
Started to process configuration settings.
Starts processing a configuration setting –
31000058 INFO Networking /NetworkManagement
Update bridge mode settings
Updating global bridge mode setting
Update global bridge mode settings.
Updating global bridge mode setting –
31000059 INFO Networking /NetworkManagement
Update drop-in mode settings
Updating global drop-in mode setting
Update global drop-in mode settings.
Updating global drop-in mode setting –
31000070 INFO Networking /NetworkManagement
Clean up stale connections
[Cluster] Clean up stale IP connections with expired address 192.168.1.22 for PPPoE interface eth0
Clean up stale connections for the expired IP address on dynamic interface.
[Cluster] Clean up stale IP connections with expired address %s for%s interface%s
[Cluster] Clean up stale IP connections with expired address ${ip} for dynamic interface ${dev_name}
31000075 ERROR Networking /NetworkManagement
DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.
DNSWatch is expired or was disabled. Your Firebox does not have a configured DNS server. To make sure your Firebox does not use the DNSWatch servers, you must specify a DNS server in the network DNS/WINS settings.
31130001 ERROR Networking /NetworkManagement
Capture stopped
Capture stopped, insufficient space
Capture stopped due to the specified reason.
Capture stopped, %s
Capture stopped, ${reason}
3100000F INFO Networking /NetworkManagement
Add bridge interface
Adding bridge tbr0
Add bridge interface in bridge mode.
Adding bridge%s
Adding bridge ${dev_name}
3100003D INFO Networking /NetworkManagement
Update ARP rules
[Cluster] Update arp rules for cluster role backup
Update ARP rules for the specified cluster role.
[Cluster] Update arp rules for cluster role%s
[Cluster] Update arp rules for cluster role ${role}
3100004F INFO Networking /NetworkManagement
Fix up multipath gateways
[ECMP] Fixup 2 multipath gateway successfully
Fix up multipath gateways of the specified number successfully.
[ECMP] Fixup%dmultipath gateway successfully
[ECMP] Fixup ${num} multipath gateway successfully
3100005A INFO Networking /NetworkManagement
Update wireless settings
Updating wireless setting
Update wireless settings
Updating wireless setting –
3100005B INFO Networking /NetworkManagement
Update secondary IP settings
Updating Trust-1 secondary IP(s) setting
Update secondary IP address settings for the specified interface.
Updating%s secondary IP(s) setting
Updating ${if_name} secondary IP(s) setting
3100005C INFO Networking /NetworkManagement
Update route settings
Updating route setting
Update route settings.
Updating route setting –
3100005D INFO Networking /NetworkManagement
Update 1to1 NAT settings
Updating 1to1 NAT setting
Update 1-to-1 NAT settings.
Updating 1to1 NAT setting –
3100005E INFO Networking /NetworkManagement
Update DNS settings
Updating DNS setting
Update DNS settings.
Updating DNS setting –
9000001 ERROR Networking /PPPoE
Duplicate PPPoE Instance Error
Another instance of PPPoE is running
Another instance of the PPPoE process is already active in the system.
Another instance of PPPoE is running –
9000002 ERROR Networking /PPPoE
Invalid PPPoE automatic restart settings
PPPoE automatic restart settings are invalid, automatic restart will not be used
Automatic restart of PPPoE is disabled due to invalid settings.
PPPoE automatic restart settings are invalid, automatic restart will not be used
–
9000006 INFO Networking /PPPoE
Initiate PPPoE automatic restart
Initiating PPPoE automatic restart
PPPoE instance will restart automatically.
Initiating PPPoE automatic restart –
9000007 WARN Networking /PPPoE
Skip PPPoE automatic restart
Skipped PPPoE automatic restart because the link was not up
PPPoE instance will not restart automatically due to no link.
Skipped PPPoE automatic restart because the link was not up
–
Event
Networking log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
16000001 ERROR Networking /DHCPServer
DHCP discover
DHCPDISCOVER from 00:50:04:ce:c6:3d via eth1: network 192.168.111.0/24: no free leases
Received DHCP discover from the client, but there are no free leases available.
%s –
16000002 INFO Networking /DHCPServer
DHCP offer
DHCPOFFER on 192.168.111.20 to 84:2b:2b:a6:02:3f (client) via eth1
The DHCP server offered an IP address to the specified client device.
%s –
16000003 INFO Networking /DHCPServer
DHCP request
DHCPREQUEST for 192.168.111.20 from 84:2b:2b:a6:02:3f (client) via eth1
Received DHCP request for specified IP address from the specified client.
%s –
68000001 INFO Networking /Discovery
Network scan completed
On demand scan completed
Specified type of scan completed
%s scan completed
${scan_type} scan completed
68000002 INFO Networking /Discovery
Network scan started
On demand scan - stage 2 started
Specified type and stage of scan started
%s scan%s started
${scan_type} scan ${scan_stage} started
68000003 INFO Networking /Discovery
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
On demand scan - stage 1 completed
56000002 INFO Networking /DynamicRouting
Cluster role failed over to backup
Failed over from master to backup
Cluster role failed over from master to backup
Failed over from master to backup –
56000003 INFO Networking /DynamicRouting
Cluster role failed over to master
Failed over from backup to master
Cluster role failed over from backup to master
Failed over from backup to master –
56010001 WARN Networking /DynamicRouting
No valid feature key
Invalid or missing feature key for dynamic routing protocol OSPF
No valid feature key for the specified dynamic routing protocol.
Invalid or missing feature key for dynamic routing protocol %s
–
56010005 INFO Networking /DynamicRouting
License status
License for dynamic routing protocol BGP is valid
Specifies the license status for a dynamic routing protocol.
License for dynamic routing protocol %s is %s
License for dynamic routing protocol ${proto} is ${status}
45000003 INFO Networking /Modem
Modem disconnected
modem0 disconnected
Specified modem is disconnected.
%s disconnected –
45000004 ERROR Networking /Modem
Modem authentication failed
Modem authentication failed, check your modem configuration
Modem authentication failed.
Modem authentication failed, check your modem configuration
–
31000009 INFO Networking /NetworkManagement
Interface initializing
[eth1 (Trusted)] Interface initializing
Initializing the specified interface.
[%s (%s)] Interface initializing
[${dev_name} (${if_name})] Interface initializing
31000010 ERROR Networking /NetworkManagement
Failed to add bridge
Failed to add bridge tbr0 VLAN ID 1
Failed to add bridge
Failed to add bridge%s VLAN ID %d –
31000029 ERROR Networking /NetworkManagement
Failed to add interface IP address
[eth1 (Trusted)] Failed to add address 198.51.100.0
Failed to add the specified IP address to the specified interface.
[%s (%s)] Failed to%s address %s –
31000039 INFO Networking /NetworkManagement
Cluster management interface change
[Cluster] Management interface setting is changed: interface from eth1 to eth2, IPv4 address from 10.0.1.3 to 10.0.2.3, IPv4 mask from 24 to 24, IPv6 CIDR from 2000::1/64 to 2001::2/64
The configuration for the cluster management interface changed. The log message specifies changes to the interface, IP address, mask and IPv6 address.
[Cluster] Management interface setting is changed: interface from%s to%s, IPv4 address from%u.%u.%u.%u to%u.%u.%u.%u IPv4 mask from%d to%d IPv6 CIDR from%s to%s%s
[Cluster] Management interface setting is changed: interface from ${pre_if} to ${new_if}, IPv4 address from ${pre_ip} to ${new_ip} IPv4 mask from ${pre_mask} to ${new_mask} IPv6 CIDR from ${pre_ipv6} to ${new_ipv6}%s
31000046 INFO Networking /NetworkManagement
Activating external interface
[eth0 (External)] Activating external interface
Activating specified external interface.
[%s (%s)] Activating external interface
[${dev_name} (${if_name})] Activating external interface
31000047 INFO Networking /NetworkManagement
Deactivating external interface
[eth0 (External)] Deactivating external interface
Deactivating the specified external interface.
[%s (%s)] Deactivating external interface
[${dev_name} (${if_name})] Deactivating external interface
31000052 INFO Networking /NetworkManagement
Starting wireless AP service
Starting wireless AP service
Starting wireless AP service.
Starting wireless AP service –
31000054 INFO Networking /NetworkManagement
Detect rogue wireless AP
Starting the scan for rogue wireless AP detection
Starting rogue wireless AP detection scan.
Starting the scan for rogue wireless AP detection –
31000055 INFO Networking /NetworkManagement
Stop detecting rogue wireless AP
Stopping the scan for rogue wireless AP detection
Stopping rogue wireless AP detection scan.
Stopping the scan for rogue wireless AP detection –
31000056 INFO Networking /NetworkManagement
Restart detecting rogue wireless AP
Restart the scan for rogue wireless AP detection
Restart rogue wireless AP detection scan.
Restart the scan for rogue wireless AP detection –
31000069 INFO Networking /NetworkManagement
IPv6 interface activated.
[eth0 (External)] IPv6 interface is activated.
An IPv6 interface was activated. The log message specifies the interface.
[%s (%s)] IPv6 interface is activated. –
31000071 INFO Networking /NetworkManagement
PPPoE IP address change during cluster failover
[eth0 (External)] PPPoE IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23
The cluster completed a failover. During the failover, the PPPoE IP address changed.
[%s (%s)] PPPoE IP address changed during cluster failover, from%s to%s
[${dev_name} (${if_name})] PPPoE IP address changes during cluster failover, from ${pre_ip} to ${new_ip}
31000072 INFO Networking /NetworkManagement
No change for PPPoE IP address during cluster failover
[eth0 (External)] PPPoE IP address 192.168.1.22 did not change during cluster failover
PPPoE IP address did not change during cluster failover.
[%s (%s)] PPPoE IP address %u.%u.%u.%u did not change during cluster failover
–
31000073 INFO Networking /NetworkManagement
DHCP IP address change during cluster failover
[eth0 (External)] DHCP IP address changed during cluster failover, from 192.168.1.22 to 192.168.1.23
The cluster completed a failover. During the failover, the DHCP IP address changed.
[%s (%s)] DHCP IP address changed during cluster failover, from%s to%s
[${dev_name} (${if_name})] DHCP IP address changes during cluster failover, from ${pre_ip} to ${new_ip}
31000074 INFO Networking /NetworkManagement
No change for DHCP IP address during cluster failover
[eth0 (External)] DHCP IP address 192.168.1.22 did not change during cluster failover
DHCP IP address did not change during cluster failover.
[%s (%s)] DHCP IP address %u.%u.%u.%u did not change during cluster failover
–
3100000A INFO Networking /NetworkManagement
Interface shutting down
[eth1 (Trusted)] Interface shutting down
Shutting down the specified interface.
[%s (%s)] Interface shutting down
[${dev_name} (${if_name})] Interface shutting down
3100000B INFO Networking /NetworkManagement
Multi-WAN interface activated.
[eth1 (Trusted)] Interface is activated due to link-monitor success.
Interface is activated due to link-monitor success. The log message specifies the interface.
[%s (%s)] Interface is activated due to link-monitor success.
–
3100000D WARN Networking /NetworkManagement
Multi-WAN interface deactivated
[eth1 (Trusted)] Interface is deactivated due to link-monitor failure.
Interface is deactivated due to link-monitor failure. The log message specifies the interface.
[%s (%s)] Interface is deactivated due to link-monitor failure.
–
3100002B ERROR Networking /NetworkManagement
Interface is disabled
[eth1 (Trusted)] Interface is disabled because it does not exist
Specified interface does not exist. The interface status is set to disabled.
[%s (%s)] Interface is disabled because it does not exist
[${dev_name} (${if_name})] Interface is disabled because it does not exist
3100002C WARN Networking /NetworkManagement
Interface link status changed
[eth1 (Trusted)] Interface link status changed to UP
The interface link status has changed. The log message specifies the new status.
[%s (%s)] Interface link status changed to%s –
3100003A WARN Networking /NetworkManagement
Cluster is enabled
Cluster is enabled and is forming
Cluster is enabled and is forming.
Cluster is enabled and is forming –
3100003B WARN Networking /NetworkManagement
Cluster setting changed to disabled
Cluster setting changed from enabled to disabled
The cluster setting was changed from enabled to disabled.
Cluster setting changed from enabled to disabled –
3100003E INFO Networking /NetworkManagement
Cluster A/P role changed
[Cluster] Cluster A/P role successfully changed from master to idle.
The role of this device in the active/passive (A/P) cluster changed. The log message specifies the old and new roles.
[Cluster] Cluster A/P role successfully changed from%s to%s.
–
3100003F INFO Networking /NetworkManagement
Cluster A/A role changed
[Cluster] Cluster A/A role successfully changed from master to idle.
The Cluster active/active (A/A) role changed. The log message specifies the old and new roles.
[Cluster] Cluster A/A role successfully changed from%s to%s.
–
3100006A WARN Networking /NetworkManagement
IPv6 interface deactivated.
[eth0 (External)] IPv6 interface is deactivated.
IPv6 interface was deactivated. The log message specifies the interface.
[%s (%s)] IPv6 interface is deactivated. –
3100006C INFO Networking /NetworkManagement
IPv6 interface shutting down
[eth0 (External)] IPv6 interface shutting down
Shutting down specified IPv6 interface.
[%s (%s)] IPv6 interface shutting down
[${dev_name} (${if_name})] IPv6 interface shutting down
3100006D INFO Networking /NetworkManagement
IPv6 interface initializing
[eth0 (External)] IPv6 interface initializing
Initializing specified IPv6 interface.
[%s (%s)] IPv6 interface initializing
[${dev_name} (${if_name})] IPv6 interface initializing
9000004 ERROR Networking /PPPoE
Authentication failure
PPPoE authentication failed
The Firebox or XTM device failed to authenticate for PPPoE.
PPPoE authentication failed –
09000005 ERROR Networking /PPPoE
PPPoE stopped
PPPoE stopped unexpectedly (unknown error)
PPPoE stopped unexpectedly due to an unknown error.
PPPoE stopped unexpectedly (unknown error) –
09000008 INFO Networking /PPPoE
Enforce static IP address
[eth2 (External)] Enforced PPPoE static IP address: 192.168.3.48 is replaced with 192.168.3.29
Replaced the assigned PPPoE IP address with the configured static IP address. The assigned IP address is retained as a secondary IP address for the interface.
[%s (%s)] Enforced PPPoE static IP address: %s is replaced with%s
[${dev_name} (${if_name})] Enforced PPPoE static IP address: ${nego_ip} is replaced with ${static_ip}
9000009 INFO Networking /PPPoE
Session established
[eth0 (External)] PPPoE session[11] is established, acquired IP address 192.168.3.48, peer 192.168.3.254
The specified interface established a PPPoE session. The log message also specifies the session ID, acquired IP address, and peer IP address.
[%s (%s)] PPPoE session[%d] is established, acquired IP address %s, peer%s
[${physical_name} (${ifname})] PPPoE session[${session_id}] is established, acquired IP address ${ipaddr}, peer ${peer_addr}
0900000A INFO Networking /PPPoE
Disconnect
[eth0 (External)] PPPoE session[11] is disconnected.
The PPPoE session for the specified interface is disconnected.
[%s (%s)]PPPoE session[%d] is disconnected. –
54000001 INFO Networking /RogueAccessPointDetection
Scan started
Scan=0-34 started
Scan started, it will last about 30 seconds, wireless traffic will be interrupted in the meantime
Scan=%u-%llu started –
54000002 INFO Networking /RogueAccessPointDetection
Scan ended%zd%zd
Scan=0-34 ended 0 0
Scan ended [Rogue AP Count] [Trusted AP Count]
Scan=%u-%llu ended%zd%zd –
54000003 WARN Networking /RogueAccessPointDetection
Detected Rogue AP
Scan=0-34 detected Rogue AP with mac_address='00:90:0b:1b:34:30'
Scan detected Rogue AP, this AP is not in the list of 'Trusted Access Point Configuration'
Scan=%u-%llu detected Rogue AP with%s –
54000004 INFO Networking /RogueAccessPointDetection
Detected Trusted AP
Scan=0-34 detected Trusted AP with mac_address='00:90:0b:1b:35:40'
Scan detected Trusted AP, this AP is in the list of 'Trusted Access Point Configuration'
Scan=%u-%llu detected Trusted AP with%s –
61000002 WARN Networking /WirelessController
Model mismatch
Model mismatch for configured Wireless Access Point [123456789ABCD]: configured as AP100, but appears to be AP200.
The Wireless Access Point appears to be a different model than what is configured in the Gateway Wireless Controller.
Model mismatch for configured Wireless Access Point [%.13s]: configured as %s, but appears to be%s.
Model mismatch for configured Wireless Access Point [${serial_no}]: configured as ${configured_model}, but appears to be ${actual_model}.
61000003 WARN Networking /WirelessController
Wireless Access Point activation failure
LiveSecurity Service activation failed for [20AP0275FF17A]; will try again later.
The Gateway Wireless Controller is unable to contact the WatchGuard LiveSecurity Service to activate the service and support contract for the Wireless Access Point.
LiveSecurity Service activation failed for [%.13s]; will try again later.
LiveSecurity Service activation failed for [${serial_no}]; will try again later.
61000004 INFO Networking /WirelessController
New Wireless Access Point discovered
Discovered new Wireless Access Point model AP102 [123456789ABCD] at 10.0.42.15.
A new Wireless Access Point has been discovered by the Gateway Wireless Controller.
Discovered new Wireless Access Point model %s[%.13s] at %s.
Discovered new Wireless Access Point model ${actual_model} [${serial_no}] at ${ip_address}.
61000005 INFO Networking /WirelessController
Wireless Access Point reboot
Wireless Access Point [123456789ABCD] rebooted 92 seconds ago.
A Wireless Access Point has rebooted.
Wireless Access Point [%.13s] rebooted%luseconds ago.
Wireless Access Point [${serial_no}] rebooted ${seconds} ago.
61000006 WARN Networking /WirelessController
Wireless Access Point went offline
Wireless Access Point 'South' [123456789ABCD] went offline.
A Wireless Access Point has gone offline.
Wireless Access Point '%s' [%.13s] went offline.
Wireless Access Point '${name}' [${serial_no}] went offline.
61000007 INFO Networking /WirelessController
Wireless Access Point now online
Wireless Access Point [123456789ABCD] now online.
A Wireless Access Point is now online.
Wireless Access Point [%.13s] now online.
Wireless Access Point [${serial_no}] is now online.
61000008 INFO Networking /WirelessController
Wireless Access Point firmware version change
Wireless Access Point [123456789ABCD] firmware version changed from 1.2.8.2 to 1.2.9.1.
The Wireless Access Point firmware version has changed.
Wireless Access Point [%.13s] firmware version changed from%s to%s.
Wireless Access Point [${serial_no}] firmware version changed from ${old_firmware_ver} to ${current_firmware_ver}.
61000009 INFO Networking /WirelessController
Wireless Access Point configuration updated
Configuration updated on Wireless Access Point [123456789ABCD].
The Wireless Access Point has been reconfigured.
Configuration updated on Wireless Access Point [%.13s].
Configuration updated on Wireless Access Point [${serial_no}].
61000010 INFO Networking /WirelessController
Automatic Deployment Event
Automatically deploying Wireless Access Point [ABC1234567890].
This log is generated whenever an unpaired Wireless Access Point is automatically deployed due to the Automatic Deployment setting being enabled.
Automatically deploying Wireless Access Point [%.13s].
Automatically deploying Wireless Access Point [${serial_no}].
61000012 WARN Networking /WirelessController
Wireless Access Point Trust Failure
Wireless Access Point 'BreakRoom' [ABC1234567890] has failed trust validation for 192.168.1.2.
This log is generated whenever a deployed Wireless Access Point fails its trust validation check (digital certificate or host key failure).
Wireless Access Point '%s' [%.13s] has failed trust validation for%s.
Wireless Access Point '${name}' [${serial_no}] has failed trust validation for ${ip_address}.
61000013 INFO Networking /WirelessController
Wireless Access Point Trust Validation Restored
Wireless Access Point 'Lobby' [ABC1234567890] restored its trust validation for 192.168.1.2.
This log is generated whenever a deployed Wireless Access Point successfully restores its trust validation check (digital certificate or host key validation).
Wireless Access Point '%s' [%.13s] restored its trust validation for%s.
Wireless Access Point '${name}' [${serial_no}] restored its trust validation for ${ip_address}.
6100000A INFO Networking / Wireless Controller
Wireless Access Point paired
Wireless Access Point [123456789ABCD] has been paired.
The Wireless Access Point has been paired with the Gateway Wireless Controller.
Wireless Access Point [%.13s] has been paired.
Wireless Access Point [${serial_no}] has been paired.
6100000B INFO Networking / Wireless Controller
Wireless Access Point unpaired
Wireless Access Point [123456789ABCD] has been unpaired.
The Wireless Access Point has been unpaired with the Gateway Wireless Controller, and will be reset to the factory default configuration.
Wireless Access Point [%.13s] has been unpaired.
Wireless Access Point [${serial_no}] has been unpaired.
6100000C WARN Networking / Wireless Controller
Rogue Access Point detected
Rogue Access Point detected at 00:90:7f:00:00:00, broadcasting SSID "MyCorpPub".
The Gateway Wireless Controller has detected a Rogue Access Point at the given BSSID, broadcasting the indicated SSID.
Rogue Access Point detected at %02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx, broadcasting SSID "%s".
Rogue Access Point detected at ${bssid}, broadcasting SSID "${ssid}".
