SonicOS Log Event Reference Guide
Using the SonicOS Log Event Reference Guide
This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.
This document contains the following sections:
• “Log > View” section
• “Log > Categories” section
• “Log > Syslog” section
• “Log > Automation” section
• “Log > Name Resolution” section
• “Log > Reports” section
• “Log > ViewPoint” section
• “Index of Log Event Messages” section
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.
The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Log View Table
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Syslog uses eight categories to characterize messages – in descending order of severity, the categories include:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notice
– Informational
– Debug
Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.
Note Refer to Log Event Messages section for more information on your specific log event.
• Category - the type of traffic, such as Network Access or Authenticated Access.
• Message - provides a description of the event.
• Source - displays the source network and IP address.
• Destination - displays the destination network and IP address.
• Notes - provides additional information about the event.
Navigating and Sorting Log View Table Entries
The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.
You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.
Refresh
To update log messages, click the Refresh button near the top right corner of the page.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format--Used in log and alert e-mail.
• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
E-mail Log
If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.
Filtering Log Records Viewed
You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Enter your filter criteria in the Log View Settings table.
Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
Source interface AND Destination interface
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.
For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again.
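How the Group Filters check box changes the search expression, as an added example in Python (not SonicOS code): it builds the search string and the matching predicate described in Steps 2 and 3 and applies them to a small constructed log export. The column names, the `build_filter`, `search_string` and `run` helpers and all sample rows are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example; they are not the appliance's actual CSV header.
SAMPLE_CSV = """time,priority,message,src_ip,src_if,dst_ip,dst_if,protocol
10:00:01,Notice,Web site access allowed,192.168.1.10,LAN,203.0.113.5,WAN,tcp
10:00:02,Alert,IP spoof dropped,203.0.113.5,WAN,192.168.1.10,LAN,tcp
10:00:03,Notice,Fragmented packet dropped,203.0.113.5,WAN,192.168.1.20,LAN,udp
10:00:04,Error,Web site access denied,192.168.1.20,LAN,198.51.100.7,WAN,tcp
10:00:05,Alert,Ping of death dropped,198.51.100.7,WAN,192.168.1.10,LAN,icmp
"""

# Display names for the filter fields (hypothetical field keys).
LABELS = {
    "priority": "Priority",
    "src_ip": "Source IP",
    "src_if": "Source interface",
    "dst_ip": "Destination IP",
    "dst_if": "Destination interface",
    "protocol": "Protocol",
}


def load(text=SAMPLE_CSV):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def build_filter(criteria, grouped=()):
    """Return a predicate for one row.

    criteria: field -> wanted value (only fields the operator filled in).
    grouped:  fields with Group Filters checked; these are ORed together,
              and the group as a whole is ANDed with every other field.
    """
    or_fields = [f for f in criteria if f in grouped]
    and_fields = [f for f in criteria if f not in grouped]

    def predicate(row):
        if not all(row[f] == criteria[f] for f in and_fields):
            return False
        # An empty group imposes no condition.
        return not or_fields or any(row[f] == criteria[f] for f in or_fields)

    return predicate


def search_string(criteria, grouped=()):
    """Render the boolean expression the filter evaluates."""
    ors = [LABELS[f] for f in criteria if f in grouped]
    ands = [LABELS[f] for f in criteria if f not in grouped]
    terms = []
    if ors:
        terms.append("(" + " OR ".join(ors) + ")" if len(ors) > 1 else ors[0])
    terms += ands
    return " AND ".join(terms)


def run(criteria, grouped=()):
    """Return the timestamps of the sample rows that match."""
    pred = build_filter(criteria, grouped)
    return [row["time"] for row in load() if pred(row)]


if __name__ == "__main__":
    wan_to_lan = {"src_if": "WAN", "dst_if": "LAN"}
    print(search_string(wan_to_lan), "->", run(wan_to_lan))

    # Everything involving one host in either direction, TCP only.
    host = {"src_ip": "203.0.113.5", "dst_ip": "203.0.113.5", "protocol": "tcp"}
    group = ("src_ip", "dst_ip")
    print(search_string(host, group), "->", run(host, group))
    # Without grouping the same criteria require the host on both sides.
    print(search_string(host), "->", run(host))
```

Grouping Source IP and Destination IP is what makes a single-host search return traffic in both directions; left ungrouped, the same criteria match nothing in the sample.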
The following example filters for log events resulting from traffic from the WAN to the LAN:
Log Event Messages
Log > Categories
This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.
Log Severity/Priority
This section provides information on configuring the priority level at which log messages are captured and at which corresponding alert messages are sent through e-mail for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug (lowest priority)
Alert Level
The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:
• None (disables e-mail alerts)
• Emergency (highest priority)
• Alert
• Critical
• Error
Log Redundancy Filter
The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter
The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
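A model of how the Logging Level, the Alert Level and the two redundancy filters described above combine, as an added example in Python (not SonicOS code). The event timeline is constructed, and the example assumes that a repeat is suppressed while it falls inside the interval measured from the last entry or alert actually recorded for the same message, and that alerts are evaluated on every event that passes the Logging Level.

```python
from dataclasses import dataclass

# Priority names as listed on this page, highest priority first.
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}  # 0 = highest


@dataclass
class Event:
    t: int            # seconds since the start of the constructed timeline
    priority: str
    message: str


def passes(priority, level):
    """True when priority is equal to or higher than the configured level.

    level=None models the Alert Level setting 'None' (alerts disabled).
    """
    return level is not None and RANK[priority] <= RANK[level]


def process(events, logging_level, alert_level,
            log_redundancy=60, alert_redundancy=900):
    """Return (log_entries, alerts) for a time-ordered event stream.

    The default intervals are the page's defaults (60 s and 900 s).
    """
    logged, alerts = [], []
    last_logged, last_alerted = {}, {}
    for ev in events:
        # Stage 1: the Logging Level drops lower-priority events outright,
        # so they can never reach the alert stage either.
        if not passes(ev.priority, logging_level):
            continue
        # Stage 2: Log Redundancy Filter, keyed on the message text.
        prev = last_logged.get(ev.message)
        if prev is None or ev.t - prev >= log_redundancy:
            logged.append(ev)
            last_logged[ev.message] = ev.t
        # Stage 3: Alert Level, then Alert Redundancy Filter.
        if passes(ev.priority, alert_level):
            prev = last_alerted.get(ev.message)
            if prev is None or ev.t - prev >= alert_redundancy:
                alerts.append(ev)
                last_alerted[ev.message] = ev.t
    return logged, alerts


def sample_events():
    """Constructed timeline: a 5-minute flood plus a few single events."""
    evs = [Event(t, "warning", "Possible SYN flood attack detected")
           for t in range(0, 301, 10)]                      # 31 events
    evs += [Event(t, "alert", "Ping of death dropped") for t in (5, 20, 1000)]
    evs.append(Event(30, "error", "Web site access denied"))
    evs.append(Event(50, "informational", "Administrator login allowed"))
    return sorted(evs, key=lambda e: e.t)


if __name__ == "__main__":
    evs = sample_events()
    for log_lvl, alert_lvl in [("warning", "alert"),
                               ("alert", "error"),
                               ("debug", "error")]:
        logged, alerts = process(evs, log_lvl, alert_lvl)
        print(f"logging={log_lvl:8} alert={alert_lvl:6} "
              f"events={len(evs)} log entries={len(logged)} "
              f"alerts={len(alerts)}")
```

In this model the 31 flood events collapse to six log entries, so entry counts in the log understate event volume, and with Logging Level set to Alert the Error-priority event never produces an e-mail even though the Alert Level would allow it.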
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats. All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally. SonicWALL security appliances now include an expanded list of attack categories that can be logged.
The View Style menu provides the following three log category views:
• All Categories - Displays both Legacy Categories and Expanded Categories.
• Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
• Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.
The following table describes both the Legacy and Extended log categories.
Log Type Category Description
802.11 Management Legacy Logs WLAN IEEE 802.11 connections.
Advanced Routing Expanded Logs messages related to RIPv2 and OSPF routing events.
Attacks Legacy Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access Expanded Logs administrator, user, and guest account activity
Blocked Java, etc. Legacy Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites Legacy Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP Expanded Logs BOOTP activity
DDNS Expanded Logs Dynamic DNS activity
Denied LAN IP Legacy Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client Expanded Logs DHCP client protocol activity
DHCP Relay Expanded Logs DHCP central and remote gateway activity
Dropped ICMP Legacy Logs blocked incoming ICMP packets.
Dropped TCP Legacy Logs blocked incoming TCP connections.
Dropped UDP Legacy Logs blocked incoming UDP packets.
Firewall Event Extended Logs internal firewall activity
Firewall Hardware Extended Logs firewall hardware error events
Firewall Logging Extended Logs general events and errors
Firewall Rule Extended Logs firewall rule modifications
GMS Extended Logs GMS status event
High Availability Extended Logs High Availability activity
IPcomp Extended Logs IP compression activity
Intrusion Prevention Extended Logs intrusion prevention related activity
L2TP Client Extended Logs L2TP client activity
L2TP Server Extended Logs L2TP server activity
Multicast Extended Logs multicast IGMP activity
Network Extended Logs network ARP, fragmentation, and MTU activity
Network Access Extended Logs network and firewall protocol access activity
Network Debug Legacy Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
Network Traffic Expanded Logs network traffic reporting events
PPP Extended Logs generic PPP activity
PPP Dial-Up Extended Logs PPP dial-up activity
PPPoE Extended Logs PPPoE activity
PPTP Extended Logs PPTP activity
RBL Extended Logs real-time black list activity
RIP Extended Logs RIP activity
Remote Authentication Extended Logs RADIUS and LDAP server activity
Security Services Extended Logs security services activity
SonicPoint Extended Logs SonicPoint activity
System Errors Legacy Logs problems with DNS or e-mail.
System Maintenance Legacy Logs general system activity, such as system activations.
User Activity Legacy Logs successful and unsuccessful log in attempts.
VOIP Extended Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN Extended Logs VPN activity
VPN Client Extended Logs VPN client activity
VPN IKE Extended Logs VPN IKE activity
VPN IPsec Extended Logs VPN IPSec activity
VPN PKI Extended Logs VPN PKI activity
VPN Tunnel Status Legacy Logs status information on VPN tunnels.
WAN Failover Extended Logs WAN failover activity
Wireless Extended Logs wireless activity
Wlan IDS Extended Logs WLAN IDS activity
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
• Category - Displays log category name.
• Description - Provides description of the log category activity type.
• Log - Provides checkbox for enabling/disabling the display of the log events on the Log > View page.
• Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.
• Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
• Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.
You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.
You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog
In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.
Syslog Settings
Syslog Facility
• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note See RFC 3164 - The BSD Syslog Protocol for more information.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution.
Note For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
– Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
– Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
• Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
• Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent
Syslog Servers
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Step 5 Click Accept to save all Syslog Server settings.
Log > Automation
The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
E-mail Log Automation
• Send Log to E-mail address - Enter your e-mail address in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Alerts to E-mail address - Enter your e-mail address in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Mail Server Settings
The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.
• Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
• From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
• Authentication Method - You can use the default None item or select POP Before SMTP.
Note If the Mail Server (name or IP address) is left blank, log and alert messages are not
Deep Packet Forensics
SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any ‘interesting-content’ events, it can only provide a record of the occurrence, but not the actual data of the event.
Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.
Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:
• Debug/Informational Events—Connection setup/tear down
• User-events—Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time
• Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits
The following is an example of the process of distributed event detection and replay:
2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. Icon/link only appears in the logs when a NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
Methods of Access
The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.
GMS
To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Solera Capture Stack
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time
To configure your SonicWALL appliance with Solera select the Enable Solera Capture Stack Integration option.
Configure the following options:
• Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
• Protocol - Select either HTTP or HTTPS.
• Port - Specify the port number for connecting to the Solera server.
• Interface(s) - Specify which interfaces you want to transmit data for to the Solera server.
• User (optional) - Enter the username, if required.
• Password (optional) - Enter the password, if required.
• Confirm Password - Confirm the password.
– Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.
Selecting Name Resolution Settings
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.
In the Name Resolution Method list, select:
• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
• DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.
Specifying the DNS Server
To choose specific DNS servers or use the same servers as the WAN zone, perform the following steps:
Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com
Data Collection
The Reports window includes the following functions and commands:
• Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
View Data
Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits
Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see . Click on the name of a Web site to open that site in a new window.
Bandwidth Usage by IP Address
Bandwidth Usage by Service
Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.
The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
Log > ViewPoint
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint’s broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.
ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.
If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
Warning You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.
Step 1 Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.
Step 2 Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
Step 3 Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
Step 4 If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Enabling ViewPoint Settings
Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint. To do so, perform the following steps:
Step 1 Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.
Step 2 Click the Add button. The Add Syslog Server window is displayed.
Step 3 Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.
Step 4 Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.
Step 5 Click Accept.
Note The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.
Index of Log Event Messages
This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.
Log Event Message Symbols Key
TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.
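One way to apply this rule when post-processing exported events, as an added example in Python (not SonicOS code): it pairs each Connection Open event with a TCP Connection Dropped event for the same connection and reports only the unpaired opens as forwarded. The event tuples, the use of the page's two message names as matching keys and the 2-second pairing window are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed event shape; field names are assumptions for this example.
Event = namedtuple("Event", "t message src sport dst dport")

# Labels as this page names the two messages; used here only as match keys.
OPEN = "Connection Open"
DROPPED = "TCP Connection Dropped"

# Constructed sample, deliberately not in time order.
SAMPLE = [
    Event(0.0, OPEN, "192.168.1.10", 40000, "203.0.113.5", 443),
    Event(0.1, DROPPED, "192.168.1.10", 40000, "203.0.113.5", 443),
    Event(5.0, OPEN, "192.168.1.10", 40001, "203.0.113.5", 443),
    Event(1.0, OPEN, "192.168.1.30", 50000, "203.0.113.5", 80),
    Event(6.0, DROPPED, "198.51.100.7", 1234, "192.168.1.10", 22),
    Event(30.0, DROPPED, "192.168.1.10", 40001, "203.0.113.5", 443),
]


def reconcile(events, window=2.0):
    """Split open events into (forwarded, rejected).

    An open is 'rejected' when a drop for the same source/destination
    address and port pair follows it within `window` seconds; per the
    rule above, the drop is then the authoritative record and the open
    must not be counted as an allowed connection.
    """
    events = sorted(events, key=lambda e: e.t)
    pending = {}        # connection key -> indexes of opens not yet paired
    superseded = set()  # indexes of opens overridden by a later drop
    for i, ev in enumerate(events):
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        if ev.message == OPEN:
            pending.setdefault(key, []).append(i)
        elif ev.message == DROPPED:
            opens = pending.get(key, [])
            # Pair the drop with the most recent open on this connection,
            # but only if the two are close enough in time to be one
            # connection attempt.
            if opens and ev.t - events[opens[-1]].t <= window:
                superseded.add(opens.pop())
    forwarded = [e for i, e in enumerate(events)
                 if e.message == OPEN and i not in superseded]
    rejected = [events[i] for i in sorted(superseded)]
    return forwarded, rejected


if __name__ == "__main__":
    forwarded, rejected = reconcile(SAMPLE)
    for e in forwarded:
        print("forwarded:", e.src, e.sport, "->", e.dst, e.dport)
    for e in rejected:
        print("rejected :", e.src, e.sport, "->", e.dst, e.dport)
```

Counting allowed connections from open events alone would report three in this sample; after reconciliation only two were forwarded.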
Each log event message described in the following table provides the following log event details:
• SonicOS Category—Displays the SonicOS Software category event type.
• Legacy Category—Displays the SonicWALL Firmware Software category event type.
• Priority Level—Displays the level of urgency of the log event message.
• Log Message ID Number—Displays the ID number of the log event message.
• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.
Log Event Message Symbol Description Context
%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port Down
The cache is full; %u open connections; some will be dropped Represents a numerical string. The cache is full; [40,000] open
Log Event Message Index
Log Event Message New Category Legacy Category Priority ID SNMP Trap Type
Network Security Appliance activated Firewall Event Maintenance Alert 4 ---
Log cleared Firewall Logging Maintenance Information 5 ---
Log successfully sent via email Firewall Logging Maintenance Information 6 ---
Log full; deactivating Network Security Appliance Firewall Logging System Error Error 7 601
New URL List loaded Security Services Maintenance Information 8 ---
No new URL List available Security Services Maintenance Information 9 ---
Problem loading the URL List; check Filter settings Security Services System Error Error 10 602
Problem loading the URL List; check your DNS server Security Services System Error Error 11 603
Problem sending log email; check log settings Firewall Logging System Error Warning 12 604
Restarting Network Security Appliance; dumping log to email Firewall Event Maintenance Information 13 ---
Web site access denied Network Access Blocked Sites Error 14 701
Newsgroup access denied Network Access Blocked Sites Notice 15 702
Web site access allowed Network Access Blocked Sites Notice 16 703
Newsgroup access allowed Network Access Blocked Sites Notice 17 704
ActiveX access denied Network Access Blocked Code Notice 18 ---
Java access denied Network Access Blocked Code Notice 19 ---
ActiveX or Java archive access denied Network Access Blocked Code Notice 20 ---
Cookie removed Network Access Blocked Code Notice 21 ---
Ping of death dropped Intrusion Detection Attack Alert 22 501
IP spoof dropped Intrusion Detection Attack Alert 23 502
User logged out - user disconnect detected (heartbeat timer expired) Authenticate Access User Activity Information 24 ---
Possible SYN flood attack detected Intrusion Detection Attack Warning 25 503
Land attack dropped Intrusion Detection Attack Alert 27 505
Fragmented packet dropped Network TCP | UDP | ICMP Notice 28 ---
Administrator login allowed Authenticate Access User Activity Information 29 ---
Administrator login denied due to bad credentials Authenticate Access Attack Alert 30 560
User login from an internal zone allowed Authenticate Access
User Activity Information 31
---User login denied due to bad credentials Authenticate Access
User Activity Information 32
---User login denied due to bad credentials Authenticate Access
User Activity Information 33
---Login screen timed out Authenticate
Access
---Index of Log Event Messages
21 SonicOS Log Event Reference Guide
Administrator login denied from %s; logins disabled from this interface Authenticate Access Attack Alert 35 506
TCP connection dropped Network Access TCP Notice 36 ---
UDP packet dropped Network Access UDP Notice 37 ---
ICMP packet dropped due to policy Network Access ICMP Notice 38 ---
PPTP packet dropped Network Access TCP | UDP | ICMP Notice 39 ---
IPsec packet dropped Network Access TCP | UDP | ICMP Notice 40 ---
Unknown protocol dropped Network Access Debug Notice 41 ---
IPsec packet dropped; waiting for pending IPsec connection Network Access Debug Debug 42 ---
IPsec connection interrupt Network Access Debug Debug 43 ---
NAT could not remap incoming packet Unused System Error Error 44 606
ARP timeout Network Debug Debug 45 ---
Broadcast packet dropped Network Access Debug Debug 46 ---
No ICMP redirect sent Unused Debug Debug 47 ---
Out-of-order command packet dropped Network Access Debug Debug 48 ---
Failure to add data channel Unused Debug Debug 49 ---
RealAudio decode failure Unused Debug Debug 50 ---
Duplicate packet dropped Network Access Debug Debug 51 ---
No HOST tag found in HTTP request Network Access Debug Debug 52 ---
The cache is full; %u open connections; some will be dropped Firewall Event System Error Error 53 607
License exceeded: Connection dropped because too many IP addresses are in use on your LAN Firewall Event System Error Error 58 608
Access to proxy server denied Network Access Blocked Sites Notice 60 705
Diagnostic Code E VPN IPsec System Error Error 61 609
Dynamic IPsec client connected VPN IPsec User Activity Information 62 ---
Received fragmented packet or fragmentation needed Network Debug Debug 63 ---
Diagnostic Code D Firewall Hardware System Error Error 64 610
Illegal IPsec SPI VPN IPsec User Activity Information 65 ---
Unknown IPsec SPI VPN IPsec Attack Error 66 507
IPsec Authentication Failed VPN IPsec Attack Error 67 508
IPsec Decryption Failed VPN IPsec Attack Error 68 509
Incompatible IPsec Security Association VPN IPsec User Activity Information 69 ---
IPsec packet from or to an illegal host VPN IPsec Attack Error 70 510
NetBus attack dropped Intrusion Detection Attack Alert 72 511
Back Orifice attack dropped Intrusion Detection Attack Alert 73 512
Net Spy attack dropped Intrusion Detection Attack Alert 74 513
Sub Seven attack dropped Intrusion Detection Attack Alert 75 514
Ripper attack dropped Intrusion Detection Attack Alert 76 515
Striker attack dropped Intrusion Detection Attack Alert 77 516
Senna Spy attack dropped Intrusion Detection Attack Alert 78 517
Priority attack dropped Intrusion Detection Attack Alert 79 518
Ini Killer attack dropped Intrusion Detection Attack Alert 80 519
Smurf Amplification attack dropped Intrusion Detection Attack Alert 81 520
Possible port scan detected Intrusion Detection Attack Alert 82 521
Probable port scan detected Intrusion Detection Attack Alert 83 522
Failed to resolve name Network Maintenance Information 84 ---
IKE Responder: Accepting IPsec proposal (Phase 2) VPN IKE User Activity Information 87 ---
IKE Responder: IPsec proposal does not match (Phase 2) VPN IKE User Activity Warning 88 523
IKE negotiation complete. Adding IPsec SA. (Phase 2) VPN IKE User Activity Information 89 ---
Starting IKE negotiation VPN IKE User Activity Information 90 ---
Deleting IPsec SA for destination VPN IKE User Activity Information 91 ---
Deleting IPsec SA VPN IKE User Activity Information 92 ---
Diagnostic Code A Firewall Hardware System Error Error 93 611
Diagnostic Code B Firewall Hardware System Error Error 94 612
Diagnostic Code C Firewall Hardware System Error Error 95 613
Status GMS Maintenance Emergency 96 ---
#Web site hit Network Traffic Connection Traffic Information 97 ---
Connection Opened Network Traffic Connection Information 98 ---
Retransmitting DHCP DISCOVER. DHCP Client Maintenance Information 99 ---
Retransmitting DHCP REQUEST (Requesting). DHCP Client Maintenance Information 100 ---
Retransmitting DHCP REQUEST (Renewing). DHCP Client Maintenance Information 101 ---
Retransmitting DHCP REQUEST (Rebinding). DHCP Client Maintenance Information 102 ---
Retransmitting DHCP REQUEST (Rebooting). DHCP Client Maintenance Information 103 ---
Retransmitting DHCP REQUEST (Verifying). DHCP Client Maintenance Information 104 ---
Sending DHCP DISCOVER. DHCP Client Maintenance Information 105 ---
DHCP Server not available. Did not get any DHCP OFFER. DHCP Client Maintenance Information 106 ---
Got DHCP OFFER. Selecting. DHCP Client Maintenance Information 107 ---
Sending DHCP REQUEST. DHCP Client Maintenance Information 108 ---
DHCP Client did not get DHCP ACK. DHCP Client Maintenance Information 109 ---
DHCP Client got NACK. DHCP Client Maintenance Information 110 ---
DHCP Client got ACK from server. DHCP Client Maintenance Information 111 ---
DHCP Client is declining address offered by the server. DHCP Client Maintenance Information 112 ---
DHCP Client sending REQUEST and going to REBIND state. DHCP Client Maintenance Information 113 ---
DHCP Client sending REQUEST and going to RENEW state. DHCP Client Maintenance Information 114 ---
Sending DHCP REQUEST (Renewing). DHCP Client Maintenance Information 115 ---
Sending DHCP REQUEST (Rebinding). DHCP Client Maintenance Information 116 ---
Sending DHCP REQUEST (Rebooting). DHCP Client Maintenance Information 117 ---
Sending DHCP REQUEST (Verifying). DHCP Client Maintenance Information 118 ---
DHCP Client failed to verify and lease has expired. Go to INIT state. DHCP Client Maintenance Information 119 ---
DHCP Client failed to verify and lease is still valid. Go to BOUND state. DHCP Client Maintenance Information 120 ---
DHCP Client got a new IP address lease. DHCP Client Maintenance Information 121 ---
Sending DHCP RELEASE. DHCP Client Maintenance Information 122 ---
Access attempt from host without Anti-Virus agent installed Security Services Maintenance Information 123 ---
Anti-Virus agent out-of-date on host Security Services Maintenance Information 124 ---
Received AV Alert: %s Security Services Maintenance Warning 125 524
Starting PPPoE discovery PPPoE Maintenance Information 127 ---
PPPoE LCP Link Up PPPoE Maintenance Information 128 ---
PPPoE LCP Link Down PPPoE Maintenance Information 129 ---
PPPoE terminated PPPoE Maintenance Information 130 ---
PPPoE Network Connected PPPoE Maintenance Information 131 ---
PPPoE Network Disconnected PPPoE Maintenance Information 132 ---
PPPoE discovery process complete PPPoE Maintenance Information 133 ---
PPPoE starting CHAP Authentication PPPoE Maintenance Information 134 ---
PPPoE starting PAP Authentication PPPoE Maintenance Information 135 ---
PPPoE CHAP Authentication Failed PPPoE Maintenance Information 136 ---
PPPoE PAP Authentication Failed PPPoE Maintenance Information 137 ---
Wan IP Changed Firewall Event System Error Warning 138 636
XAUTH Succeeded with VPN client VPN Client User Activity Information 139 ---
XAUTH Failed with VPN client, Authentication failure VPN Client User Activity Error 140 ---
XAUTH Failed with VPN client, Cannot Contact RADIUS Server VPN Client User Activity Information 141 ---
Log Debug Firewall Event Debug Error 142 ---
Add an attack message Firewall Event Attack Error 143 525
Primary firewall has transitioned to Active High Availability Maintenance Alert 144 ---
Backup firewall has transitioned to Active High Availability Maintenance Alert 145 ---
Primary firewall has transitioned to Idle High Availability System Error Alert 146 614
Backup firewall has transitioned to Idle High Availability Maintenance Alert 147 ---
Primary missed heartbeats from Backup High Availability System Error Error 148 615
Backup missed heartbeats from Primary High Availability System Error Error 149 616
Primary received error signal from Backup High Availability System Error Error 150 617
Backup received error signal from Primary High Availability System Error Error 151 618
Backup firewall being preempted by Primary High Availability System Error Error 152 619
Primary firewall preempting Backup High Availability System Error Error 153 620
Active Backup detects Active Primary: Backup going Idle High Availability Maintenance Information 154 ---
Imported HA hardware ID did not match this firewall High Availability Maintenance Information 155 ---
Discovered HA Backup Firewall High Availability Maintenance Information 156 ---
HA Peer Firewall Synchronized High Availability Maintenance Information 157 ---
Error synchronizing HA peer firewall (%s) High Availability System Error Error 158 662
Received AV Alert: Your Network Anti-Virus subscription has expired. %s Security Services Maintenance Warning 159 526
Primary received heartbeat from wrong source High Availability Maintenance Information 160 ---
Backup received heartbeat from wrong source High Availability Maintenance Information 161 ---
HA packet processing error High Availability Maintenance Information 162 ---
Heartbeat received from incompatible source High Availability Maintenance Information 163 ---
Diagnostic Code F Firewall Hardware System Error Error 164 621
Forbidden E-Mail attachment disabled Intrusion Detection Attack Alert 165 527
PPPoE PAP Authentication success. PPPoE Maintenance Information 166 ---
PPPoE PAP Authentication Failed. Please verify PPPoE username and password PPPoE Maintenance Information 167 ---
Disconnecting PPPoE due to traffic timeout PPPoE Maintenance Information 168 ---
No response from ISP Disconnecting PPPoE. PPPoE Maintenance Information 169 ---
Backup going Active in preempt mode after reboot High Availability System Error Error 170 622
VPN Log Debug VPN IKE Debug Information 172 ---
TCP connection from LAN denied Network Access LAN TCP Notice 173 ---
UDP packet from LAN dropped Network Access LAN UDP | LAN TCP Notice 174 ---
ICMP packet from LAN dropped Network Access LAN ICMP | LAN TCP Notice 175 ---
Probable TCP FIN scan detected Intrusion Detection Attack Alert 177 528
Probable TCP XMAS scan detected Intrusion Detection Attack Alert 178 529
Probable TCP NULL scan detected Intrusion Detection Attack Alert 179 530
IPsec Replay Detected VPN IPsec Attack Alert 180 531
TCP FIN packet dropped Network Debug Debug 181 ---
Received a path MTU icmp message from router/gateway Network User Activity Information 182 ---
Problem loading the URL List; Appliance not registered. Security Services System Error Error 183 623
Problem loading the URL List; Subscription expired. Security Services System Error Error 184 624
Problem loading the URL List; Try loading it again. Security Services System Error Error 185 625
Problem loading the URL List; Retrying later. Security Services System Error Error 186 626
Problem loading the URL List; Flash write failure. Security Services System Error Error 187 627
Received a path MTU icmp message from router/gateway Network User Activity Information 188 ---
The loaded content URL List has expired. Security Services System Error Error 190 628
Error setting the IP address of the backup, please manually set to backup LAN IP High Availability System Error Error 191 629
Error updating HA peer configuration High Availability System Error Error 192 630
Fraudulent Microsoft certificate found; access denied Intrusion Detection Attack Error 193 532
VPN TCP SYN VPN VPN Statistics Information 194 ---
VPN TCP FIN VPN VPN Statistics Information 195 ---
VPN TCP PSH VPN VPN Statistics Information 196 ---
Content filter subscription expired. Security Services System Error Error 197 631
New firmware available. Firewall Event Maintenance Information 198 ---
CLI administrator login allowed Authenticate Access User Activity Information 199 ---
CLI administrator login denied due to bad credentials Authenticate Access User Activity Warning 200 ---
L2TP Tunnel Negotiation Started L2TP Client Maintenance Information 201 ---
L2TP Session Negotiation Started L2TP Client Maintenance Information 202 ---
L2TP Max Retransmission Exceeded L2TP Client Maintenance Information 203 ---
L2TP Tunnel Established L2TP Client Maintenance Information 204 ---
L2TP Tunnel Disconnect from Remote L2TP Client Maintenance Information 205 ---
L2TP Session Established L2TP Client Maintenance Information 206 ---
L2TP Session Disconnect from Remote L2TP Client Maintenance Information 207 ---
L2TP PPP Negotiation Started L2TP Client Maintenance Information 208 ---
L2TP LCP Down L2TP Client Maintenance Information 209 ---
L2TP PPP Session Up L2TP Client Maintenance Information 210 ---
L2TP PPP Down L2TP Client Maintenance Information 211 ---
L2TP PPP Authentication Failed L2TP Client Maintenance Information 212 ---
L2TP LCP Up L2TP Client Maintenance Information 213 ---
L2TP Disconnect Initiated by the User L2TP Client Maintenance Information 214 ---
Disconnecting L2TP Tunnel due to traffic timeout L2TP Client Maintenance Information 215 ---
L2TP Connect Initiated by the User L2TP Client Maintenance Information 216 ---
L2TP PPP link down L2TP Client Maintenance Information 217 ---
Primary WAN link down, Primary going Idle High Availability Maintenance Information 218 ---
Backup WAN link down, Primary going Active High Availability System Error Error 219 633
Primary WAN link down, Backup going Active High Availability System Error Error 220 634
Primary WAN link up, preempting Backup High Availability Maintenance Information 221 ---
DHCP RELEASE relayed to Central Gateway DHCP Relay Maintenance Information 222 ---
DHCP lease relayed to local device DHCP Relay Maintenance Information 223 ---
DHCP RELEASE received from remote device DHCP Relay Debug Information 224 ---
DHCP lease relayed to remote device DHCP Relay Debug Information 225 ---
DHCP lease to LAN device conflicts with remote device, deleting remote IP entry DHCP Relay Maintenance Information 226 ---
WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list DHCP Relay Maintenance Information 227 ---
DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP DHCP Relay Maintenance Warning 228 ---
IP spoof detected on packet to Central Gateway, packet dropped DHCP Relay Attack Error 229 533
Request for Relay IP Table from Central Gateway DHCP Relay Maintenance Information 230 ---
Requesting Relay IP Table from Remote Gateway DHCP Relay Maintenance Information 231 ---
Sent Relay IP Table to Central Gateway DHCP Relay Maintenance Information 232 ---
Obtained Relay IP Table from Remote Gateway DHCP Relay Maintenance Information 233 ---
Failed to synchronize Relay IP Table DHCP Relay System Error Warning 234 632
VPN zone administrator login allowed Authenticate Access User Activity Information 235 ---
WAN zone administrator login allowed Authenticate Access User Activity Information 236 ---
VPN zone remote user login allowed Authenticate Access User Activity Information 237 ---
WAN zone remote user login allowed Authenticate Access User Activity Information 238 ---
NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device VPN IKE User Activity Information 239 ---
NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device VPN IKE User Activity Information 240 ---
NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways VPN IKE User Activity Information 241 ---
NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal VPN IKE User Activity Information 242 ---
User login denied - RADIUS authentication failure RADIUS User Activity Information 243 ---
User login denied - RADIUS server timeout RADIUS User Activity Warning 244 ---
User login denied - RADIUS configuration error RADIUS User Activity Warning 245 ---
User login denied - User has no privileges for login from that location Authenticate Access User Activity Information 246 ---
IPsec packet from an illegal host VPN IPsec Maintenance Information 247 ---
Forbidden E-Mail attachment deleted Intrusion Detection Attack Error 248 534
IKE Responder: Mode %d - not tunnel mode VPN IKE User Activity Warning 249 535
IKE Responder: No matching Phase 1 ID found for proposed remote network VPN IKE User Activity Warning 250 536
IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route VPN IKE User Activity Warning 251 537
IKE Responder: No match for proposed remote network address VPN IKE User Activity Warning 252 538
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route VPN IKE User Activity Warning 253 539
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address VPN IKE User Activity Warning 254 540
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall VPN IKE User Activity Warning 255 541
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN VPN IKE User Activity Warning 256 542
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ VPN IKE User Activity Warning 257 543
IKE Responder: AH Perfect Forward Secrecy mismatch VPN IKE User Activity Warning 258 544
IKE Responder: ESP Perfect Forward Secrecy mismatch VPN IKE User Activity Warning 259 545
IKE Responder: Algorithms and/or keys do not match VPN IKE User Activity Warning 260 546
Administrator logged out Authenticate Access User Activity Information 261 ---
Administrator logged out - inactivity timer expired Authenticate Access User Activity Information 262 ---
User logged out Authenticate Access User Activity Information 263 ---
User logged out - max session time exceeded Authenticate Access User Activity Information 264 ---
User logged out - inactivity timer expired Authenticate Access User Activity Information 265 ---
NAT device may not support IPsec AH passthrough VPN IPsec Maintenance Information 266 ---
TCP Xmas Tree dropped Intrusion Detection Attack Alert 267 547
CFL auto-download disabled, time problem detected Security Services Maintenance Information 268 ---
Requesting CRL from VPN PKI User Activity Information 269 ---
CRL loaded from VPN PKI User Activity Information 270 ---
Failed to get CRL from VPN PKI User Activity Alert 271 ---
Not enough memory to hold the CRL VPN PKI User Activity Warning 272 ---
Connection timed out VPN PKI User Activity Alert 273 ---
Cannot connect to the CRL server VPN PKI User Activity Alert 274 ---
Unknown reason VPN PKI User Activity Error 275 ---
Failed to Process CRL from VPN PKI User Activity Alert 276 ---
Bad CRL format VPN PKI User Activity Alert 277 ---
Issuer match failed VPN PKI User Activity Alert 278 ---
Certificate on Revoked list(CRL) VPN PKI User Activity Alert 279 ---
No Certificate for VPN PKI User Activity Alert 280 ---
PPP Dial-Up: Dialing: %s PPP Dial Up User Activity Information 281 ---
PPP Dial-Up: No dialtone detected - check phone-line connection PPP Dial Up User Activity Information 282 ---
PPP Dial-Up: No link carrier detected - check phone number PPP Dial Up User Activity Information 283 ---
PPP Dial-Up: Dialed number is busy PPP Dial Up User Activity Information 284 ---
PPP Dial-Up: Dialed number did not answer PPP Dial Up User Activity Information 285 ---
PPP Dial-Up: Connected at %s bps - starting PPP PPP Dial Up User Activity Information 286 ---
PPP Dial-Up: Unknown dialing failure PPP Dial Up User Activity Information 287 ---
PPP Dial-Up: Link carrier lost PPP Dial Up User Activity Information 288 ---
PPP: Authentication successful PPP --- Information 289 ---
PPP: PAP Authentication failed - check username / password PPP --- Information 290 ---
PPP: CHAP authentication failed - check username / password PPP --- Information 291 ---
PPP: MS-CHAP authentication failed - check username / password PPP --- Information 292 ---
PPP: Starting MS-CHAP authentication PPP --- Information 293 ---
PPP: Starting CHAP authentication PPP --- Information 294 ---
PPP: Starting PAP authentication PPP --- Information 295 ---
PPP Dial-Up: PPP negotiation failed - disconnecting PPP Dial Up User Activity Information 296 ---
PPP Dial-Up: Idle time limit exceeded - disconnecting PPP Dial Up User Activity Information 297 ---
PPP Dial-Up: Failed to get IP address PPP Dial Up User Activity Information 298 ---
PPP Dial-Up: Received new IP address PPP Dial Up User Activity Information 299 ---
PPP Dial-Up: PPP link established PPP Dial Up User Activity Information 300 ---
PPP Dial-Up: PPP link down PPP Dial Up User Activity Information 301 ---
PPP Dial-Up: Shutting down link PPP Dial Up User Activity Information 302 ---
PPP Dial-Up: Initialization : %s PPP Dial Up User Activity Information 303 ---
PPP Dial-Up: User requested disconnect PPP Dial Up User Activity Information 304 ---
PPP Dial-Up: User requested connect PPP Dial Up User Activity Information 305 ---
PPP Dial-Up: Connect request canceled PPP Dial Up User Activity Information 306 ---
The network connection in use is %s WAN Failover System Error Warning 307 639
L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance Information 308 ---
L2TP Server : L2TP Session Established. L2TP Server Maintenance Information 309 ---
L2TP Server : L2TP PPP Session Established. L2TP Server Maintenance Information 310 ---
L2TP Server: RADIUS/LDAP reports Authentication Failure L2TP Server Maintenance Information 311 ---
L2TP Server: Local Authentication Failure L2TP Server Maintenance Information 312 ---
L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server Maintenance Information 313 ---
L2TP Server: No IP address available in the Local IP Pool L2TP Server Maintenance Information 314 ---
L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server Maintenance Information 315 ---
L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server Maintenance Information 316 ---
L2TP Server: L2TP Remote terminated the PPP session L2TP Server Maintenance Information 317 ---
L2TP Server: Local Authentication Success. L2TP Server Maintenance Information 318 ---
L2TP Server: RADIUS/LDAP Authentication Success L2TP Server Maintenance Information 319 ---
L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server Maintenance Information 320 ---
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial Up User Activity Information 321 ---
PPP Dial-Up: Trying to failover but Primary Profile is manual PPP Dial Up User Activity Information 322 ---
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial Up User Activity Information 323 ---
PPP Dial-Up: Dial initiated by %s PPP Dial Up Maintenance Information 324 ---
The current WAN interface is not ready to route packets. Firewall Event System Error Error 325 635
Probing failure on %s WAN Failover System Error Alert 326 637
PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP Dial Up User Activity Information 327 ---
Administrator name changed Authenticate Access Maintenance Information 328 ---
User login failure rate exceeded - logins from user IP address denied Authenticate Access Attack Error 329 561
PPP Dial-Up: The profile in use disabled VPN networking. PPP Dial Up Maintenance Information 330 ---
PPP Dial-Up: VPN networking restored. PPP Dial Up Maintenance Information 331 ---
%s Ethernet Port Up Firewall Event System Error Warning 332 640
%s Ethernet Port Down Firewall Event System Error Error 333 641
L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance Information 334 ---
L2TP Server: Tunnel Disconnect from Remote. L2TP Server Maintenance Information 335 ---
L2TP Server : Deleting the Tunnel L2TP Server Maintenance Information 336 ---
L2TP Server : Deleting the L2TP active Session L2TP Server Maintenance Information 337 ---
L2TP Server : Retransmission Timeout, Deleting the Tunnel L2TP Server Maintenance Information 338 ---
NAT translated packet exceeds size limit, packet dropped Network Debug Debug 339 ---
HTTP management port has changed Firewall Event Maintenance Information 340 ---
HTTPS management port has changed Firewall Event Maintenance Information 341 ---
IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. VPN IKE Debug Warning 342 ---
L2TP Server : Access from L2TP VPN Client Privilege not enabled for Radius Users. L2TP Server Maintenance Information 343 ---
L2TP Server : User Name authentication Failure locally. L2TP Server Maintenance Information 344 ---
IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address VPN IKE User Activity Warning 345 548
IKE Initiator: Start Quick Mode (Phase 2). VPN IKE User Activity Information 346 ---
Port configured to receive IPsec protocol ONLY; drop packet received in the clear Network Access TCP | UDP | ICMP Warning 347 ---
Imported VPN SA is invalid - disabled Firewall Event Maintenance Warning 348 ---
IPsec SA lifetime expired. VPN IPsec User Activity Information 349 ---
IKE SA lifetime expired. VPN IKE User Activity Information 350 ---
IKE Initiator: Start Main Mode negotiation (Phase 1) VPN IKE User Activity Information 351 ---
IKE Responder: Received Quick Mode Request (Phase 2) VPN IKE User Activity Information 352 ---
IKE Initiator: Main Mode complete (Phase 1) VPN IKE User Activity Information 353 ---
IKE Initiator: Aggressive Mode complete (Phase 1). VPN IKE User Activity Information 354 ---
IKE Responder: Received Main Mode request (Phase 1) VPN IKE User Activity Information 355 ---
IKE Responder: Received Aggressive Mode request (Phase 1) VPN IKE User Activity Information 356 ---
IKE Responder: Main Mode complete (Phase 1) VPN IKE User Activity Information 357 ---
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) VPN IKE User Activity Information 358 ---
Entering FIPS ERROR state Crypto Test Maintenance Error 359 ---
Crypto DES test failed Crypto Test Maintenance Error 360 ---
Crypto DH test failed Crypto Test Maintenance Error 361 ---
Crypto Hmac-MD5 fest failed Crypto Test Maintenance Error 362 ---
Crypto Hmac-Sha1 test failed Crypto Test Maintenance Error 363 ---
Crypto RSA test failed Crypto Test Maintenance Error 364 ---
Crypto Sha1 test failed Crypto Test Maintenance Error 365 ---
Crypto hardware DES test failed Crypto Test Maintenance Error 366 ---
Crypto hardware 3DES test failed Crypto Test Maintenance Error 367 ---
Crypto hardware DES with SHA test failed Crypto Test Maintenance Error 368 ---
Crypto Hardware 3DES with SHA test failed Crypto Test Maintenance Error 369 ---
Crypto MD5 test failed Crypto Test Maintenance Error 370 ---
VPN Client Policy Provisioning VPN Client User Activity Information 371 ---
IKE Initiator: Accepting IPsec proposal (Phase 2) VPN IKE User Activity Information 372 ---
IKE Responder: Aggressive Mode complete (Phase 1) VPN IKE User Activity Information 373 ---
Error initializing Hardware acceleration for VPN Firewall Hardware Maintenance Error 374 ---
PPTP Control Connection Negotiation Started PPTP Maintenance Information 375 ---
PPTP Session Negotiation Started PPTP Maintenance Information 376 ---
PPTP Max Retransmission Exceeded PPTP Maintenance Information 377 ---
PPTP Control Connection Established PPTP Maintenance Information 378 ---
PPTP Tunnel Disconnect from Remote PPTP Maintenance Information 379 ---
PPTP Session Established PPTP Maintenance Information 380 ---
PPTP Session Disconnect from Remote PPTP Maintenance Information 381 ---
PPTP PPP Negotiation Started PPTP Maintenance Information 382 ---
PPTP LCP Down PPTP Maintenance Information 383 ---
PPTP PPP Session Up PPTP Maintenance Information 384 ---
PPTP PPP Down PPTP Maintenance Information 385 ---
PPTP PPP Authentication Failed PPTP Maintenance Information 386 ---
PPTP LCP Up PPTP Maintenance Information 387 ---
PPTP Disconnect Initiated by the User PPTP Maintenance Information 388 ---
Disconnecting PPTP Tunnel due to traffic timeout PPTP Maintenance Information 389 ---
PPTP Connect Initiated by the User PPTP Maintenance Information 390 ---
PPTP PPP link down PPTP Maintenance Information 391 ---
PPTP starting CHAP Authentication PPTP Maintenance Information 392 ---
PPTP starting PAP Authentication PPTP Maintenance Information 393 ---
PPTP CHAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 394 ---
PPTP PAP Authentication Failed PPTP Maintenance Information 395 ---
PPTP PAP Authentication success. PPTP Maintenance Information 396 ---
PPTP PAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 397 ---
PPTP PPP Link Up PPTP Maintenance Information 398 ---