SonicOS Log Event Reference Guide
SonicWALL Internet Security Appliances
This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.
This document contains the following sections:
• “Log > View” section
• “Log > Categories” section
• “Log > Syslog” section
• “Log > Automation” section
• “Log > Name Resolution” section
• “Log > Reports” section
• “Log > ViewPoint” section
• “Index of Log Event Messages” section
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.
The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Log View Table
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Syslog uses eight categories to characterize messages. In descending order of severity, the categories are:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notice
– Informational
– Debug
Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.
Note Refer to the Log Event Messages section for more information on your specific log event.
• Category - the type of traffic, such as Network Access or Authenticated Access.
• Message - provides a description of the event.
• Source - displays source network and IP address.
• Destination - displays the destination network and IP address.
• Notes - provides additional information about the event.
Navigating and Sorting Log View Table Entries
The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.
You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.
Refresh
To update log messages, click the Refresh button near the top right corner of the page.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format--Used in log and alert e-mail.
• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
E-mail Log
If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.
Filtering Log Records Viewed
You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Enter your filter criteria in the Log View Settings table.
Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
Source interface AND Destination interface
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.
For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again.
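The combination rule from Steps 2 and 3, applied to log records outside the appliance, as an added example that is not SonicWALL code. The column names (including "Protocol"), the sample rows and the helper names are constructed for this illustration.

```python
import csv
import io

# Constructed sample rows (not real appliance output). The column names,
# including "Protocol", are assumptions made for this illustration.
SAMPLE_CSV = """\
Time,Priority,Message,Source IP,Destination IP,Protocol
2024-01-01 10:00:01,Notice,constructed event r1,10.0.0.5,198.51.100.7,tcp
2024-01-01 10:00:02,Notice,constructed event r2,198.51.100.7,10.0.0.5,tcp
2024-01-01 10:00:03,Notice,constructed event r3,10.0.0.5,10.0.0.9,udp
2024-01-01 10:00:04,Notice,constructed event r4,10.0.0.8,198.51.100.20,tcp
"""


def load_records(text):
    """Parse CSV text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def build_filter(criteria, grouped=()):
    """Return a predicate implementing the Log View combination rule.

    criteria: {field: wanted value}
    grouped:  fields that have Group Filters checked
    Grouped fields are ORed together; that group and every remaining
    field are then ANDed.
    """
    grouped = set(grouped)
    missing = grouped - set(criteria)
    if missing:
        raise ValueError(f"grouped fields without a value: {sorted(missing)}")
    if len(grouped) == 1:
        raise ValueError("Group Filters applies to two or more criteria")

    def matches(record):
        def hit(field):
            have = record.get(field, "").strip().lower()
            return have == criteria[field].lower()

        and_ok = all(hit(f) for f in criteria if f not in grouped)
        or_ok = any(hit(f) for f in grouped) if grouped else True
        return and_ok and or_ok

    return matches


def select(records, criteria, grouped=()):
    """Return the Message field of every record the filter keeps."""
    keep = build_filter(criteria, grouped)
    return [r["Message"] for r in records if keep(r)]


if __name__ == "__main__":
    records = load_records(SAMPLE_CSV)
    host = {"Source IP": "10.0.0.5",
            "Destination IP": "10.0.0.5",
            "Protocol": "tcp"}
    # Plain AND: Source IP AND Destination IP AND Protocol matches nothing.
    print(select(records, host))
    # (Source IP OR Destination IP) AND Protocol: TCP to or from the host.
    print(select(records, host, grouped=("Source IP", "Destination IP")))
```

Entering the same host address in both Source IP and Destination IP without grouping them returns nothing, which is the usual reason an investigation filter comes back empty.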
The following example filters for log events resulting from traffic from the WAN to the LAN:
Log Event Messages
For a complete reference guide of log event messages, refer to the “Log Event Message Index” section.
Log > Categories
This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Log Severity/Priority
This section provides information on configuring the priority level at which log messages are captured and at which corresponding alert messages are sent through e-mail for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug (lowest priority)
Alert Level
The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:
• None (disables e-mail alerts)
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning (lowest priority)
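How the Logging Level pre-filters the Alert Level, as an added example that is not SonicWALL code. The numeric ranks are the standard syslog severity codes (0 = Emergency through 7 = Debug); the function names and sample events are constructed for this illustration.

```python
# Severity names in the order the page lists them, highest priority first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: code for code, name in enumerate(SEVERITIES)}

# Alert Level choices listed on the page: None, then Emergency .. Warning.
ALERT_LEVELS = ["none"] + SEVERITIES[:RANK["warning"] + 1]

# Constructed sample events (not real appliance output).
SAMPLE_EVENTS = [
    {"priority": "alert", "message": "constructed: attack detected"},
    {"priority": "warning", "message": "constructed: port state changed"},
    {"priority": "notice", "message": "constructed: site blocked"},
]


def passes(event_priority, threshold):
    """True when the event is of equal or greater priority than threshold."""
    return RANK[event_priority] <= RANK[threshold]


def route(event_priority, logging_level, alert_level):
    """Return (logged, alerted) for one event."""
    if alert_level not in ALERT_LEVELS:
        raise ValueError(f"not an Alert Level choice: {alert_level!r}")
    logged = passes(event_priority, logging_level)
    # Events are pre-filtered by the Logging Level, so an event that is
    # dropped there can never raise an e-mail alert.
    alerted = (logged and alert_level != "none"
               and passes(event_priority, alert_level))
    return logged, alerted


def effective_alert_threshold(logging_level, alert_level):
    """Lowest priority that can still produce an alert, or None."""
    if alert_level not in ALERT_LEVELS:
        raise ValueError(f"not an Alert Level choice: {alert_level!r}")
    if alert_level == "none":
        return None
    return SEVERITIES[min(RANK[logging_level], RANK[alert_level])]


def suppressed_alerts(events, logging_level, alert_level):
    """Events that meet the Alert Level but are dropped by the Logging Level."""
    if alert_level == "none":
        return []
    return [e["message"] for e in events
            if passes(e["priority"], alert_level)
            and not passes(e["priority"], logging_level)]


if __name__ == "__main__":
    # Logging Level "error" is a higher priority than Alert Level "warning",
    # so warning events are neither logged nor alerted.
    print(route("warning", "error", "warning"))
    print(effective_alert_threshold("error", "warning"))
    print(suppressed_alerts(SAMPLE_EVENTS, "error", "warning"))
```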
Log Redundancy Filter
The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats. All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally. SonicWALL security appliances now include an expanded list of attack categories that can be logged.
The View Style menu provides the following three log category views:
• All Categories - Displays both Legacy Categories and Expanded Categories.
• Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
• Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.
The following table describes both the Legacy and Extended log categories.
Log Type | Category | Description
802.11 Management | Legacy | Logs WLAN IEEE 802.11 connections.
Advanced Routing | Expanded | Logs messages related to RIPv2 and OSPF routing events.
Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access | Expanded | Logs administrator, user, and guest account activity
Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites | Legacy | Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP | Expanded | Logs BOOTP activity
Crypto Test | Expanded | Logs crypto algorithm and hardware testing
DDNS | Expanded | Logs Dynamic DNS activity
Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client | Expanded | Logs DHCP client protocol activity
DHCP Relay | Expanded | Logs DHCP central and remote gateway activity
Dropped ICMP | Legacy | Logs blocked incoming ICMP packets.
Dropped TCP | Legacy | Logs blocked incoming TCP connections.
Dropped UDP | Legacy | Logs blocked incoming UDP packets.
Firewall Event | Extended | Logs internal firewall activity
Firewall Rule | Extended | Logs firewall rule modifications
GMS | Extended | Logs GMS status event
High Availability | Extended | Logs High Availability activity
IPcomp | Extended | Logs IP compression activity
Intrusion Prevention | Extended | Logs intrusion prevention related activity
L2TP Client | Extended | Logs L2TP client activity
L2TP Server | Extended | Logs L2TP server activity
Multicast | Extended | Logs multicast IGMP activity
Network | Extended | Logs network ARP, fragmentation, and MTU activity
Network Access | Extended | Logs network and firewall protocol access activity
Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
Network Traffic | Expanded | Logs network traffic reporting events
PPP | Extended | Logs generic PPP activity
PPP Dial-Up | Extended | Logs PPP dial-up activity
PPPoE | Extended | Logs PPPoE activity
PPTP | Extended | Logs PPTP activity
RBL | Extended | Logs real-time black list activity
RIP | Extended | Logs RIP activity
Remote Authentication | Extended | Logs RADIUS and LDAP server activity
Security Services | Extended | Logs security services activity
SonicPoint | Extended | Logs SonicPoint activity
System Errors | Legacy | Logs problems with DNS or e-mail.
System Maintenance | Legacy | Logs general system activity, such as system activations.
User Activity | Legacy | Logs successful and unsuccessful log in attempts.
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN | Extended | Logs VPN activity
VPN Client | Extended | Logs VPN client activity
VPN IKE | Extended | Logs VPN IKE activity
VPN IPsec | Extended | Logs VPN IPSec activity
VPN PKI | Extended | Logs VPN PKI activity
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels.
WAN Failover | Extended | Logs WAN failover activity
Wireless | Extended | Logs wireless activity
Wlan IDS | Extended | Logs WLAN IDS activity
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
• Category - Displays log category name.
• Description - Provides description of the log category activity type.
• Log - Provides checkbox for enabling/disabling the display of the log events on the Log > View page.
• Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.
• Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
• Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.
You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.
You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and
Log > Syslog
In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.
Syslog Settings
Syslog Facility
• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note See RFC 3164 - The BSD Syslog Protocol for more information.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution.
Note For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
– Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
– Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
• Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
• Enable Data Rate Limiting - This control allows you to enable rate limiting of data to
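The redundancy filtering described for the Log Redundancy Filter and the Syslog Event Redundancy Filter, modelled as an added example that is not SonicWALL code. Assumptions: what makes two events "the same" is reduced to a string key, the summary carries the count of suppressed duplicates, and a new period starts with the next occurrence after the previous one ends; the sample events are constructed.

```python
DEFAULT_PERIOD = 60      # seconds, default stated on the page
MAX_PERIOD = 86_400      # seconds (24 hours), maximum stated on the page

# Constructed keys and timestamps (seconds); not real appliance output.
KEY_A = "constructed: SYN flood 203.0.113.9 to 192.0.2.10"
KEY_B = "constructed: port scan 203.0.113.77 to 192.0.2.10"
SAMPLE_EVENTS = [(0, KEY_A), (5, KEY_A), (10, KEY_B), (30, KEY_A),
                 (61, KEY_A), (62, KEY_A), (200, KEY_B)]


def redundancy_filter(events, period=DEFAULT_PERIOD):
    """Collapse repeated events inside a period into one summary record.

    events: iterable of (timestamp, key) sorted by timestamp.
    Returns the records written out, each (timestamp, key, kind, count),
    where kind is "event" (written as it occurred) or "summary" (written
    at the end of the period with the number of suppressed duplicates).
    """
    if not 0 <= period <= MAX_PERIOD:
        raise ValueError("period must be between 0 and 86400 seconds")
    if period == 0:
        # 0 seconds: every message is sent without filtering.
        return [(ts, key, "event", 1) for ts, key in events]

    written = []
    windows = {}  # key -> [window start, suppressed duplicate count]

    def close_expired(now):
        expired = sorted((start, key) for key, (start, _) in windows.items()
                         if now >= start + period)
        for start, key in expired:
            suppressed = windows.pop(key)[1]
            if suppressed:
                written.append((start + period, key, "summary", suppressed))

    for ts, key in events:
        close_expired(ts)
        if key in windows:
            windows[key][1] += 1          # duplicate inside the period
        else:
            written.append((ts, key, "event", 1))
            windows[key] = [ts, 0]        # first occurrence opens a period
    close_expired(float("inf"))           # flush periods still open
    return written


if __name__ == "__main__":
    for record in redundancy_filter(SAMPLE_EVENTS):
        print(record)
```

When reconstructing an incident timeline from filtered logs, the summary count is the only trace of the suppressed events; their individual timestamps are not recoverable.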
Syslog Servers
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Log > Automation
The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
E-mail Log Automation
• Send Log to E-mail address - Enter your e-mail address ([email protected]) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Alerts to E-mail address - Enter your e-mail address ([email protected]) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Mail Server Settings
The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.
• Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
• From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
• Authentication Method - You can use the default None item or select POP Before SMTP.
Note If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.
Deep Packet Forensics
SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any ‘interesting-content’ events, it can only provide a record of the occurrence, but not the actual data of the event.
Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:
• Debug/Informational Events—Connection setup/tear down
• User-events—Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time
• Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits
The following is an example of the process of distributed event detection and replay:
1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:
2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
Methods of Access
The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.
By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.
GMS
Solera Capture Stack
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.
To configure your SonicWALL appliance with Solera select the Enable Solera Capture Stack Integration option.
Configure the following options:
• Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
• Protocol - Select either HTTP or HTTPS.
• Port - Specify the port number for connecting to the Solera server.
• Interface(s) - Specify which interfaces you want to transmit data for to the Solera server.
• User (optional) - Enter the username, if required.
• Password (optional) - Enter the password, if required.
• Confirm Password - Confirm the password.
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.
The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache in the top of the Log > Name Resolution page.
Selecting Name Resolution Settings
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.
In the Name Resolution Method list, select:
• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
• DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.
Specifying the DNS Server
You can choose to specify DNS servers, or to use the same servers as the WAN zone.
Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com
Data Collection
The Reports window includes the following functions and commands:
• Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
View Data
Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits
Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see . Click on the name of a Web site to open that site in a new window.
Bandwidth Usage by IP Address
Bandwidth Usage by Service
Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.
The Bandwidth Usage by Service report shows whether the services being used are
Log > ViewPoint
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint’s broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.
ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at http://www.sonicwall.com/us/support/3340.html.
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.
If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
Warning You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.
1. Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
4. If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on the Security Services > Summary page to update your
Enabling ViewPoint Settings
Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint.
1. Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.
2. Click the Add button. The Add Syslog Server window is displayed.
3. Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.
4. Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.
5. Click Accept.
Note The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.
Index of Log Event Messages
This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.
Log Event Message Symbols Key
TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message. Each log event message described in the following table provides the following log event details:
• SonicOS Category—Displays the SonicOS Software category event type.
• Legacy Category—Displays the SonicWALL Firmware Software category event type.
• Priority Level—Displays the level of urgency of the log event message.
• Log Message ID Number—Displays the ID number of the log event message.
• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.
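The rule from the layered-processing paragraph above (prefer the TCP Connection Dropped event over the earlier Connection Open event for the same connection), as an added example that is not SonicWALL code. The event field names, the one-second matching window and the sample events are assumptions; the message names are used as that paragraph writes them and should be replaced with the exact strings from the index.

```python
OPEN_MSG = "Connection Open"          # name as written in the paragraph above
DROP_MSG = "TCP Connection Dropped"   # name as written in the paragraph above


def ev(time, message, src, sport, dst, dport):
    """Build one constructed event record (field names are assumptions)."""
    return {"time": time, "message": message,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed events; not real appliance output.
SAMPLE_EVENTS = [
    ev(100.0, OPEN_MSG, "10.0.0.5", 40001, "198.51.100.7", 443),
    ev(101.0, OPEN_MSG, "10.0.0.6", 40002, "198.51.100.7", 25),
    ev(101.2, DROP_MSG, "10.0.0.6", 40002, "198.51.100.7", 25),
    ev(102.0, DROP_MSG, "10.0.0.7", 40003, "198.51.100.9", 80),
    ev(103.0, OPEN_MSG, "10.0.0.8", 40004, "198.51.100.9", 22),
    ev(163.0, DROP_MSG, "10.0.0.8", 40004, "198.51.100.9", 22),
]


def flow(event):
    """Connection identity used to pair an open with a drop."""
    return (event["src"], event["sport"], event["dst"], event["dport"])


def reconcile(events, window=1.0):
    """Split open events into (accepted, superseded).

    An open event is superseded when a drop event for the same flow is
    logged at the same time or up to `window` seconds later. The window
    is an assumption of this example; the page gives no timing.
    """
    drops = {}
    for e in events:
        if e["message"] == DROP_MSG:
            drops.setdefault(flow(e), []).append(e["time"])

    accepted, superseded = [], []
    for e in events:
        if e["message"] != OPEN_MSG:
            continue
        dropped = any(0 <= t - e["time"] <= window
                      for t in drops.get(flow(e), ()))
        (superseded if dropped else accepted).append(e)
    return accepted, superseded


if __name__ == "__main__":
    accepted, superseded = reconcile(SAMPLE_EVENTS)
    print("forwarded:", [flow(e) for e in accepted])
    print("ignore (rejected by deeper layer):", [flow(e) for e in superseded])
```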
Log Event Message Symbol Description Context
%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port Down
The cache is full; %u open connections; some will be dropped
Log Event Message Index
Log Event Message | SonicOS Category (sw new category) | Legacy Category (category) | Priority Level (priority) | Log Msg ID Number (id) | SNMP Trap Type (snmpTrapType) | Log Event Type (eventType)
"As per Diagnostic Auto-restart configuration request, restarting system" | Firewall event | --- | INFO | 1047 | --- | SIMPLE
#Web site hit | NetworkTraffic | Connection Traffic | INFO | 97 | --- | STD_HTTP_TRAFFIC_REPORT
%s | VPN IKE | UserActivity | DEBUG | 171 | --- | STD_MESSAGE_STRING
%s | High Availability | --- | ERROR | 826 | --- | SIMPLE_MESSAGE_STRING
%s | High Availability | --- | WARNING | 827 | --- | SIMPLE_MESSAGE_STRING
%s | High Availability | --- | INFO | 828 | --- | SIMPLE_MESSAGE_STRING
%s | High Availability | --- | ALERT | 829 | --- | SIMPLE_MESSAGE_STRING
%s | High Availability | --- | NOTICE | 830 | --- | SIMPLE_MESSAGE_STRING
%s | High Availability | --- | DEBUG | 831 | --- | SIMPLE_MESSAGE_STRING
%s | ARS | --- | INFO | 840 | --- | STD_MESSAGE_STRING
%s | ARS | --- | NOTICE | 841 | --- | STD_MESSAGE_STRING
%s | ARS | --- | DEBUG | 842 | --- | STD_MESSAGE_STRING
%s | Security Services | UserActivity | NOTICE | 872
%s | SSL VPN | --- | INFO | 1079 | --- | SIMPLE_MESSAGE_STRING
%s | Firewall event | System Error | ALERT | 1107 | --- | SIMPLE_MESSAGE_STRING
%s auto-dial failed: Current Connection Model is configured as Ethernet Only | PPP dialup | System Error | ALERT | 1028 | --- | SIMPLE_MESSAGE_STRING
%s Ethernet Port Down | Firewall event | System Error | ERROR | 333 | 641 | SIMPLE_MESSAGE_STRING
%s Ethernet Port Up | Firewall event | System Error | WARNING | 332 | 640 | SIMPLE_MESSAGE_STRING
%s is operational. | Anti-Spam | --- | WARNING | 1082 | --- | SIMPLE_MESSAGE_STRING
%s is unavailable. | Anti-Spam | --- | WARNING | 1083 | --- | SIMPLE_MESSAGE_STRING
) dumped to email at | None | --- | DEBUG | 1 | --- | UNUSED
*** Alert from SonicWALL *** | None | --- | DEBUG | 3 | --- | UNUSED
[not found in tip] | Unused | Attack | WARNING | 26 | 504 | UNUSED
[not found in tip] | Unused | Debug | NOTICE | 176 | --- | UNUSED
3G %s device detected | Firewall Hardware | System Environment | INFO | 1017 | --- | SIMPLE_MESSAGE_STRING
3G Dial-up: %s. | PPP dialup | UserActivity | ALERT | 1026 | --- | SIMPLE_MESSAGE_STRING
3G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnecting the 3G session. | PPP dialup | UserActivity | ALERT | 1027 | 7643 | SIMPLE_MESSAGE_STRING
3G: No SIM detected | Firewall Hardware | --- | ALERT | 1055 | --- | SIMPLE_MESSAGE_STRING
802.11 Management | Wireless | 80211bMgmt | INFO | 518 | --- | SIMPLE_NOTE_STRING
A prior version of preferences was loaded because the most recent preferences file was inaccessible | Firewall event | System Error | WARNING | 572 | 648 | SIMPLE
A SonicOS Standard to Enhanced Upgrade was performed | Firewall event | Maintenance | INFO | 611 | --- | SIMPLE
Access attempt from host out of compliance with GSC policy | Security Services | Maintenance | INFO | 761 | --- | STD
Access attempt from host without Anti-Virus agent installed | Security Services | Maintenance | INFO | 123 | --- | STD
Access attempt from host without GSC installed | Security Services | Maintenance | INFO | 763 | 8627 | STD
Access rule added | Firewall Rule | UserActivity | INFO | 440
Access rule deleted | Firewall Rule | UserActivity | INFO | 442 | --- | SIMPLE_RULE_STRING
Access rule modified | Firewall Rule | UserActivity | INFO | 441 | --- | SIMPLE_RULE
Access rules restored to defaults | Firewall Rule | UserActivity | INFO | 443 | --- | UNUSED
Access to proxy server denied | Network Access | BlockedSites | NOTICE | 60 | 705 | STD_NOTE_BLOCKED
Active Backup detects Active Primary: Backup going Idle | High Availability | Maintenance | INFO | 154 | --- | UNUSED
ActiveX access denied | Network Access | BlockedCode | NOTICE | 18 | --- | STD_NOTE_BLOCKED
ActiveX or Java archive access denied | Network Access | BlockedCode | NOTICE | 20 | --- | STD_NOTE_BLOCKED
ADConnector %s response timed-out; applying caching policy | Microsoft Active Directory | --- | ERROR | 769 | --- | STD_MESSAGE_STRING
Add an attack message | Firewall event | Attack | ERROR | 143 | 525 | SIMPLE_STRING
Added host entry to dynamic address object | Dynamic Address Objects | Maintenance | INFO | 911 | --- | STD_NOTE_STRING
Adding Dynamic Entry for Bound MAC Address | Network | --- | INFO | 813 | --- | STD_NOTE_Ethernet Network
Adding L2TP IP pool Address object Failed. | L2TP Server | System Error | ERROR | 603 | 661 | SIMPLE
Adding to multicast policyList , interface : %s | Multicast | --- | DEBUG | 697
Adding to Multicast policyList , VPN SPI : %s | Multicast | --- | DEBUG | 699 | --- | STD_MESSAGE_STRING
Administrator logged out | Authentication Access | UserActivity | INFO | 261 | --- | STD_NOTE_STRING
Administrator logged out - inactivity timer expired | Authentication Access | UserActivity | INFO | 262 | --- | STD
Administrator login allowed | Authentication Access | UserActivity | INFO | 29 | --- | STD_STRING_SERVICE
Administrator login denied due to bad credentials | Authentication Access | Attack | ALERT | 30 | 560 | STD_STRING_SERVICE
Administrator login denied from %s; logins disabled from this interface | Authentication Access | Attack | ALERT | 35 | 506 | STD_MESSAGE_STRING
Administrator name changed | Authentication Access | Maintenance | INFO | 328 | --- | STD
All DDNS associations have been deleted | DDNS | Maintenance | INFO | 783 | --- | SIMPLE
All preference values have been set to factory default values | Firewall event | System Error | WARNING | 574 | 650 | SIMPLE
Allowed LDAP server certificate with wrong host name | RADIUS | UserActivity | WARNING | 752 | --- | STD_NOTE_STRING
Anti-Spam service is disabled by administrator. | Anti-Spam | --- | INFO | 1085 | --- | SIMPLE
Anti-Spam service is enabled by administrator. | Anti-Spam | --- | INFO | 1084 | --- | SIMPLE
Anti-Spam Startup Failure - %s | Anti-Spam | --- | WARNING | 1088
Anti-Spam Teardown Failure - %s | Anti-Spam | --- | WARNING | 1089 | --- | SIMPLE_MESSAGE_STRING
Anti-Spyware Detection Alert: %s | Intrusion Detection | Attack | ALERT | 795 | 6438 | STD_AS_MESSAGE_STRING
Anti-Spyware Prevention Alert: %s | Intrusion Detection | Attack | ALERT | 794 | 6437 | STD_AS_MESSAGE_STRING
Anti-Spyware Service Expired | Security Services | Maintenance | WARNING | 796 | 8631 | SIMPLE
Anti-Virus agent out-of-date on host | Security Services | Maintenance | INFO | 124 | --- | STD
Anti-Virus Licenses Exceeded | Security Services | Maintenance | INFO | 408 | --- | STD
Application Filter Detection Alert: %s | Intrusion Detection | Attack | ALERT | 650 | --- | STD_MESSAGE_STRING
Application Filters Block Alert: %s | Intrusion Detection | Attack | ALERT | 649 | --- | STD_MESSAGE_STRING
Application Firewall Alert: %s | ApplicationFirewall | UserActivity | ALERT | 793 | 13201 | STD_Application Firewall_MESSAGE_STRING
ARP request packet received | Network | --- | INFO | 717 | --- | STD_NOTE_Ethernet Network
ARP request packet sent | Network | --- | INFO | 715 | --- | STD_NOTE_Ethernet Network
ARP response packet received | Network | --- | INFO | 716 | --- | STD_NOTE_Ethernet Network
ARP response packet sent | Network | --- | INFO | 718 | --- | STD_NOTE_Ethernet Network
ARP timeout | Network | Debug | DEBUG | 45 | --- | STD
ARP unused/spare | Network | --- | DEBUG | 816 | --- | UNUSED
ARS unused/spare | Unused | --- | DEBUG | 843 | --- | UNUSED
ARS unused/spare | Unused | --- | DEBUG | 844 | --- | UNUSED
ARS unused/spare | Unused | --- | DEBUG | 846 | --- | UNUSED
Assigned IP address %s | DHCP Server | --- | INFO | 1110 | --- | SIMPLE_MESSAGE_STRING
Association Flood from WLAN station | WLAN IDS | WLAN IDS | ALERT | 548 | 903 | SIMPLE_NOTE_STRING
Authentication timeout during Remotely Triggered Dial-out session | Authentication Access | UserActivity | INFO | 821 | --- | SIMPLE
AV unused/spare | Unused | 0 | DEBUG | 126 | --- | UNUSED
Back Orifice attack dropped | Intrusion Detection | Attack | ALERT | 73 | 512 | STD
Backup active | High Availability | System Error | INFO | 825 | --- | SIMPLE
Backup firewall being preempted by Primary | High Availability | System Error | ERROR | 152 | 619 | SIMPLE
Backup firewall has transitioned to Active | High Availability | Maintenance | ALERT | 145 | --- | SIMPLE
Backup firewall has transitioned to Idle | High Availability | Maintenance | ALERT | 147 | --- | SIMPLE
Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt | High Availability | --- | INFO | 1059 | --- | SIMPLE
Backup going Active in preempt mode after reboot | High Availability | System Error | ERROR | 170 | 622 | SIMPLE
Backup missed heartbeats from Primary | High
Backup received error signal from Primary | High Availability | System Error | ERROR | 151 | 618 | SIMPLE
Backup received heartbeat from wrong source | High Availability | Maintenance | INFO | 161 | --- | UNUSED
Backup received reboot signal from Primary | High Availability | System Error | ERROR | 672 | 666 | SIMPLE
Backup shut down because license is expired | High Availability | System Error | ERROR | 824 | --- | SIMPLE
Backup WAN link down, Primary going Active | High Availability | System Error | ERROR | 219 | 633 | UNUSED
Backup will be shut down in %s minutes | High Availability | System Error | ERROR | 823 | --- | SIMPLE_MESSAGE_STRING
Bad CRL format | VPN PKI | UserActivity | ALERT | 277 | --- | SIMPLE
Bind to LDAP server failed | RADIUS | System Error | ERROR | 1009 | --- | SIMPLE_NOTE_STRING
Blocked Quick Mode for Client using Default KeyId | VPN Client | System Error | ERROR | 505 | 660 | STD
BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table | Bootp | Maintenance | INFO | 619 | --- | STD_NOTE_STRING
BOOTP reply relayed to local device | Bootp | Maintenance | INFO | 620 | --- | STD_NOTE_STRING
BOOTP
BOOTP server response relayed to remote device | Bootp | Debug | DEBUG | 618 | --- | STD_NOTE_STRING
Broadcast packet dropped | Network Access | Debug | DEBUG | 46 | --- | STD_NOTE_PROTOCOL
Cannot connect to the CRL server | VPN PKI | UserActivity | ALERT | 274 | --- | SIMPLE
Cannot Validate Issuer Path | VPN PKI | UserActivity | ALERT | 878 | --- | SIMPLE_NOTE_STRING
Category: | None | 0 | DEBUG | 485 | --- | UNUSED
Certificate on Revoked list(CRL) | VPN PKI | UserActivity | ALERT | 279 | --- | SIMPLE_NOTE_STRING
CFL auto-download disabled, time problem detected | Security Services | Maintenance | INFO | 268 | --- | SIMPLE
Chat %s | PPP dialup | UserActivity | INFO | 1022 | --- | STD_MESSAGE_STRING
Chat completed | PPP dialup | UserActivity | INFO | 1020 | --- | STD_MESSAGE_STRING
Chat failed: %s | PPP dialup | UserActivity | INFO | 1023 | --- | STD_MESSAGE_STRING
Chat started | PPP dialup | UserActivity | INFO | 1019 | --- | STD_MESSAGE_STRING
Chat started by '%s' | PPP dialup | UserActivity | INFO | 1032 | --- | STD_MESSAGE_STRING
Chat wrote '%s' | PPP dialup | UserActivity | INFO | 1021 | --- | STD_MESSAGE_STRING
CLI administrator logged out | Authentication Access | UserActivity | INFO | 520 | --- | SIMPLE
CLI administrator login allowed | Authentication Access | UserActivity | INFO | 199 | --- | STD_NOTE_STRING
CLI administrator login denied due to bad credentials | Authentication Access | UserActivity | WARNING | 200 | --- | STD_NOTE_STRING
Computed hash does not match hash received from peer; preshared key mismatch | VPN IKE | UserActivity | WARNING | 410 | --- | STD_NOTE_STRING
Configuration mode administration session ended | Authentication Access | UserActivity | INFO | 995 | --- | STD_NOTE_STRING
Configuration mode administration session started | Authentication Access | UserActivity | INFO | 994 | --- | STD_NOTE_STRING
Connection Closed | NetworkTraffic | Connection Traffic | INFO | 537 | --- | STD_TRAFFIC_REPORT
Connection Opened | NetworkTraffic | Connection | INFO | 98 | --- | STD_TRAFFIC_REPORT
Connection timed out | VPN PKI | UserActivity | ALERT | 273 | --- | SIMPLE
Content filter subscription expired. | Security Services | System Error | ERROR | 197 | 631 | UNUSED
Cookie removed | Network Access | BlockedCode | NOTICE | 21 | --- | STD_STRING_SERVICE
CRL has expired | VPN PKI | UserActivity | ALERT | 874 | --- | SIMPLE_NOTE_STRING
CRL loaded from | VPN PKI | UserActivity | INFO | 270 | --- | SIMPLE_NOTE_STRING
CRL missing - Issuer requires CRL checking. | VPN PKI | UserActivity | ALERT | 876 | --- | SIMPLE_NOTE_STRING
CRL validation failure for Root Certificate | VPN PKI | UserActivity | ALERT | 877 | --- | SIMPLE_NOTE_STRING
Crypto DES test failed | Crypto Test | Maintenance | ERROR | 360 | --- | SIMPLE
Crypto DH test failed | Crypto Test | Maintenance | ERROR | 361 | --- | SIMPLE
Crypto hardware 3DES test
Crypto Hardware 3DES with SHA test failed | Crypto Test | Maintenance | ERROR | 369 | --- | SIMPLE
Crypto Hardware AES test failed | Crypto Test | Maintenance | ERROR | 610 | --- | STD
Crypto hardware DES test failed | Crypto Test | Maintenance | ERROR | 366 | --- | SIMPLE
Crypto hardware DES with SHA test failed | Crypto Test | Maintenance | ERROR | 368 | --- | SIMPLE
Crypto Hmac-MD5 test failed | Crypto Test | Maintenance | ERROR | 362 | --- | SIMPLE
Crypto Hmac-Sha1 test failed | Crypto Test | Maintenance | ERROR | 363 | --- | SIMPLE
Crypto MD5 test failed | Crypto Test | Maintenance | ERROR | 370 | --- | SIMPLE
Crypto RSA test failed | Crypto Test | Maintenance | ERROR | 364 | --- | SIMPLE
Crypto SHA1 based DRNG KAT test failed | Crypto Test | --- | ERROR | 1060 | --- | SIMPLE
Crypto Sha1 test failed | Crypto Test | Maintenance | ERROR | 365 | --- | SIMPLE
CSR Generation: %s | VPN PKI | --- | INFO | 1109 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s disabled | DDNS | Maintenance | INFO | 781 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s enabled | DDNS | Maintenance | INFO | 780 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s added | DDNS | Maintenance | INFO | 779 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s deactivated | DDNS | Maintenance | INFO | 784 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s deleted | DDNS | Maintenance | INFO | 785
DDNS Association %s put on line | DDNS | Maintenance | INFO | 782 | --- | SIMPLE_MESSAGE_STRING
DDNS association %s taken Offline locally | DDNS | Maintenance | INFO | 778 | --- | SIMPLE_MESSAGE_STRING
DDNS Failure: Provider %s | DDNS | System Error | ERROR | 774 | --- | SIMPLE_MESSAGE_STRING
DDNS Failure: Provider %s | DDNS | System Error | ERROR | 775 | --- | SIMPLE_MESSAGE_STRING
DDNS Failure: Provider %s | DDNS | System Error | ERROR | 773 | --- | SIMPLE_MESSAGE_STRING
DDNS Update success for domain %s | DDNS | Maintenance | INFO | 776 | --- | STD_MESSAGE_STRING
DDNS Warning: Provider %s | DDNS | System Error | WARNING | 777 | --- | SIMPLE_MESSAGE_STRING
Deleting from Multicast policy list, interface : %s | Multicast | --- | DEBUG | 698 | --- | STD_MESSAGE_STRING
Deleting from Multicast policy list, VPN SPI : %s | Multicast | --- | DEBUG | 700 | --- | STD_MESSAGE_STRING
Deleting IPsec SA | VPN IKE | UserActivity | INFO | 92 | --- | STD_NOTE_SPI
Deleting IPsec SA for destination | VPN IKE | UserActivity | INFO | 91 | --- | UNUSED
Destination IP address connection status: %s | Firewall event | --- | INFO | 735 | --- | STD_MESSAGE_STRING
Destination: | None | --- | DEBUG | 57 | --- | UNUSED
DHCP client enabled but not ready | DHCP Client | Maintenance | INFO | 504 | --- | SIMPLE
DHCP Client did not get
DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | Maintenance | INFO | 119 | --- | STD
DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | Maintenance | INFO | 120 | --- | UNUSED
DHCP Client got a new IP address lease. | DHCP Client | Maintenance | INFO | 121 | --- | STD_NOTE_STRING
DHCP Client got ACK from server. | DHCP Client | Maintenance | INFO | 111 | --- | STD_NOTE_STRING
DHCP Client got NACK. | DHCP Client | Maintenance | INFO | 110 | --- | STD
DHCP Client is declining address offered by the server. | DHCP Client | Maintenance | INFO | 112 | --- | STD_NOTE_STRING
DHCP Client sending REQUEST and going to REBIND state. | DHCP Client | Maintenance | INFO | 113 | --- | STD_NOTE_STRING
DHCP Client sending REQUEST and going to RENEW state. | DHCP Client | Maintenance | INFO | 114 | --- | STD_NOTE_STRING
DHCP DECLINE received from remote device | DHCP Relay | Debug | INFO | 475 | --- | UNUSED
DHCP DISCOVER received from local device | DHCP Relay | Debug | INFO | 479 | --- | UNUSED
DHCP DISCOVER received from remote device | DHCP Relay | Debug | INFO | 474
DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | Maintenance | WARNING | 228 | --- | STD_NOTE_STRING
DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP | DHCP Relay | Maintenance | WARNING | 484 | --- | STD_NOTE_STRING
DHCP lease file in the flash is corrupted; read failed | Firewall event | System Error | WARNING | 833 | --- | SIMPLE
DHCP lease relayed to local device | DHCP Relay | Maintenance | INFO | 223 | --- | STD_NOTE_STRING
DHCP lease relayed to remote device | DHCP Relay | Debug | INFO | 225 | --- | STD_NOTE_STRING
DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | Maintenance | INFO | 226 | --- | STD_NOTE_STRING
DHCP leases written to flash | Firewall event | Maintenance | INFO | 835 | --- | SIMPLE
DHCP NACK received from server | DHCP Relay | Debug | INFO | 477 | --- | STD_NOTE_STRING
DHCP OFFER received from server | DHCP Relay | Debug | INFO | 476
DHCP Ranges altered automatically due to change in network settings for interface %s | Firewall event | --- | INFO | 832 | --- | SIMPLE_MESSAGE_STRING
DHCP RELEASE received from remote device | DHCP Relay | Debug | INFO | 224 | --- | STD_NOTE_STRING
DHCP RELEASE relayed to Central Gateway | DHCP Relay | Maintenance | INFO | 222 | --- | STD_NOTE_STRING
DHCP REQUEST received from local device | DHCP Relay | Debug | INFO | 480 | --- | UNUSED
DHCP REQUEST received from remote device | DHCP Relay | Debug | INFO | 473 | --- | STD_NOTE_STRING
DHCP Server not available. Did not get any DHCP OFFER. | DHCP Client | Maintenance | INFO | 106 | --- | STD
DHCP Server: Received DHCP message from untrusted relay agent | Firewall event | --- | NOTICE | 1090 | --- | STD_NOTE_STRING
Diagnostic Auto-restart canceled | Firewall event | --- | INFO | 1046 | --- | SIMPLE
Diagnostic Auto-restart scheduled for %s minutes from now | Firewall event | --- | INFO | 1045 | --- | SIMPLE_MESSAGE_STRING
Diagnostic Code A | Firewall Hardware | System Error | ERROR | 93 | 611 | SIMPLE_NOTE_STRING
Diagnostic Code B | Firewall Hardware | System Error | ERROR | 94 | 612 | SIMPLE_NOTE_STRING
Diagnostic Code C | Firewall Hardware | System Error | ERROR | 95 | 613 | SIMPLE_NOTE_STRING
Diagnostic Code D | Firewall Hardware | System Error | ERROR | 64 | 610 | STD_NOTE_CODE
Diagnostic Code E | VPN IPsec | System Error | ERROR | 61 | 609 | STD_NOTE_CODE
Diagnostic Code F | Firewall Hardware | System Error | ERROR | 164 | 621 | SIMPLE_NOTE_STRING
Diagnostic Code G | Firewall Hardware | System Error | ERROR | 599 | 655 | SIMPLE_NOTE_STRING
Diagnostic Code H | Firewall Hardware | System Error | ERROR | 600 | 656 | SIMPLE_NOTE_STRING
Diagnostic Code I | Firewall Hardware | System Error | ERROR | 601 | 657 | SIMPLE_NOTE_STRING
Diagnostic Code J | Firewall Hardware | System Error | ERROR | 1025 | 5423 | SIMPLE_NOTE_STRING
Dial-up: Session initiated by data packet | PPP dialup | --- | INFO | 1039 | --- | STD_SERVICE
Dial-up: Traffic generated by '%s' | PPP dialup | --- | INFO | 1038 | --- | STD_MESSAGE_STRING
Disconnecting L2TP Tunnel due to traffic timeout | L2TP Client | Maintenance | INFO | 215 | --- | SIMPLE
Disconnecting PPTP Tunnel due to traffic timeout | PPTP | Maintenance | INFO | 389 | --- | SIMPLE
Discovered HA %s Firewall | High Availability | --- | INFO | 1044 | --- | SIMPLE_MESSAGE_STRING
Discovered HA Backup Firewall | High Availability | Maintenance | INFO | 156 | --- | SIMPLE
DNS packet allowed | Network Access | Debug | INFO | 602 | --- | STD_POLICY
DNS rebind attack blocked | Intrusion Detection | --- | ALERT | 1099 | 6466 | STD_NOTE_STRING
Drop WLAN traffic from non-SonicPoint devices | Intrusion Detection | Attack | ERROR | 662 | 6434 | STD
Duplicate packet dropped | Network Access | Debug | DEBUG | 51 | --- | UNUSED
Dynamic IPsec client connected | VPN IPsec | UserActivity | INFO | 62 | --- | STD_NOTE_STRING
EIGRP packet dropped | Network Access | Debug | NOTICE | 714 | --- | STD_NOTE_STRING
E-Mail fragment dropped | Intrusion Detection | Attack | ERROR | 437 | 550 | STD
Entering FIPS ERROR state | Crypto Test | Maintenance | ERROR | 359 | --- | UNUSED
Entering FIPS Error State. | Crypto Test | System Error | ERROR | 497 | 659 | UNUSED
Error initializing Hardware acceleration for VPN | Firewall Hardware | Maintenance | ERROR | 374 | --- | SIMPLE
Error Rebooting HA Peer Firewall | High
Error setting the IP address of the backup, please manually set to backup LAN IP | High Availability | System Error | ERROR | 191 | 629 | SIMPLE
Error synchronizing HA peer firewall (%s) | High Availability | System Error | ERROR | 158 | 662 | SIMPLE_MESSAGE_STRING
Error updating HA peer configuration | High Availability | System Error | ERROR | 192 | 630 | UNUSED
ERROR: DHCP over VPN policy is not defined. Cannot start IKE. | DHCP Relay | Maintenance | INFO | 478 | --- | UNUSED
Exceeded Max multicast address limit | Multicast | --- | WARNING | 703 | --- | STD
External Web Server Host Resolution Failed %s | Authentication Access | --- | ERROR | 1069 | --- | SIMPLE_MESSAGE_STRING
Failed payload validation | VPN IKE | UserActivity | WARNING | 405 | --- | STD_NOTE_STRING
Failed payload verification after decryption; possible preshared key mismatch | VPN IKE | UserActivity | WARNING | 404 | --- | STD_NOTE_STRING
Failed to find certificate | VPN PKI | UserActivity | ALERT | 875 | --- | SIMPLE_NOTE_STRING
Failed to get CRL from | VPN PKI | UserActivity | ALERT | 271 | --- | SIMPLE_NOTE_STRING
Failed to Process CRL from | VPN PKI | UserActivity | ALERT | 276 | --- | SIMPLE_NOTE_STRING
Failed to resolve name | Network | Maintenance | INFO | 84
Failed to send file to remote backup server, Error: %s | Firewall event | Maintenance | INFO | 1066 | --- | SIMPLE_MESSAGE_STRING
Failed to send Preference file to remote backup server, Error: %s | Firewall event | Maintenance | INFO | 1062 | --- | SIMPLE_MESSAGE_STRING
Failed to send TSR file to remote backup server, Error: %s | Firewall event | Maintenance | INFO | 1064 | --- | SIMPLE_MESSAGE_STRING
Failed to synchronize license information with Licensing Server. Please see HTTP://help.mySonicWALL.com/licsyncfail.html (code: %s) | Security Services | Maintenance | WARNING | 766 | 8628 | SIMPLE_MESSAGE_STRING
Failed to synchronize Relay IP Table | DHCP Relay | System Error | WARNING | 234 | 632 | STD
Failed to write DHCP leases to flash | Firewall event | System Error | WARNING | 834 | --- | SIMPLE
Failure to add data channel | Unused | Debug | DEBUG | 49 | --- | STD
Failure to reach Interface %s probe | High Availability | System Error | ERROR | 675 | 6234 | SIMPLE_MESSAGE_STRING
Fan Failure | Firewall Hardware | System Environment | ALERT | 576 | 102 | SIMPLE
FIN Flood Blacklist on IF %s continues | Intrusion Detection | Debug | WARNING | 902
FIN-Flooding machine %s blacklisted | Intrusion Detection | Debug | ALERT | 901 | --- | SIMPLE_MESSAGE_STRING
Forbidden E-Mail attachment deleted | Intrusion Detection | Attack | ERROR | 248 | 534 | STD_DESTINATION
Forbidden E-Mail attachment disabled | Intrusion Detection | Attack | ALERT | 165 | 527 | STD_DESTINATION
Found Rogue Access Point | WLAN IDS | WLAN IDS | ALERT | 546 | 901 | SIMPLE_NOTE_STRING
Found Rogue Access Point | WLAN IDS | WLAN IDS | ALERT | 556 | 10804 | SIMPLE_NOTE_STRING
Fragmented packet dropped | Network | TCP \| UDP \| ICMP | NOTICE | 28 | --- | STD_NOTE_PROTOCOL
Fraudulent Microsoft certificate found; access denied | Intrusion Detection | Attack | ERROR | 193 | 532 | STD
FTP client user logged in failed | FTP | --- | DEBUG | 1115 | --- | STD_NOTE_STRING
FTP client user logged in successfully | FTP | --- | DEBUG | 1114 | --- | STD_NOTE_STRING
FTP client user logged out | FTP | --- | DEBUG | 1116 | --- | STD_NOTE_STRING
FTP client user name was sent | FTP | --- | DEBUG | 1113 | --- | STD_NOTE_STRING
FTP server accepted the connection | FTP | --- | DEBUG | 1112 | --- | STD_NOTE_STRING
FTP: Data connection from non default port dropped | Network Access | Attack | ALERT | 538 | 557 | STD
FTP: PASV response bounce attack dropped. | Intrusion Detection | Attack | ALERT | 528 | 556
FTP: PASV response spoof attack dropped | Intrusion Detection | Attack | ERROR | 446 | 551 | STD
FTP: PORT bounce attack dropped. | Intrusion Detection | Attack | ALERT | 527 | 555 | STD_NOTE_STRING
Gateway Anti-Virus Alert: %s | Security Services | Attack | ALERT | 809 | 8632 | STD_MESSAGE_STRING
Gateway Anti-Virus Service expired | Security Services | Maintenance | WARNING | 810 | 8633 | SIMPLE
Global VPN Client connection is not allowed. Appliance is not registered. | VPN Client | System Error | INFO | 529 | 643 | STD
Global VPN Client License Exceeded: Connection denied. | VPN Client | System Error | INFO | 494 | 658 | STD
Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 | VPN Client | UserActivity | INFO | 604 | --- | STD_NOTE_STRING
Got DHCP OFFER. Selecting. | DHCP Client | Maintenance | INFO | 107 | --- | STD_NOTE_STRING
GSC policy out-of-date on host | Security Services | Maintenance | INFO | 762 | --- | STD
Guest account '%s' created | Authentication Access | UserActivity | INFO | 558 | --- | STD_MESSAGE_STRING
Guest account '%s' deleted | Authentication Access | UserActivity | INFO | 559
Guest account '%s' disabled | Authentication Access | UserActivity | INFO | 560 | --- | STD_MESSAGE_STRING
Guest account '%s' pruned | Authentication Access | UserActivity | INFO | 562 | --- | STD_MESSAGE_STRING
Guest account '%s' re-enabled | Authentication Access | UserActivity | INFO | 561 | --- | STD_MESSAGE_STRING
Guest account '%s' re-generated | Authentication Access | UserActivity | INFO | 563 | --- | STD_MESSAGE_STRING
Guest Account Timeout | Authentication Access | UserActivity | INFO | 551 | --- | STD_NOTE_STRING
Guest Idle Timeout | Authentication Access | UserActivity | INFO | 564 | --- | STD_NOTE_STRING
Guest login denied. Guest '%s' is already logged in. Please try again later. | Authentication Access | UserActivity | INFO | 557 | --- | STD_MESSAGE_STRING
Guest Services drop traffic to deny network | Network Access | --- | INFO | 724 | --- | STD_NOTE_STRING
Guest Services pass traffic to access allow network | Network Access | --- | INFO | 725 | --- | STD_NOTE_STRING
Guest Session Timeout | Authentication Access | UserActivity | INFO | 550 | --- | STD_NOTE_STRING
GUI administration session ended | Authentication Access | UserActivity | INFO | 998 | --- | STD_NOTE_STRING
H.323/H.225 Connect | VOIP | VOIP | DEBUG | 634 | --- | STD_NOTE_STRING
H.323/H.225 Setup | VOIP | VOIP | DEBUG | 633 | --- | STD_NOTE_STRING
H.323/H.245 Address | VOIP | VOIP | DEBUG | 635 | --- | STD_NOTE_STRING
H.323/H.245 End Session | VOIP | VOIP | DEBUG | 636 | --- | STD_NOTE_STRING
H.323/RAS Admission Confirm | VOIP | VOIP | DEBUG | 625
H.323/RAS Admission Reject | VOIP | VOIP | DEBUG | 624 | --- | STD_NOTE_STRING
H.323/RAS Admission Request | VOIP | VOIP | DEBUG | 626 | --- | STD_NOTE_STRING
H.323/RAS Bandwidth Reject | VOIP | VOIP | DEBUG | 627 | --- | STD_NOTE_STRING
H.323/RAS Disengage Confirm | VOIP | VOIP | DEBUG | 628 | --- | STD_NOTE_STRING
H.323/RAS Disengage Reject | VOIP | VOIP | DEBUG | 641 | --- | STD_NOTE_STRING
H.323/RAS Gatekeeper Reject | VOIP | VOIP | DEBUG | 629 | --- | STD_NOTE_STRING
H.323/RAS Location Confirm | VOIP | VOIP | DEBUG | 630 | --- | STD_NOTE_STRING
H.323/RAS Location Reject | VOIP | VOIP | DEBUG | 631 | --- | STD_NOTE_STRING
H.323/RAS Registration Reject | VOIP | VOIP | DEBUG | 632 | --- | STD_NOTE_STRING
H.323/RAS Unknown Message Response | VOIP | VOIP | DEBUG | 640 | --- | STD_NOTE_STRING
H.323/RAS Unregistration Reject | VOIP | VOIP | DEBUG | 642 | --- | STD_NOTE_STRING
HA packet processing error | High Availability | Maintenance | INFO | 162 | --- | SIMPLE
HA Peer Firewall Rebooted | High Availability | Maintenance | INFO | 668 | --- | SIMPLE
HA Peer Firewall Synchronized | High Availability | Maintenance | INFO | 157 | --- | SIMPLE
Hardware Failover settings were not upgraded. | Firewall event | Maintenance | INFO | 743 | --- | SIMPLE
Header verification
Heartbeat received from incompatible source | High Availability | Maintenance | INFO | 163 | --- | UNUSED
HTTP management port has changed | Firewall event | Maintenance | INFO | 340 | --- | SIMPLE_NOTE_STRING
HTTP method detected; examining stream for host header | Network Access | TCP | DEBUG | 882 | --- | STD_POLICY
HTTPS management port has changed | Firewall event | Maintenance | INFO | 341 | --- | SIMPLE_NOTE_STRING
ICMP checksum error; packet dropped | Network Access | UDP | NOTICE | 886 | --- | STD
ICMP packet allowed | Network Access | Debug | INFO | 597 | --- | STD_POLICY
ICMP packet dropped due to policy | Network Access | ICMP | NOTICE | 38 | --- | STD_POLICY
ICMP packet dropped no match | Network Access | ICMP | NOTICE | 523 | --- | STD_ICMP_SERVICE
ICMP packet from LAN allowed | Network Access | Debug | INFO | 598 | --- | STD_ICMP_SERVICE
ICMP packet from LAN dropped | Network Access | LanICMP \| LanTCP | NOTICE | 175 | --- | STD_ICMP_SERVICE
If not already enabled, enabling NTP is recommended | Firewall Hardware | System Error | WARNING | 540 | 645 | SIMPLE
IGMP packet dropped, wrong checksum received on interface %s | Multicast | --- | NOTICE | 683
IGMP Leave group message Received on interface %s | Multicast | --- | INFO | 682 | --- | STD_MESSAGE_STRING
IGMP packet dropped, decoding error | Multicast | --- | NOTICE | 686 | --- | STD
IGMP Packet Not handled. Packet type : %s | Multicast | --- | NOTICE | 687 | --- | STD_MESSAGE_STRING
IGMP querier Router detected on interface %s | Multicast | --- | DEBUG | 701 | --- | STD_MESSAGE_STRING
IGMP querier Router detected on VPN tunnel , SPI %S | Multicast | --- | DEBUG | 702 | --- | STD_MESSAGE_STRING
IGMP state table entry time out,deleting interface : %s for multicast address : %s | Multicast | --- | DEBUG | 692 | --- | STD_MESSAGE_STRING
IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s | Multicast | --- | DEBUG | 693 | --- | STD_MESSAGE_STRING
IGMP V2 client joined multicast Group : %s | Multicast | --- | INFO | 676 | --- | STD_MESSAGE_STRING
IGMP V2 Membership report received from interface %s | Multicast | --- | DEBUG | 679 | --- | STD_MESSAGE_STRING
IGMP V3 client joined multicast Group : %s | Multicast | --- | INFO | 677
IGMP V3 Membership report received from interface %s | Multicast | --- | DEBUG | 678 | --- | STD_MESSAGE_STRING
IGMP V3 packet dropped, unsupported Record type : %s | Multicast | --- | NOTICE | 688 | --- | STD_MESSAGE_STRING
IGMP V3 record type : %s not Handled | Multicast | --- | DEBUG | 689 | --- | STD_MESSAGE_STRING
IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope | VPN IKE | UserActivity | INFO | 544 | --- | STD
IKE Initiator: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO | 372 | --- | STD_NOTE_STRING
IKE Initiator: Accepting peer lifetime. (Phase 1) | VPN IKE | UserActivity | INFO | 445 | --- | STD_NOTE_STRING
IKE Initiator: Aggressive Mode complete (Phase 1). | VPN IKE | UserActivity | INFO | 354 | --- | STD_NOTE_STRING
IKE Initiator: IKE proposal does not match (Phase 1) | VPN IKE | UserActivity | WARNING | 937 | --- | STD_NOTE_STRING
IKE Initiator: Main Mode complete (Phase 1) | VPN IKE | UserActivity | INFO | 353 | --- | STD_NOTE_STRING
IKE Initiator: Proposed
IKE Initiator: Remote party timeout - Retransmitting IKE request. | VPN IKE | UserActivity | INFO | 930 | --- | STD_NOTE_STRING
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO | 358 | --- | STD_NOTE_STRING
IKE Initiator: Start Main Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO | 351 | --- | STD_NOTE_STRING
IKE Initiator: Start Quick Mode (Phase 2). | VPN IKE | UserActivity | INFO | 346 | --- | STD_NOTE_STRING
IKE Initiator: Using secondary gateway to negotiate | VPN IKE | UserActivity | INFO | 543 | --- | STD_NOTE_STRING
IKE negotiation aborted due to timeout | VPN IKE | UserActivity | INFO | 403 | --- | STD_NOTE_STRING
IKE negotiation complete. Adding IPsec SA. (Phase 2) | VPN IKE | UserActivity | INFO | 89 | --- | STD_NOTE_STRING
IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to
IKE Responder: %s policy does not allow static IP for Virtual Adapter. | VPN Client | System Error | ERROR | 660 | --- | STD_MESSAGE_STRING
IKE Responder: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO | 87 | --- | STD_NOTE_STRING
IKE Responder: Aggressive Mode complete (Phase 1) | VPN IKE | UserActivity | INFO | 373 | --- | STD_NOTE_STRING
IKE Responder: AH authentication algorithm does not match | VPN IKE | UserActivity | WARNING | 920 | --- | STD_NOTE_STRING
IKE Responder: AH authentication key length does not match | VPN IKE | UserActivity | WARNING | 923 | --- | STD_NOTE_STRING
IKE Responder: AH authentication key rounds does not match | VPN IKE | UserActivity | WARNING | 926 | --- | STD_NOTE_STRING
IKE Responder: AH Perfect Forward Secrecy mismatch | VPN IKE | UserActivity | WARNING | 258 | 544 | STD_NOTE_STRING
IKE Responder: Algorithms
IKE Responder: Client Policy has no VPN Access Networks assigned. Check Configuration. | VPN IKE | System Error | ERROR | 965 | --- | STD_NOTE_STRING
IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route | VPN IKE | Attack | ERROR | 516 | 553 | STD_NOTE_STRING
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route | VPN IKE | UserActivity | WARNING | 253 | 539 | STD_NOTE_STRING
IKE Responder: ESP authentication algorithm does not match | VPN IKE | UserActivity | WARNING | 922 | --- | STD_NOTE_STRING
IKE Responder: ESP authentication key length does not match | VPN IKE | UserActivity | WARNING | 925 | --- | STD_NOTE_STRING
IKE Responder: ESP authentication key rounds does not match | VPN IKE | UserActivity | WARNING | 928