6100000F INFO Networking / Wireless Controller
Scheduled Restart Event
Initiating scheduled automatic wireless reboot on Wireless Access Point [ABC1234567890].
If scheduled restarts are enabled, this log message will appear prior to the restart action taking place on the specified Wireless Access Point.
Initiating scheduled automatic reboot on Wireless Access Point [%.13s].
Initiating scheduled automatic reboot on Wireless Access Point [${serial_no}].
Proxy Policy Log Messages
Proxy policy log messages are generated for traffic managed by the proxy policies configured on your Firebox. This can include events related to traffic through the proxy, proxy actions, authentication, Subscription Services, and Security Services. For information about log messages from Security Services processes, see Security Services Log Messages on page 91.
Event
Proxy Policy log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
0F000001 INFO Proxy / Connection Framework Manager
HTTPS content inspection list imported
HTTPS content inspection exception list imported
When a pre-defined HTTPS exception list is imported, this event log is generated to inform the user.
HTTPS content inspection exception list imported
—
0F010015 WARN Proxy / Connection Framework Manager
APT threat notified
APT threat notified. Details='%s'
When the APT server returns an analysis result that identifies a threat of a certain level, this event log is generated to indicate that the APT notification was sent with detailed information.
APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'
—
0F010016 INFO Proxy / Connection Framework Manager
APT safe result from file submission. Details='%s'
APT safe result from file submission. Details='%s'
—
APT safe result from file submission. Details='Policy Name: HTTP-OUT-00 Reason: clean Message: APT safe object Task_UUID: 7a1e1500e92a410fa44d907f96b9209e MD5: d2723ba60dc88ec1ea449be9eee601cc Source IP: 10.0.1.2 Source Port: 50293 Destination IP: 100.100.100.3 Destination Port: 80 Proxy Type: HTTP Proxy Host: 100.100.100.3 Path: /test.exe'
—
1C0200CD ERROR Proxy / FTP
Ruleset lookup failed
Cannot get the rule from ruleset '%s'
FTP proxy -- Failed to check the specified ruleset
Cannot get the rule from ruleset 'request/download'
—
1B0400CE ERROR Proxy / SMTP
Ruleset lookup failed
Ruleset '%s' lookup failed
SMTP proxy -- Failed to check the specified ruleset
Ruleset 'envelope/greeting' lookup failed
—
Traffic
Proxy Policy log messages of the Traffic log type.
ID Level Area Name Log Message Example Description Format Message Variables
1DFF0000 INFO Proxy / DNS
Invalid number of questions
DNS invalid number of questions
The traffic was blocked because the message included an invalid number of questions.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56701 53 msg="ProxyDeny: DNS invalid number of questions" (DNS-proxy-00)
—
1DFF0001 INFO Proxy / DNS
Query name oversized
DNS oversized query name
The DNS query was blocked because the DNS query name exceeded the allowed buffer size, which varies from 0 kilobytes to 64 kilobytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56702 53 msg="ProxyDeny: DNS oversized query name" (DNS-proxy-00)
—
1DFF0002 INFO Proxy / DNS
Query name compressed
DNS compressed query name
The DNS query was blocked because the domain name was compressed.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56703 53 msg="ProxyDeny: DNS compressed query name" (DNS-proxy-00)
—
1DFF0003 INFO Proxy / DNS
Parse error
DNS Parse error
The DNS request was blocked because the proxy failed to parse the domain name.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)
—
1DFF0004 INFO Proxy / DNS
Not Internet CLASS
DNS Not Internet CLASS
The DNS query was not Internet CLASS. The log message specifies the action taken and the CLASS.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 46828 53 msg="ProxyDeny: DNS Not Internet CLASS" proxy_act="DNS-Outgoing.1" query_class="ANY" (DNS-proxy-00)
—
1DFF0005 INFO Proxy / DNS
OPcode match
DNS OpCode match
The OpCode matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule, and the OpCode.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyDeny: DNS OpCode match" proxy_act="DNS-Outgoing.1" rule_name="Query" query_opcode="QUERY" (DNS-proxy-00)
—
1DFF0006 INFO Proxy / DNS
Query type match
DNS query type match
The query type matched a configured rule, or the default rule of no match. The log message specifies the action taken, the rule matched, and the query type.
Deny 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 53710 53 msg="ProxyDeny: DNS query type match" proxy_act="DNS-Outgoing.1" rule_name="PTR record" query_type="PTR" (DNS-proxy-00)
—
1DFF0007 INFO Proxy / DNS
Question undersized
DNS undersized question
The DNS query was blocked because the query size was less than the minimum valid size of 17 bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS undersized question" (DNS-proxy-00)
—
1DFF0008 INFO Proxy / DNS
Question oversized
DNS oversized question
The DNS query was blocked because the query size exceeds the maximum allowed size of 271 bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56705 53 msg="ProxyDeny: DNS oversized question" (DNS-proxy-00)
—
1DFF0009 INFO Proxy / DNS
Timeout
DNS timeout
The DNS connection was idle longer than the configured timeout value in the DNS policy.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 54807 53 msg="ProxyDrop: DNS timeout" (DNS-proxy-00)
—
1DFF000A INFO Proxy / DNS
Response answer undersized
DNS undersized answer
The DNS response was blocked because the response size was less than the minimum value of 17 bytes.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS undersized answer" (DNS-proxy-00)
—
1DFF000C INFO Proxy / DNS
Response ID Invalid
DNS invalid response
The DNS response was blocked because the response ID did not match the current or previous request ID.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56706 53 msg="ProxyDeny: DNS invalid response" (DNS-proxy-00)
—
1DFF000E INFO Proxy / DNS
Query question match
DNS question match
The DNS query name matched a configured rule, or the default rule of no match. The log message specifies the rule matched, action taken, and query name.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 59806 53 msg="ProxyDeny: DNS question match" proxy_act="DNS-Outgoing.1" rule_name="GStatic" query_type="A" question="ssl.gstatic.com" (DNS-proxy-00)
—
1DFF000F INFO Proxy / DNS
Request
DNS request
The DNS request audit log specifies the query type and name.
Allow 2-Optional-1 0-External udp 10.0.2.2 192.168.130.245 61758 53 msg="DNS request" proxy_act="DNS-Outgoing.1" query_type="PTR" question="1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa" (DNS-proxy-00)
—
1DFF0010 INFO Proxy / DNS
IPS match
DNS IPS match
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, and signature category.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1024 53 msg="ProxyDrop: DNS IPS match" proxy_act="DNS-Outgoing.1" signature_id="1056125" severity="4" signature_name="EXPLOIT Tftpd32 DNS Server Buffer Overflow" signature_cat="Buffer Over Flow" (DNS-proxy-00)
—
1DFF0012 INFO Proxy / DNS
Application match
DNS App match
Application Control identified the application type from the DNS client query and server response. The log message specifies the application name and ID, the application category name and ID, and the behavior name and ID.
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.130.81 36755 53 msg="ProxyAllow: DNS App match" proxy_act="DNS-Outgoing.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (DNS-proxy-00)
—
1CFF0000 INFO Proxy / FTP
User name too long
FTP user name too long
The user name exceeds the maximum length specified in the FTP proxy. The default is 64 characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60774 21 msg="ProxyDeny: FTP user name too long" proxy_act="FTP-Client.1" user="testusertestuser1" length="17" (FTP-proxy-00)
—
1CFF0001 INFO Proxy / FTP
Password too long
FTP user password too long
The password specified for the user exceeds the maximum length configured in the FTP proxy. The default maximum length is 32 characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60776 21 msg="ProxyDeny: FTP user password too long" proxy_act="FTP-Client.1" length="17" (FTP-proxy-00)
—
1CFF0002 INFO Proxy / FTP
File or directory name too long
FTP file or directory name too long
The file or directory name exceeds the maximum length configured in the FTP proxy. The default maximum length is 1,024 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60782 21 msg="ProxyDeny: FTP file or directory name too long" proxy_act="FTP-Client.1" length="5" (FTP-proxy-00)
—
1CFF0003 INFO Proxy / FTP
Command line too long
FTP command line too long
The command exceeded the maximum length configured in the FTP proxy. The default maximum length is 1,030 characters.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 60784 21 msg="ProxyDeny: FTP command line too long" proxy_act="FTP-Client.1" length="12" (FTP-proxy-00)
—
1CFF0004 INFO Proxy / FTP
Exceeded maximum allowed login attempts
FTP exceeded maximum permitted login attempts
The user exceeded the configured maximum number of allowed failed log in attempts per connection. The default limit is 6.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49162 21 msg="ProxyDrop: FTP exceeded maximum permitted login attempts" (FTP-proxy-00)
—
1CFF0005 INFO Proxy / FTP
Command match
FTP command match
The command matched a configured rule, or the default of no match. For the FTP-server proxy action, the default is to deny any command that does not appear on the list. For the FTP-client proxy action, there is no default restriction on commands. The log message specifies the proxy action, action taken, and the command.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49196 21 msg="ProxyDeny: FTP command match" proxy_act="FTP-Client.2" rule_name="LIST" command="ls" (FTP-proxy-00)
—
1CFF0006 INFO Proxy / FTP
Download match
FTP download match
The file type matched a configured download rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49208 21 msg="ProxyDeny: FTP download match" proxy_act="FTP-Client.2" rule_name="*.zip" file_name="hostname.zip" (FTP-proxy-00)
—
1CFF0007 INFO Proxy / FTP
Upload match
FTP upload match
The file type matched a configured upload rule, or the default rule of no match. The log message specifies the proxy action, action taken, and file type.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49228 21 msg="ProxyDeny: FTP upload match" proxy_act="FTP-Client.2" rule_name="ISO" file_name="test.iso" (FTP-proxy-00)
—
1CFF0008 INFO Proxy / FTP
Timeout
FTP timeout
The connection exceeded the configured idle time value. The default is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49561 21 msg="ProxyDrop: FTP timeout" (FTP-proxy-00)
—
1CFF0009 INFO Proxy / FTP
Invalid request
FTP invalid request
The FTP proxy rejected the command because of a lack of required arguments, such as a user name. The log message specifies the proxy action and command.
Deny 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49579 21 msg="ProxyDeny: FTP invalid request" proxy_act="FTP-Client.2" reason="No username value provided for USER command" (FTP-proxy-00)
—
1CFF000C INFO Proxy / FTP
Request
FTP request
This log message for the FTP request transaction includes the source and destination IP addresses for the initial connections.
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49590 21 msg="FTP request" proxy_act="FTP-Client.2" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" file="test.exe" rcvd_bytes="1084" sent_bytes="0" user="testuser" type="download" (FTP-proxy-00)
—
1CFF000D INFO Proxy / FTP
IPS match
FTP IPS match
Intrusion Prevention Service (IPS) detected a threat. The action configured for an IPS Match will be applied to the traffic. The log message includes the signature ID, threat severity, signature name, and signature category.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 1024 21 msg="ProxyDrop: FTP IPS match" proxy_act="FTP-Client.3" signature_id="1110297" severity="4" signature_name="EXPLOIT FlashGet FTP PWD Command Stack buffer overflow -1" signature_cat="Buffer Over Flow" (FTP-proxy-00)
—
1CFF000E INFO Proxy / FTP
GAV Virus found
FTP Virus found
Gateway AntiVirus (GAV) detected a virus or malware in the attachment. The log message specifies the detected virus name and the file name of the attachment.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 56528 msg="ProxyDrop: FTP Virus found" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" virus="EICAR_Test" file="eicar.com" (FTP-proxy-00)
—
1CFF000F INFO Proxy / FTP
GAV scan error
FTP AV scanning error
Gateway AntiVirus (GAV) failed to scan due to the error specified in the log message.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 44485 msg="ProxyDrop: FTP AV scanning error" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="avg scanner is not created" file="eicar.com" (FTP-proxy-00)
—
1CFF0010 INFO Proxy / FTP
Application match
FTP App match
Application Control identified an application in the FTP client request or server response. The log message specifies the proxy action, application control action, action taken, application name and ID, application category and ID, and application behavior name and ID.
Allow 1-Trusted 0-External tcp 10.0.1.49 11.11.11.2 49843 21 msg="ProxyAllow: FTP App match" proxy_act="FTP-Client.3" app_cat_name="File Transfer" app_cat_id="3" app_name="FTP Applications" app_id="1" app_beh_name="authority" app_beh_id="1" (FTP-proxy-00)
—
1CFF0011 INFO Proxy / FTP
DLP violation found
FTP DLP violation found
Data Loss Prevention (DLP) detected a rule violation. The log message specifies the proxy action, the DLP sensor name, DLP rule name, the authenticated user, and the file name. The log message also specifies the source and destination IP addresses and port for the control channel of the FTP session.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 37611 msg="ProxyDrop: FTP DLP violation found" proxy_act="FTP-Client.3" ctl_src="10.0.1.49:47553" ctl_dst="11.11.11.2:5120" dlp_sensor="test" dlp_rule="SocialsecuritynumberswithqualifyingtermsUSA" authenticated_user="testuser" file="test.docx" (FTP-proxy-00)
—
1CFF0012 INFO Proxy / FTP
DLP cannot perform scan
FTP cannot perform DLP scan
Data Loss Prevention (DLP) failed to scan because of the error specified in the log message.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 52217 msg="ProxyAllow: FTP cannot perform DLP scan" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" error="Error: DLP not initialized" file="ssn.docx" (FTP-proxy-00)
—
1CFF0013 INFO Proxy / FTP
DLP cannot scan object
FTP DLP object unscannable
Data Loss Prevention (DLP) could not scan and analyze the attachment because it is encrypted. The log message specifies the DLP sensor name, error message, the authenticated user, and the file name.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43974 msg="ProxyAllow: FTP DLP object unscannable" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" dlp_sensor="test" error="unscannable object (File was encrypted)" authenticated_user="testuser" file="test.zip" (FTP-proxy-00)
—
1CFF0014 INFO Proxy / FTP
DLP object too large
FTP DLP object too large
Data Loss Prevention (DLP) could not analyze the attachment because the file was larger than the configured limit. The limit varies by platform, from one to five MB. The log message specifies the DLP sensor name and error message.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43813 msg="ProxyAllow: FTP DLP object too large" proxy_act="FTP-Client.3" error="DLP scan limit (5242880) exceeded" (FTP-proxy-00)
—
1CFF0015 INFO Proxy / FTP
APT threat detected
FTP APT detected
APT Blocker identified a threat. The log message specifies the threat level, threat name, threat class, malicious activities, and file name where the threat was located.
Deny 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 58661 msg="ProxyDrop: FTP APT detected" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" threat_level="low" file="apt.txt" (FTP-proxy-00)
—
1CFF0017 INFO Proxy / FTP
File submitted to APT analysis server
FTP File submitted to APT analysis server
File submitted to APT analysis server for deep threat analysis. A separate log message will appear when the result is retrieved from the APT analysis server.
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow: FTP File submitted to APT analysis server" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
—
1CFF0018 INFO Proxy / FTP
File reported safe from APT hash check
FTP File reported safe from APT hash check
APT hash check did not report a threat from the object
Allow 0-External 1-Trusted tcp 11.11.11.2 11.11.11.5 20 43490 msg="ProxyAllow: FTP File reported safe from APT hash check" proxy_act="FTP-Client.3" ctl_src="11.11.11.2:5120" ctl_dst="10.0.1.49:47553" md5="03e7ef270a157090e2f68079603b10fc" task_uuid="d21914d5a2bc4b618fae72da3b1c137e" file="apt.txt"
—
1CFF0019 ERROR Proxy / FTP
FTP Bounce Attempt
FTP Bounce Attempt
FTP proxy -- User attempted FTP bounce
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.164 37989 21 msg="ProxyBlock: FTP Bounce Attempt" proxy_act="FTP-Client.Standard" bounce ip="10.0.1.101"
—
2AFF0000 INFO Proxy / H.323
Timeout
H323 timeout
The connection was idle longer than the configured timeout value. The default value is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 1720 1720 msg="ProxyDrop: H323 timeout" (H323-ALG-00)
—
2AFF0001 INFO Proxy / H.323
Request
H323 request
This log message specifies the IP addresses for the completed H323 call.
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3233 1720 msg="H323 request" proxy_act="H.323-Client.1" call_from="10.0.1.2" call_to="192.168.53.167" rcvd_bytes="171444" sent_bytes="256488" (H323-ALG-00)
—
2AFF0002 INFO Proxy / H.323
Codec
H323 codec
The media codec is denied because it matched a configured Denied Codec. The log message specifies the codec.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3230 1720 msg="ProxyDeny: H323 codec" proxy_act="H.323-Client.1" codec="(unknown)" (H323-ALG-00)
—
2AFF0003 INFO Proxy / H.323
Access control
H323 Access control
The header address is allowed or denied because it matches an Access Control rule configured in the H323 policy. The log message specifies the address.
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.167 3232 1720 msg="ProxyAllow: H323 Access control" proxy_act="H.323-Client.1" From-header="10.0.1.2" (H323-ALG-00)
—
2AFF0006 INFO Proxy / H.323
IPS match
H323 IPS match
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name, and URI path.
Deny 0-External 1-Trusted tcp 10.0.1.5 192.168.53.143 3234 3230 msg="ProxyDrop: H323 IPS match" proxy_act="H.323-Client.1" signature_id="1112506" severity="4" signature_name="EXPLOIT Digium Asterisk Invalid RTP Payload Type Number Memory Corruption" signature_cat="Access Control" (H323-ALG-00)
—
2AFF0007 INFO Proxy / H.323
Application match
H323 App match
Application Control detected an application type from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
Deny 1-Trusted 0-External tcp 10.0.1.6 192.168.53.167 3234 3230 msg="ProxyDrop: H323 App match" proxy_act="H.323-Client.1" app_cat_name="Voice over IP" app_cat_id="6" app_name="H.323" app_id="2" app_beh_name="access" app_beh_id="6" (H323-ALG-00)
—
1AFF0001 INFO Proxy / HTTP
Session timeout with server idle
HTTP server response timeout
The HTTP session has timed out because no traffic has been received from the server for the specified amount of time. (Default: 10 minutes)
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP server response timeout" (HTTP-proxy-00)
—
1AFF0002 INFO Proxy / HTTP
Session timeout with client idle
HTTP client request timeout
The HTTP session has timed out because no traffic has been received from the client for the specified amount of time. (Default: 10 minutes)
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 23.3.105.139 60680 80 msg="ProxyDeny: HTTP client request timeout" (HTTP-proxy-00)
—
1AFF0003 INFO Proxy / HTTP
Session timeout with close complete command timeout
HTTP close complete timeout
The Close HTTP Session command timed out because no response to the FIN packet was received within the response time limit (3 minutes).
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 182.168.53.82 60654 80 msg="ProxyDeny: HTTP close complete timeout" (HTTP-proxy-00)
—
1AFF0004 INFO Proxy / HTTP
Oversize Start-Line
HTTP Start-Line oversize
The first line of the client request or server response is longer than the configured maximum line length. The default maximum length is 4,096 bytes.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 134.170.188.84 52662 80 msg="ProxyDeny: HTTP Start-Line oversize" (HTTP-proxy-00)
—
1AFF0005 INFO Proxy / HTTP
Invalid Request-Line format
HTTP Invalid Request-Line Format
The request line from the client does not match the standard format of [Method][SP][Request-URI][SP][HTTP/Version]. The incorrect status-line is specified in the log message.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52668 80 msg="ProxyDeny: HTTP invalid Request-Line Format" proxy_act="HTTP-Client.5" line="\x03\x03\x0d\x0a" (HTTP-proxy-00)
—
1AFF0006 INFO Proxy / HTTP
Invalid Status-Line format
HTTP invalid Status-Line format
The status line from the server does not match the standard format of [HTTP/Version][SP][StatusCode][SP][Reason]. The incorrect status-line is specified in the log message.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 194.219.221.195 64610 80 msg="ProxyDeny: HTTP invalid Status-Line format" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0007 INFO Proxy / HTTP
Header line oversize
HTTP header line oversize
A single client request or server response line is longer than the configured maximum line length. The default maximum length is 4,096 bytes.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 74.125.25.105 64152 80 msg="ProxyDeny: HTTP header line oversize" proxy_act="HTTP-Client.4" line="X-Frame-Options: " (HTTP-proxy-00)
—
1AFF0008 INFO Proxy / HTTP
Header block oversize
HTTP header block oversize
The client request or server response header block length is longer than the configured limit. If maximum total length is enabled, the default limit is 16,384 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP header block oversize" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 16:50:51 GMT\x0d\x0a" (HTTP-proxy-00)
—
1AFF0009 INFO Proxy / HTTP
header block parse error
HTTP header block parse error
The HTTP proxy cannot process the header line because the format is incorrect. The required format is [Name]:[Value].
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: header block parse error" (HTTP-proxy-00)
—
1AFF000A INFO Proxy / HTTP
Request missing URL path
HTTP request URL path missing
The HTTP proxy cannot complete the URL because the host or URI value is missing. The HTTP request is denied.
Deny 1-Trusted 0-External tcp 10.0.1.2 54.230.68.99 58900 80 msg="ProxyDeny: HTTP request URL path missing" proxy_act="HTTP-Client.1" line="Date: Fri, 30 May 2014 18:50:51 GMT\x0d\x0a"
—
1AFF000B INFO Proxy / HTTP
Request URL match
HTTP request URL match
The requested URL matched a configured URL path in the HTTP proxy. By default, all URL paths are allowed.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.185 60351 80 msg="ProxyAllow: HTTP request URL match" proxy_act="HTTP-Client.1" rule_name="Default" dstname="pagead2.googlesyndication.com" arg="/pagead/osd.js" (HTTP-proxy-00)
—
1AFF000C INFO Proxy / HTTP
Chunk size line oversize
HTTP chunk size line oversize
The HTTP chunk size line does not terminate correctly with a carriage return and line-feed (CRLF). The invalid line is specified in the log message.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40656 80 msg="ProxyDeny: HTTP chunk size line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF000D INFO Proxy / HTTP
Chunk size line invalid
HTTP chunk size invalid
The HTTP chunk size line has an invalid hexadecimal value. The invalid line is specified in the log message.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40722 80 msg="ProxyDeny: HTTP chunk size invalid" proxy_act="HTTP-Client.2" line="k7\x0d\x0a" (HTTP-proxy-00)
—
1AFF000E INFO Proxy / HTTP
Chunk no CRLF tail
HTTP chunk CRLF tail missing
The HTTP chunk does not close with a carriage return and line feed (CRLF) because the chunk block is missing the closing characters. This is required for each chunk when chunked transfer-encoding is in use. The log message includes the invalid chunk tail line.
Deny 1-Trusted 0-External tcp 10.0.1.2 77.237.248.69 50019 80 msg="ProxyDeny: HTTP chunk CRLF tail missing" proxy_act="HTTP-Client.1" line="This string missing the Carriage Return in the terminating CF-LF pair\x0a" (HTTP-proxy-00)
—
1AFF000F INFO Proxy / HTTP
Footer line oversize
HTTP footer line oversize
One line of the HTTP footer, an additional header sent at the end of a message, is larger than the configured line limit. The default line limit is 4,096 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40662 80 msg="ProxyDeny: HTTP footer line oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0010 INFO Proxy / HTTP
Footer block oversize
HTTP footer block oversize
The HTTP footer includes additional header information that is larger than the configured block limit size. The default total message limit, if enabled, is 16,384 bytes. The log message includes information about the invalid line.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40688 80 msg="ProxyDeny: HTTP footer block oversize" proxy_act="HTTP-Client.2" line="\x03\x00\x00Kh\x80\x00\x07\x02,\x97\x02\xcc\x18M\xe4\xbe\xff\xa8\x87_a\x07\xb1\xa3d\x9f\x82\xc2\xea\xa2\xe17\x9f\xc8@+\xde\x7f\x7f\x0a" (HTTP-proxy-00)
—
1AFF0011 INFO Proxy / HTTP
Footer block parse error
HTTP footer block parse error
The HTTP footer includes an additional header field with syntax that violates the header format restrictions.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40705 80 msg="ProxyDeny: HTTP footer block parse error" (HTTP-proxy-00)
—
1AFF0012 INFO Proxy / HTTP
Body content type match
HTTP Body Content Type match
The HTTP content either matches a configured Body Content Type or no Body Content Type is defined (only the default rule is in use).
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 52089 80 msg="ProxyAllow: HTTP Body Content Type match" proxy_act="HTTP-Client.1" rule_name="Default" (HTTP-proxy-00)
—
1AFF0013 INFO Proxy / HTTP
Header content malformed
HTTP header malformed
The HTTP header line does not follow the correct syntax for a client request or server response header. The log message contains the header line with the syntax error.
Allow 1-Trusted 0-External tcp 10.0.1.2 192.168.53.92 41048 80 msg="ProxyStrip: HTTP header malformed" proxy_act="393296" header="WWW-Authenticate: \x0d\x0a"
—
1AFF0016 INFO Proxy / HTTP
Header Transfer-Encoding match
HTTP header transfer encoding match
The Transfer-Encoding in the HTTP header matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40719 80 msg="ProxyAllow: HTTP header Transfer-Encoding match" proxy_act="HTTP-Client.2" rule_name="chunked" encoding="chunked" (HTTP-proxy-00)
—
1AFF0018 INFO Proxy / HTTP
Header content type match
HTTP header Content Type match
The HTTP header Content Type matches a configured rule, or the default rule of no match. The log message specifies the matching rule name and header value.
Allow 1-Trusted 0-External tcp 10.0.1.2 198.252.206.140 52047 80 msg="ProxyAllow: HTTP header Content Type match" proxy_act="HTTP-Client.1" rule_name="text/*" content_type="text/html" (HTTP-proxy-00)
—
1AFF0019 INFO Proxy / HTTP
Request version match
HTTP request version match
The HTTP version specified in the HTTP request line matches a configured rule, or the default rule of no match. The log specifies the matched rule name and the request line.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40627 80 msg="ProxyDeny: HTTP request version match" proxy_act="HTTP-Client.2" rule_name="Default" line="GET /index.html HTTP/1.8\x0d\x0a" (HTTP-proxy-00)
—
1AFF001A INFO Proxy / HTTP
Request method match
HTTP request method match
The HTTP request method specified in the Request-Line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and the method.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP request method match" proxy_act="HTTP-Client.1" rule_name="GET" method="GET" (HTTP-proxy-00)
—
1AFF001B INFO Proxy / HTTP
Header match
HTTP header match
The HTTP header line matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and header line.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52301 80 msg="ProxyAllow: HTTP header match" proxy_act="HTTP-Client.1" rule_name="Default" header="Host: www.walkscore.com\x0d\x0a" (HTTP-proxy-00)
—
1AFF001C INFO Proxy / HTTP
Header cookie domain match
HTTP header cookie domain match
The cookie domain header matches a configured rule, or the default rule of no match. The log message includes the matched rule name and the cookie domain.
Deny 1-Trusted 0-External tcp 10.0.1.2 50.16.229.215 52466 80 msg="ProxyDeny: HTTP header cookie domain match" proxy_act="HTTP-Client.1" rule_name="DoubleClick.com" domain=".doubleclick.com" (HTTP-proxy-00)
—
1AFF001D INFO Proxy / HTTP
Request host missing
HTTP request host missing
The HTTP request header is missing the host value.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.82 60654 80 msg="ProxyDeny: HTTP request host missing" (HTTP-proxy-00)
—
1AFF001E INFO Proxy / HTTP
Header authentication scheme match
HTTP header auth scheme match
The authentication scheme in the HTTP header server response matches one of the configured rules, or the default rule of no match. The log message specifies the matched rule name and the authentication scheme.
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 4910 80 msg="ProxyAllow: HTTP Header auth scheme match" proxy_act="HTTP-Client.1" rule_name="Basic" scheme="Basic" (HTTP-proxy-00)
—
1AFF001F INFO Proxy / HTTP
Request method not supported
HTTP request method unsupported
The HTTP request method does not match a configured rule. The log message specifies the method in use.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request method unsupported" proxy_act="HTTP-Client.1" method="OPTIONS" (HTTP-proxy-00)
—
1AFF0020 INFO Proxy / HTTP
Request port mismatch
HTTP request port mismatch
Relative-URI is in use and the port specified in the HTTP request host header does not match the port used for the connection.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64152 80 msg="ProxyDeny: HTTP request port mismatch" proxy_act="HTTP-Client.1" (HTTP-proxy-00)
—
1AFF0021 INFO Proxy / HTTP
Request categories
HTTP Request categories
The HTTP request is sent to a web address that matched a selected WebBlocker category. The log message specifies the action taken by the proxy, the URL, and the category matched.
Allow 1-Trusted 0-External tcp 10.0.1.2 50.16.210.117 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)
—
1AFF0022 INFO Proxy / HTTP
Service unavailable
HTTP service unavailable
WebBlocker categorization failed because the configured WebBlocker server is not available. The log message specifies the profile name and a more detailed error message.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 23.21.224.150 60921 80 msg="ProxyDeny: HTTP service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)
—
1AFF0023 INFO Proxy / HTTP
Request URL path oversize
HTTP request URL path oversize
The URI in the HTTP Request-Line is longer than the configured limit. The default limit is 2,048 bytes. The log message specifies the oversize URI.
Deny 1-Trusted 6-Ext-access tcp 10.0.1.2 173.194.33.167 64279 80 msg="ProxyDeny: HTTP request URL path oversize" proxy_act="HTTP-Client.1" path="/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCMqOfjjbz3ZPr0OdvcXp8cUu10k48t_h-qsRfYvKPciETPh6ZMAQTV8WL-Rx-lfADpBbs0T0xmHzDv3tYNK4R4eAMZSmuX1YAUWVQlL6kSI-xpS-vSmdvbuQg/extension_0_1_0_12919.crx" (HTTP-proxy-00)
—
1AFF0024 INFO Proxy / HTTP
Request
HTTP request
A detailed summary of the last HTTP proxy transaction.
Allow 1-Trusted 6-Ext-access tcp 10.0.1.2 192.168.53.92 64425 80 msg="HTTP request" proxy_act="HTTP-Client.1" op="GET" dstname="192.168.53.92" arg="/" sent_bytes="339" rcvd_bytes="2" elapsed_time="5.037750 sec(s)" (HTTP-proxy-00)
—
1AFF0025 INFO Proxy / HTTP
Header IPS rule match
HTTP header IPS match
Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response header. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.
Deny 1-Trusted 0-External tcp 10.0.1.2 107.20.162.187 55531 80 msg="ProxyDeny: HTTP header IPS match" proxy_act="HTTP-Client.1" signature_id="1055396" severity="5" signature_name="WEB Cross-site Scripting -9" signature_cat="Web Attack" host="intext.nav-links.com" path="/util/intexteval.pl?action=startup" (HTTP-proxy-00)
—
1AFF0026 INFO Proxy / HTTP
Body IPS rule match
HTTP body IPS match
Intrusion Prevention Service (IPS) detected an intrusion in the client request or server response content body. The log message specifies the action taken, signature ID, threat severity, signature name, signature category, destination host name, and URI path.
Deny 4-Trusted-1 0-External tcp 192.168.53.92 188.40.238.252 45617 443 msg="ProxyDeny: HTTP body IPS match" proxy_act="HTTP-Client.4" signature_id="1051723" severity="5" signature_name="Virus Eicar test string" signature_cat="Virus/Worm" host="secure.eicar.org" path="/eicar.com.txt" src_user="[email protected]" (HTTPS-proxy-00)
—
1AFF0028 INFO Proxy / HTTP
GAV Virus found
HTTP Virus found
Gateway AntiVirus (GAV) detected a virus or malware. The log message specifies the virus name, destination host name, and URI path.
Deny 2-Internal-traffic 4-External-traffic tcp 10.0.1.8 192.168.53.92 57525 80 msg="ProxyDrop: HTTP Virus found" proxy_act="HTTP-Client.1" virus="EICAR_Test" host="192.168.53.92" path="/viruses/eicar.com" (HTTP-proxy-00)
—
1AFF0029 INFO Proxy / HTTP
GAV scan error
HTTP AV scanning error
Gateway AntiVirus (GAV) failed to scan because of an error. The log message specifies the error message, the destination host name, and URI path.
Allow 1-Trusted 0-External tcp 10.0.1.2 8.25.35.115 51859 80 msg="ProxyAllow: HTTP AV scanning error" proxy_act="HTTP-Client.3" error="avg scanner is not created" host="api.yontoo.com" path="/LoadJS.ashx" (HTTP-proxy-00)
—
1AFF002B INFO Proxy / HTTP
Trusted host
HTTP Trusted host
The destination host name matches a proxy exception configured in the HTTP proxy.
Allow 1-Trusted 0-External tcp 10.0.1.2 134.170.51.254 51941 80 msg="ProxyAllow: HTTP Trusted host" proxy_act="HTTP-Client.3" rule_name="*.windowsupdate.com" (HTTP-proxy-00)
—
1AFF002C INFO Proxy / HTTP
Bad reputation
HTTP bad reputation
The HTTP proxy blocked access to the destination address because of a bad reputation score for the URL.
Deny 1-Trusted 0-External tcp 172.16.1.101 188.40.238.250 36834 80 msg="ProxyDeny: HTTP bad reputation" proxy_act="HTTP-ACT-OUT" reputation="100" host="www.eicar.org" path="/download/eicar_com.zip" (HTTP-OUT-00)
—
1AFF002D INFO Proxy / HTTP
Good reputation
HTTP good reputation
The HTTP proxy did not complete a Gateway AntiVirus (GAV) scan for traffic to the destination address because the URL received a good reputation score.
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP good reputation" proxy_act="HTTP-Client.4" reputation="1" host="en.wikipedia.org" path="/favicon.ico" src_user="[email protected]" (HTTP-00)
—
1AFF002E INFO Proxy / HTTP
Application match
HTTP App match
Application Control identified the application type from the HTTP client request or server response stream.
Allow 4-Trusted-1 0-External tcp 192.168.53.92 198.35.26.96 45365 80 msg="ProxyAllow: HTTP App match" proxy_act="HTTP-Client.4" app_cat_name="Web" app_cat_id="13" app_name="Mozilla Firefox" app_id="12" app_beh_name="access" app_beh_id="6" src_user="[email protected]" (HTTP-00)
—
1AFF002F INFO Proxy / HTTP
DLP violation found
HTTP DLP violation found
Data Loss Prevention (DLP) detected a violation of DLP rules. The log message only includes information about the first rule matched.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 59568 80 msg="ProxyAllow: HTTP DLP violation found" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" dlp_rule="BankaccountdetailsnearpersonallyidentifiableinformationUSA" host="100.100.100.3" path="/cgi-bin/upload.cgi" (HTTP-OUT.1-00)
—
1AFF0030 INFO Proxy / HTTP
DLP cannot perform scan
HTTP cannot perform DLP Scan
Data Loss Prevention (DLP) failed to scan the traffic because of the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 62398 80 msg="ProxyAllow: HTTP cannot perform DLP scan" proxy_act="HTTP-Client.1" dlp_sensor="sample_dlp_test" error="Cannot Perform DLP scanning" (HTTP-proxy-00)
—
1AFF0031 INFO Proxy / HTTP
DLP object unscannable
HTTP DLP object unscannable
Data Loss Prevention (DLP) cannot extract data from an object because it is encrypted.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 40608 80 msg="ProxyAllow: HTTP DLP object unscannable" proxy_act="HTTP-Client.2" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" host="100.100.100.11" path="/password-protected.zip" (HTTP-proxy-00)
—
1AFF0032 INFO Proxy / HTTP
HTTP object too large
HTTP DLP object too large
Data Loss Prevention (DLP) cannot scan the object because it is larger than the configured limit. The default value varies by device type and ranges between 1 and 5 MB.
Allow 2-optional 0-External tcp 192.168.53.92 172.16.10.14 8902 80 msg="ProxyAllow: HTTP DLP object too large" proxy_act="HTTP-Client.1" dlp_sensor="DLPSensor.1" error="DLP scan limit exceeded" (HTTP-proxy-00)
—
1AFF0033 INFO Proxy / HTTP
Range header
HTTP Range header
This is the configured action (allow or strip) for the HTTP proxy Range header. The default action is strip. The HTTP proxy Range header can allow partial file transfers that impact content scans because the full content is not presented.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.15 40535 80 msg="ProxyStrip: HTTP Range header" proxy_act="HTTP-Client.1" header="Accept-Ranges: bytes\x0d\x0a" (HTTP-proxy-00)
—
1AFF0034 INFO Proxy / HTTP
APT threat detected
HTTP APT detected
APT Blocker detected a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination host name, and URI path.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
—
1AFF0036 INFO Proxy / HTTP
File submitted to APT analysis server
HTTP File submitted to APT analysis server
File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
—
1AFF0037 INFO Proxy / HTTP
Connect tunnel port match
HTTP connect tunnel port match
The HTTP CONNECT tunnel request port matches a configured rule, or the default rule of no match. The log message specifies the matched rule name and port.
Allow 1-Trusted Firebox tcp 10.0.1.3 100.100.100.16 53531 3128 msg="ProxyReplace: HTTP connect tunnel port match" proxy_act="Explicit-Web.Standard.1" rule_name="Redirect-HTTPS" port="443" (Explicit-proxy-00)
—
1AFF0038 INFO Proxy / HTTP
Webproxy redirect
HTTP webproxy redirect
The HTTP Webproxy connection was redirected to a different proxy action because of the configuration setting in explicit proxy. The log message specifies the new proxy action used.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.16 53532 3128 msg="ProxyReplace: HTTP webproxy redirect" proxy_act="Explicit-Web.Standard.1" redirect_action="HTTPS-Client.Standard" (Explicit-proxy-00)
—
1AFF0039 INFO Proxy / HTTP
File reported safe from APT hash check
HTTP File reported safe from APT hash check
APT hash check did not report a threat from the object.
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
—
1AFF003A INFO Proxy / HTTP
Content redirect
HTTP Content redirect
The HTTP content action connection was redirected to a different proxy action because of the configuration. The log message specifies the new proxy action used as well as the current ssl status.
Allow 0-External 3-Optional-2 tcp 203.0.113.2 203.0.113.3 50560 80 msg="ProxyReplace: HTTP Content Action redirect" proxy_act="HTTP-Content.Standard.1" redirect_action="HTTP-Server.Standard.2" srv_ip="10.0.2.8" srv_port="80" ssl_offload="0" client_ssl="NONE" server_ssl="NONE" (HTTP-proxy-00)
—
1AFF003B INFO Proxy / HTTP
Request Content match
HTTP Request content match
The request contained content which matched a configured content rule in the HTTP proxy. The log message specifies the content which matched the rule as well as rule details.
Allow 0-External 1-Trusted tcp 203.0.113.2 203.0.113.2 50428 80 msg="ProxyReplace: HTTP Request content match" proxy_act="HTTP-Content.Standard.1" rule_name="forums" content_type="URN" dstname="203.0.113.2" arg="/forums/index.html" srv_ip="10.0.2.8" srv_port="80" ssl_offload="1" redirect_action="HTTP-Server.Standard.1" (HTTP-proxy-00)
—
2CFF0000 INFO Proxy / HTTPS
Request
HTTPS Request
HTTPS transaction log includes server name, certificate details and action taken.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.184 59277 443 msg="HTTPS Request" proxy_act="HTTPS-Client.Standard.3" sni="www.gstatic.com" cn="*.google.com" cert_issuer="CN=olympus.wgti.net,OU=QA,O=WGTI,L=Seattle,ST=WA,C=US" cert_subject="CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US" action="allow" (HTTPS-proxy-00)
—
2CFF0001 INFO Proxy / HTTPS
WebBlocker Request categories
HTTPS Request categories
WebBlocker identified the category for a web request. The log message specifies the category and host name.
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.104 44773 443 msg="ProxyAllow: HTTPS Request categories" proxy_act="HTTPS-Client.1" service="Def" cats="Search Engines and Portals" dstname="www.google.com" (HTTPS-proxy-00)
—
2CFF0002 INFO Proxy / HTTPS
WebBlocker service unavailable
HTTPS service unavailable
WebBlocker failed because a WebBlocker Server was not available.
Allow 1-Trusted 0-External tcp 10.0.1.2 74.125.25.147 51566 443 msg="ProxyAllow: HTTPS service unavailable" proxy_act="HTTPS-Client.1" error="Webblocker server is not available" service="Def" cats="" dstname="www.google.com" (HTTPS-proxy-00)
—
2CFF0003 INFO Proxy / HTTPS
Domain name match
HTTPS domain name match
This rule log includes the matched rule name, or the default rule of no match, and the patterns it has been matched against.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.176 59545 443 msg="ProxyAllow: HTTPS domain name match" proxy_act="HTTPS-Client.Standard.3" rule_name="*.google.com" sni="www.google.com" cn="" ipaddress="173.194.33.176" (HTTPS-proxy-00)
—
2CFF0007 INFO Proxy / HTTPS
Protocol invalid
HTTPS invalid protocol
The HTTPS proxy detected an invalid SSL version.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 443 msg="ProxyDrop: HTTPS invalid protocol" proxy_act="HTTPS-Client.1" version="0x9999" length="123" data="\x16\x03\x01\x00{\x01\x00\x00w\x99\x99" (HTTPS-proxy-00)
—
2CFF0008 INFO Proxy / HTTPS
Timeout
HTTPS timeout
The HTTPS connection was idle longer than the timeout value configured in the HTTPS policy. The default is 180 seconds.
Deny 1-Trusted 0-External tcp 10.0.1.5 192.168.53.143 54707 443 msg="ProxyDrop: HTTPS timeout" (HTTPS-proxy-00)
—
2CFF0009 INFO Proxy / HTTPS
Content inspection
HTTPS content inspection
The HTTPS traffic was directed to a different proxy action because of the Content Inspection settings in the HTTPS proxy. The log message specifies the new proxy action used for content inspection, as well as the TLS ciphers used for the server and client.
Allow 1-Trusted 0-External tcp 10.0.1.2 173.194.33.180 59276 443 msg="ProxyInspect: HTTPS content inspection" proxy_act="HTTPS-Client.Standard.3" inspect_action="HTTP-Client.Standard" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (HTTPS-proxy-00)
—
22FF0000 INFO Proxy / IMAP
Request
IMAP Request
This audit log message specifies the email message transaction result.
Allow 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Request" proxy_act="IMAP-Client.Standard.1" email_len="652" action="allow" reason="" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0001 INFO Proxy / IMAP
Timeout
IMAP Timeout
The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Timeout" proxy_act="IMAP-Client.Standard.1" timeout="120" (IMAP-proxy-00)
—
22FF0002 INFO Proxy / IMAP
Malformed Command
IMAP Malformed Command
The IMAP client sent a malformed/unsupported command.
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Malformed Command" proxy_act="IMAP-Client.Standard.1" command="CONDSTORE" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0004 INFO Proxy / IMAP
Malformed Response
IMAP Malformed Response
The IMAP server sent a malformed/unsupported response.
Deny 1-Trusted 0-External tcp 10.0.1.70 10.148.22.60 53589 143 msg="IMAP Malformed Response" proxy_act="IMAP-Client.Standard.1" response="* 3597EXISTS" mbx="INBOX" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0005 INFO Proxy / IMAP
Content Type
IMAP Content Type
A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.73 10.148.22.60 54116 143 msg="ProxyAvScan: IMAP Content Type" proxy_act="IMAP-Client.Standard.1" rule_name="All text types" content_type="text/plain" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0006 INFO Proxy / IMAP
Filename
IMAP Filename
The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 56079 143 msg="ProxyStrip: IMAP Filename" proxy_act="IMAP-Client.Standard.1" rule_name="Word documents" filename="bug92408.doc" attachment="bug92408.zip.zip" mbx="inbox" user="wg" auth_method="plain" (IMAP-proxy-00)
—
22FF0008 INFO Proxy / IMAP
Virus Found
IMAP Virus Found
Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, file name, and user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyAllow: IMAP Virus Found" proxy_act="IMAP-Client.Standard.1" virus="Eicar" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0009 INFO Proxy / IMAP
Cannot Perform Gateway AV Scan
IMAP Cannot Perform Gateway AV Scan
Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50633 143 msg="ProxyLock: IMAP Cannot Perform Gateway AV Scan" proxy_act="IMAP-Client.Standard.1" error="unable to scan" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000A INFO Proxy / IMAP
APT detected
IMAP APT detected
APT Blocker found the threat specified in the log message in an attached file.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP APT detected" proxy_act="IMAP-Client.Standard.1" filename="lastline-demo-sample.exe" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000C INFO Proxy / IMAP
File Submitted to APT analysis server
IMAP File Submitted to APT analysis server
File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File submitted to APT analysis server" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000D INFO Proxy / IMAP
File reported safe from APT hash check
IMAP File reported safe from APT hash check
APT hash check did not report a threat from the object.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyStrip: IMAP File reported safe from APT hash check" proxy_act="IMAP-Client.Standard.1" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929"APT detected" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000E INFO Proxy / IMAP
spamBlocker confirmed spam
IMAP Classified as confirmed SPAM
spamBlocker classified the message as confirmed SPAM. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as confirmed SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF000F INFO Proxy / IMAP
spamBlocker bulk mail
IMAP Classified as bulk mail
spamBlocker classified the message as bulk mail. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as bulk mail" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0010 INFO Proxy / IMAP
spamBlocker suspect spam
IMAP Classified as suspect SPAM
spamBlocker classified the message as suspect SPAM. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyReplace: IMAP Classified as suspect SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0011 INFO Proxy / IMAP
spamBlocker not scored
IMAP Message could not be scored
spamBlocker cannot score the message. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message could not be scored" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0012 INFO Proxy / IMAP
spamBlocker exception matched
IMAP spamBlocker exception was matched
The sender for the email matched a spamBlocker exception rule. The log message specifies the rule and user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP spamBlocker exception was matched" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0013 INFO Proxy / IMAP
spamBlocker not spam
IMAP Classified as not SPAM
spamBlocker classified the message as not SPAM. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Classified as not SPAM" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0014 INFO Proxy / IMAP
spamBlocker not spam
IMAP Message classification is unknown because an error occurred while classifying
spamBlocker was unable to classify the message because of the error specified in the log message. The log message specifies the user-related information.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 60275 143 msg="ProxyAllow: IMAP Message classification is unknown because an error occurred while classifying" proxy_act="IMAP-Client.Standard.1" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0015 INFO Proxy / IMAP
GAV file too large
IMAP Gateway AV object too large
The attachment file size exceeds the Gateway AV scan size limit.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object too large" proxy_act="IMAP-Client.OUT" attachment="large_file.doc" error="File exceeding the scan size limit" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF0016 INFO Proxy / IMAP
GAV file encrypted
Gateway AV object encrypted (password-protected)
The attachment file is encrypted or password-protected.
Allow 1-Trusted 0-External tcp 10.0.1.3 100.100.100.3 50698 143 msg="ProxyAllow: IMAP Gateway AV object enrcypted (password-protected)" proxy_act="IMAP-Client.OUT" attachment="password-protected.zip" error="Object Encrypted" mbx="INBOX" user="wg" (IMAP-proxy-00)
—
22FF1017 INFO Proxy / IMAP
Protocol invalid
IMAP invalid TLS protocol
The IMAP proxy detected an invalid TLS protocol.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyDrop: IMAP invalid TLS protocol" proxy_act="IMAP-Client.1" (IMAP-proxy-00)
—
22FF1018 INFO Proxy / IMAP
Content Inspection
IMAP TLS content inspection
The IMAP proxy decrypted a secure connection for content inspection.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 993 msg="ProxyInspect: IMAP TLS content inspection" proxy_act="IMAP-Client.1" server_ssl="ECDHE-RSA-AES256-SHA384" client_ssl="ECDHE-RSA-AES256-GCM-SHA384" (IMAP-proxy-00)
—
21FF0000 INFO Proxy / POP3
CAPA
POP3 CAPA
The CAPA response contained the unknown or blocked capability that is specified in the log message.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyDeny: POP3 CAPA" keyword="VERF": (POP3-proxy-00)
—
21FF0001 INFO Proxy / POP3
Authentication
POP3 AUTH
The authentication type matched a rule, or the default rule of no match. The log message specifies the rule name and authentication type.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44047 110 msg="ProxyDeny: POP3 AUTH" proxy_act="POP3-Client.2" rule_name="Default" authtype="KERBOSE_V12" (POP3-proxy-00)
—
21FF0002 INFO Proxy / POP3
Command
POP3 command
The client sent an authentication command when it was not allowed.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44225 110 msg="ProxyDeny: POP3 command" proxy_act="POP3-Client.2" keyword="AUTH KERBEROS_V12\x0d\x0a" (POP3-proxy-00)
—
21FF0005 INFO Proxy / POP3
Header
POP3 header
A POP3 header matched a configured Header rule, or the default rule of no match. The log message specifies the rule and header.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyStrip: POP3 header" proxy_act="POP3-Client.1" rule_name="Default" header="Delivered-To: wg@localhost" (POP3-proxy-00)
—
21FF0006 INFO Proxy / POP3
Content type
POP3 content type
A MIME-type matched a configured content type rule, or the default rule of no match. The log message specifies the rule, MIME-type, and user name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="ProxyAllow: POP3 content type" proxy_act="POP3-Client.1" rule_name="All text types" content_type="text/plain" user="wg" (POP3-proxy-00)
—
21FF0007 INFO Proxy / POP3
File name
POP3 filename
The attachment matches a configured file name rule, or the default rule of no match. The log message specifies the rule, file name, and user name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44035 110 msg="ProxyAvScan: POP3 filename" proxy_act="POP3-Client.1" rule_name="Text files" file_name="high-triggerme.txt" user="wg" (POP3-proxy-00)
—
21FF0009 INFO Proxy / POP3
Timeout
POP3 timeout
The connection was idle for longer than the configured timeout limit. The default limit is 1 minute.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyDeny: POP3 timeout" proxy_act="POP3-Client.1" timeout="180" (POP3-proxy-00)
—
21FF000A INFO Proxy / POP3
Request
POP3 request
This audit log message specifies the bytes sent, bytes received, and user.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43909 110 msg="POP3 request" proxy_act="POP3-Client.1" rcvd_bytes="625052" sent_bytes="1433" user="wg" (POP3-proxy-00)
—
21FF000C INFO Proxy / POP3
IPS match
POP3 IPS match
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the action taken, the signature ID, threat severity, signature name, and signature category.
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: POP3 IPS match" proxy_act="POP3-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (POP3-proxy-00)
—
21FF000F INFO Proxy / POP3
GAV Virus found
POP3 Virus found
Gateway AntiVirus detected a virus or malware in the file. The log message specifies the virus name, user, and file name.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 Virus found" proxy_act="POP3-Client.1" user="wg" filename="sample.apt" virus="Generic34.EFX" (POP3-proxy-00)
—
21FF0010 INFO Proxy / POP3
GAV cannot perform scan
POP3 cannot perform Gateway AV
Gateway AntiVirus (GAV) failed to scan because of the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: POP3 Cannot perform Gateway AV scan" proxy_act="POP3-Client.1" user="wg" filename="message.scr" error="scan request failed" (POP3-proxy-00)
—
21FF0012 INFO Proxy /POP3
Line length toolong
POP3 linelength toolong
A line exceeds the configured limit.The default is 1,000 bytes. The logmessage specifies the line length.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25msg="ProxyDeny: POP3 line length too long" proxy_act="POP3-Client.1" line_length="22121" (POP3-proxy-00)
—
21FF0014 INFO Proxy /POP3
Message format
POP3 message format
The message is not in an allowed format. The log message specifies the error and the user.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44061 110 msg="ProxyStrip: POP3 message format" proxy_act="POP3-Client.2" file_name="sm_conns.txt" type="uuencode" (POP3-proxy-00)
—
21FF0015 INFO Proxy /POP3
Encoding error POP3 encoding error
The proxy was unable to decode and encode the message because of the error specified in the log message.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 51064 110 msg="ProxyStrip: POP3 encoding error" proxy_act="POP3-Server.1" message="invalid b64 characters in input" (POP3-IN-00)
—
21FF0016 INFO Proxy /POP3
spamBlocker confirmed spam
POP3 Classified as confirmed SPAM
spamBlocker classified the message as confirmed SPAM. The log message specifies the sender and recipients.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 45551 110 msg="ProxyReplace: POP3 Classified as confirmed SPAM" (POP3-OUT-00)
—
21FF0017 INFO Proxy /POP3
spamBlocker BULK spam
POP3 Classified as suspect SPAM
spamBlocker classified the message as bulk SPAM. The log message specifies the sender and recipients.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-IN-00)
—
21FF0018 INFO Proxy /POP3
spamBlocker suspect spam
POP3 Classified as suspect SPAM
spamBlocker classified the message as suspect SPAM. The log message specifies the sender and recipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44249 110 msg="ProxyReplace: POP3 Classified as suspect SPAM" (POP3-proxy-00)
—
21FF001A INFO Proxy /POP3
spamBlocker exception matched
POP3 spamBlocker exception was matched
The sender for the email matched a spamBlocker exception rule. The log message specifies the sender, recipient, and subject.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43913 110 msg="ProxyAllow: POP3 spamBlocker exception was matched" proxy_act="POP3-Client.1" from="[email protected]" to="wg@localhost" subj_tag="(none)" (POP3-proxy-00)
—
21FF001B INFO Proxy /POP3
spamBlocker not spam
POP3 Classified as not SPAM
spamBlocker classified the message as not SPAM. The log message specifies the sender and recipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 43924 110 msg="ProxyAllow: POP3 Classified as not SPAM" (POP3-proxy-00)
—
21FF001C INFO Proxy /POP3
spamBlocker classification unknown
POP3 message classification is unknown because an error occurred while classifying
spamBlocker was unable to classify the message because of the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 53776 110 msg="ProxyAllow: POP3 message classification is unknown because an error occurred while classifying" (POP3-OUT-00)
—
21FF001D INFO Proxy /POP3
Extra pad characters
POP3 extra pad characters in base64 input
The POP3 proxy encountered extra pad characters in the body of a base64-encoded message.
Allow 0-External 1-Trusted tcp 100.100.106.253 100.100.106.55 46177 110 msg="ProxyStrip: POP3 Extra pad characters in base64 input" proxy_act="POP3-Server.1" pad_error="1" (POP3-IN-00)
—
21FF001E INFO Proxy /POP3
Application match
POP3 App match
Application Control identified the application from the email message. The log specifies the application name and ID, application category and ID, and the application behavior name and ID.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 44042 110 msg="ProxyAllow: POP3 App match" proxy_act="POP3-Client.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="POP3" app_id="2" app_beh_name="communicate" app_beh_id="2" (POP3-proxy-00)
—
21FF001F INFO Proxy /POP3
APT threat detected
POP3 APT detected
APT Blocker found the threat specified in the log message in an attached file.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47193 110 msg="ProxyDrop: POP3 APT detected" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" threat_level="high" (POP3-proxy-00)
—
21FF0021 INFO Proxy /POP3
File submitted to APT analysis server
POP3 File submitted to APT analysis server
File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File submitted to APT analysis server" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
—
21FF0022 INFO Proxy /POP3
File reported safe from APT hash check
POP3 File reported safe from APT hash check
APT hash check did not report a threat from the object
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 47187 110 msg="ProxyAllow: POP3 File reported safe from APT hash check" proxy_act="POP3-Client.Standard.1" user="wg" filename="971d3aa1c683c69f425cc6ddf66833d3d172f0fd.apk" md5="7abebcf53e97b586c92a9ce5b9985cd4" task_uuid="e8a3730d1f88491c8821712e85d94929" (POP3-proxy-00)
—
28FF0000 INFO Proxy /SIP
Timeout SIP timeout
The connection was idle for longer than the configured timeout value. The default value is 180 seconds.
Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP timeout" (SIP-ALG-00)
—
28FF0004 INFO Proxy /SIP
Request SIP request
The log message specifies the source and destination of the allowed call.
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="SIP request" proxy_act="SIP-Client.1" call_from="10.0.1.3" call_to="192.168.53.143" (SIP-ALG-00)
—
28FF0005 INFO Proxy /SIP
Codec SIP codec
The codec is allowed or denied based on the setting for Denied Codecs in the SIP policy.
Deny 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyDeny: SIP codec" proxy_act="SIP-Client.1" codec="speex" (SIP-ALG-00)
—
28FF0006 INFO Proxy /SIP
Access control
SIP Access control
The header address is allowed or denied based on the Access Control settings. The log message specifies the action taken, header and message ID.
Allow 1-Trusted 0-External udp 10.0.1.3 192.168.53.143 5060 5060 msg="ProxyAllow: SIP Access control" proxy_act="SIP-Client.1" To-header="[email protected]" (SIP-ALG-00)
—
28FF0008 INFO Proxy /SIP
IPS match SIP IPS match
Intrusion Prevention Service (IPS) detected an intrusion threat. The log message specifies the signature ID, threat severity, signature name, signature category, destination host name and URI path.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 5060 5060 msg="ProxyDrop: SIP IPS match" proxy_act="SIP-Client.1" signature_id="1057422" severity="4" signature_name="SIP Digium Asterisk SIP SDP Header Parsing Stack Buffer Overflow -1" signature_cat="Buffer Over Flow" (SIP-ALG-00)
—
28FF0009 INFO Proxy /SIP
Application match
SIP App match
Application Control identified an application from the transaction. The log message specifies the action taken, the application name and ID, application category name and ID, and the application behavior name and ID.
Deny 1-Trusted 0-External udp 10.0.1.4 192.168.53.143 5060 5060 msg="ProxyDrop: SIP App match" proxy_act="SIP-Client.1" signature_id="12" app_name="SIP" beh_name="communicate" app_msg="Application matched.application name: SIP; behavior name:communicate" (SIP-ALG-00)
—
1BFF0000 INFO Proxy /SMTP
Greeting SMTP greeting
The host name in the SMTP proxy HELO or EHLO command matched one of the Greeting Rules, or the default rule of no match.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39366 25 msg="ProxyDeny: SMTP greeting" proxy_act="SMTP-Outgoing.1" rule_name="*.test.net" hostname="testbox.test.net" (SMTP-proxy-00)
—
1BFF0001 INFO Proxy /SMTP
ESMTP option
SMTP ESMTP option
The EHLO response from the SMTP server includes an ESMTP option that is disabled or unknown.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39371 25 msg="ProxyStrip: SMTP ESMTP option" proxy_act="SMTP-Outgoing.1" keyword="VRFY" (SMTP-proxy-00)
—
1BFF0002 INFO Proxy /SMTP
Authentication (AUTH)
SMTP AUTH
The EHLO response from the SMTP server included an authentication type that matches a configured authentication rule. The log message specifies the proxy action, the rule name, the action taken, and the authentication type.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39374 25 msg="ProxyDeny: SMTP AUTH" proxy_act="SMTP-Outgoing.1" rule_name="PLAIN" authtype="PLAIN" (SMTP-proxy-00)
—
1BFF0003 INFO Proxy /SMTP
Header SMTP header
A MIME header matched a configured rule, or the default rule of no match.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39379 25 msg="ProxyStrip: SMTP header" proxy_act="SMTP-Outgoing.1" rule_name="Default" header="X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0" (SMTP-proxy-00)
—
1BFF0004 INFO Proxy /SMTP
From address SMTP From address
The sender address matched a rule specified in the Mail From rules.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39383 25 msg="ProxyDeny: SMTP From address" proxy_act="SMTP-Outgoing.1" rule_name="jsmith@*.com->ex-employee" address="[email protected]" (SMTP-proxy-00)
—
1BFF0005 INFO Proxy /SMTP
To address SMTP To address
The recipient address matched a rule specified in the Rcpt To rules.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39384 25 msg="ProxyDeny: SMTP To address" proxy_act="SMTP-Outgoing.1" rule_name="Default" address="[email protected]" (SMTP-proxy-00)
—
1BFF0006 INFO Proxy /SMTP
Content type SMTP content type
Some of the message content matched a content filter rule.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39391 25 msg="ProxyAvScan: SMTP content type" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="application/x-gzip" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0007 INFO Proxy /SMTP
Filename SMTP filename
An email attachment matched a file name rule, or the attachment is uuencoded and the SMTP proxy allows uuencoded attachments.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39436 25 msg="ProxyStrip: SMTP filename" proxy_act="SMTP-Outgoing.1" rule_name="*.exe" file_name="app.exe" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF000A INFO Proxy /SMTP
Timeout SMTP timeout
The SMTP connection was idle for longer than the configured idle timeout limit. The default is 10 minutes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39402 25 msg="ProxyDeny: SMTP timeout" proxy_act="SMTP-Outgoing.1" timeout="60" (SMTP-proxy-00)
—
1BFF000C INFO Proxy /SMTP
GAV Virus found
SMTP Virus found
Gateway AntiVirus (GAV) detected a virus or malware in an email attachment.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39445 25 msg="ProxyStrip: SMTP Virus found" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" virus="I-Worm/Netsky.CORRUPTED" filename="message.scr" (SMTP-proxy-00)
—
1BFF000E INFO Proxy /SMTP
GAV cannot perform scan
SMTP cannot perform Gateway AV scan
Gateway AntiVirus (GAV) could not complete the scan because of the error that is specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform Gateway AV scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
—
1BFF000F INFO Proxy /SMTP
Request SMTP request
This SMTP audit log specifies the bytes sent, bytes received, the sender and recipient addresses, and the sender and recipient TLS cipher.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39398 25 msg="SMTP request" proxy_act="SMTP-Outgoing.1" rcvd_bytes="272" sent_bytes="282" sender="[email protected]" recipients="wg@localhost" server_ssl="ECDHE-RSA-AES256-GCM-SHA384" client_ssl="AES128-SHA256" tls_profile="TLS-Client.Standard" (SMTP-proxy-00)
—
1BFF0010 INFO Proxy /SMTP
Message format
SMTP message format
The email message format matched a message format rule specified in the SMTP proxy. The log message includes the error message.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39452 25 msg="ProxyDeny: SMTP message format" proxy_act="SMTP-Outgoing.1" file_name="sm_conns.txt" type="uuencode" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0011 INFO Proxy /SMTP
IPS match SMTP IPS match
Intrusion Prevention Service (IPS) detected a threat. The log message specifies the signature name and ID, threat severity, and signature category.
Deny 0-External 1-Trusted tcp 172.16.180.2 172.16.181.2 1024 25 msg="ProxyDrop: SMTP IPS match" proxy_act="SMTP-Incoming.1" signature_id="1110401" severity="4" signature_name="EXPLOIT IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflow (CVE-2007-6593)" signature_cat="Buffer Over Flow" (SMTP-proxy-00)
—
1BFF0013 INFO Proxy /SMTP
Too many recipients
SMTP too many recipients
The number of email recipients specified in the email message exceeds the configured limit. The default limit is 99 for inbound messages and unlimited for outbound messages. The log message specifies the proxy action and number of recipients.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39404 25 msg="ProxyDeny: too many recipients" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]" recipients="[email protected];[email protected]" (SMTP-proxy-00)
—
1BFF0014 INFO Proxy /SMTP
Response size too long
SMTP response size too long
The SMTP server response exceeds the configured limit. The default limit is 10,000 KB. The log message specifies the size of the response.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39973 25 msg="ProxyDeny: SMTP response size too long" proxy_act="SMTP-Outgoing.1" response_size="5030" (SMTP-proxy-00)
—
1BFF0015 INFO Proxy /SMTP
Line too long SMTP line length too long
The email message contains a line that exceeds the configured limit. The default is 1,000 bytes. The log message specifies the line length.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39457 25 msg="ProxyDeny: SMTP line length too long" proxy_act="SMTP-Outgoing.1" line_length="32110" (SMTP-proxy-00)
—
1BFF0016 INFO Proxy /SMTP
Message too long
SMTP message size too long
The SMTP message length exceeds the configured limit. The default limit is 10,000 kb.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39466 25 msg="ProxyDeny: SMTP message size too long" proxy_act="SMTP-Outgoing.1" size="16384" (SMTP-proxy-00)
—
1BFF0017 INFO Proxy /SMTP
Header too long
SMTP header size too long
The SMTP message contains a header that exceeds the configured Maximum Header Length. The default is 20,000 bytes.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39473 25 msg="ProxyDeny: SMTP header size too long" proxy_act="SMTP-Outgoing.1" headers_size="12157" (SMTP-proxy-00)
—
1BFF0018 INFO Proxy /SMTP
Command SMTP command
The SMTP request contains a command that is not supported or is not valid for the email transaction. The log message specifies the proxy action, action taken, SMTP command, and the response code.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39474 25 msg="ProxyDeny: SMTP command" proxy_act="SMTP-Outgoing.1" keyword="VERIFY\x0d\x0a" response="500" (SMTP-proxy-00)
—
1BFF0019 INFO Proxy /SMTP
spamBlocker confirmed spam
SMTP Classified as confirmed SPAM
spamBlocker has classified the message as confirmed SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39446 25 msg="ProxyDeny: SMTP Classified as confirmed SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001A INFO Proxy /SMTP
spamBlocker bulk spam
SMTP Classified as bulk mail
spamBlocker has classified the message as bulk SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39499 25 msg="ProxyReplace: SMTP Classified as bulk mail" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001B INFO Proxy /SMTP
spamBlocker suspect spam
SMTP Classified as suspect SPAM
spamBlocker has classified the message as suspect SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39999 25 msg="ProxyAllow: SMTP Classified as suspect SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001C INFO Proxy /SMTP
spamBlocker not SPAM
SMTP Classified as not SPAM
spamBlocker has classified the message as not SPAM. The log message specifies the proxy action, the action taken, and the sender and recipient addresses.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39487 25 msg="ProxyAllow: SMTP Classified as not SPAM" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001D INFO Proxy /SMTP
spamBlocker classification unknown
SMTP message classification is unknown because an error occurred while classifying
spamBlocker was unable to classify the email message because of an error. The log message specifies the sender and recipient addresses.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39524 25 msg="ProxyDeny: SMTP message classification is unknown because an error occurred while classifying" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001E INFO Proxy /SMTP
spamBlocker exception matched
SMTP spamBlocker exception was matched
The sender or recipient of the email message matches a spamBlocker exception specified in the SMTP proxy.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39476 25 msg="ProxyAvScan: SMTP spamBlocker exception" proxy_act="SMTP-Outgoing.1" rule_name="Default" content_type="" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF001F INFO Proxy /SMTP
Decoder error SMTP An error was found by our decoder
The SMTP proxy was unable to decode the email message due to the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36921 25 msg="ProxyStrip: SMTP An error was found by our decoder" proxy_act="SMTP-Outgoing.1" message="invalid b64 characters in input" (SMTP-OUT-00)
—
1BFF0021 INFO Proxy /SMTP
Extra pad characters in base64 encoding
SMTP extra pad characters in base64 input
The SMTP proxy encountered extra pad characters when the body of the base64-encoded message was processed.
Allow 1-Trusted 0-External tcp 10.0.55.253 100.100.100.155 36664 25 msg="ProxyStrip: SMTP extra pad characters in base64 input" proxy_act="SMTP-Outgoing.1" pad_error="1" (SMTP-OUT-00)
—
1BFF0022 INFO Proxy /SMTP
Mail from address too long
SMTP Mail From address too long
A sender email address exceeded the configured maximum address length. The address length is unlimited by default.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39497 25 msg="ProxyDeny: SMTP Mail From address too long" proxy_act="SMTP-Outgoing.1" address="[email protected]" length="56" response="553" (SMTP-proxy-00)
—
1BFF0023 INFO Proxy /SMTP
Application match
SMTP App match
Application Control identified the application in the mail message that is specified in the log message.
Deny 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39913 25 msg="ProxyDrop: SMTP App match" proxy_act="SMTP-Outgoing.1" app_cat_name="Mail and Collaboration" app_cat_id="5" app_name="SMTP" app_id="1" app_beh_name="access" app_beh_id="6" (SMTP-proxy-00)
—
1BFF0024 INFO Proxy /SMTP
DLP violation found
SMTP DLP violation Found
Data Loss Prevention (DLP) detected the rule violation that is specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39510 25 msg="ProxyAllow: SMTP DLP violation Found" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" dlp_rule="SocialsecuritynumbersUSA" sender="[email protected]" recipients="wg@localhost" filename="ssn.docx" (SMTP-proxy-00)
—
1BFF0025 INFO Proxy /SMTP
DLP cannot perform scan
SMTP cannot perform DLP Scan
Data Loss Prevention (DLP) is unable to scan because of the error specified in the log message.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39589 25 msg="ProxyLock: SMTP cannot perform DLP scan" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="scan request failed" filename="message.scr" (SMTP-proxy-00)
—
1BFF0026 INFO Proxy /SMTP
DLP cannot scan object
SMTP DLP object unscannable
Data Loss Prevention (DLP) is unable to extract data from an object because the object is encrypted.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39900 25 msg="ProxyAllow: SMTP DLP object unscannable" proxy_act="SMTP-Outgoing.1" dlp_sensor="PCI Audit Sensor.1" error="unscannable object (File was encrypted)" sender="[email protected]" recipients="wg@localhost" (SMTP-proxy-00)
—
1BFF0027 INFO Proxy /SMTP
DLP object too large
SMTP DLP object too large
The file requested for Data Loss Prevention (DLP) analysis is larger than the configured limit. The default value varies by platform, from one to five MB. The log specifies the DLP sensor name and error message.
May 30 06:36:45 2014 gary_xtmv local1.info smtp-proxy[2861]: msg_id="1BFF-0027" Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.3 50976 25 msg="ProxyAllow: SMTP DLP oject too large" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" error="DLP scan limit (524288) exceeded" filename="2M-dlp-violates-end.txt" (SMTP-proxy-00)
—
1BFF0028 INFO Proxy /SMTP
APT threat detected
SMTP APT detected
APT Blocker found the threat specified in the log message in an attached file.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39771 25 msg="ProxyAllow: SMTP APT detected" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="ecc59a46b439bdf63b058964e29ace0c" md5="ecc59a46b439bdf63b058964e29ace0c" task_uuid="b239bc669b534fcfa61bd78e156c9b19" threat_level="high" (SMTP-proxy-00)
—
1BFF002A INFO Proxy /SMTP
File submitted to APT analysis server
SMTP File submitted to APT analysis server
File submitted to APT analysis server for deep threat analysis. The analysis result will be notified when the analysis result is fetched from APT analysis server.
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File submitted to APT analysis server" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
—
1BFF002B INFO Proxy /SMTP
File reported safe from APT hash check
SMTP File reported safe from APT hash check
APT hash check did not report a threat from the object
Allow 1-Trusted 0-External tcp 10.0.1.2 100.100.100.11 39965 25 msg="ProxyAllow: SMTP File reported safe from APT hash check" proxy_act="SMTP-Outgoing.1" sender="[email protected]" recipients="wg@localhost" filename="regex2.dll" md5="547c43567ab8c08eb30f6c6bacb479a3" task_uuid="b8517202826a43fc93dba00f9e8c30ed" (SMTP-proxy-00)
—
1BFF002C INFO Proxy /SMTP
Protocol invalid
SMTP invalid TLS protocol
The SMTP proxy detected invalid TLS protocol.
Deny 1-Trusted 0-External tcp 10.0.1.2 192.168.53.143 41551 465 msg="ProxyDrop: SMTP invalid TLS protocol" proxy_act="SMTP-Outgoing.1" (SMTP-proxy-00)
—
2DFF0000 INFO Proxy /TCP-UDP
Request IP Request
TCP-UDP transaction log for the traffic that is configured to allow or deny.
Allow ppp0 0-External tcp 10.0.1.46 206.191.171.104 49391 80 msg="IP Request" proxy_act="TCP-UDP-Proxy.Standard.1" sent_bytes="72271" rcvd_bytes="72271" src_user="testuser@Firebox-DB" (TCP-UDP-proxy-00)
—
2DFF0001 INFO Proxy /TCP-UDP
IPS match IP IPS match
Intrusion Prevention Service (IPS) detected an intrusion threat in TCP-UDP proxy traffic. The log message specifies the action taken, signature ID, threat severity, signature name, and signature category.
Deny 0-External 1-Trusted udp 10.0.1.5 192.168.53.143 1025 80 msg="ProxyDrop: TCP-UDP IPS match" proxy_act="TCP-UDP-Proxy.1" signature_id="1110070" severity="4" signature_name="DOS Apache mod_ssl HTTPS Request DOS -1" signature_cat="Dos/DDoS" (TCP-UDP-proxy-00)
—
2DFF0004 INFO Proxy /TCP-UDP
Protocol IP protocol
The TCP-UDP proxy recognized the protocol. The log message specifies the action taken, and the rule name.
Allow 1-Trusted 0-External tcp 10.0.1.2 91.189.95.36 53246 80 msg="ProxyReplace: IP protocol" proxy_act="TCP-UDP-Proxy.1" rule_name="HTTP-Client.1" new_action="HTTP-Client.1" (TCP-UDP-proxy-00)
—
2DFF0005 INFO Proxy /TCP-UDP
Application match
IP App match
Application Control identified the application type from the TCP-UDP proxy traffic. The log message specifies the action taken, the application name and ID, the application category name and ID, and the application behavior and ID.
Allow 1-Trusted 0-External udp 10.0.1.3 4.2.2.1 63690 53 msg="ProxyAllow: IP App match" proxy_act="TCP-UDP-Proxy.1" app_cat_name="Network Management" app_cat_id="9" app_name="DNS" app_id="61" app_beh_name="access" app_beh_id="6" (TCP-UDP-proxy-00)
—
Management Log Messages
Management log messages are generated for activity on your Firebox. This includes when changes are made to the device configuration and Device Management user accounts, for user authentication to the Firebox, and actions related to LiveSecurity and system settings.
Diagnostic
Management log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
55010010 INFO Management/ System
USB drive format
USB drive format operation was successful
USB drive format operation was %s
USB drive format operation was %s
USB drive format ${result}
55010014 INFO Management/ System
Generate system diagnostic file failed
Generate system diagnostic file to USB drive failed
Generate system diagnostic file to %s failed
Generate system diagnostic file to %s failed
Generate system diagnostic file to ${device} failed
55010015 INFO Management/ System
Periodic support snapshot is enabled
System periodic support snapshot is enabled
System periodic support snapshot is enabled
System periodic support snapshot is enabled
–
55010017 INFO Management/ System
Generate system diagnostic successfully
Exported system diagnostic file to server successfully
Exported system diagnostic file to %s successfully
Exported system diagnostic file to %s successfully
Generate system diagnostic file to ${device} successfully
55010018 INFO Management/ System
Reset to the default configuration failed
Reset to the default configuration failed when the device was rebooted.
The default configuration settings were not restored after a system reset.
Reset to the default configuration failed when the device was rebooted.
–
5501000C INFO Management/ System
Device restore failed
Device auto restore from USB drive image failed due to USB drive not found
Device auto restore from a specific image in a USB drive disc or normal restore from a normal image failed
Device %s restore from %s image failed due to %s
Device ${restore_type} restore from ${image_source} image failed for ${reason}
5501000D INFO Management/ System
Creating USB auto restore image failed
Creation of USB auto restore image failed due to no USB drive
Creation of USB auto restore image failed due to %s
Creation of USB auto restore image failed due to %s
Creation of USB auto restore image failed: ${reason}
5501001B INFO Management/ System
System backup failed
System backup to USB drive failed due to write file to USB drive error
System backup %s%s failed due to %s.
System backup %s%s failed due to %s.
System backup ${dest device} failed: ${reason}
5501001C INFO Management/ System
USB auto restore failed reason
USB auto restore failed due to not detect the USB drive
USB auto restore failed due to %s
USB auto restore failed due to %s
USB auto restore failed for ${reason}
Event
Management log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
3E000002 INFO Management /Accounting
User login succeeded
Management user admin from 10.0.1.2 logged in
A user successfully logged in. The log message specifies the user type, user name, and IP address.
%s %s%s%s from %s logged in%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} logged in${virtual_ip} ${msg}
3E000003 WARN Management /Accounting
User login failed
Management user admin from 10.0.1.2 log in attempt was rejected.
A user log in attempt failed. The log message specifies the user type, user name, IP address, and the failure reason, if available.
%s %s%s%s from %s log in attempt was rejected%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} rejected${virtual_ip} ${msg}
3E000004 INFO Management /Accounting
User logout
Management user admin from 10.0.1.2 logged out
A user successfully logged out. The log message specifies the user type, user name, and IP address.
%s %s%s%s from %s logged out%s%s%s%s
${user_type}${user_name}${auth_server} from{ipaddr} logged out${virtual_ip} ${msg}
11000003 INFO Management /Authentication
Authentication server unavailable
Authentication server 192.168.1.1:389 is not responding
The external authentication server is not available.
Authentication server %s:%d is not responding
–
11000004 INFO Management /Authentication
User authentication succeeded
Authentication of firewall user [user1@Firebox-DB] from 198.51.100.2 was accepted
The user successfully authenticated. The log message specifies whether this is an administrative user, a firewall user, or another type of user.
Authentication of %s user [%s@%s] from %s was accepted
Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ipaddr} was accepted.
11000005 WARN Management /Authentication
User authentication failed
Authentication of MUVPN user [user1@Firebox-DB] from 198.51.100.2 was rejected, password is incorrect
User authentication failed. The log message specifies the reason.
Authentication of %s user [%s@%s] from %s was rejected, %s
Authentication of ${user_type} user [${user_name}@${auth_server}] from ${ip_addr} was rejected, ${reason}
11000006 INFO Management /Authentication
User unlock
User test is unlocked automatically
It indicates a user unlock and how he/she is unlocked
User %s is unlocked %s
User ${name} is unlocked ${how}
11000007 WARN Management /Authentication
user lock
User test is locked out briefly after 3 login failures
It indicates a user lockout and how and why he/she is locked out
User %s is locked out %s after %d login failures
User ${name} is locked out ${lockout_type} after ${failure_count} login failures
11000008 WARN Management /Authentication
BOVPN TLS client authentication failed
Authentication of BOVPN TLS client [EasternOffice] from 198.51.100.2 was rejected, pre-shared key is incorrect
BOVPN TLS client authentication failed. The log message specifies the reason.
Authentication of BOVPN TLS client [%s] from %s was rejected, %s
Authentication of BOVPN TLS client [${client_name}] from ${ip_addr} was rejected, ${reason}
11000010 INFO Management /Authentication
Fireboxconnected toSSO agent
Firebox connected to the SSO agent at10.0.1.25 successfully.
Firebox connected to the SSO agentsuccessfully
Firebox connected to theSSO agent at %ssuccessfully.
–
11000011 INFO Management / Authentication
Firebox closed the connection
Firebox closed the connection to the SSO agent at 10.0.1.25.
Firebox closed the connection to the SSO agent.
Firebox closed the connection to the SSO agent at %s.
–
11000012 INFO Management / Authentication
Firebox failed to connect to the SSO agent
Firebox failed to connect to the SSO agent at 10.0.1.25. Reason: timeout.
Firebox failed to connect to the SSO agent.
Firebox failed to connect to the SSO agent at %s. Reason: %s.
–
11000013 INFO Management / Authentication
Successful SSO agent failover
SSO Agent failover from 10.0.1.25 to 10.0.1.26 was successful.
Successful SSO agent failover.
SSO Agent failover from %s to %s was successful.
–
11000014 INFO Management / Authentication
Unsuccessful SSO failover
SSO agent failover from 10.0.1.25 to 10.0.1.26 failed. Reason: incompatible SSO agent version.
Unsuccessful SSO failover.
SSO agent failover from %s to %s failed. Reason: %s.
–
1100000C WARN Management / Authentication
Authentication error
Authentication error. Domain not found for user1.
Authentication failed. The log message specifies the reason.
Authentication error. %s for %s.
Authentication error. ${error} for ${user_name}.
1100000D WARN Management / Authentication
Authentication server unavailable
Authentication of user [[email protected]] failed. Both primary and secondary servers are unavailable.
Authentication failed because both the primary and secondary authentication servers are unavailable.
Authentication of user [%s@%s] failed. Both primary and secondary servers are unavailable.
–
1100000E WARN Management / Authentication
Unsupported RADIUS method
Authentication of firewall user [user1@RADIUS] failed. RADIUS authentication method MSCHAP_V1 is not supported.
Authentication failed because the specified RADIUS method is not supported.
Authentication of %s user [%s@%s] failed. RADIUS authentication method %s is not supported.
–
1100000F WARN Management / Authentication
Groups maximum reached
The maximum number of groups (31) has been reached
Authentication failed because the maximum number of groups has been reached.
The maximum number of groups (%d) has been reached
–
40010001 INFO Management / Certificate
CA certificate updated successfully
CA certificate updated successfully to version 1.3.
The CA certificate updated successfully to the specified new version.
CA certificate updated successfully to version %s.
CA certificate updated successfully to version ${new CA version number}.
40010002 ERROR Management / Certificate
CA certificate updated failed
CA certificate update failed. Current CA certificate version: 1.2.
CA certificate updated failed.
CA certificate update failed. Current CA certificate version: %s.
CA certificate update failed. Current CA certificate version: ${current CA version number}.
01010001 INFO Management / Configuration
Device configuration change
Management user admin@Firebox-DB from 10.139.36.22 {modified | added | deleted } Blocked Sites Exceptions
The device configuration has been changed.
Management user %s@%s from %s %s%s %s
Management user ${user}@${domain} from ${ipaddr}${operation}${subsystem}${object}
01010002 INFO Management / Configuration
Administrative accounts reset to default
Administrative accounts were reset to the default settings
The administrative accounts were returned to the default settings. This could be because the system is in safe mode, or because of a corrupted administrative account file.
Administrative accounts were reset to the default settings
–
01020001 INFO Management / Configuration
Feature key added
admin added feature key '883B25CCF32949EE'
An administrator added a feature key. The log message specifies the feature key ID.
%s added feature key '%s'
–
01020002 INFO Management / Configuration
Feature key removed
admin removed feature key '883B25CCF32949EE'
An administrator has removed a feature key. The log message specifies the feature key ID.
%s removed feature key '%s'
–
01020003 WARN Management / Configuration
Feature expired
'LIVESECURITY' feature expired. Contact WatchGuard to renew your subscription.
'%s' feature expired. Contact WatchGuard to renew your subscription.
–
01020005 INFO Management / Configuration
Feature expiration reminder
'LIVESECURITY' feature will expire in 90 days.
A feature will soon expire. The log message specifies the feature and the number of days until it expires.
'%s' feature will expire in %d days.
–
01040001 INFO Management / Configuration
Default device settings in use for safe mode
Device default configuration was loaded in safe mode
The device configuration was reset to the default settings because the device is in safe mode.
Device default configuration was loaded in safe mode
–
41000001 INFO Management / LiveSecurity
RapidDeploy succeeded
RapidDeploy package was applied successfully
The RapidDeploy package from the LiveSecurity service was successfully applied to the device.
RapidDeploy package was applied successfully
–
41000002 ERROR Management / LiveSecurity
RapidDeploy failed
RapidDeploy package was not applied: Cannot find result.xml
The RapidDeploy package was not applied to the device. The log message specifies the reason.
RapidDeploy package was not applied: %s
RapidDeploy failed: ${reason}
41000003 INFO Management / LiveSecurity
New RSS feed update succeeded
New RSS feed from LiveSecurity Service was updated
New RSS feed from the LiveSecurity Service was updated.
New RSS feed from LiveSecurity Service was updated
–
41000004 ERROR Management / LiveSecurity
New RSS feed update failed
New RSS feed from LiveSecurity Service was not updated: error retrieving response from server
New RSS feed from the LiveSecurity Service failed to update.
New RSS feed from LiveSecurity Service was not updated: %s
–
41000005 INFO Management / LiveSecurity
Feature key download succeeded
Feature key from LiveSecurity Service was received
The feature key for the device was successfully downloaded from the LiveSecurity Service.
Feature key from LiveSecurity Service was received
–
41000006 ERROR Management / LiveSecurity
Feature key download failed
Feature key from LiveSecurity Service was not received: error parsing response from LiveSecurity service
The feature key could not be downloaded from the LiveSecurity Service. The log message specifies the reason.
Feature key from LiveSecurity Service was not received: %s
–
41000007 INFO Management / LiveSecurity
Wireless country specification update succeeded
Wireless country specification was updated
The wireless country specification was successfully updated from the LiveSecurity service.
Wireless country specification was updated
–
41000008 ERROR Management / LiveSecurity
Wireless country specification update failed
Wireless country specification from LiveSecurity Service was not received: received error code <n> from LSS
The wireless country specification could not be downloaded from the LiveSecurity service. The log message specifies the failure reason and the number of retries.
Wireless country specification from LiveSecurity Service was not received: %s,(retry_count=%d)
–
41010001 INFO Management / LiveSecurity
RapidDeploy configuration from USB succeeded
RapidDeploy configuration from a USB drive was applied successfully
The RapidDeploy configuration was successfully applied from a USB drive.
RapidDeploy configuration from a USB drive was applied successfully
–
41010002 ERROR Management / LiveSecurity
RapidDeploy configuration from USB failed
RapidDeploy configuration from a USB drive was not applied: config line missing
The RapidDeploy configuration was not successfully applied from a USB drive. The log message specifies the reason.
RapidDeploy configuration from a USB drive was not applied: %s
–
3D040001 INFO Management / Logging
Primary Log Server connected
Connected to the primary Log Server at 198.51.100.0
The device successfully connected to the WatchGuard Log Server designated as the primary server.
Connected to the primary Log Server at %s
–
3D040002 INFO Management / Logging
Backup Log Server connected
Connected to the backup Log Server at 198.51.100.0
The device successfully connected to the WatchGuard Log Server designated as the backup server.
Connected to the backup Log Server at %s
–
15000000 INFO Management / Management Client
Device configuration update with audit trail
The configuration file and feature key for the device were successfully updated after a request from admin from the Management Server at 10.139.44.88. Revision: dummy_config_rev_id. Comments: update tcp segment.
The updated configuration file was successfully sent to the device from the specified Management Server. The log message indicates if the feature key was updated. The log message might also specify the revision ID and includes comments about the update.
The configuration file %s for the device %s successfully updated after a request from %s from the Management Server at %s.%s%s%s%s.
–
15000001 INFO Management / Management Client
Device configuration update
Device configuration file was successfully updated. Configuration file retrieved from the Management Server at 10.139.44.88.
The device retrieved an updated configuration file from the specified Management Server. The log message also indicates if device retrieved a feature key.
Device configuration file %s successfully updated. Configuration file retrieved from the Management Server at %s.
–
15010000 INFO Management / Management Client
IPSec certificate import
The IPSec certificate was successfully imported from the Management Server at 10.139.44.88.
The IPsec certificate was successfully imported from the specified Management Server.
The IPSec certificate was successfully imported from the Management Server at %s.
–
15010001 INFO Management / Management Client
Management Server CA certificate import
The Management Server CA certificate was successfully imported from the Management Server at 10.139.44.88.
The Management Server CA certificate was successfully imported from the specified Management Server.
The Management Server CA certificate was successfully imported from the Management Server at %s.
–
58000001 INFO Management / NTP
System time changed
System time changed to 2012-08-29 08:20:00 by NTP
The system time was changed by the NTP process.
System time changed to %s by NTP
–
55010000 INFO Management / System
Bootup time
System boot up at 2000-01-01 00:00:01
System boot up at %s
System boot up at %s
System boot up at ${time}
55010002 ERROR Management / System
LIVESECURITY feature not found
Valid 'LIVESECURITY' feature not found
Valid 'LIVESECURITY' feature not found
Valid 'LIVESECURITY' feature not found
55010003 ERROR Management / System
LIVESECURITY expired
'LIVESECURITY' feature expired (Tue May 14 12:25:00 2013) prior to package release date (Wed May 15 01:00:00 2013 )
'LIVESECURITY' feature expired (%s) prior to package release date (%s)
'LIVESECURITY' feature expired (%s) prior to package release date (%s)
'LIVESECURITY' feature expired (${expiration time}) prior to package release date (${package release time})
55010004 INFO Management / System
Shutdown
Shutdown requested by system
Shutdown requested by system
Shutdown requested by system
55010005 INFO Management / System
Reboot
System is rebooting
System is rebooting
System is rebooting
55010006 INFO Management / System
Upgrade succeeded
System upgrade to 11.9 successful, system needs to reboot
System upgrade to %s successful, %s
System upgrade to %s successful, %s
System upgrade to ${software version} successful ${box need reboot or not}
55010007 INFO Management / System
Automatic reboot
System is automatically rebooting at 12:09
System is automatically rebooting at %d:%d
System is automatically rebooting at %d:%d
System is automatically rebooting at ${hour}:${second}
55010008 INFO Management / System
Time change
System time changed from 2012-10-5 12:30:15 to 2012-10-6 14:10:00
System time changed from %s to %s
System time changed from %s to %s
System time changed from ${old value} to ${new value}
55010013 INFO Management / System
USB auto restore started
USB auto restore started
USB auto restore started
USB auto restore started
–
55010016 INFO Management / System
Feature expiration reminder
'LIVESECURITY' feature will expire on Sat., Jan 5, 11:27:23 CST 2013.
'LIVESECURITY' feature will expire on %s
'LIVESECURITY' feature will expire on %s
'LIVESECURITY' feature will expire on ${expiration time}
55010019 WARN Management / System
Configuration reset failed during a downgrade
During a system downgrade, the configuration reset failed
During a system downgrade, the configuration reset failed
During a system downgrade, the configuration reset failed
–
55010020 INFO Management / System
Backup succeeded
System backup succeeded
System backup succeeded
System backup succeeded
–
55010021 INFO Management / System
Device restore success
Device auto restore from USB drive succeeded
Device auto restore from a specific image in USB drive or normal restore from a normal image
Device %s restore from %s image succeeded
Device ${restore_type} restore from ${image_source} image succeeded
55010022 INFO Management / System
USB auto restore image created
USB auto restore image successfully created
USB auto restore image successfully created
USB auto restore image successfully created
–
5501000B INFO Management / System
Device restore
Device auto restore from USB drive image initiated, reboot needed
Device was restored from a saved backup image. The backup image was either auto restored from a USB drive or restored from another location.
Device %s restore from %s image initiated%s
Device ${restore_type} restore from ${image_source} image initiated${reboot_option}
5501001A WARN Management / System
Upgrade failed
System upgrade failed: 'LIVESECURITY' feature expired
System upgrade failed: %s
System upgrade failed: %s
System upgrade failed: ${reason}
5501001D INFO Management / System
Logo upload succeeded
Upload of logo succeeded
Upload of logo succeeded
Upload of logo succeeded
–
50000001 WARN Management / Web Service
User login failed (wgagent)
WSMUser status from 10.0.1.2 log in attempt was rejected - Invalid credentials.
A user log in attempt failed. The log message specifies the UI type, User Name, IP address, and (if available) the failure reason.
%s %s@%s from %s log in attempt was rejected -%s.
%{ui_type} ${user_name}@${auth_server} from ${ipaddr} log in attempt was rejected ${msg}.
FireCluster Log Messages
FireCluster log messages are for events related to your Fireboxes that are members of a FireCluster. This includes actions related to management of the FireCluster, operational errors of cluster members, events that occur on cluster members, and changes to the status of a cluster member.
Diagnostic
FireCluster log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format ID
3A000002 INFO Cluster / Event Monitoring
VRRP enabled
VRRP is now enabled for Cluster.
Virtual Router Redundancy Protocol (VRRP) is now enabled for this Active/Passive Cluster.
VRRP is now enabled for Cluster.
–
3A000004 INFO Cluster / Event Monitoring
VRRP start master
Virtual Router with cluster ID 1 started in master state.
VRRP started in master state.
Virtual Router with cluster ID %d started in master state.
Virtual Router with cluster ID ${value} started in master state.
3A000005 INFO Cluster / Event Monitoring
VR shutdown
Virtual Router with cluster ID 1 returned to initial state.
Virtual Router returned to initial state.
Virtual Router with cluster ID %d returned to initial state.
Virtual Router with cluster ID ${id} returned to initial state
3A000006 INFO Cluster / Event Monitoring
VR pause
Virtual Router with cluster ID 1 becomes backup on pause event
Virtual Router becomes backup due to a pause event.
Virtual Router with cluster ID %d becomes backup on pause event
Virtual Router with cluster ID ${id} becomes backup on pause event
3A000007 INFO Cluster / Event Monitoring
VR resume
Virtual Router with cluster ID 1 becomes master on resume event
Virtual Router becomes master due to a resume event.
Virtual Router with cluster ID %d becomes master on resume event
Virtual Router with cluster ID ${id} becomes master on resume event
3A000008 INFO Cluster / Event Monitoring
VR backup state
Virtual Router with cluster ID 1 state changed from master to backup
Virtual Router state changed from master to backup
Virtual Router with cluster ID %d state changed from master to backup
Virtual Router with cluster ID ${id} state changed from master to backup
3A00000A INFO Cluster / Event Monitoring
VR notification gap
Member 80B20002E5BCD Virtual Router with cluster ID 1 changed state to master due to 3 second notification gap from current master with IP 10.0.4.1
Member Virtual Router changed state to master due to notification gap from current master
Member %s Virtual Router with cluster ID %d changed state to master due to %d second notification gap from current master with IP %s
Member ${member} Virtual Router with cluster ID ${id} changed state to master due to ${value} second notification gap from current master with IP ${ip}
3A00000B INFO Cluster / Event Monitoring
VRRP master state
Virtual Router with cluster ID 1 state changed to master
Virtual Router state changed to master
Virtual Router with cluster ID %d state changed to master
Virtual Router with cluster ID ${id} state changed to master
3A00000C ERROR Cluster / Event Monitoring
VRRP initialization failed
Cluster VRRP initialization failed
Initialization of Virtual Router Redundancy Protocol (VRRP) failed.
Cluster VRRP initialization failed
–
38000002 ERROR Cluster / Management
DHCP overwrite
A DHCP server is interfering with static address assignment of cluster IP address 10.0.0.1 on eth0. Disable DHCP server access to eth5.
A DHCP server has attempted to assign an IP address to cluster member on the Cluster Interface. This log message recommends the admin isolate the Cluster interface network from the DHCP server, and specifies the interface number and IP address the cluster attempted to assign to the member.
A DHCP server is interfering with static address assignment of cluster IP address %s on eth%d. Disable DHCP server access to eth%d.
A DHCP server is interfering with static address assignment of cluster IP ${ip} on eth${port}. Please disable DHCP server access to eth${port}.
38000003 INFO Cluster / Management
Cluster interface up
Cluster interface eth5 is up.
Cluster interface link status changed to up.
Cluster interface %s is up.
Cluster interface ${ifname} is up.
38000004 WARN Cluster / Management
Cluster interface down
Cluster interface eth5 is down.
Cluster interface link status changed to down.
Cluster interface %s is down.
Cluster interface ${ifname} is down
38000264 WARN Cluster / Management
Time synchronization failure
Cluster time synchronization failed.
The cluster master's attempt to synchronize time to a cluster member failed
Cluster time synchronization failed.
–
3800025C INFO Cluster / Management
Configuration update
Cluster member 80B20002E5BCD received updated configuration; version 3.
Cluster member received an updated configuration from the master. The log message specifies the member serial number and configuration version number.
Cluster member %s received updated configuration; version %d.
Cluster member ${member} received updated configuration; version ${version}.
3B000001 INFO Cluster / Transport
Channel status change
Cluster channel from member 80B20002E5BCD to master is up
The cluster communication channel between the specified members changed state.
Cluster channel from member %s to master is %s.
Cluster channel from member ${member} to master is ${state}.
3B000002 INFO Cluster / Transport
Cluster interface down
Cluster interface eth5 is down.
The specified Cluster interface is down.
Cluster interface %s is down.
Cluster interface ${ifname} is down.
Event
FireCluster log messages of the Event log type.
ID Level Area Name Log Message Example Description Format ID
3A00000E INFO Cluster / Event Monitoring
VR enabled
Virtual Router with cluster ID 1 is now enabled
The Virtual Router representing the cluster is now enabled
Virtual Router with cluster ID %d is now enabled
Virtual Router with cluster ID ${id} is now enabled
3A00000F INFO Cluster / Event Monitoring
VR disabled
Virtual Router with cluster ID 1 is now disabled
The Virtual Router representing the cluster is now disabled
Virtual Router with cluster ID %d is now disabled
Virtual Router with cluster ID ${id} is now disabled
38000278 WARN Cluster / Management
Cluster disabled
Cluster disabled. Non-master member 80B20002E5BCD will be reset to factory-default settings.
The non-master member of the cluster will be reset to factory-default settings because FireCluster is disabled.
Cluster disabled. Non-master member %s will be reset to factory-default settings.
Cluster disabled. Non-master member %s will be reset to factory-default settings.
38000279 WARN Cluster / Management
Critical configuration change
Non-master member 80B20002E5BCD will be reset to factory-default settings due to a critical cluster configuration change.
The non-master member of the cluster will be reset to factory-default settings due to a critical configuration change. A configuration change is critical if it would cause the master and backup master to lose the TCP connection on the cluster interface.
Non-master member %s will be reset to factory-default settings due to a critical cluster configuration change.
Non-master member ${member} will be reset to factory default-settings due to a critical cluster configuration change.
38000280 ERROR Cluster / Management
Device discovery failed
Cluster master 80B20002E5BCD was unable to issue a device discovery message.
The cluster master was unable to issue a device discovery message.
Cluster master %s was unable to issue a device discovery message.
Cluster master ${master} was unable to issue a device discovery message.
38000282 INFO Cluster / Management
Member ready to join
Member 80B20002E5BCD is ready to join the cluster.
Local member has FireCluster enabled and is ready to join.
Member %s is ready to join the cluster.
Member ${member} is ready to join the cluster.
3800025A INFO Cluster / Management
Cluster enabled
Cluster enabled on member 80B20002E5BCD.
Cluster was enabled on the specified member.
Cluster enabled on member %s.
Cluster enabled on member ${member}.
3800025B INFO Cluster / Management
Cluster disabled on master
Cluster disabled on cluster master 80B20002E5BCD.
Cluster disabled on the cluster member while it was the cluster master.
Cluster disabled on cluster master %s.
Cluster disabled on cluster master ${master}.
3800027A WARN Cluster / Management
Non-master member removed
Non-master cluster member 80B20002E5BCD was removed from cluster, and will be reset to factory-default settings.
The non-master member of the Cluster will be reset to factory-default settings because it was removed from the cluster.
Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.
Non-master cluster member %s was removed from cluster, and will be reset to factory-default settings.
3800027E ERROR Cluster / Management
Factory-default reset failed
Failed to reset cluster member 80B20002E5BCD to factory-default settings.
Failed to reset to factory-default settings.
Failed to reset cluster member %s to factory-default settings.
Failed to reset member ${member} to factory-default settings.
39000003 WARN Cluster / Operations
Heartbeat lost
Master 80B20002E5BFE detected loss of heartbeat from member 80B20002E5BCD, cluster channel is up.
The specified Cluster failed to receive a heartbeat message.
Master %s detected loss of heartbeat from member %s, cluster channel is up.
Master ${master} detected loss of heartbeat from member ${member}, cluster channel is up.
39000005 INFO Cluster / Operations
Member promoted to master
Member 80B20002E5BCD is now master.
The specified member has become master.
Member %s is now master.
Member ${member} is now master.
39000007 ERROR Cluster / Operations
Failover due to WAI
Master 80B20002E5BCD failed over to member 80B20002E5BFE, which has a greater Weighted Average Index.
The master failed over to the specified member because that member has a higher health score than the master.
Master %s failed over to member %s, which has a greater Weighted Average Index.
Master ${master} failover to member ${member} with greater Weighted Average Index.
39000010 INFO Cluster / Operations
Member role change
Member 80B20002E5BCD changed role to master
The cluster member changed to the specified role.
Member %s changed role to %s.
Member ${member} role changed to ${role}.
39000011 INFO Cluster / Operations
Interface link status change
Monitored interface eth0 link is down.
Specified monitored interface link status changed, which will change the health index for the member.
Monitored interface %s link is %s.
Monitored interface ${ifname} link is ${state}.
39000012 INFO Cluster / Operations
New master
Member 80B20002E5BCD took over as master from member 80B20002E5BFE.
The specified member has taken over as master.
Member %s took over as master from member %s.
Member ${member} took over as master from member ${member}.
39000015 INFO Cluster / Operations
Failover initiated by administrator
Master 80B20002E5BCD initiated failover by administrator request.
The administrator has initiated a failover.
Master %s initiated failover by administrator request.
Master ${master} initiated failover by administrator request..
39000016 WARN Cluster / Operations
Cannot initiate failover
Cannot initiate failover from master 80B20002E5BCD to member 80B20002E5BFE due to higher Weighted Average Index on current master or backup master is unreachable.
The failover requested by administrator cannot proceed because the master has a higher health index, or the backup master is unreachable.
Cannot initiate failover from master %s to member %s due to higher Weighted Average Index on current master or backup master is unreachable.
Cannot initiate failover from master ${master} to member ${member} due to higher Weighted Average Index on current master or other member is unreachable.
39000019 ERROR Cluster / Operations
Failover due to interface state change
Cluster failover due to interface eth4 link down event.
A cluster failover event occurred due to a change of interface state.
Cluster failover due to interface %s link %s event.
Cluster failover due to interface ${ifname} link ${state} event.
39000058 INFO Cluster / Operations
Member Role Change
Cluster member 80B20002E5BCD changed role from idle to backup master
The role of the specified Cluster member changed.
Cluster member %s changed role from %s to %s.
Cluster member ${member} changed role from ${role} to ${role}.
3900000C ERROR Cluster / Operations
Synchronization failed
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE failed.
Full state synchronization from the master to the specified member failed. Member state will not change to Backup Master.
Full state synchronization from master %s to backup master %s failed.
Full state synchronization from master ${master} to backup master ${member} failed.
3900000D ERROR Cluster / Operations
Synchronization timeout
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE timed out.
Full state synchronization from the master to the specified member timed out. Member state will not change to Backup Master.
Full state synchronization from master %s to backup master %s timed out.
Full state synchronization from master ${master} to backup master ${member} timed out.
3900000E INFO Cluster / Operations
Synchronization successful
Full state synchronization from master 80B20002E5BCD to backup master 80B20002E5BFE completed successfully.
Full state synchronization to the specified member was successful. Member status changed to backup master.
Full state synchronization from master %s to backup master %s completed successfully.
Full state synchronization from master ${master} to backup master ${member} completed successfully
3900000F ERROR Cluster / Operations
Failover due to link-down
Master 80B20002E5BCD failed-over to member 80B20002E5BFE due to a link-down event on interface eth3.
Cluster failover due to a link failure on the current master, which now has a health index lower than the backup master. The log message specifies which interface has the link down.
Master %s failed-over to member %s due to a link-down event on interface %s.
Master ${master} failed-over to member ${member} due to a link-down event on interface ${ifname}.
Security Services Log Messages
Security Services log messages are generated for processes related to the Security Services configured on your Firebox. For the log messages from Security Services traffic and events, review the proxy log messages for the proxy policies where the Security Services are enabled. For more information, see Proxy Policy Log Messages on page 35.
Event
Security Services log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
1F000001 ERROR Security Services / Gateway Anti-Virus
Process failed to start
Cannot start ScanD
ScanD -- Process failed to start
Cannot start ScanD
–
1F010015 INFO Security Services / Gateway Anti-Virus
Ready for service
ScanD ready
ScanD -- Ready for service
ScanD ready
–
2E000005 ERROR Security Services / Signature Update
Process exiting
SIGD shutting down
SIGD -- Process exiting
SIGD shutting down
–
2E000006 ERROR Security Services / Signature Update
Process crashed
SIGD crashed
SIGD -- Process crashed
SIGD crashed
–
2E010017 WARN Security Services / Signature Update
License failed to load
Cannot load the license
SIGD -- License failed to load
Cannot load the license
–
2E010018 ERROR Security Services / Signature Update
Failed to start the signature update for the specified services
Cannot start the signature update for 'IPS'
SIGD -- Failed to start the signature update for the specified services
Cannot start the signature update for '%s'
–
2E010019 ERROR Security Services / Signature Update
Failed to check the available signature version on the server
Cannot complete the version check
SIGD -- Failed to check the available signature version on the server
Cannot complete the version check
–
2E01001A ERROR Security Services / Signature Update
Signature update process failed to start
Cannot start the signature update process
SIGD -- Signature update process failed to start
Cannot start the signature update process
–
2E01001B ERROR Security Services / Signature Update
Signature update process crashed
SIGD Worker crashed
SIGD -- Signature update process crashed
SIGD Worker crashed
–
2E020065 INFO Security Services / Signature Update
Signature update process started
Scheduled DLP update started
SIGD -- Signature update process started
%s %s update started
–
2E020066 INFO Security Services / Signature Update
Signature update process completed
Scheduled DLP update for version (4.94) completed
SIGD -- Signature update process completed
%s %s update for version (%s) completed
–
2E020067 ERROR Security Services / Signature Update
Signature update process for the specified version failed
Manual DLP update for version (4.94) failed (Valid feature key not available)
SIGD -- Signature update process for the specified version failed
%s %s update for version (%s) failed (%s)
–
2E020069 INFO Security Services / Signature Update
Device has the latest signature version for the specified service
Device already has the latest DLP signature version (4.94)
SIGD -- Device has the latest signature version for specified service
Device already has the latest %s signature version (%s)
–
23000001 ERROR Security Services / spamBlocker
Failed to start
Cannot start spamD
spamD -- Failed to start
Cannot start spamD
–
23000002 INFO Security Services / spamBlocker
Ready for service
spamD ready
spamD -- Ready for service
spamD ready
–
76000000 INFO Access Portal / Portal Wrapper
SAML certificate changes
Certificate for SAML is changed, please update SP certificate on IdP server.
The certificate used by SAML has changed and the admin needs to update this certificate on the IdP server.
Certificate for SAML is changed, please update SP certificate on IdP server.
VPN Log Messages
VPN log messages are generated for processes related to all the VPNs configured on your Firebox. This includes changes to the VPN configuration, tunnel status, and daemon activity.
Alarm
VPN log messages of the Alarm log type.
ID Level Area Name Log Message Example Description Format Message Variables
020B0001 INFO VPN / IPSEC
Tunnel status changed
BOVPN tunnel 'tunnel.2' local 172.16.12.81/255.255.255.255 remote 172.16.13.204/255.255.255.255 under gateway 'gateway.1' is down
The status of the IPSec tunnel changed to up or down.
%s tunnel '%s' local %s remote %s under gateway '%s' is %s
${tunnel_type} tunnel '${tunnel}' local ${local} remote ${remote} under gateway '${gateway}' is ${status}
Diagnostic
VPN log messages of the Debug (Diagnostic) log type.
ID Level Area Name Log Message Example Description Format Message Variables
02000001 ERROR VPN / IPSEC
Default certificate not found
The default IPSec certificate is not installed on the device
The IPSec tunnel could not be negotiated because the default IPSec certificate is not installed or is not valid.
The default IPSec certificate is not installed on the device
–
02000002 ERROR VPN / IPSEC
Failed to read certificate
Could not read [DSA | RSA] certificate with [n] ID
The IPSec tunnel could not be negotiated because the IPSec certificate is not valid.
Could not read %s certificate with %d ID
Could not read ${cert_type} certificate with ${id} ID
02020001 WARN VPN / IPSEC
IP address not available for Mobile VPN with IPSec user
Virtual IP address from 'abcd' address pool is not available for Mobile VPN with IPSec user 'Bob'
All virtual IP addresses allocated to this Mobile VPN with IPSec group are already assigned. New Mobile VPN with IPSec tunnels cannot be established unless existing tunnels are deleted.
Virtual IP address from '%s' address pool is not available for Mobile VPN with IPSec user '%s'
Virtual IP address from ${pool_name} address pool is not available for Mobile VPN with IPSec user ${user}
02030002 ERROR VPN / IPSEC
IKE Phase 1 expecting main mode
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Aggressive mode' exchange type. Expecting main mode.
IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting main mode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting main mode.
02030003 ERROR VPN / IPSEC
IKE Phase 1 expecting aggressive mode
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received 'Main mode' exchange type. Expecting aggressive mode.
IKE Phase 1 negotiation failed because of incorrect exchange type in proposal from remote gateway. The log message specifies the expected and received exchange type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received '%s' exchange type. Expecting aggressive mode.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received '${exchange_type}' exchange type. Expecting aggressive mode.
02030004 ERROR VPN / IPSEC
IKE Phase 1 DH group mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received DH group 2, expecting 14
IKE Phase 1 negotiation failed because of incorrect Diffie-Hellman group in proposal from remote gateway. The log message specifies the received and expected group number.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received DH group %d, expecting %d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received DH group ${received}, expecting ${expected}
02030005 ERROR VPN / IPSEC
IKE Phase 1 hash mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received hash SHA1, expecting MD5
IKE Phase 1 negotiation failed because of incorrect hash type in proposal from remote gateway. The log message specifies the received and expected hash type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received hash %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received hash ${received}, expecting ${expected}
02030006 ERROR VPN / IPSEC
IKE Phase 1 encryption mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received encryption 3DES, expecting AES
IKE Phase 1 negotiation failed because of incorrect encryption type in proposal from remote gateway. The log message specifies the received and expected encryption type.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received encryption %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received encryption ${received}, expecting ${expected}
02030007 ERROR VPN / IPSEC
IKE Phase 1 authentication method mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received authentication method PSK, expecting RSA certificate
IKE Phase 1 negotiation failed because of incorrect authentication method in proposal from remote gateway. The log message specifies the received and expected authentication methods.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received authentication method %s, expecting %s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received authentication method ${received}, expecting ${expected}
02030008 ERROR VPN / IPSEC
IKE Phase 1 AES key length mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received AES key length 128, expecting 256
IKE Phase 1 negotiation failed because of incorrect AES key length in proposal from remote gateway. The log message specifies the received and expected AES key length.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received AES key length %d, expecting %d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received AES key length ${received}, expecting ${expected}
02030009 ERROR VPN / IPSEC
IKE Phase 1 invalid first message
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid first message received by local gateway. The log message specifies the reason.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main/aggressive mode first message. Check VPN IKE diagnostic log messages for more information.
02030010 INFO VPN / IPSEC
IKE Phase 1 matching Main Mode policy not found
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Main mode matching policy not found
IKE Phase 1 negotiation failed because local gateway did not find a matching Aggressive mode policy.
IKE phase-1 negotiation from %s to %s failed. Reason=Main mode matching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Main mode matching policy not found
02030011 ERROR VPN / IPSEC
IKE Phase 1 remote gateway ID mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched ID setting
IKE Phase 1 negotiation failed because remote ID in gateway configuration did not match proposal from remote gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched ID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched ID setting
02030012 ERROR VPN / IPSEC
IKE Phase 1 pre-shared key authentication failure
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Pre-shared key authentication failure
IKE Phase 1 negotiation failed because pre-shared key in proposal did not match gateway configuration.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Pre-shared key authentication failure
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Pre-shared key authentication failure
02030013 INFO VPN / IPSEC
IKE Phase 1 negotiation failed
IKE phase-1 negotiation from 2.2.2.2:500 to 1.1.1.1:500 failed. Reason=Received invalid message
IKE Phase 1 negotiation failed because of the reason specified in the log
IKE phase-1 negotiation from %s:%d to %s:%d failed. Reason=%s
IKE phase-1 negotiation from ${src}:${sport} to ${dst}:${dport} failed- ${reason}
02030014 INFO VPN / IPSEC
Received informational error message
Received 'Invalid Exchange Type' message from 172.16.12.81:500 for 'gateway.1' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received the specified information or error message from remote gateway.
Received '%s' message from %s for '%s' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received '${info_msg}' message from ${peer_addr} for '${gw-ep}' gateway endpoint. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
02030015 ERROR VPN / IPSEC
IKE Phase 1 retry timeout
IKE phase-1 negotiation from 172.16.12.81:500 to 172.16.12.82:500 failed. Gateway-Endpoint='gateway.1' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
IKE Phase 1 negotiation failed because of no response from remote site.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
02030016 WARN VPN / IPSEC
Mobile user rejected - maximum user connections reached
Rejected MUVPN IPSec user from 2.2.2.2 because maximum allowed user connections has been reached. Maximum:50
Specified Mobile VPN with IPSec user connection rejected because the specified concurrent user connections limit has been reached. The log message specifies the concurrent user connections limit.
Rejected MUVPN IPSec user from %s because maximum allowed user connections has been reached. Maximum:%d
Rejected MUVPN IPSec user from ${peer_addr} because maximum allowed user connections has been reached. Maximum:${max_value}
02030017 ERROR VPN / IPSEC
CA certificate not available
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=No CA certificate available
IKE phase-1 negotiation failed because no Certificate Authority (CA) certificate is available.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030018 ERROR VPN / IPSEC
IKE Phase 1 peer certificate CA is not supported
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Peer certificate is not issued by known trusted CA
IKE Phase 1 negotiation failed because peer certificate is not issued by a known and trusted Certificate Authority (CA).
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030019 ERROR VPN / IPSEC
IKE Phase 1 received certificate with invalid CA name
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received certificate with invalid CA name
IKE Phase 1 negotiation failed because of invalid Certificate Authority (CA) name in certificate for remote gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=%s
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
02030020 ERROR VPN / IPSEC
IKE Phase 1 possible shared secret mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Message decryption failed due to possible shared secret mismatch
IKE Phase 1 negotiation failed because of possible shared key mismatch.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Message decryption failed due to possible shared secret mismatch
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Message decryption failed due to possible shared secret mismatch
02030021 WARN VPN / IPSEC
DPD R_U_THERE_ACK not received
Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send DPD R_U_THERE_ACK message. 2 retries left
Firebox or XTM device sent a DPD_R_U_THERE request to remote gateway, but did not receive DPD R_U_THERE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.
Remote gateway '%s' with IP %s did not send DPD R_U_THERE_ACK message. %d retries left
Remote gateway '${gw-ep}' with IP ${peer_addr} did not send DPD R_U_THERE_ACK message. ${n} retries left.
02030022 WARN VPN / IPSEC
DPD max failure
Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to DPD failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.
The Firebox or XTM device deleted a VPN tunnel because the remote gateway did not respond to DPD R_U_THERE requests.
Remote gateway '%s' with IP %s presumed dead due to DPD failure. %s
Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to DPD failure. ${action}
02030023 WARN VPN / IPSEC
Did not receive KEEP_ALIVE_ACK response
Remote gateway 'gateway.1' with IP 172.16.13.204:500 did not send KEEP_ALIVE_ACK message. 2 retries left.
Firebox or XTM device sent a KEEP_ALIVE request to remote gateway, but did not receive KEEP_ALIVE_ACK response. The log message specifies the number of retries before it will delete the VPN tunnel.
Remote gateway '%s' with IP %s did not send KEEP_ALIVE_ACK message. %d retries left.
Remote gateway '${gw-ep}' with IP ${peer_addr} did not send KEEP_ALIVE_ACK message. ${n} retries left.
02030024 WARN VPN / IPSEC
Deleted VPN tunnels due to keep-alive failure
Remote gateway 'gateway.1' with IP 172.16.13.204:500 presumed dead due to keep-alive negotiation failure. Deleted all tunnels that use this gateway. Check the connection between local and remote gateway endpoints.
Firebox or XTM device deleted one or more VPN tunnels because the remote gateway did not respond to keep-alive requests.
Remote gateway '%s' with IP %s presumed dead due to keep-alive negotiation failure. %s
Remote gateway '${gw-ep}' with IP ${peer_addr} presumed dead due to keep-alive negotiation failure. ${action}
02030025 INFO VPN / IPSEC
Received IKE message for unknown Phase 1 SA
Received IKE message from 172.16.13.204:500 for unknown P1 SA. Sending delete message to remote gateway 'gateway.1'.
Received IKE message for unknown P1 SA. Sending delete message to remote gateway
Received IKE message from %s for unknown P1 SA. Sending delete message to remote gateway '%s'.
Received IKE message from ${peer_addr} for unknown P1 SA. Sending delete message to remote gateway '${gateway}'.
02030026 ERROR VPN / IPSEC
DSS certificate ID mismatch
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Authentication failure due to mismatched DSS certificate ID setting
IKE Phase 1 negotiation failed because of mismatched DSS certificate ID setting.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Authentication failure due to mismatched DSS certificate ID setting
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Authentication failure due to mismatched DSS certificate ID setting
02030027 ERROR VPN / IPSEC
Failed to get ID information from certificate
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Failed to get ID information from certificate 20001
IKE phase-1 negotiation failed because failed to get ID information from certificate.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Failed to get ID information from certificate %d
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Failed to get ID information from certificate ${certificate_id}
02030028 INFO VPN / IPSEC
IKE Phase 1 message received on wrong interface
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Reason=Received IKE message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.
IKE Phase 1 negotiation failed because the IKE message from the peer was received on the wrong interface.
IKE phase-1 negotiation from %s to %s failed. Reason=Received IKE message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Received IKE message on wrong interface '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'
02030029 ERROR VPN / IPSEC
IKE Phase 1 invalid aggressive mode ID
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received ID did not match with configured aggressive mode ID.
IKE Phase 1 negotiation failed because received ID did not match with configured ID on local gateway. Check aggressive mode ID information in gateway endpoint configuration on both local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received ID did not match with configured aggressive mode ID.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received ID did not match with configured aggressive mode ID.
02050002 ERROR VPN / IPSEC
IKE Phase 2 PFS mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal without PFS, Expecting PFS enabled
The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal without PFS, Expecting PFS enabled
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal without PFS, Expecting PFS enabled
02050003 ERROR VPN / IPSEC
IKE Phase-2 proposal type mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received protocol 'AH'. Expecting 'ESP' in phase-2 proposal.
The IPSec tunnel negotiation failed because the proposal did not match the Phase 2 configuration. The log message specifies the received and expected proposals.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received protocol '%s'. Expecting '%s' in phase-2 proposal.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received protocol '${received_proto}'. Expecting '${expected_proto}' in phase-2 proposal.
02050004 ERROR VPN / IPSEC
IKE Phase 2 AH authentication method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AH authentication MD5, expecting SHA1
The IPSec tunnel negotiation failed because the proposed AH authentication method did not match the Phase 2 configuration. The log message specifies the received and expected AH authentication method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AH authentication %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AH authentication ${received}, expecting ${expected}
02050005 ERROR VPN / IPSEC
IKE Phase 2 ESP encryption method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP encryption DES, expecting AES
The IPSec tunnel negotiation failed because the proposed ESP encryption method did not match the Phase 2 configuration. The log message specifies the received and expected ESP encryption method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP encryption %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP encryption ${received}, expecting ${expected}
02050006 ERROR VPN / IPSEC
IKE Phase 2 PFS DH group mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received PFS DH group 2, expecting 5
The IPSec tunnel negotiation failed because the proposed Perfect Forward Secrecy Diffie-Hellman (PFS DH) group number did not match the Phase 2 configuration. The log message specifies the received and expected PFS DH group numbers.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received PFS DH group %d, expecting %d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received PFS DH group ${received}, expecting ${expected}
02050007 ERROR VPN / IPSEC
IKE Phase 2 ESP authentication method mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received ESP authentication MD5-HMAC, expecting SHA1-HMAC
The IPSec tunnel negotiation failed because the proposed ESP authentication method did not match the Phase 2 configuration. The log message specifies the received and expected ESP authentication method.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received ESP authentication %s, expecting %s
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received ESP authentication ${received}, expecting ${expected}
02050008 ERROR VPN / IPSEC
IKE Phase 2 AES key length mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received AES key length 128, expecting 256
The IPSec tunnel negotiation failed because the proposed AES encryption key length did not match the Phase 2 configuration. The log message specifies the received and expected AES key length.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received AES key length %d, expecting %d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received AES key length ${received}, expecting ${expected}
02050010 INFO VPN / IPSEC
Received quick mode informational error message
Received 'No Proposal Chosen' message from 172.16.12.81:500 for 'tunnel.1' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Remote gateway sent an information error message in response to VPN tunnel proposal.
Received '%s' message from %s for '%s' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
Received '${info_msg}' message from ${peer_addr} for '${tunnel}' tunnel. Check VPN IKE diagnostic log messages on the remote gateway endpoint for more information.
02050011 INFO VPN / IPSEC
Dropped simultaneous Phase 2 negotiation
Dropped a simultaneous phase-2 negotiation from the peer 172.16.13.204:500
Firebox or XTM device dropped phase-2 negotiation because of another Phase 2 negotiation in progress.
Dropped a simultaneous phase-2 negotiation from the peer %s
Dropped a simultaneous IPSec negotiation from the peer ${peer_addr}
02060001 WARN VPN / IPSEC
Received XAuth fail notification
Received XAuth failed notification from 172.16.24.1:4500. Group:'ToFirebox_mu'
Received notification that Extended Authentication (XAuth) failed. Aborting XAuth negotiation.
Received XAuth failed notification from %s. Group:'%s'
Received XAuth failed notification from ${peer_addr}. Group:'${gateway}'
02060002 WARN VPN / IPSEC
Rejected PSK authentication, Expect client XAUTH enabled.
Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting client XAUTH enabled.
Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects client Extended Authentication (XAuth) enabled.
Rejected phase-1 authentication method %s from %s, expecting client XAUTH enabled.
Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting client XAUTH enabled.
02060003 WARN VPN / IPSEC
Rejected PSK authentication, Expect server XAUTH enabled.
Rejected phase-1 authentication method PSK from 172.16.24.1:4500, expecting server XAUTH enabled.
Rejected proposed Phase 1 authentication method because Firebox or XTM Device expects server Extended Authentication (XAuth) enabled.
Rejected phase-1 authentication method %s from %s, expecting server XAUTH enabled.
Rejected phase 1 authentication method ${auth_method} from ${peer_addr}, expecting server XAUTH enabled.
02060004 WARN VPN / IPSEC
XAuth negotiation failed due to mismatched mode
XAuth negotiation from 172.16.24.1:4500 failed due to a mismatched XAuth Mode.
Mobile VPN with IPSec Extended Authentication (XAuth) negotiation failed because of mismatched authentication mode.
XAuth negotiation from %s failed due to a mismatched XAuth Mode.
XAuth negotiation from ${peer_addr} failed due to a mismatched XAuth Mode
02060005 WARN VPN / IPSEC
Mobile VPN with IPSec authentication failed because of unresponsive peer
MUVPN user authentication failed due to unresponsive peer at 172.16.24.1:4500
Mobile VPN with IPSec user authentication failed because the peer did not respond.
MUVPN user authentication failed due to unresponsive peer at %s
MUVPN user authentication failed due to unresponsive peer at %s
02060006 INFO VPN / IPSEC
Mobile VPN with IPSec user connected with no group
MUVPN user 'user.1' is authenticated without group information.
Specified Mobile VPN with IPSec user successfully authenticated, but is not a member of any group.
MUVPN user '%s' is authenticated without group information.
MUVPN user '${user_name}' is authenticated without group information
02060007 INFO VPN / IPSEC
Mobile user group information
MUVPN user 'user.1' is a member of 'muvpn' group.
Specified Mobile VPN with IPSec user belongs to the specified group.
MUVPN user '%s' is a member of '%s' group.
MUVPN user '${user_name}' is a member of '${group_name}' group.
02080001 INFO VPN / IPSEC
IKE phase-1 negotiated successful
BOVPN phase-1 main-mode completed successfully as initiator for 'gateway.1' gateway endpoint. local-gw:172.16.12.81:500 remote-gw:172.16.13.204:500 SA ID:0x9d5e7809
IKE phase-1 negotiation was successfully completed.
%s phase-1 %s completed successfully as %s for '%s' gateway endpoint. local-gw:%s:%d remote-gw:%s:%d SA ID:0x%08x
${tunnel_type} phase-1 ${nego_mode} completed successfully as ${nego_role} for '${gateway}' gateway endpoint. local-gw:${src}:${sport} remote-gw:${dst}:${dport} SA ID:${p1said}
0203000A ERROR VPN / IPSEC
IKE Phase 1 invalid Main Mode second message
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid second message received by local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode second message. Check VPN IKE diagnostic log messages for more information.
0203000B ERROR VPN / IPSEC
IKE Phase 1 invalid Main Mode Key Exchange payload
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because local gateway received invalid Main Mode Key Exchange (KE) payload
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode KE payload. Check VPN IKE diagnostic log messages for more information.
0203000C ERROR VPN / IPSEC
IKE Phase 1 invalid main mode ID
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid Main Mode ID payload received by local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information.
0203000D ERROR VPN / IPSEC
IKE Phase 1 invalid aggressive mode hash
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because invalid aggressive mode hash payload received by specified local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode hash payload. Check VPN IKE diagnostic log messages for more information.
0203000E ERROR VPN / IPSEC
IKE Phase 1 invalid Aggressive mode SA payload
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
IKE Phase 1 negotiation failed because of invalid Aggressive mode security association (SA) payload received by specified local gateway.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received invalid aggressive mode SA payload. Check VPN IKE diagnostic log messages for more information.
0203000F INFO VPN / IPSEC
IKE Phase 1 matching aggressive mode policy not found
IKE phase-1 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Aggressive mode matching policy not found
IKE Phase 1 negotiation failed because local gateway did not find a matching aggressive mode policy.
IKE phase-1 negotiation from %s to %s failed. Reason=Aggressive mode matching policy not found
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Reason=Aggressive mode matching policy not found
0203002A ERROR VPN / IPSEC
IKE Phase 1 IKE version mismatch
IKE phase-1 negotiation from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received IKE version did not match the configured IKE version.
IKE Phase 1 negotiation failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both the local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received IKE version did not match the configured IKE version.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received IKE version did not match the configured IKE version.
0203002B ERROR VPN / IPSEC
IKE Phase 1 message received on wrong interface IP
IKE phase-1 negotiation from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1' Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKE Phase 1 negotiation failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKE phase-1 negotiation from %s to %s failed. Gateway-Endpoint='%s' Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKE phase-1 negotiation from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
0205000A ERROR VPN / IPSEC
IKE Phase 2 tunnel route mismatch
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway='gateway.1' Reason=No matching tunnel route for peer proposed local:192.168.81.0/24 remote:192.168.82.0/28
The IPSec tunnel negotiation failed because the proposed tunnel routes did not match the tunnel configuration. The log message specifies the received and expected tunnel routes.
IKE phase-2 negotiation from %s to %s failed. Gateway='%s' Reason=No matching tunnel route for peer proposed local:%s/%d remote:%s/%d
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Gateway='${gateway}' Reason=No matching tunnel route for peer proposed local:${tr_local} remote:${tr_remote}
0205000B ERROR VPN / IPSEC
IKE Phase 2 message retry timeout
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
The IPSec tunnel negotiation failed because an expected response was not received before the message retry timeout.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout. Check VPN IKE diagnostic log messages for more information.
0205000C ERROR VPN / IPSEC
IKE Phase 2 message retry timeout because Phase 1 SA expired
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message retry timeout because phase-1 SA expired
The IPSec tunnel negotiation failed because the Phase 1 Security Association (SA) expired.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message retry timeout because phase-1 SA expired
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message retry timeout because phase-1 SA expired
0205000D ERROR VPN / IPSEC
IKE Phase 2 PFS not enabled
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Received proposal with PFS. PFS not enabled.
The IPSec tunnel negotiation failed because the Perfect Forward Secrecy (PFS) value did not match the Phase 2 configuration.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Received proposal with PFS. PFS not enabled.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Received proposal with PFS. PFS not enabled.
0205000E ERROR VPN / IPSEC
IKE Phase 2 wait timeout
IKE phase-2 negotiation from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
The IPSec tunnel negotiation failed because an expected response was not received before the expected time.
IKE phase-2 negotiation from %s to %s failed. Tunnel='%s' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
IKE phase-2 negotiation from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}' Reason=Message was not received in expected time. Check the connection between local and remote gateway endpoints.
0205000F WARN VPN / IPSEC
Rejected Phase 2 negotiation due to incorrect gateway
Rejected phase-2 negotiation from 172.16.12.82:500 because 'gateway.1*1' is not the preferred IKE gateway endpoint.
Rejected Phase 2 negotiation because the proposal did not use the preferred IKE gateway endpoint.
Rejected phase-2 negotiation from %s because '%s' is not the preferred IKE gateway endpoint.
Rejected quick mode negotiation from ${peer_addr} because '${gw-ep}' is not the preferred IKE gateway endpoint.
021A0001 ERROR VPN / IPSEC
Dropped received IKEv2 message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=message has invalid initiator SPI (all zeros)
Dropped received invalid IKEv2 message.
Dropped IKEv2 %s message from %s. Reason=%s
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=${reason}
021A0002 ERROR VPN / IPSEC
IKE SA not found to handle IKE_SA_INIT_R message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason=IKE SA not found to handle message with message ID 0x0.
IKE SA was not found to handle the received IKE_SA_INIT_R message.
Dropped IKEv2 %s message from %s. Reason=IKE SA not found to handle message with message ID 0x%x.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason=IKE SA not found to handle message with message ID ${recvd_message_id}.
021A0003 ERROR VPN / IPSEC
Gateway endpoint not found to handle IKE_SA_INIT_R message
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Reason='gateway.1' gateway endpoint not found to handle message with message ID 0x0.
Gateway endpoint was not found to handle the received IKE_SA_INIT_R message
Dropped IKEv2 %s message from %s. Reason='%s' gateway endpoint not found to handle message with message ID 0x%x.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Reason='${gw-ep}' gateway endpoint not found to handle IKE_SA_INIT message with message ID ${recvd_message_id}.
021A0004 INFO VPN / IPSEC
IKEv2 IKE SA is in deleting state
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=IKE SA is in DELETING state.
Received IKEv2 message was ignored because the corresponding IKE SA to handle the message was in DELETING state.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=IKE SA is in %s state.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=IKE SA is in ${ikev2_ikesa_state} state.
021A0005 ERROR VPN / IPSEC
Invalid message ID in IKEv2 exchange
Dropped IKEv2 IKE_SA_INIT message from 172.16.12.82:500. Gateway-Endpoint='gateway.1'. Reason=Invalid message ID in request message.
Received IKEv2 message was dropped because it has invalid message ID.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Invalid message ID in %s message.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}'. Reason=Invalid message ID in ${req_or_resp} message.
021A0006 ERROR VPN / IPSEC
IKEv2 gateway endpoint was not found to handle the received message
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Reason=Matching gateway endpoint not found.
IKEv2 gateway endpoint was not found to handle the received message.
IKEv2 %s exchange from %s to %s failed. Reason=Matching gateway endpoint not found.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Matching gateway endpoint not found.
021A0007 ERROR VPN / IPSEC
IKEv2 gateway endpoint version not matched
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE version did not match the configured IKE version.
IKEv2 message exchange failed because the received IKE version did not match the IKE version configured on the local gateway. Check the IKE version in the gateway endpoint configuration on both local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received IKE version did not match the configured IKE version.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received IKE version did not match the configured IKE version.
021A0008 ERROR VPN / IPSEC
IKEv2 gateway endpoint is disabled
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=gateway endpoint is disabled.
The IKEv2 gateway endpoint is disabled. It cannot be used in tunnel negotiation.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=gateway endpoint is disabled.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=gateway endpoint is disabled.
021A0009 ERROR VPN / IPSEC
IKEv2 gateway ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Gateway endpoint with matching ID was not found.
IKEv2 IKE_AUTH negotiation failed because the remote ID configured in the gateway endpoint did not match proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Gateway endpoint with matching ID was not found.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Gateway endpoint with matching ID was not found.
021A000A ERROR VPN / IPSEC
IKEv2 IKE_SA_INIT message received on wrong interface
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message on wrong interface 'eth0'(index:3). Expecting it to be received on 'eth6'.
IKEv2 IKE_SA_INIT negotiation failed because IKE message from peer was received on the wrong interface.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message on wrong interface '%s'(index:%d). Expecting it to be received on '%s'.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received message on wrong interface. '${received_if}'(index:${received_ifindex}). Expecting it to be received on '${expected_if}'.
021A000B ERROR VPN / IPSEC
IKEv2 remote gateway endpoint ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured remote gateway endpoint ID.
IKEv2 IKE_AUTH negotiation failed because the remote ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured remote gateway endpoint ID.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured remote gateway endpoint ID.
021A000C ERROR VPN / IPSEC
IKEv2 local gateway endpoint ID mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received ID did not match the configured local gateway endpoint ID.
IKEv2 IKE_AUTH negotiation failed because the local ID in the gateway endpoint configuration did not match the proposed ID received from the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received ID did not match the configured local gateway endpoint ID.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ID did not match the configured local gateway endpoint ID.
021A000D ERROR VPN / IPSEC
Received IKEv2 message does not have expected payloads
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received IKE_AUTH response message does not have the expected payloads.
IKEv2 message exchange failed because the received message from the peer does not have the expected payloads
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message does not have the expected payloads.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${msg_info} message does not have the expected payloads.
021A000E ERROR VPN / IPSEC
IKEv2 IKE proposal mismatch
IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=IKE proposal did not match. Received encryption 3DES, expected AES.
The IKEv2 message exchange failed because the IKE proposal in the received message did not match the expected proposal.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${msg_info}
021A000F ERROR VPN / IPSEC
IKEv2 KE DH-Group mismatch
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the IKE_SA_INIT response proposal.
IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.
021A0010 ERROR VPN / IPSEC
IKEv2 IPSec KE DH-Group mismatch
IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=DH-Group 14 in the KE payload does not match DH-Group 5 selected in the CREATE_CHILD_SA request proposal.
IKEv2 message exchange failed because the DH group in the received Key Exchange (KE) payload does not match the DH-Group in the selected proposal.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=DH-Group %d in the KE payload does not match DH-Group %d selected in the %s proposal.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=DH-Group ${recvd_dh_group} in the KE payload does not match the DH-Group ${selected_dh_group} selected in the ${msg_info} proposal.
021A0011 ERROR VPN / IPSEC
Received unacceptable traffic selector during first CHILD SA negotiation.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received unacceptable traffic selector in IKE_AUTH request.
IKEv2 first CHILD SA creation failed because the peer sent an unacceptable traffic selector.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received unacceptable traffic selector in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received unacceptable traffic selector in ${msg_info}.
021A0012 ERROR VPN / IPSEC
IKEv2 peer authentication method mismatch.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received authentication method PSK, expecting RSA certificate.
IKEv2 tunnel negotiation failed because the incorrect authentication method was proposed by the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received authentication method %s, expecting %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Received authentication method ${received}, expecting ${expected}.
021A0013 ERROR VPN / IPSEC
IKEv2 peer authentication failed
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint RSA certificate authentication failed.
IKEv2 tunnel negotiation failed because the local gateway could not authenticate the remote gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint %s authentication failed.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint ${auth_method} authentication failed.
021A0014 ERROR VPN / IPSEC
IKEv2 PSK mismatch
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
IKEv2 tunnel negotiation failed because of possible PSK mismatch.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Reason=Remote gateway endpoint authentication failed due to a possible shared secret mismatch.
021A0015 ERROR VPN / IPSEC
Received IKEv2 IKE_SA_INIT notification error message.
IKEv2 IKE_SA_INIT exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.
IKEv2 IKE_SA_INIT negotiation failed because the peer sent a notification error message.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received %s message.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=Received ${notify_msg} message.
021A0016 ERROR VPN / IPSEC
Received IKEv2 CREATE_CHILD_SA/IKE_AUTH notification error message.
IKEv2 IKE_AUTH exchange from 10.139.36.185:500 to 10.139.36.195:500 failed. Tunnel='tunnel.1'. Reason=Received N(NO_PROPOSAL_CHOSEN) message.
IKEv2 CREATE_CHILD_SA/IKE_AUTH negotiation failed because peer sent a notification error message.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Received %s message.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel_name}'. Reason=Received ${notify_msg} message.
021A0017 INFO VPN / IPSEC
IKEv2 IKE SA established
IKEv2 IKE SA established successfully as initiator for 'gateway.1' gateway endpoint. local-gw:10.139.36.185:500 remote-gw:10.139.36.195:500 SA ID:0xbc2188a5.
IKEv2 IKE SA is established because IKE_AUTH negotiation is finished or IKE SA is rekeyed.
IKEv2 IKE SA established successfully as %s for '%s' gateway endpoint. local-gw:%s remote-gw:%s SA ID:0x%08x.
IKEv2 IKE SA established successfully as ${exchange_role} for '${gw-ep}' gateway endpoint. local-gw:${local_addr} remote-gw:${peer_addr} SA ID:${sa_id}.
021A0018 ERROR VPN / IPSEC
IKEv2 tunnel proposal mismatch.
IKEv2 CREATE_CHILD_SA exchange from 198.51.100.2:500 to 203.0.113.2:500 failed. Tunnel='tunnel.1'. Reason=IPSec proposal did not match. Received encryption 3DES, expected AES.
The IKEv2 message exchange failed because the IPSec proposal in the received message did not match the expected proposal.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=%s
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=${msg_info}
021A0019 ERROR VPN / IPSEC
Received invalid SPI during first CHILD SA negotiation.
IKEv2 IKE_AUTH exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Peer proposed invalid SPI in IKE_AUTH request.
IKEv2 first CHILD SA creation failed because the peer sent an invalid SPI.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Peer proposed invalid SPI in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Peer proposed invalid SPI in ${msg_info}.
021A001A ERROR VPN / IPSEC
Received invalid SPI during IKEv2 IPSec SA rekey
IKEv2 CREATE_CHILD_SA exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Tunnel='tunnel.1'. Reason=Could not find child SA by received SPI 0xbaba1509 in CREATE_CHILD_SA(REKEY[CHILD SA]) request.
IKEv2 IPSec SA rekey failed because the peer sent an invalid SPI.
IKEv2 %s exchange from %s to %s failed. Tunnel='%s'. Reason=Could not find child SA by received SPI %0x in %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Tunnel='${tunnel}'. Reason=Could not find child SA by received SPI ${spi} in ${msg_info}.
021A001B ERROR VPN / IPSEC
No response from remote gateway
IKEv2 exchange from 172.16.12.82:500 to 172.16.12.81:500 failed. Gateway-Endpoint='gateway.1'. Reason=No response for IKE_AUTH request message. Check the connection between the local and remote gateway endpoints.
IKEv2 connection was terminated because there was no response from the remote site.
IKEv2 exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=No response for %s message. Check the connection between the local and remote gateway endpoints.
IKEv2 exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}'. Reason=No response for ${msg_info} message. Check the connection between the local and remote gateway endpoints.
021A001C INFO VPN / IPSEC
IKEv2 IKE SA is waiting for the user authentication result
Dropped IKEv2 IKE_AUTH message from 198.51.100.2:4500. Gateway-Endpoint='ikev2_mobileuser'. Reason=Waiting for the EAP_MSCHAPv2 user authentication result.
The Firebox ignored an IKEv2 message because the corresponding IKE SA is waiting for the user authentication result from the authentication module.
Dropped IKEv2 %s message from %s. Gateway-Endpoint='%s'. Reason=Waiting for the %s user authentication result.
Dropped IKEv2 ${exchange_type} message from ${peer_addr}. Gateway-Endpoint='${gw-ep}' Reason=Waiting for the ${user-auth-protocol} user authentication result.
021A001D ERROR VPN / IPSEC
IKEv2 gateway ID mismatch
IKEv2 IKE_AUTH exchange from 198.51.100.2 to 203.0.113.2:500 failed. Gateway-Endpoint='ikev2_mobileuser'. Reason=The Mobile VPN with IKEv2 profile is not enabled.
IKEv2 IKE_AUTH negotiation failed because Mobile VPN for IKEv2 is not enabled on this gateway.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=The Mobile VPN with IKEv2 profile is not enabled.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Mobile VPN with IKEv2 profile is not enabled.
021A001E ERROR VPN / IPSEC
IKEv2 received invalid EAP information
IKEv2 IKE_AUTH EAP exchange from 198.51.100.2:4500 to 203.0.113.2:4500 failed. Gateway-Endpoint='WG IKEv2 MVPN'. Reason='example' authentication domain is not configured.
IKEv2 IKE_AUTH EAP negotiation failed because IKEv2 Mobile VPN client sent invalid information.
IKEv2 %s EAP exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=%s
IKEv2 ${exchange_type} EAP exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=${reason}
021A001F ERROR VPN / IPSEC
IKEv2 IKE_SA_INIT message received on wrong interface IP
IKEv2 IKE_SA_INIT exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='gateway.1'. Reason=Received message with wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with the wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
021A0020 ERROR VPN / IPSEC
IKEv2 IKE_AUTH message received on wrong interface IP
IKEv2 IKE_AUTH exchange from 198.51.100.2:500 to 192.0.2.2:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 192.0.2.2. Expecting peer to use remote gateway endpoint IP address 203.0.113.2.
IKEv2 message exchange failed because IKE message from the peer was received on the wrong interface IP address. Check the local and remote gateway IP address in the gateway endpoint configuration on both the local and remote gateways.
IKEv2 %s exchange from %s to %s failed. Gateway-Endpoint='%s'. Reason=Received message with wrong interface IP address %s. Expecting peer to use remote gateway endpoint IP address %s.
IKEv2 ${exchange_type} exchange from ${local_addr} to ${peer_addr} failed. Gateway-Endpoint='${gw-ep}' Reason=Received message with wrong interface IP address ${received_ip}. Expecting peer to use remote gateway endpoint IP address ${expected_ip}.
5B010004 INFO VPN / L2TP
Update user session
Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
Mobile VPN with L2TP updated the session for the specified user. The log message specifies the assigned virtual IP address.
Updated Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.
–
5B010005 INFO VPN / L2TP
Delete user session
Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
Deleted a Mobile VPN with L2TP session with the specified virtual IP address.
Deleted Mobile VPN with L2TP session for user '%s\%s', virtual IP address '%s'.
–
25000000 INFO VPN / SSLVPN
User login
Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 192.51.100.2.
A user logged in to VPN with SSL. The log message specifies the VPN user type, and the user's name, virtual IP address, and real IP address.
%s %s logged in. Virtual IP address is %s. Real IP address is %s.
${vpn_user_type} ${user_name} logged in. Virtual IP address is ${virtual_ipaddr}. Real IP address is ${real_ipaddr}.
25000001 INFO VPN / SSLVPN
User log off
Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.
The VPN with SSL user with the specified virtual IP address logged out.
%s %s logged off. Virtual IP address is %s.
${vpn_user_type} ${user_name} logged off. Virtual IP address was ${virtual_ipaddr}.
Event
VPN log messages of the Event log type.
ID Level Area Name Description Example Format Message Variables
02010001 INFO VPN / IPSEC
IKE process starts
The IPSec IKE process started.
WatchGuard iked v11.6.B341909 (C) 1996-2012 WatchGuard Technologies Inc. starts at Wed Jun 30 21:49:08 2012
WatchGuard iked v%s %s starts at %s
–
02010002 INFO VPN / IPSEC
Configuration update started
An IPSec configuration update started.
Started processing a configuration setting
Started to process a configuration setting
–
02010003 INFO VPN / IPSEC
Configuration update completed
An IPSec configuration update was successfully completed.
A configuration setting has been processed successfully
A configuration setting has been processed successfully
–
02010004 WARN VPN / IPSEC
Device not activated
The device is not activated. IPSec tunnels cannot be established.
WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!
WARNING! Tunnel negotiation is NOT allowed because the local box is not activated yet(no "LIVESECURITY" feature key is found)!!
–
02070001 INFO VPN / IPSEC
Tunnel established or re-keyed
The IPSec tunnel was established or re-keyed successfully. The log message includes the security association identifiers.
'gateway.1' BOVPN IPSec tunnel is established. local:192.168.81.0/28 remote:192.168.25.0/28 in-SA:0x445e72b7 out-SA:0x5f9f256f role:responder
'%s' %s IPSec tunnel is %s. local:%s remote:%s in-SA:0x%08x out-SA:0x%08x role:%s
${gateway} ${tunnel_type} IPSec tunnel is ${action}. local:${local} remote:${remote} in-spi:${in_spi} out-spi:${out_spi} role:${nego_role}
02090001 WARN VPN / IPSEC
BOVPN tunnel limit reached
The maximum allowed number of BOVPN tunnel routes have been established. No new tunnel routes can be created until active tunnel routes expire or are deleted.
The maximum number of allowed active BOVPN tunnels has been reached (Maximum: 500 Current: 500).
The maximum number of active allowed BOVPN tunnels has been reached (Maximum: %d Current: %d)
–
02090002 INFO VPN / IPSEC
IKE process -- FireCluster role changed
The cluster master has changed because of a FireCluster failover. The local device will not handle IKE negotiation.
A FireCluster failover occurred. The cluster master has changed.
A FireCluster failover occurred. The cluster master has changed.
–
5B010001 INFO VPN / L2TP
Daemon started
The Mobile VPN with L2TP daemon started.
The Mobile VPN with L2TP daemon started successfully.
The Mobile VPN with L2TP daemon started successfully.
–
5B010002 INFO VPN / L2TP
Configuration updated
The Mobile VPN with L2TP daemon received a configuration update.
Updating configuration for Mobile VPN with L2TP.
Updating configuration for Mobile VPN with L2TP.
–
5B010003 INFO VPN / L2TP
Daemon stopped
The Mobile VPN with L2TP daemon stopped.
Stopped Mobile VPN with L2TP daemon.
Stopped Mobile VPN with L2TP daemon.
–
Mobile Security Log Messages
Mobile Security log messages are generated for activity related to traffic through your Firebox from mobile devices. This includes traffic related to FireClient and Endpoint Manager.
Event
Mobile Security log messages of the Event log type.
ID Level Area Name Log Message Example Description Format Message Variables
70000001 ERROR Mobile Security / Endpoint Manager
Mobile security license limit reached
Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: 50
A user login from FireClient was rejected because the number of concurrently connected Mobile Security users has reached the limit supported by the Mobile Security license. The log message specifies the maximum allowed number of concurrent Mobile Security users.
Rejected a FireClient user login because the licensed maximum number of concurrent Mobile Security users has been reached. Maximum: %d
–
70000002 WARN Mobile Security / Endpoint Manager
Mobile security license high watermark reached
The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: 50
The number of concurrently connected Mobile Security users has reached 90 percent of the capacity supported by the Mobile Security license. The log message specifies the supported maximum number of concurrent Mobile Security users.
The number of connected Mobile Security users has reached 90 percent of the licensed capacity. Maximum: %d
–
70010000 INFO Mobile Security / Endpoint Manager
Mobile device connect
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is connected.
FireClient on the device has connected to the Firebox.
Mobile device %s is connected.
–
70010001 INFO Mobile Security / Endpoint Manager
Mobile device user already login
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe has already logged in.
User has logged in to Firebox from the device prior to the connection request.
Mobile device %s: user %s has already logged in.
–
70010002 INFO Mobile Security / Endpoint Manager
Mobile device user login
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged in.
User has logged in to Firebox through FireClient on the device.
Mobile device %s: user %s logged in.
–
70010003 INFO Mobile Security / Endpoint Manager
Mobile device user logout
Mobile device eee66f78-3d74-4002-8161-95938dca4390: user joe logged out.
User has logged out of Firebox from FireClient on the device.
Mobile device %s: user %s logged out.
–
70010004 INFO Mobile Security / Endpoint Manager
Mobile device idle disconnected
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected due to FireClient inactivity.
FireClient on the device is considered disconnected due to inactivity.
Mobile device %s is disconnected due to FireClient inactivity.
–
70010005 INFO Mobile Security / Endpoint Manager
Mobile device disconnected
Mobile device eee66f78-3d74-4002-8161-95938dca4390 is disconnected.
FireClient on the device has disconnected.
Mobile device %s is disconnected.
–
70010006 INFO Mobile Security / Endpoint Manager
Mobile device Unknown compliance
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Unknown.
Mobile device compliance status is Unknown. This could be because the compliance check is in progress, or because FireClient on the device is not responding.
Mobile device %s compliance status is Unknown.
–
70010007 INFO Mobile Security / Endpoint Manager
Mobile device Compliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Compliant.
Mobile device compliance status is Compliant, because it meets the compliance requirements.
Mobile device %s compliance status is Compliant.
–
70010008 INFO Mobile Security / Endpoint Manager
Mobile device Not Compliant
Mobile device eee66f78-3d74-4002-8161-95938dca4390 compliance status is Not Compliant.
Mobile device compliance status is Not Compliant, because it does not meet the compliance requirements.
Mobile device %s compliance status is Not Compliant.
–
70010009 INFO Mobile Security / Endpoint Manager
Mobile device user session recreated
Mobile device eee66f78-3d74-4002-8161-95938dca4390: session for user joe is recreated.
User session is recreated because the mobile device IP address changed.
Mobile device %s: session for user %s is recreated.
–
70020000 INFO Mobile Security / Endpoint Manager
Mobile device Authorization Agreement sign action
Mobile device eee66f78-3d74-4002-8161-95938dca4390: device authorization agreement (version 1) is accepted by user joe on 2015-09-01 09:10:12+0800.
The Device Authorization Agreement is either accepted or declined by a user at the specified local time.
Mobile device %s: device authorization agreement (version %d) is %s by user %s on %s.
device ${device id}: device authorization agreement (version ${ver_number}) is ${action} by user ${user} on ${local_time}