Using the SonicOS Log Event Reference Guide - SonicWALL
Using the SonicOS Log Event Reference Guide
This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.
This document contains the following sections:
• Log > View
• Log > Categories
• Log > Syslog
• Log > Automation
• Log > Name Resolution
• Log > Reports
• Log > ViewPoint
• Index of Log Event Messages
• Index of Syslog Tag Field Description
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.
The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Log View Table
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Syslog uses eight categories to characterize messages. In descending order of severity, the categories are:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notice
– Informational
– Debug
Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.
Note
Refer to the Log Event Messages section for more information on your specific log event.
• Category - the type of traffic, such as Network Access or Authenticated Access.
• Message - provides a description of the event.
• Source - displays the source network and IP address.
• Destination - displays the destination network and IP address.
• Notes - provides additional information about the event.
• Rule - notes the Network Access Rule affected by the event.
Navigating and Sorting Log View Table Entries
The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.
You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.
Refresh
To update log messages, click the Refresh button near the top right corner of the page.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format - Used in log and alert e-mail.
• Comma-separated value (CSV) format - Used for importing into Excel or other presentation development applications.
E-mail Log
If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.
Note
The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information in the Log > Automation page.
Filtering Log Records Viewed
You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Enter your filter criteria in the Log View Settings table.
Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
Source interface AND Destination interface
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again.
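The AND/OR combination from Steps 2 and 3, modelled as an added Python sketch (not SonicOS code and not part of the original guide). Field names such as `src_ip` and the sample rows are constructed for illustration.

```python
# Added illustration of the Log View filter logic; not SonicOS code.
# Field names and sample rows are constructed for this example.

LABELS = {
    "src_ip": "Source IP",
    "dst_ip": "Destination IP",
    "protocol": "Protocol",
    "src_if": "Source interface",
    "dst_if": "Destination interface",
}


def check_group(criteria, grouped):
    """Validate the Group Filters selection and return it as a set."""
    grouped = set(grouped)
    missing = grouped - set(criteria)
    if missing:
        raise ValueError(f"grouped fields have no value: {sorted(missing)}")
    if len(grouped) == 1:
        raise ValueError("Group Filters combines two or more criteria")
    return grouped


def search_string(criteria, grouped=()):
    """Render the filter the way the guide writes it."""
    grouped = check_group(criteria, grouped)
    parts = []
    if grouped:
        ors = [LABELS[f] for f in criteria if f in grouped]
        parts.append("(" + " OR ".join(ors) + ")")
    parts += [LABELS[f] for f in criteria if f not in grouped]
    return " AND ".join(parts)


def apply_filter(rows, criteria, grouped=()):
    """Return the rows that satisfy the filter."""
    grouped = check_group(criteria, grouped)

    def matches(row):
        # Ungrouped criteria must all match (logical AND).
        if any(row.get(f) != v for f, v in criteria.items() if f not in grouped):
            return False
        # Grouped criteria need only one match (logical OR).
        return not grouped or any(row.get(f) == criteria[f] for f in grouped)

    return [row for row in rows if matches(row)]


# Constructed log rows (documentation address ranges).
ROWS = [
    {"n": 1, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "protocol": "tcp"},
    {"n": 2, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "protocol": "tcp"},
    {"n": 3, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "protocol": "udp"},
    {"n": 4, "src_ip": "203.0.113.5", "dst_ip": "198.51.100.7", "protocol": "tcp"},
]

# All TCP traffic involving one host, in either direction.
HOST_CRITERIA = {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.10", "protocol": "tcp"}

if __name__ == "__main__":
    for grouped in ((), ("src_ip", "dst_ip")):
        hits = apply_filter(ROWS, HOST_CRITERIA, grouped)
        print(search_string(HOST_CRITERIA, grouped), "->", [r["n"] for r in hits])
```

Without Group Filters the same three values match nothing, because no row has the host as both source and destination.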
The following example filters for log events resulting from traffic from the WAN to the LAN:
Log Event Messages
For a complete reference guide of log event messages, refer to the “Log Event Message Index” section on page 20.
Log > Categories
This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Note
You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.
Log Severity/Priority
This section provides information on configuring the level of priority at which log messages are captured and corresponding alert messages are sent through e-mail for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug (lowest priority)
Alert Level
The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:
• None (disables e-mail alerts)
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning (lowest priority)
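The interaction between the Logging Level and Alert Level controls (and the priority threshold described under Log > View), modelled as an added Python sketch. This is not SonicOS code or part of the original guide; the function names and the sample configuration are constructed for illustration.

```python
# Added illustration of the Logging Level / Alert Level controls; not SonicOS code.
# Function names and the sample configuration are constructed for this example.

# Priority scale from the guide, highest priority first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}  # 0 = highest priority

# Alert Level menu from the guide: "None" disables alerts, "Warning" is the lowest.
ALERT_LEVELS = ["None", "Emergency", "Alert", "Critical", "Error", "Warning"]


def at_or_above(priority, threshold):
    """True when `priority` is of equal or greater priority than `threshold`."""
    return RANK[priority] <= RANK[threshold]


def disposition(priority, logging_level, alert_level):
    """Return (logged, alerted) for one event under the two controls."""
    if priority not in RANK or logging_level not in RANK:
        raise ValueError("unknown priority or logging level")
    if alert_level not in ALERT_LEVELS:
        raise ValueError("unknown alert level")
    logged = at_or_above(priority, logging_level)
    # Events are pre-filtered by the Logging Level, so a dropped event never alerts.
    alerted = (logged and alert_level != "None"
               and at_or_above(priority, alert_level))
    return logged, alerted


def coverage(logging_level, alert_level):
    """Map every priority to 'alert', 'log only' or 'dropped' for a configuration."""
    table = {}
    for priority in PRIORITIES:
        logged, alerted = disposition(priority, logging_level, alert_level)
        table[priority] = "alert" if alerted else "log only" if logged else "dropped"
    return table


if __name__ == "__main__":
    # Logging Level set to a higher priority than the Alert Level: the Alert Level
    # of Warning cannot take effect below Critical.
    for priority, outcome in coverage("Critical", "Warning").items():
        print(f"{priority:<14}{outcome}")
```

Running `coverage` for a planned configuration shows which priorities are never recorded at all, which is worth checking before relying on the log for investigations.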
Log Redundancy Filter
The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter
The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.
All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.
SonicWALL security appliances now include an expanded list of attack categories that can be logged.
The View Style menu provides the following three log category views:
• All Categories - Displays both Legacy Categories and Expanded Categories.
• Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
• Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.
The following table describes both the Legacy and Extended log categories.
| Log Type | Category | Description |
|---|---|---|
| 802.11 Management | Legacy | Logs WLAN IEEE 802.11 connections. |
| Advanced Routing | Expanded | Logs messages related to RIPv2 and OSPF routing events. |
| Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing |
| Authenticated Access | Expanded | Logs administrator, user, and guest account activity |
| Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance. |
| Blocked Web Sites | Legacy | Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering. |
| BOOTP | Expanded | Logs BOOTP activity |
| Crypto Test | Expanded | Logs crypto algorithm and hardware testing |
| DDNS | Expanded | Logs Dynamic DNS activity |
| Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the SonicWALL security appliance. |
| DHCP Client | Expanded | Logs DHCP client protocol activity |
| DHCP Relay | Expanded | Logs DHCP central and remote gateway activity |
| Dropped ICMP | Legacy | Logs blocked incoming ICMP packets. |
| Dropped TCP | Legacy | Logs blocked incoming TCP connections. |
| Dropped UDP | Legacy | Logs blocked incoming UDP packets. |
| Firewall Event | Extended | Logs internal firewall activity |
| Firewall Hardware | Extended | Logs firewall hardware error events |
| Firewall Logging | Extended | Logs general events and errors |
| Firewall Rule | Extended | Logs firewall rule modifications |
| GMS | Extended | Logs GMS status event |
| High Availability | Extended | Logs High Availability activity |
| IPcomp | Extended | Logs IP compression activity |
| Intrusion Prevention | Extended | Logs intrusion prevention related activity |
| L2TP Client | Extended | Logs L2TP client activity |
| L2TP Server | Extended | Logs L2TP server activity |
| Multicast | Extended | Logs multicast IGMP activity |
| Network | Extended | Logs network ARP, fragmentation, and MTU activity |
| Network Access | Extended | Logs network and firewall protocol access activity |
| Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators. |
| Network Traffic | Expanded | Logs network traffic reporting events |
| PPP | Extended | Logs generic PPP activity |
| PPP Dial-Up | Extended | Logs PPP dial-up activity |
| PPPoE | Extended | Logs PPPoE activity |
| PPTP | Extended | Logs PPTP activity |
| RBL | Extended | Logs real-time black list activity |
| RIP | Extended | Logs RIP activity |
| Remote Authentication | Extended | Logs RADIUS and LDAP server activity |
| Security Services | Extended | Logs security services activity |
| SonicPoint | Extended | Logs SonicPoint activity |
| System Errors | Legacy | Logs problems with DNS or e-mail. |
| System Maintenance | Legacy | Logs general system activity, such as system activations. |
| User Activity | Legacy | Logs successful and unsuccessful log in attempts. |
| VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity |
| VPN | Extended | Logs VPN activity |
| VPN Client | Extended | Logs VPN client activity |
| VPN IKE | Extended | Logs VPN IKE activity |
| VPN IPsec | Extended | Logs VPN IPSec activity |
| VPN PKI | Extended | Logs VPN PKI activity |
| VPN Tunnel Status | Legacy | Logs status information on VPN tunnels. |
| WAN Failover | Extended | Logs WAN failover activity |
| Wireless | Extended | Logs wireless activity |
| Wlan IDS | Extended | Logs WLAN IDS activity |
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
• Category - Displays the log category name.
• Description - Provides a description of the log category activity type.
• Log - Provides a checkbox for enabling/disabling the display of the log events on the Log > View page.
• Alerts - Provides a checkbox for enabling/disabling the sending of alerts for the category.
• Syslog - Provides a checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
• Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.
You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.
You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog
In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.
Syslog Settings
Syslog Facility
• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note
See RFC 3164 - The BSD Syslog Protocol for more information.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution.
Note
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
– Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
– Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note
If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
• Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
• Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
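The Syslog Event Redundancy Filter described above, modelled as an added Python sketch (not SonicOS code and not part of the original guide). It assumes the first occurrence is written immediately and that the end-of-period count includes it; the summary wording and the sample events are constructed.

```python
# Added illustration of a syslog redundancy filter; not SonicOS code.
# Assumptions: the first occurrence is written at once, and the end-of-period
# message reports the total count including that first occurrence.

DEFAULT_PERIOD = 60      # seconds, default stated in the guide
MAX_PERIOD = 86_400      # seconds (24 hours), maximum stated in the guide


def redundancy_filter(events, period=DEFAULT_PERIOD):
    """Filter time-ordered (timestamp, message) pairs.

    Returns the (timestamp, text) lines that would be written to syslog.
    """
    if not 0 <= period <= MAX_PERIOD:
        raise ValueError("period must be between 0 and 86400 seconds")
    events = list(events)
    if period == 0:
        return events                      # 0 sends every message unfiltered

    written = []
    open_periods = {}                      # message -> [period start, count]

    def close_expired(now):
        expired = [m for m, (start, _) in open_periods.items()
                   if start + period <= now]
        # Close the oldest period first so output stays in time order.
        for message in sorted(expired, key=lambda m: open_periods[m][0]):
            start, count = open_periods.pop(message)
            if count > 1:                  # duplicates were suppressed
                written.append((start + period,
                                f"{message} (occurred {count} times)"))

    for timestamp, message in events:
        close_expired(timestamp)
        if message in open_periods:
            open_periods[message][1] += 1  # duplicate: count it, write nothing
        else:
            open_periods[message] = [timestamp, 1]
            written.append((timestamp, message))
    close_expired(float("inf"))            # flush periods still open at the end
    return written


# Constructed events: seconds since start, message text.
SAMPLE = [
    (0, "SYN flood"), (5, "SYN flood"), (10, "SYN flood"),
    (20, "Port scan"), (59, "SYN flood"), (61, "SYN flood"),
]

if __name__ == "__main__":
    for line in redundancy_filter(SAMPLE):
        print(line)
```

With the default period, six events become four syslog lines, and the timing of the individual duplicates inside the period cannot be recovered from the syslog output.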
Syslog Servers
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Step 5 Click Accept to save all Syslog Server settings.
Log > Automation
The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
E-mail Log Automation
• Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Alerts to E-mail address - Enter your e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Mail Server Settings
The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.
• Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
• From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
• Authentication Method - You can use the default None item or select POP Before SMTP.
Note
If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.
Deep Packet Forensics
SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any ‘interesting-content’ events, it can only provide a record of the occurrence, but not the actual data of the event.
Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.
Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:
• Debug/Informational Events - Connection setup/tear down
• User-events - Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events - Access to and from particular IP:Port combinations, also identifiable by time
• Interesting-content at the Network or Application Layer - Port-scans, SYN floods, DPI or AF signature/policy hits
The following is an example of the process of distributed event detection and replay:
1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:
2. A user (at IP address 192.168.19.1) on the network retrieves the file.<br />
3. The event is logged by the SonicWALL.<br />
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link<br />
only appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP:<br />
[192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The<br />
link will include the query string parameters defining the desired connection.<br />
5. The NPCS will (optionally) authenticate the user session.<br />
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed<br />
on the local machine.<br />
Methods of Access<br />
The client and NPCS must be able to reach one another. Usually, this means the client and the<br />
NPCS will be in the same physical location, both connected to the SonicWALL appliance. In<br />
any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS<br />
through the SonicWALL. Administrators in a remote location will require some method of VPN<br />
connectivity to the internal network. Access from a centralized GMS console will have similar<br />
requirements.<br />
Log Persistence<br />
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be<br />
emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a<br />
simple version of logging persistence, while GMS provides a more reliable and scalable<br />
method.<br />
Because the administrator can choose to deliver logs as either plain-text or HTML, the<br />
administrator has an easy method to review and replay logged events.<br />
GMS<br />
To provide the ability to identify and view events across an entire enterprise, a GMS update will<br />
be required. Device-specific interesting-content events at the GMS console appear in the<br />
Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top<br />
Intrusions Over Time.<br />
Solera Capture Stack<br />
Solera Networks makes a series of appliances of varying capacities and speeds designed to<br />
capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture<br />
System (NPCS) provides utilities that allow the captured data to be accessed in time<br />
sequenced playback, that is, analysis of captured data can be performed on a live network via<br />
NPCS while the device is actively capturing and archiving data.<br />
To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack<br />
Integration option.<br />
Configure the following options:<br />
• Server - Select the host for the Solera server. You can dynamically create the host by<br />
selecting Create New Host...<br />
• Protocol - Select either HTTP or HTTPS.<br />
• Port - Specify the port number for connecting to the Solera server.<br />
• Interface(s) - Specify the interfaces whose data you want to transmit to the Solera server.<br />
• User (optional) - Enter the username, if required.<br />
• Password (optional) - Enter the password, if required.<br />
• Confirm Password - Confirm the password.<br />
– Mask Password - Leave this enabled to send the password as encrypted text.<br />
Log > Name Resolution<br />
The Log > Name Resolution page includes settings for configuring the name servers used to<br />
resolve IP addresses and server names in the log reports.<br />
The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports<br />
into server names. It stores the name/address pairs in a cache, to assist with future lookups.<br />
You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution<br />
page.<br />
Selecting Name Resolution Settings<br />
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server<br />
names.<br />
In the Name Resolution Method list, select:<br />
• None: The security appliance will not attempt to resolve IP addresses and Names in the log<br />
reports.<br />
• DNS: The security appliance will use the DNS server you specify to resolve addresses and<br />
names.<br />
• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you<br />
select NetBIOS, no further configuration is necessary.<br />
• DNS then NetBIOS: The security appliance will first use the DNS server you specify to<br />
resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.<br />
Specifying <strong>the</strong> DNS Server<br />
To choose specific DNS servers or use the same servers as the WAN zone, perform the<br />
following steps:<br />
Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone.<br />
The second choice is selected by default.<br />
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on<br />
your network. You can enter up to three servers.<br />
Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes<br />
take effect.<br />
Log > Reports<br />
The SonicWALL security appliance can perform a rolling analysis of the event log to show the<br />
top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and<br />
the top 25 services consuming the most bandwidth. You can generate these reports from the<br />
Log > Reports page.<br />
Note<br />
SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for<br />
SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to<br />
http://www.sonicwall.com<br />
Data Collection<br />
The Reports window includes the following functions and commands:<br />
• Start Data Collection<br />
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button<br />
label changes to Stop Data Collection.<br />
• Reset Data<br />
Click Reset Data to clear the report statistics and begin a new sample period. The sample<br />
period is also reset when data collection is stopped or started, and when the SonicWALL<br />
security appliance is restarted.<br />
View Data<br />
Select the desired report from the Report to view menu. The options are Web Site Hits,<br />
Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are<br />
explained below. Click Refresh Data to update the report. The length of time analyzed by the<br />
report is displayed in the Current Sample Period.<br />
Web Site Hits<br />
Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for<br />
the 25 most frequently accessed Web sites and the number of hits to a site during the current<br />
sample period.<br />
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites.<br />
If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can<br />
choose to block the sites. For information on blocking inappropriate Web sites, see .<br />
Click on the name of a Web site to open that site in a new window.<br />
Bandwidth Usage by IP Address<br />
Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table<br />
showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes<br />
transmitted during the current sample period.<br />
Bandwidth Usage by Service<br />
Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing<br />
the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number<br />
of megabytes received from the service during the current sample period.<br />
The Bandwidth Usage by Service report shows whether the services being used are<br />
appropriate for your organization. If services such as video or push broadcasts are consuming<br />
a large portion of the available bandwidth, you can choose to block these services.<br />
Log > ViewPoint<br />
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented<br />
security awareness and control over your network environment through detailed and<br />
comprehensive reports of your security and network activities. ViewPoint’s broad reporting<br />
capabilities allow administrators to easily monitor network access and Internet usage, enhance<br />
security, assess risks, understand more about employee Internet use and productivity, and<br />
anticipate future bandwidth needs.<br />
ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible,<br />
comprehensive view of network events and activities. Reports are based on syslog data<br />
streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN<br />
connections. With ViewPoint, your organization can generate individual or aggregate reports<br />
about virtually any aspect of appliance activity, including individual user or group usage<br />
patterns, events on specific appliances or groups of appliances, types and times of attacks,<br />
resource consumption and constraints, and more.<br />
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.<br />
For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web<br />
site at http://www.sonicwall.com/us/support/3340.html.<br />
Activating ViewPoint<br />
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the<br />
SonicWALL Management Interface using two methods.<br />
If you received a license activation key, enter the activation key in the Enter upgrade key field,<br />
and click Accept.<br />
Warning<br />
You must have a mysonicwall.com account and your SonicWALL security appliance<br />
must be registered to activate SonicWALL ViewPoint for your SonicWALL security<br />
appliance.<br />
Step 1 Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The<br />
mysonicwall.com Login page is displayed.<br />
Step 2 Enter your mysonicwall.com account username and password in the User Name and Password<br />
fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security<br />
appliance is already connected to your mysonicwall.com account, the System > Licenses page<br />
appears after you click the SonicWALL Content Filtering Subscription link.<br />
Step 3 Click Activate or Renew in the Manage Service column in the Manage Services Online table.<br />
Step 4 Type in the Activation Key in the New License Key field and click Submit.<br />
If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint<br />
activation is automatically enabled on your SonicWALL within 24 hours, or you can click the<br />
Synchronize button on the Security Services > Summary page to update your SonicWALL.<br />
Enabling ViewPoint Settings<br />
Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL<br />
security appliance to the server running ViewPoint. Perform the following steps:<br />
Step 1 Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log ><br />
ViewPoint page.<br />
Step 2 Click the Add button. The Add Syslog Server window is displayed.<br />
Step 3 Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address<br />
field.<br />
Step 4 Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the<br />
default port number.<br />
Step 5 Click Accept.<br />
Note The Override Syslog Settings with ViewPoint Settings control on the Log ><br />
Syslog page is automatically checked when you enable ViewPoint from the Log ><br />
ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server<br />
window is also displayed on the Log > Syslog page as well as in the Syslog Servers<br />
table on the Log > ViewPoint page.<br />
Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server<br />
information. Clicking the Delete icon deletes the ViewPoint syslog server entry.<br />
Index of Log Event Messages<br />
This section contains a list of log event messages for all SonicWALL Firmware and SonicOS<br />
Software Releases, ordered alphabetically. Use your web browser’s Find function to search for<br />
a command.<br />
Log Event Message Symbols Key<br />
Log Event Message Symbol Description Context<br />
%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port Down<br />
The cache is full; %u open connections; some will be dropped Represents a numerical string. The cache is full; [40,000] open connections; some will be dropped<br />
TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling<br />
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open,"<br />
will be rejected by a deeper layer of packet processing. In these cases, the connection request<br />
has not been forwarded by the SonicWALL security appliance, and the initial Connection Open<br />
SonicOS log event message should be ignored in favor of the TCP Connection Dropped log<br />
event message.<br />
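The rule above, applied to exported syslog lines, as an added example that is not part of the original guide: it sets aside each Connection Opened event (ID 98) that a TCP connection dropped event (ID 36) for the same source and destination supersedes. The sample lines are constructed, and the tag layout (time, m, msg, src, dst), the IPv4 ip:port:interface form and the 5-second matching window are assumptions.<br />

```python
"""Set aside SonicOS "Connection Opened" events that a deeper layer later rejected."""
import re
from datetime import datetime, timedelta

# Message IDs as listed in the Log Event Message Index of this guide.
ID_CONNECTION_OPENED = 98
ID_TCP_CONNECTION_DROPPED = 36

# key=value pairs; a value may be double-quoted and contain spaces.
TAG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines, not captured from a real appliance. The tag layout
# (time, m, msg, src/dst as ip:port:interface) is an assumption of this example.
SAMPLE_LINES = [
    'id=firewall time="2009-06-01 10:15:02" pri=6 m=98 msg="Connection Opened" '
    'src=192.168.19.1:49152:X0 dst=203.0.113.10:80:X1 proto=tcp/http',
    'id=firewall time="2009-06-01 10:15:02" pri=5 m=36 msg="TCP connection dropped" '
    'src=192.168.19.1:49152:X0 dst=203.0.113.10:80:X1 proto=tcp/http',
    'id=firewall time="2009-06-01 10:15:04" pri=6 m=98 msg="Connection Opened" '
    'src=192.168.19.7:50001:X0 dst=203.0.113.20:443:X1 proto=tcp/https',
    'id=firewall time="2009-06-01 10:15:09" pri=6 m=98 msg="Connection Opened" '
    'src=192.168.19.9:50555:X0 dst=203.0.113.30:25:X1 proto=tcp/smtp',
    'id=firewall time="2009-06-01 10:20:00" pri=5 m=36 msg="TCP connection dropped" '
    'src=192.168.19.9:50555:X0 dst=203.0.113.30:25:X1 proto=tcp/smtp',
    'not a sonicwall line',
]


def parse_line(line):
    """Return a dict for one syslog line, or None if required tags are missing."""
    tags = {key: value.strip('"') for key, value in TAG_RE.findall(line)}
    try:
        src_ip, src_port = tags["src"].split(":")[:2]
        dst_ip, dst_port = tags["dst"].split(":")[:2]
        return {
            "id": int(tags["m"]),
            "time": datetime.strptime(tags["time"], "%Y-%m-%d %H:%M:%S"),
            "flow": (src_ip, int(src_port), dst_ip, int(dst_port)),
            "msg": tags.get("msg", ""),
        }
    except (KeyError, ValueError):
        return None


def correlate(lines, window=timedelta(seconds=5)):
    """Split events into (effective, ignored).

    A Connection Opened event is ignored when a TCP connection dropped event
    for the same flow follows it within `window` (an assumed tolerance).
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["time"])  # stable: same-second order is kept
    pending = {}        # flow -> index of the latest unmatched open
    superseded = set()  # indexes of opens overridden by a later drop
    for i, event in enumerate(events):
        if event["id"] == ID_CONNECTION_OPENED:
            pending[event["flow"]] = i
        elif event["id"] == ID_TCP_CONNECTION_DROPPED:
            j = pending.pop(event["flow"], None)
            if j is not None and event["time"] - events[j]["time"] <= window:
                superseded.add(j)
    effective = [e for i, e in enumerate(events) if i not in superseded]
    ignored = [events[i] for i in sorted(superseded)]
    return effective, ignored


if __name__ == "__main__":
    kept, dropped_opens = correlate(SAMPLE_LINES)
    for event in dropped_opens:
        print("ignored open:", event["flow"], event["time"])
    for event in kept:
        print("kept:", event["id"], event["msg"], event["flow"])
```

The drop logged almost five minutes after the third open falls outside the window, so that open is kept as a connection that was forwarded before it was dropped.<br />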
Each log event message described in the following table provides the following log event details:<br />
• SonicOS Category—Displays the SonicOS Software category event type.<br />
• Legacy Category—Displays the SonicWALL Firmware Software category event type.<br />
• Priority Level—Displays the level of urgency of the log event message.<br />
• Log Message ID Number—Displays the ID number of the log event message.<br />
• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.<br />
Log Event Message Index<br />
Log Event Message New Category Legacy Category Priority ID SNMP Trap Type<br />
Network Security Appliance activated Firewall Event Maintenance Alert 4 ---<br />
Log cleared Firewall Logging Maintenance Information 5 ---<br />
Log successfully sent via email Firewall Logging Maintenance Information 6 ---<br />
Log full; deactivating Network Security Appliance Firewall Logging System Error Error 7 601<br />
New URL List loaded Security Services Maintenance Information 8 ---<br />
No new URL List available Security Services Maintenance Information 9 ---<br />
Problem loading the URL List; check Filter settings Security Services System Error Error 10 602<br />
Problem loading the URL List; check your DNS server Security Services System Error Error 11 603<br />
Problem sending log email; check log settings Firewall Logging System Error Warning 12 604<br />
Restarting Network Security Appliance; dumping log to email Firewall Event Maintenance Information 13 ---<br />
Web site access denied Network Access Blocked Sites Error 14 701<br />
Newsgroup access denied Network Access Blocked Sites Notice 15 702<br />
Web site access allowed Network Access Blocked Sites Notice 16 703<br />
Newsgroup access allowed Network Access Blocked Sites Notice 17 704<br />
ActiveX access denied Network Access Blocked Code Notice 18 ---<br />
Java access denied Network Access Blocked Code Notice 19 ---<br />
ActiveX or Java archive access denied Network Access Blocked Code Notice 20 ---<br />
Cookie removed Network Access Blocked Code Notice 21 ---<br />
Ping of death dropped Intrusion Detection Attack Alert 22 501<br />
IP spoof dropped Intrusion Detection Attack Alert 23 502<br />
User logged out - user disconnect detected (heartbeat timer expired) Authenticate Access User Activity Information 24 ---<br />
Possible SYN flood attack detected Intrusion Detection Attack Warning 25 503<br />
Land attack dropped Intrusion Detection Attack Alert 27 505<br />
Fragmented packet dropped Network TCP | UDP | ICMP Notice 28 ---<br />
Administrator login allowed Authenticate Access User Activity Information 29 ---<br />
Administrator login denied due to bad credentials Authenticate Access Attack Alert 30 560<br />
User login from an internal zone allowed Authenticate Access User Activity Information 31 ---<br />
User login denied due to bad credentials Authenticate Access User Activity Information 32 ---<br />
User login denied due to bad credentials Authenticate Access User Activity Information 33 ---<br />
Login screen timed out Authenticate Access User Activity Information 34 ---<br />
Administrator login denied from %s; logins disabled from this interface Authenticate Access Attack Alert 35 506<br />
TCP connection dropped Network Access TCP Notice 36 ---<br />
UDP packet dropped Network Access UDP Notice 37 ---<br />
ICMP packet dropped due to policy Network Access ICMP Notice 38 ---<br />
PPTP packet dropped Network Access TCP | UDP | ICMP Notice 39 ---<br />
IPsec packet dropped Network Access TCP | UDP | ICMP Notice 40 ---<br />
Unknown protocol dropped Network Access Debug Notice 41 ---<br />
IPsec packet dropped; waiting for pending IPsec connection Network Access Debug Debug 42 ---<br />
IPsec connection interrupt Network Access Debug Debug 43 ---<br />
NAT could not remap incoming packet Unused System Error Error 44 606<br />
ARP timeout Network Debug Debug 45 ---<br />
Broadcast packet dropped Network Access Debug Debug 46 ---<br />
No ICMP redirect sent Unused Debug Debug 47 ---<br />
Out-of-order command packet dropped Network Access Debug Debug 48 ---<br />
Failure to add data channel Unused Debug Debug 49 ---<br />
RealAudio decode failure Unused Debug Debug 50 ---<br />
Duplicate packet dropped Network Access Debug Debug 51 ---<br />
No HOST tag found in HTTP request Network Access Debug Debug 52 ---<br />
The cache is full; %u open connections; some will be dropped Firewall Event System Error Error 53 607<br />
License exceeded: Connection dropped because too many IP addresses are in use on your LAN Firewall Event System Error Error 58 608<br />
Access to proxy server denied Network Access Blocked Sites Notice 60 705<br />
Diagnostic Code E VPN IPsec System Error Error 61 609<br />
Dynamic IPsec client connected VPN IPsec User Activity Information 62 ---<br />
Received fragmented packet or fragmentation needed Network Debug Debug 63 ---<br />
Diagnostic Code D Firewall Hardware System Error Error 64 610<br />
Illegal IPsec SPI VPN IPsec User Activity Information 65 ---<br />
Unknown IPsec SPI VPN IPsec Attack Error 66 507<br />
IPsec Authentication Failed VPN IPsec Attack Error 67 508<br />
IPsec Decryption Failed VPN IPsec Attack Error 68 509<br />
Incompatible IPsec Security Association VPN IPsec User Activity Information 69 ---<br />
IPsec packet from or to an illegal host VPN IPsec Attack Error 70 510<br />
NetBus attack dropped Intrusion Detection Attack Alert 72 511<br />
Back Orifice attack dropped Intrusion Detection Attack Alert 73 512<br />
Net Spy attack dropped Intrusion Detection Attack Alert 74 513<br />
Sub Seven attack dropped Intrusion Detection Attack Alert 75 514<br />
Ripper attack dropped Intrusion Detection Attack Alert 76 515<br />
Striker attack dropped Intrusion Detection Attack Alert 77 516<br />
Senna Spy attack dropped Intrusion Detection Attack Alert 78 517<br />
Priority attack dropped Intrusion Detection Attack Alert 79 518<br />
Ini Killer attack dropped Intrusion Detection Attack Alert 80 519<br />
Smurf Amplification attack dropped Intrusion Detection Attack Alert 81 520<br />
Possible port scan detected Intrusion Detection Attack Alert 82 521<br />
Probable port scan detected Intrusion Detection Attack Alert 83 522<br />
Failed to resolve name Network Maintenance Information 84 ---<br />
IKE Responder: Accepting IPsec proposal (Phase 2) VPN IKE User Activity Information 87 ---<br />
IKE Responder: IPsec proposal does not match (Phase 2) VPN IKE User Activity Warning 88 523<br />
IKE negotiation complete. Adding IPsec SA. (Phase 2) VPN IKE User Activity Information 89 ---<br />
Starting IKE negotiation VPN IKE User Activity Information 90 ---<br />
Deleting IPsec SA for destination VPN IKE User Activity Information 91 ---<br />
Deleting IPsec SA VPN IKE User Activity Information 92 ---<br />
Diagnostic Code A Firewall Hardware System Error Error 93 611<br />
Diagnostic Code B Firewall Hardware System Error Error 94 612<br />
Diagnostic Code C Firewall Hardware System Error Error 95 613<br />
Status GMS Maintenance Emergency 96 ---<br />
#Web site hit Network Traffic Connection Traffic Information 97 ---<br />
Connection Opened Network Traffic Connection Information 98 ---<br />
Retransmitting DHCP DISCOVER. DHCP Client Maintenance Information 99 ---<br />
Retransmitting DHCP REQUEST (Requesting). DHCP Client Maintenance Information 100 ---<br />
Retransmitting DHCP REQUEST (Renewing). DHCP Client Maintenance Information 101 ---<br />
Retransmitting DHCP REQUEST (Rebinding). DHCP Client Maintenance Information 102 ---<br />
Retransmitting DHCP REQUEST (Rebooting). DHCP Client Maintenance Information 103 ---<br />
Retransmitting DHCP REQUEST (Verifying). DHCP Client Maintenance Information 104 ---<br />
Sending DHCP DISCOVER. DHCP Client Maintenance Information 105 ---<br />
DHCP Server not available. Did not get any DHCP OFFER. DHCP Client Maintenance Information 106 ---<br />
Got DHCP OFFER. Selecting. DHCP Client Maintenance Information 107 ---<br />
Sending DHCP REQUEST. DHCP Client Maintenance Information 108 ---<br />
DHCP Client did not get DHCP ACK. DHCP Client Maintenance Information 109 ---<br />
DHCP Client got NACK. DHCP Client Maintenance Information 110 ---<br />
DHCP Client got ACK from server. DHCP Client Maintenance Information 111 ---<br />
DHCP Client is declining address offered by the server. DHCP Client Maintenance Information 112 ---<br />
DHCP Client sending REQUEST and going to REBIND state. DHCP Client Maintenance Information 113 ---<br />
DHCP Client sending REQUEST and going to RENEW state. DHCP Client Maintenance Information 114 ---<br />
Sending DHCP REQUEST (Renewing). DHCP Client Maintenance Information 115 ---<br />
Sending DHCP REQUEST (Rebinding). DHCP Client Maintenance Information 116 ---<br />
Sending DHCP REQUEST (Rebooting). DHCP Client Maintenance Information 117 ---<br />
Sending DHCP REQUEST (Verifying). DHCP Client Maintenance Information 118 ---<br />
DHCP Client failed to verify and lease has expired. Go to INIT state. DHCP Client Maintenance Information 119 ---<br />
DHCP Client failed to verify and lease is still valid. Go to BOUND state. DHCP Client Maintenance Information 120 ---<br />
DHCP Client got a new IP address lease. DHCP Client Maintenance Information 121 ---<br />
Sending DHCP RELEASE. DHCP Client Maintenance Information 122 ---<br />
Access attempt from host without Anti-Virus agent installed Security Services Maintenance Information 123 ---<br />
Anti-Virus agent out-of-date on host Security Services Maintenance Information 124 ---<br />
Received AV Alert: %s Security Services Maintenance Warning 125 524<br />
Starting PPPoE discovery PPPoE Maintenance Information 127 ---<br />
PPPoE LCP Link Up PPPoE Maintenance Information 128 ---<br />
PPPoE LCP Link Down PPPoE Maintenance Information 129 ---<br />
PPPoE terminated PPPoE Maintenance Information 130 ---<br />
PPPoE Network Connected PPPoE Maintenance Information 131 ---<br />
PPPoE Network Disconnected PPPoE Maintenance Information 132 ---<br />
PPPoE discovery process complete PPPoE Maintenance Information 133 ---<br />
PPPoE starting CHAP Authentication PPPoE Maintenance Information 134 ---<br />
PPPoE starting PAP Authentication PPPoE Maintenance Information 135 ---<br />
PPPoE CHAP Authentication Failed PPPoE Maintenance Information 136 ---<br />
PPPoE PAP Authentication Failed PPPoE Maintenance Information 137 ---<br />
Wan IP Changed Firewall Event System Error Warning 138 636<br />
XAUTH Succeeded with VPN client VPN Client User Activity Information 139 ---<br />
XAUTH Failed with VPN client, Authentication failure VPN Client User Activity Error 140 ---<br />
XAUTH Failed with VPN client, Cannot Contact RADIUS Server VPN Client User Activity Information 141 ---<br />
Log Debug Firewall Event Debug Error 142 ---<br />
Add an attack message Firewall Event Attack Error 143 525<br />
Primary firewall has transitioned to Active High Availability Maintenance Alert 144 ---<br />
Backup firewall has transitioned to Active High Availability Maintenance Alert 145 ---<br />
Primary firewall has transitioned to Idle High Availability System Error Alert 146 614<br />
Backup firewall has transitioned to Idle High Availability Maintenance Alert 147 ---<br />
Primary missed heartbeats from Backup High Availability System Error Error 148 615<br />
Backup missed heartbeats from Primary High Availability System Error Error 149 616<br />
Primary received error signal from Backup High Availability System Error Error 150 617<br />
Backup received error signal from Primary High Availability System Error Error 151 618<br />
Backup firewall being preempted by Primary High Availability System Error Error 152 619<br />
Primary firewall preempting Backup High Availability System Error Error 153 620<br />
Active Backup detects Active Primary: Backup going Idle High Availability Maintenance Information 154 ---<br />
Imported HA hardware ID did not match this firewall High Availability Maintenance Information 155 ---<br />
Discovered HA Backup Firewall High Availability Maintenance Information 156 ---<br />
HA Peer Firewall Synchronized High Availability Maintenance Information 157 ---<br />
Error synchronizing HA peer firewall (%s) High Availability System Error Error 158 662<br />
Received AV Alert: Your Network Anti-Virus subscription has expired. %s Security Services Maintenance Warning 159 526<br />
Primary received heartbeat from wrong source High Availability Maintenance Information 160 ---<br />
Backup received heartbeat from wrong source High Availability Maintenance Information 161 ---<br />
HA packet processing error High Availability Maintenance Information 162 ---<br />
Heartbeat received from incompatible source High Availability Maintenance Information 163 ---<br />
Diagnostic Code F Firewall Hardware System Error Error 164 621<br />
Forbidden E-Mail attachment disabled Intrusion Detection Attack Alert 165 527<br />
PPPoE PAP Authentication success. PPPoE Maintenance Information 166 ---<br />
PPPoE PAP Authentication Failed. Please verify PPPoE username and password PPPoE Maintenance Information 167 ---<br />
Disconnecting PPPoE due to traffic timeout PPPoE Maintenance Information 168 ---<br />
No response from ISP Disconnecting PPPoE. PPPoE Maintenance Information 169 ---<br />
Backup going Active in preempt mode after reboot High Availability System Error Error 170 622<br />
VPN Log Debug VPN IKE Debug Information 172 ---<br />
TCP connection from LAN denied Network Access LAN TCP Notice 173 ---<br />
UDP packet from LAN dropped Network Access LAN UDP | LAN TCP Notice 174 ---<br />
ICMP packet from LAN dropped Network Access LAN ICMP | LAN TCP Notice 175 ---<br />
Probable TCP FIN scan detected Intrusion Detection Attack Alert 177 528<br />
Probable TCP XMAS scan detected Intrusion Detection Attack Alert 178 529<br />
Probable TCP NULL scan detected Intrusion Detection Attack Alert 179 530<br />
IPsec Replay Detected VPN IPsec Attack Alert 180 531<br />
TCP FIN packet dropped Network Debug Debug 181 ---<br />
Received a path MTU icmp message from router/gateway Network User Activity Information 182 ---<br />
Problem loading the URL List; Appliance not registered. Security Services System Error Error 183 623<br />
Problem loading the URL List; Subscription expired. Security Services System Error Error 184 624<br />
Problem loading the URL List; Try loading it again. Security Services System Error Error 185 625<br />
Problem loading the URL List; Retrying later. Security Services System Error Error 186 626<br />
Problem loading the URL List; Flash write failure. Security Services System Error Error 187 627<br />
Received a path MTU icmp message from router/gateway Network User Activity Information 188 ---<br />
The loaded content URL List has expired. Security Services System Error Error 190 628<br />
Error setting the IP address of the backup, please manually set to backup LAN IP High Availability System Error Error 191 629<br />
Error updating HA peer configuration High Availability System Error Error 192 630<br />
Fraudulent Microsoft certificate found; access denied Intrusion Detection Attack Error 193 532<br />
VPN TCP SYN VPN VPN Statistics Information 194 ---<br />
VPN TCP FIN VPN VPN Statistics Information 195 ---<br />
VPN TCP PSH VPN VPN Statistics Information 196 ---<br />
Content filter subscription expired. Security Services System Error Error 197 631<br />
New firmware available. Firewall Event Maintenance Information 198 ---<br />
CLI administrator login allowed Authenticate Access User Activity Information 199 ---<br />
CLI administrator login denied due to bad credentials Authenticate Access User Activity Warning 200 ---<br />
L2TP Tunnel Negotiation Started L2TP Client Maintenance Information 201 ---<br />
L2TP Session Negotiation Started L2TP Client Maintenance Information 202 ---<br />
L2TP Max Retransmission Exceeded L2TP Client Maintenance Information 203 ---<br />
L2TP Tunnel Established L2TP Client Maintenance Information 204 ---<br />
L2TP Tunnel Disconnect from Remote L2TP Client Maintenance Information 205 ---<br />
L2TP Session Established L2TP Client Maintenance Information 206 ---<br />
L2TP Session Disconnect from Remote L2TP Client Maintenance Information 207 ---<br />
L2TP PPP Negotiation Started L2TP Client Maintenance Information 208 ---<br />
L2TP LCP Down L2TP Client Maintenance Information 209 ---<br />
L2TP PPP Session Up L2TP Client Maintenance Information 210 ---<br />
L2TP PPP Down L2TP Client Maintenance Information 211 ---<br />
L2TP PPP Authentication Failed L2TP Client Maintenance Information 212 ---<br />
L2TP LCP Up L2TP Client Maintenance Information 213 ---<br />
L2TP Disconnect Initiated by the User L2TP Client Maintenance Information 214 ---<br />
Disconnecting L2TP Tunnel due to traffic timeout L2TP Client Maintenance Information 215 ---<br />
L2TP Connect Initiated by the User L2TP Client Maintenance Information 216 ---<br />
L2TP PPP link down L2TP Client Maintenance Information 217 ---<br />
Primary WAN link down, Primary going Idle High Availability Maintenance Information 218 ---<br />
Backup WAN link down, Primary going Active High Availability System Error Error 219 633<br />
Primary WAN link down, Backup going Active High Availability System Error Error 220 634<br />
Primary WAN link up, preempting Backup High Availability Maintenance Information 221 ---<br />
DHCP RELEASE relayed to Central Gateway DHCP Relay Maintenance Information 222 ---<br />
DHCP lease relayed to local device DHCP Relay Maintenance Information 223 ---<br />
DHCP RELEASE received from remote device DHCP Relay Debug Information 224 ---<br />
DHCP lease relayed to remote device DHCP Relay Debug Information 225 ---<br />
DHCP lease to LAN device conflicts with remote device, deleting remote IP entry DHCP Relay Maintenance Information 226 ---<br />
WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list DHCP Relay Maintenance Information 227 ---<br />
DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP DHCP Relay Maintenance Warning 228 ---<br />
IP spoof detected on packet to Central Gateway, packet dropped DHCP Relay Attack Error 229 533<br />
Request for Relay IP Table from Central Gateway DHCP Relay Maintenance Information 230 ---<br />
Requesting Relay IP Table from Remote Gateway DHCP Relay Maintenance Information 231 ---<br />
Sent Relay IP Table to Central Gateway DHCP Relay Maintenance Information 232 ---<br />
Obtained Relay IP Table from Remote Gateway DHCP Relay Maintenance Information 233 ---<br />
Failed to synchronize Relay IP Table DHCP Relay System Error Warning 234 632<br />
VPN zone administrator login allowed Authenticate Access User Activity Information 235 ---<br />
WAN zone administrator login allowed Authenticate Access User Activity Information 236 ---<br />
VPN zone remote user login allowed Authenticate Access User Activity Information 237 ---<br />
WAN zone remote user login allowed Authenticate Access User Activity Information 238 ---<br />
NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device VPN IKE User Activity Information 239 ---<br />
NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device VPN IKE User Activity Information 240 ---<br />
NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways VPN IKE User Activity Information 241 ---<br />
NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal VPN IKE User Activity Information 242 ---<br />
User login denied - RADIUS authentication failure RADIUS User Activity Information 243 ---<br />
User login denied - RADIUS server timeout RADIUS User Activity Warning 244 ---<br />
User login denied - RADIUS configuration error RADIUS User Activity Warning 245 ---<br />
User login denied - User has no privileges for login from that location Authenticate Access User Activity Information 246 ---<br />
IPsec packet from an illegal host VPN IPsec Maintenance Information 247 ---<br />
Forbidden E-Mail attachment deleted Intrusion Detection Attack Error 248 534<br />
IKE Responder: Mode %d - not tunnel mode VPN IKE User Activity Warning 249 535<br />
IKE Responder: No matching Phase 1 ID found for proposed remote network VPN IKE User Activity Warning 250 536<br />
IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route VPN IKE User Activity Warning 251 537<br />
IKE Responder: No match for proposed remote network address VPN IKE User Activity Warning 252 538<br />
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route VPN IKE User Activity Warning 253 539<br />
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address VPN IKE User Activity Warning 254 540<br />
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall VPN IKE User Activity Warning 255 541<br />
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN VPN IKE User Activity Warning 256 542<br />
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ VPN IKE User Activity Warning 257 543<br />
IKE Responder: AH Perfect Forward Secrecy mismatch VPN IKE User Activity Warning 258 544<br />
IKE Responder: ESP Perfect Forward Secrecy mismatch VPN IKE User Activity Warning 259 545<br />
IKE Responder: Algorithms and/or keys do not match VPN IKE User Activity Warning 260 546<br />
Administrator logged out Authenticate Access User Activity Information 261 ---<br />
Administrator logged out - inactivity timer expired Authenticate Access User Activity Information 262 ---<br />
User logged out Authenticate Access User Activity Information 263 ---<br />
User logged out - max session time exceeded Authenticate Access User Activity Information 264 ---<br />
User logged out - inactivity timer expired Authenticate Access User Activity Information 265 ---<br />
NAT device may not support IPsec AH passthrough VPN IPsec Maintenance Information 266 ---<br />
TCP Xmas Tree dropped Intrusion Detection Attack Alert 267 547<br />
CFL auto-download disabled, time problem detected Security Services Maintenance Information 268 ---<br />
Requesting CRL from VPN PKI User Activity Information 269 ---<br />
CRL loaded from VPN PKI User Activity Information 270 ---<br />
Failed to get CRL from VPN PKI User Activity Alert 271 ---<br />
Not enough memory to hold the CRL VPN PKI User Activity Warning 272 ---<br />
Connection timed out VPN PKI User Activity Alert 273 ---<br />
Cannot connect to the CRL server VPN PKI User Activity Alert 274 ---<br />
Unknown reason VPN PKI User Activity Error 275 ---<br />
Failed to Process CRL from VPN PKI User Activity Alert 276 ---<br />
Bad CRL format VPN PKI User Activity Alert 277 ---<br />
Issuer match failed VPN PKI User Activity Alert 278 ---<br />
Certificate on Revoked list(CRL) VPN PKI User Activity Alert 279 ---<br />
No Certificate for VPN PKI User Activity Alert 280 ---<br />
PPP Dial-Up: Dialing: %s PPP Dial Up User Activity Information 281 ---<br />
PPP Dial-Up: No dialtone detected - check phone-line connection PPP Dial Up User Activity Information 282 ---<br />
PPP Dial-Up: No link carrier detected - check phone number PPP Dial Up User Activity Information 283 ---<br />
PPP Dial-Up: Dialed number is busy PPP Dial Up User Activity Information 284 ---<br />
PPP Dial-Up: Dialed number did not answer PPP Dial Up User Activity Information 285 ---<br />
PPP Dial-Up: Connected at %s bps - starting PPP PPP Dial Up User Activity Information 286 ---<br />
PPP Dial-Up: Unknown dialing failure PPP Dial Up User Activity Information 287 ---<br />
PPP Dial-Up: Link carrier lost PPP Dial Up User Activity Information 288 ---<br />
PPP: Authentication successful PPP --- Information 289 ---<br />
PPP: PAP Authentication failed - check username / password PPP --- Information 290 ---<br />
PPP: CHAP authentication failed - check username / password PPP --- Information 291 ---<br />
PPP: MS-CHAP authentication failed - check username / password PPP --- Information 292 ---<br />
PPP: Starting MS-CHAP authentication PPP --- Information 293 ---<br />
PPP: Starting CHAP authentication PPP --- Information 294 ---<br />
PPP: Starting PAP authentication PPP --- Information 295 ---<br />
PPP Dial-Up: PPP negotiation failed - disconnecting PPP Dial Up User Activity Information 296 ---<br />
PPP Dial-Up: Idle time limit exceeded - disconnecting PPP Dial Up User Activity Information 297 ---<br />
PPP Dial-Up: Failed to get IP address PPP Dial Up User Activity Information 298 ---<br />
PPP Dial-Up: Received new IP address PPP Dial Up User Activity Information 299 ---<br />
PPP Dial-Up: PPP link established PPP Dial Up User Activity Information 300 ---<br />
PPP Dial-Up: PPP link down PPP Dial Up User Activity Information 301 ---<br />
PPP Dial-Up: Shutting down link PPP Dial Up User Activity Information 302 ---<br />
PPP Dial-Up: Initialization : %s PPP Dial Up User Activity Information 303 ---<br />
PPP Dial-Up: User requested disconnect PPP Dial Up User Activity Information 304 ---<br />
PPP Dial-Up: User requested connect PPP Dial Up User Activity Information 305 ---<br />
PPP Dial-Up: Connect request canceled PPP Dial Up User Activity Information 306 ---<br />
The network connection in use is %s WAN Failover System Error Warning 307 639<br />
L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance Information 308 ---<br />
L2TP Server : L2TP Session Established. L2TP Server Maintenance Information 309 ---<br />
L2TP Server : L2TP PPP Session Established. L2TP Server Maintenance Information 310 ---<br />
L2TP Server: RADIUS/LDAP reports Authentication Failure L2TP Server Maintenance Information 311 ---<br />
L2TP Server: Local Authentication Failure L2TP Server Maintenance Information 312 ---<br />
L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server Maintenance Information 313 ---<br />
L2TP Server: No IP address available in the Local IP Pool L2TP Server Maintenance Information 314 ---<br />
L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server Maintenance Information 315 ---<br />
L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server Maintenance Information 316 ---<br />
L2TP Server: L2TP Remote terminated the PPP session L2TP Server Maintenance Information 317 ---<br />
L2TP Server: Local Authentication Success. L2TP Server Maintenance Information 318 ---<br />
L2TP Server: RADIUS/LDAP Authentication Success L2TP Server Maintenance Information 319 ---<br />
L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server Maintenance Information 320 ---<br />
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial Up User Activity Information 321 ---<br />
PPP Dial-Up: Trying to failover but Primary Profile is manual PPP Dial Up User Activity Information 322 ---<br />
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial Up User Activity Information 323 ---<br />
PPP Dial-Up: Dial initiated by %s PPP Dial Up Maintenance Information 324 ---<br />
The current WAN interface is not ready to route packets. Firewall Event System Error Error 325 635<br />
Probing failure on %s WAN Failover System Error Alert 326 637<br />
PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP Dial Up User Activity Information 327 ---<br />
Administrator name changed Authenticate Access Maintenance Information 328 ---<br />
User login failure rate exceeded - logins from user IP address denied Authenticate Access Attack Error 329 561<br />
PPP Dial-Up: The profile in use disabled VPN networking. PPP Dial Up Maintenance Information 330 ---<br />
PPP Dial-Up: VPN networking restored. PPP Dial Up Maintenance Information 331 ---<br />
%s Ethernet Port Up Firewall Event System Error Warning 332 640<br />
%s Ethernet Port Down Firewall Event System Error Error 333 641<br />
L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance Information 334 ---<br />
L2TP Server: Tunnel Disconnect from Remote. L2TP Server Maintenance Information 335 ---<br />
L2TP Server : Deleting the Tunnel L2TP Server Maintenance Information 336 ---<br />
L2TP Server : Deleting the L2TP active Session L2TP Server Maintenance Information 337 ---<br />
L2TP Server : Retransmission Timeout, Deleting the Tunnel L2TP Server Maintenance Information 338 ---<br />
NAT translated packet exceeds size limit, packet dropped Network Debug Debug 339 ---<br />
HTTP management port has changed Firewall Event Maintenance Information 340 ---<br />
HTTPS management port has changed Firewall Event Maintenance Information 341 ---<br />
IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. VPN IKE Debug Warning 342 ---<br />
L2TP Server : Access from L2TP VPN Client Privilege not enabled for Radius Users. L2TP Server Maintenance Information 343 ---<br />
L2TP Server : User Name authentication Failure locally. L2TP Server Maintenance Information 344 ---<br />
IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address VPN IKE User Activity Warning 345 548<br />
IKE Initiator: Start Quick Mode (Phase 2). VPN IKE User Activity Information 346 ---<br />
Port configured to receive IPsec protocol ONLY; drop packet received in the clear Network Access TCP | UDP | ICMP Warning 347 ---<br />
Imported VPN SA is invalid - disabled Firewall Event Maintenance Warning 348 ---<br />
IPsec SA lifetime expired. VPN IPsec User Activity Information 349 ---<br />
IKE SA lifetime expired. VPN IKE User Activity Information 350 ---<br />
IKE Initiator: Start Main Mode negotiation (Phase 1) VPN IKE User Activity Information 351 ---<br />
IKE Responder: Received Quick Mode Request (Phase 2) VPN IKE User Activity Information 352 ---<br />
IKE Initiator: Main Mode complete (Phase 1) VPN IKE User Activity Information 353 ---<br />
IKE Initiator: Aggressive Mode complete (Phase 1). VPN IKE User Activity Information 354 ---<br />
IKE Responder: Received Main Mode request (Phase 1) VPN IKE User Activity Information 355 ---<br />
IKE Responder: Received Aggressive Mode request (Phase 1) VPN IKE User Activity Information 356 ---<br />
IKE Responder: Main Mode complete (Phase 1) VPN IKE User Activity Information 357 ---<br />
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) VPN IKE User Activity Information 358 ---<br />
Entering FIPS ERROR state Crypto Test Maintenance Error 359 ---<br />
Crypto DES test failed Crypto Test Maintenance Error 360 ---<br />
Crypto DH test failed Crypto Test Maintenance Error 361 ---<br />
Crypto Hmac-MD5 fest failed Crypto Test Maintenance Error 362 ---<br />
Crypto Hmac-Sha1 test failed Crypto Test Maintenance Error 363 ---<br />
Crypto RSA test failed Crypto Test Maintenance Error 364 ---<br />
Crypto Sha1 test failed Crypto Test Maintenance Error 365 ---<br />
Crypto hardware DES test failed Crypto Test Maintenance Error 366 ---<br />
Crypto hardware 3DES test failed Crypto Test Maintenance Error 367 ---<br />
Crypto hardware DES with SHA test failed Crypto Test Maintenance Error 368 ---<br />
Crypto Hardware 3DES with SHA test failed Crypto Test Maintenance Error 369 ---<br />
Crypto MD5 test failed Crypto Test Maintenance Error 370 ---<br />
VPN Client Policy Provisioning VPN Client User Activity Information 371 ---<br />
IKE Initiator: Accepting IPsec proposal (Phase 2) VPN IKE User Activity Information 372 ---<br />
IKE Responder: Aggressive Mode complete (Phase 1) VPN IKE User Activity Information 373 ---<br />
Error initializing Hardware acceleration for VPN Firewall Hardware Maintenance Error 374 ---<br />
PPTP Control Connection Negotiation Started PPTP Maintenance Information 375 ---<br />
PPTP Session Negotiation Started PPTP Maintenance Information 376 ---<br />
PPTP Max Retransmission Exceeded PPTP Maintenance Information 377 ---<br />
PPTP Control Connection Established PPTP Maintenance Information 378 ---<br />
PPTP Tunnel Disconnect from Remote PPTP Maintenance Information 379 ---<br />
PPTP Session Established PPTP Maintenance Information 380 ---<br />
PPTP Session Disconnect from Remote PPTP Maintenance Information 381 ---<br />
PPTP PPP Negotiation Started PPTP Maintenance Information 382 ---<br />
PPTP LCP Down PPTP Maintenance Information 383 ---<br />
PPTP PPP Session Up PPTP Maintenance Information 384 ---<br />
PPTP PPP Down PPTP Maintenance Information 385 ---<br />
PPTP PPP Authentication Failed PPTP Maintenance Information 386 ---<br />
PPTP LCP Up PPTP Maintenance Information 387 ---<br />
PPTP Disconnect Initiated by the User PPTP Maintenance Information 388 ---<br />
Disconnecting PPTP Tunnel due to traffic timeout PPTP Maintenance Information 389 ---<br />
PPTP Connect Initiated by the User PPTP Maintenance Information 390 ---<br />
PPTP PPP link down PPTP Maintenance Information 391 ---<br />
PPTP starting CHAP Authentication PPTP Maintenance Information 392 ---<br />
PPTP starting PAP Authentication PPTP Maintenance Information 393 ---<br />
PPTP CHAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 394 ---<br />
PPTP PAP Authentication Failed PPTP Maintenance Information 395 ---<br />
PPTP PAP Authentication success. PPTP Maintenance Information 396 ---<br />
PPTP PAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 397 ---<br />
PPTP PPP Link Up PPTP Maintenance Information 398 ---<br />
PPTP PPP Link down PPTP Maintenance Information 399 ---<br />
PPTP PPP Link Finished PPTP Maintenance Information 400 ---<br />
Received notify. NO_PROPOSAL_CHOSEN VPN IKE User Activity Warning 401 ---<br />
IKE Responder: IKE proposal does not match (Phase 1) VPN IKE User Activity Warning 402 ---<br />
IKE negotiation aborted due to timeout VPN IKE User Activity Information 403 ---<br />
Failed payload verification after decryption; possible preshared key mismatch VPN IKE User Activity Warning 404 ---<br />
Failed payload validation VPN IKE User Activity Warning 405 ---<br />
Received packet retransmission. Drop duplicate packet VPN IKE User Activity Warning 406 ---<br />
SA is disabled. Check VPN SA settings VPN IKE User Activity Information 407 ---<br />
Anti-Virus Licenses Exceeded Security Services Maintenance Information 408 ---<br />
Received notify: ISAKMP_AUTH_FAILED VPN IKE User Activity Warning 409 ---<br />
Computed hash does not match hash received from peer; preshared key mismatch VPN IKE User Activity Warning 410 ---<br />
Received notify: PAYLOAD_MALFORMED VPN IKE User Activity Warning 411 ---<br />
Received IPsec SA delete request VPN IKE User Activity Information 412 ---<br />
Received IKE SA delete request VPN IKE User Activity Information 413 ---<br />
Received notify: INVALID_COOKIES VPN IKE User Activity Information 414 ---<br />
Received notify: RESPONDER_LIFETIME VPN IKE User Activity Information 415 ---<br />
Received notify: INVALID_SPI VPN IKE User Activity Information 416 ---<br />
PKI Error: VPN PKI Maintenance Error 417 ---<br />
IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway VPN IKE User Activity Warning 418 549<br />
RIP disabled on interface %s RIP Maintenance Information 419 8401<br />
RIPv1 enabled on interface %s RIP Maintenance Information 420 8402<br />
RIPv2 enabled on interface %s RIP Maintenance Information 421 8403<br />
RIPv2 compatibility (broadcast) mode enabled on interface %s RIP Maintenance Information 422 8404<br />
RIP disabled on DMZ interface RIP Maintenance Information 423 8405<br />
RIPv1 enabled on DMZ interface RIP Maintenance Information 424 8406<br />
RIPv2 enabled on DMZ interface RIP Maintenance Information 425 8407<br />
RIPv2 compatibility (broadcast) mode enabled on DMZ interface RIP Maintenance Information 426 8408<br />
IPsecTunnel status changed VPN VPN Tunnel Status Information 427 801<br />
Source routed IP packet dropped Intrusion Detection Debug Warning 428 ---<br />
No response from server to Echo Requests, disconnecting PPTP Tunnel PPTP Maintenance Information 429 ---<br />
No response from PPTP server to control connection requests PPTP Maintenance Information 430 ---<br />
No response from PPTP server to call requests PPTP Maintenance Information 431 ---<br />
PPTP server rejected control connection PPTP Maintenance Information 432 ---<br />
PPTP server rejected the call request PPTP Maintenance Information 433 ---<br />
PPP Dial-Up: Trying to failover but Alternate Profile is manual WAN Failover User Activity Information 434 ---<br />
WLB Failback initiated by %s WAN Failover System Error Alert 435 652<br />
Probing succeeded on %s WAN Failover System Error Alert 436 638<br />
E-Mail fragment dropped Intrusion Detection Attack Error 437 550<br />
Locked-out user logins allowed - lockout period expired Authenticate Access User Activity Information 438 ---<br />
Locked-out user logins allowed by administrator Authenticate Access User Activity Information 439 ---<br />
Access rule added Firewall Rule User Activity Information 440 ---<br />
Access rule modified Firewall Rule User Activity Information 441 ---<br />
Access rule deleted Firewall Rule User Activity Information 442 ---<br />
Access rules restored to defaults Firewall Rule User Activity Information 443 ---<br />
PPTP Server is not responding, check if the server is UP and running. PPTP Maintenance Information 444 ---<br />
IKE Initiator: Accepting peer lifetime. (Phase 1) VPN IKE User Activity Information 445 ---<br />
FTP: PASV response spoof attack dropped Intrusion Detection Attack Error 446 551<br />
PKI Failure VPN PKI Maintenance Error 447 ---<br />
PKI Failure: Output buffer too small VPN PKI Maintenance Error 448 ---<br />
PKI Failure: Cannot alloc memory VPN PKI Maintenance Error 449 ---<br />
PKI Failure: Reached <strong>the</strong> limit for local certs, cant load any more VPN PKI Maintenance Error 450 ---<br />
PKI Failure: Import failed VPN PKI Maintenance Error 451 ---<br />
PKI Failure: Incorrect admin password VPN PKI Maintenance Error 452 ---<br />
PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate VPN PKI Maintenance Error 453 ---<br />
PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file VPN PKI Maintenance Error 454 ---<br />
PKI Failure: Certificate's ID does not match this Network Security Appliance VPN PKI Maintenance Error 455 ---<br />
PKI Failure: public-private key mismatch VPN PKI Maintenance Error 456 ---<br />
PKI Failure: Duplicate local certificate name VPN PKI Maintenance Error 457 ---<br />
PKI Failure: Duplicate local certificate VPN PKI Maintenance Error 458 ---<br />
PKI Failure: No CA certificates yet loaded VPN PKI Maintenance Error 459 ---<br />
PKI Failure: Internal error VPN PKI Maintenance Error 460 ---<br />
PKI Failure: Temporary memory shortage, try again VPN PKI Maintenance Error 461 ---<br />
PKI Failure: The certificate chain is circular VPN PKI Maintenance Error 462 ---<br />
PKI Failure: The certificate chain is incomplete VPN PKI Maintenance Error 463 ---<br />
PKI Failure: The certificate chain has no root VPN PKI Maintenance Error 464 ---<br />
PKI Failure: The certificate or a certificate in <strong>the</strong> chain has expired VPN PKI Maintenance Error 465 ---<br />
PKI Failure: The certificate or a certificate in <strong>the</strong> chain has a validity period in <strong>the</strong> future VPN PKI Maintenance Error 466 ---<br />
PKI Failure: The certificate or a certificate in <strong>the</strong> chain is corrupt VPN PKI Maintenance Error 467 ---<br />
PKI Failure: The certificate or a certificate in <strong>the</strong> chain has a bad signature VPN PKI Maintenance Error 468 ---<br />
PKI Failure: Loaded but could not verify certificate VPN PKI Maintenance Error 469 ---<br />
PKI Failure: Loaded <strong>the</strong> certificate but could not verify it's chain VPN PKI Maintenance Error 470 ---<br />
VPN Cleanup: Dynamic network settings change VPN User Activity Information 471 ---<br />
WARNING: Central Gateway does not have a Relay IP Address. DHCP message dropped. DHCP Relay Maintenance Information 472 ---<br />
DHCP REQUEST received from remote device DHCP Relay Debug Information 473 ---<br />
DHCP DISCOVER received from remote device DHCP Relay Debug Information 474 ---<br />
DHCP DECLINE received from remote device DHCP Relay Debug Information 475 ---<br />
DHCP OFFER received from server DHCP Relay Debug Information 476 ---<br />
DHCP NACK received from server DHCP Relay Debug Information 477 ---<br />
ERROR: DHCP over VPN policy is not defined. Cannot start IKE. DHCP Relay Maintenance Information 478 ---<br />
DHCP DISCOVER received from local device DHCP Relay Debug Information 479 ---<br />
DHCP REQUEST received from local device DHCP Relay Debug Information 480 ---<br />
PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be <strong>the</strong> same PPP Dial Up Maintenance Information 481 ---<br />
Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. %s Security Services Maintenance Warning 482 552<br />
Received notify: INVALID_ID_INFO VPN IPsec User Activity Warning 483 ---<br />
DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP DHCP Relay Maintenance Warning 484 ---<br />
Category: None --- Debug 485 ---<br />
User login denied - User has no privileges for guest service Authenticate Access User Activity Information 486 ---<br />
WLAN firmware image has been updated Wireless Maintenance Information 487 ---<br />
Packet dropped by guest check Network Access TCP | UDP | ICMP Warning 488 ---<br />
Received CFS Alert: Your Content Filtering subscription will expire in 7 days. Security Services Maintenance Warning 489 562<br />
Received CFS Alert: Your Content Filtering subscription has expired. Security Services Maintenance Warning 490 563<br />
Received E-Mail Filter Alert: Your E-Mail Filtering subscription will expire in 7 days. Security Services Maintenance Warning 491 564<br />
Received E-Mail Filter Alert: Your E-Mail Filtering subscription has expired. Security Services Maintenance Warning 492 565<br />
ISDN Driver Firmware successfully updated Firewall <strong>Event</strong> Maintenance Information 493 ---<br />
Global VPN Client License Exceeded: Connection denied. VPN Client System Error Information 494 658<br />
Packet dropped by WLAN vpn traversal check Wireless TCP | UDP | ICMP Warning 495 ---<br />
Registration Update Needed: Restore your existing security service subscriptions by clicking here. Security Services Maintenance Warning 496 ---<br />
Entering FIPS Error State. Crypto Test System Error Error 497 659<br />
WAN Interface not setup Firewall <strong>Event</strong> Maintenance Information 498 ---<br />
PPPoE enabled but not ready PPPoE Maintenance Information 499 ---<br />
L2TP enabled but not ready Unused Maintenance Information 500 ---<br />
PPTP enabled but not ready PPTP Maintenance Information 501 ---<br />
WAN not ready Firewall <strong>Event</strong> Maintenance Information 502 ---<br />
VPN disabled for active dial up Unused Maintenance Information 503 ---<br />
DHCP client enabled but not ready DHCP Client Maintenance Information 504 ---<br />
Blocked Quick Mode for Client using Default KeyId VPN Client System Error Error 505 660<br />
VPN disabled by administrator Authenticate Access Maintenance Information 506 ---<br />
VPN enabled by administrator Authenticate Access Maintenance Information 507 ---<br />
WLAN disabled by administrator Authenticate Access Maintenance Information 508 ---<br />
WLAN enabled by administrator Authenticate Access Maintenance Information 509 ---<br />
WiFiSec Enforcement disabled by administrator Authenticate Access Maintenance Information 510 ---<br />
WiFiSec Enforcement enabled by administrator Authenticate Access Maintenance Information 511 ---<br />
Wireless MAC Filter List enabled by administrator Authenticate Access Maintenance Information 512 ---<br />
Wireless MAC Filter List disabled by administrator Authenticate Access Maintenance Information 513 ---<br />
PPPoE user name changed by Administrator Authenticate Access User Activity Information 514 ---<br />
PPPoE password changed by Administrator Authenticate Access User Activity Information 515 ---<br />
IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route VPN IKE Attack Error 516 553<br />
WLAN Reboot Firewall Hardware System Error Error 517 642<br />
802.11 Management Wireless 802.11b Management Information 518 ---<br />
WLAN recovery Wireless Maintenance Information 519 ---<br />
CLI administrator logged out Authenticate Access User Activity Information 520 ---<br />
Network Security Appliance initializing Firewall <strong>Event</strong> Maintenance Information 521 ---<br />
Malformed or unhandled IP packet dropped Network Access Debug Alert 522 554<br />
ICMP packet dropped no match Network Access ICMP Notice 523 ---<br />
Web access request dropped Network Access TCP Notice 524 ---<br />
Web management request allowed Network Access User Activity Notice 526 ---<br />
FTP: PORT bounce attack dropped. Intrusion Detection Attack Alert 527 555<br />
FTP: PASV response bounce attack dropped. Intrusion Detection Attack Alert 528 556<br />
Global VPN Client connection is not allowed. Appliance is not registered. VPN Client System Error Information 529 643<br />
Network Modem Mode Enabled: turning off NAT PPP Dial Up Maintenance Information 530 ---<br />
Network Modem Mode Disabled: re-enabling NAT PPP Dial Up Maintenance Information 531 ---<br />
Internet Access restricted to authorized users. Dropped packet received in <strong>the</strong> clear. Wireless TCP | UDP | ICMP Warning 532 ---<br />
IPsec (ESP) packet dropped VPN IPsec TCP | UDP | ICMP Notice 533 ---<br />
IPsec (AH) packet dropped VPN IPsec TCP | UDP | ICMP Notice 534 ---<br />
IPsec (ESP) packet dropped; waiting for pending IPsec connection VPN IPsec Debug Debug 535 ---<br />
IPsec (AH) packet dropped; waiting for pending IPsec connection VPN IPsec Debug Debug 536 ---<br />
Connection Closed Network Traffic Connection Traffic Information 537 ---<br />
FTP: Data connection from non default port dropped Network Access Attack Alert 538 557<br />
Real time clock battery failure Time values may be incorrect Firewall Hardware System Error Warning 539 644<br />
If not already enabled, enabling NTP is recommended Firewall Hardware System Error Warning 540 645<br />
Maximum number of Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwith settings ignored. Firewall <strong>Event</strong> Maintenance Notice 541 ---<br />
PPP Dial-Up: Previous session was connected for %s PPP Dial Up User Activity Information 542 ---<br />
IKE Initiator: <strong>Using</strong> secondary gateway to negotiate VPN IKE User Activity Information 543 ---<br />
IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope VPN IKE User Activity Information 544 ---<br />
IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope VPN IKE User Activity Information 545 ---<br />
Found Rogue Access Point WLAN IDS WLAN IDS Alert 546 901<br />
WLAN sequence number out of order WLAN IDS WLAN IDS Warning 547 902<br />
Association Flood from WLAN station WLAN IDS WLAN IDS Alert 548 903<br />
User login failed - Guest service limit reached Authenticate Access User Activity Information 549 ---<br />
Guest Session Timeout Authenticate Access User Activity Information 550 ---<br />
Guest Account Timeout Authenticate Access User Activity Information 551 ---<br />
RIP disabled on WAN interface RIP Maintenance Information 552 8409<br />
RIPv1 enabled on WAN interface RIP Maintenance Information 553 8410<br />
RIPv2 enabled on WAN interface RIP Maintenance Information 554 8411<br />
RIPv2 compatibility (broadcast) mode enabled on WAN interface RIP Maintenance Information 555 8412<br />
Found Rogue Access Point WLAN IDS WLAN IDS Alert 556 10804<br />
Guest login denied. Guest '%s' is already logged in. Please try again later. Authenticate Access User Activity Information 557 ---<br />
Guest account '%s' created Authenticate Access User Activity Information 558 ---<br />
Guest account '%s' deleted Authenticate Access User Activity Information 559 ---<br />
Guest account '%s' disabled Authenticate Access User Activity Information 560 ---<br />
Guest account '%s' re-enabled Authenticate Access User Activity Information 561 ---<br />
Guest account '%s' pruned Authenticate Access User Activity Information 562 ---<br />
Guest account '%s' re-generated Authenticate Access User Activity Information 563 ---<br />
Guest Idle Timeout Authenticate Access User Activity Information 564 ---<br />
Interface %s Link Is Up Firewall <strong>Event</strong> System Error Warning 565 646<br />
Interface %s Link Is Down Firewall <strong>Event</strong> System Error Error 566 647<br />
Interface IP Assignment changed: Shutting down %s Firewall <strong>Event</strong> Maintenance Information 567 ---<br />
Interface IP Assignment : Binding and initializing %s Firewall <strong>Event</strong> Maintenance Information 568 ---<br />
Network for interface %s overlaps with another interface. Firewall <strong>Event</strong> Maintenance Information 569 ---<br />
Please connect interface %s to another network to function properly Firewall <strong>Event</strong> Maintenance Information 570 ---<br />
RIP Broadcasts for LAN Network %s are being broadcast over dialup-connection RIP Maintenance Information 571 8413<br />
A prior version of preferences was loaded because <strong>the</strong> most recent preferences file was inaccessible Firewall <strong>Event</strong> System Error Warning 572 648<br />
The preferences file is too large to be saved in available flash memory Firewall <strong>Event</strong> System Error Warning 573 649<br />
All preference values have been set to factory default values Firewall <strong>Event</strong> System Error Warning 574 650<br />
Voltages Out of Tolerance Firewall Hardware System Environment Error 575 101<br />
Fan Failure Firewall Hardware System Environment Alert 576 102<br />
Thermal Yellow Firewall Hardware System Environment Alert 577 103<br />
Thermal Red Firewall Hardware System Environment Alert 578 104<br />
Thermal Red Timer Exceeded Firewall Hardware System Environment Alert 579 105<br />
TCP Syn/Fin packet dropped Network Access Attack Alert 580 558<br />
WLB Spill-over started, configured threshold exceeded WAN Failover Maintenance Warning 581 ---<br />
WLB Spill-over stopped WAN Failover Maintenance Warning 582 ---<br />
User login disabled from %s Authenticate Access Attack Error 583 559<br />
WLB Failover in progress WAN Failover System Error Alert 584 651<br />
WLB Resource is now available WAN Failover System Error Alert 585 653<br />
WLB Resource failed WAN Failover System Error Alert 586 654<br />
Header verification failed VPN IKE User Activity Warning 587 ---<br />
Received DHCP offer packet has errors DHCP Client Maintenance Information 588 ---<br />
Received response packet for DHCP request has errors DHCP Client Maintenance Information 589 ---<br />
IP type %s packet dropped Network Access LAN UDP | LAN TCP Notice 590 ---<br />
Maximum sequential failed dial attempts (10) to a single dial-up number: %s PPP Dial Up Attack Error 591 566<br />
Regulatory requirements prohibit %s from being re-dialed for 30 minutes PPP Dial Up Attack Error 592 567<br />
Received PPPoE Active Discovery Offer PPPoE Maintenance Information 593 ---<br />
Received PPPoE Active Discovery Session_confirmation PPPoE Maintenance Information 594 ---<br />
Sending PPPoE Active Discovery Request PPPoE Maintenance Information 595 ---<br />
PPTP decode failure PPTP Debug Debug 596 ---<br />
ICMP packet allowed Network Access Debug Information 597 ---<br />
ICMP packet from LAN allowed Network Access Debug Information 598 ---<br />
Diagnostic Code G Firewall Hardware System Error Error 599 655<br />
Diagnostic Code H Firewall Hardware System Error Error 600 656<br />
Diagnostic Code I Firewall Hardware System Error Error 601 657<br />
DNS packet allowed Network Access Debug Information 602 ---<br />
Adding L2TP IP pool Address object Failed. L2TP Server System Error Error 603 661<br />
Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 VPN Client User Activity Information 604 ---<br />
Received unencrypted packet in crypto active state VPN IKE User Activity Warning 605 ---<br />
Spank attack multicast packet dropped Intrusion Detection Attack Alert 606 568<br />
Received ISAKMP packet destined to port %s VPN IKE Debug | UDP Information 607 ---<br />
IPS Detection Alert: %s Intrusion Detection Attack Alert 608 569<br />
IPS Prevention Alert: %s Intrusion Detection Attack Alert 609 570<br />
Crypto Hardware AES test failed Crypto Test Maintenance Error 610 ---<br />
A <strong>SonicOS</strong> Standard to Enhanced Upgrade was performed Firewall <strong>Event</strong> Maintenance Information 611 ---<br />
Not all configurations may have been completely upgraded Firewall <strong>Event</strong> Maintenance Information 612 ---<br />
Please manually check all system configurations for correctness of Upgrade Firewall <strong>Event</strong> Maintenance Information 613 ---<br />
Received IPS Alert: Your Intrusion Prevention (IDP) subscription has expired. Security Services Maintenance Warning 614 571<br />
WLAN client null probing WLAN IDS WLAN IDS Warning 615 904<br />
Payload processing failed VPN IKE Debug Error 616 ---<br />
WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN Wireless Maintenance Information 617 ---<br />
BOOTP server response relayed to remote device BOOTP Debug Debug 618 ---<br />
BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table BOOTP Maintenance Information 619 ---<br />
BOOTP reply relayed to local device BOOTP Maintenance Information 620 ---<br />
BOOTP Request received from remote device BOOTP Debug Debug 621 ---<br />
VoIP Call Connected VoIP VoIP Information 622 ---<br />
VoIP Call Disconnected VoIP VoIP Information 623 ---<br />
H.323/RAS Admission Reject VoIP VoIP Debug 624 ---<br />
H.323/RAS Admission Confirm VoIP VoIP Debug 625 ---<br />
H.323/RAS Admission Request VoIP VoIP Debug 626 ---<br />
H.323/RAS Bandwidth Reject VoIP VoIP Debug 627 ---<br />
H.323/RAS Disengage Confirm VoIP VoIP Debug 628 ---<br />
H.323/RAS Gatekeeper Reject VoIP VoIP Debug 629 ---<br />
H.323/RAS Location Confirm VoIP VoIP Debug 630 ---<br />
H.323/RAS Location Reject VoIP VoIP Debug 631 ---<br />
H.323/RAS Registration Reject VoIP VoIP Debug 632 ---<br />
H.323/H.225 Setup VoIP VoIP Debug 633 ---<br />
H.323/H.225 Connect VoIP VoIP Debug 634 ---<br />
H.323/H.245 Address VoIP VoIP Debug 635 ---<br />
H.323/H.245 End Session VoIP VoIP Debug 636 ---<br />
VoIP %s Endpoint added VoIP VoIP Debug 637 ---<br />
VoIP %s Endpoint removed VoIP VoIP Debug 638 ---<br />
VoIP %s Endpoint not added - configured 'public' endpoint limit reached VoIP VoIP Warning 639 ---<br />
H.323/RAS Unknown Message Response VoIP VoIP Debug 640 ---<br />
H.323/RAS Disengage Reject VoIP VoIP Debug 641 ---<br />
H.323/RAS Unregistration Reject VoIP VoIP Debug 642 ---<br />
SIP Request VoIP VoIP Debug 643 ---<br />
SIP Response VoIP VoIP Debug 644 ---<br />
SIP Register expiration exceeds configured Signaling inactivity time out VoIP VoIP Warning 645 ---<br />
Packet dropped; connection limit for this source IP address has been reached Firewall <strong>Event</strong> System Error Alert 646 5238<br />
Packet dropped; connection limit for this destination IP address has been reached Firewall <strong>Event</strong> System Error Alert 647 5239<br />
Packet destination not in VPN Access list VPN IPsec Attack Error 648 572<br />
Application Filters Block Alert: %s Intrusion Detection Attack Alert 649 ---<br />
Application Filter Detection Alert: %s Intrusion Detection Attack Alert 650 ---<br />
IPComp connection interrupt IPComp Debug Debug 651 ---<br />
IPComp packet dropped IPComp TCP | UDP | ICMP Notice 652 ---<br />
IPComp packet dropped; waiting for pending IPComp connection IPComp Debug Debug 653 ---<br />
Maximum events per second threshold exceeded Firewall Logging System Error Critical 654 ---<br />
Maximum syslog data per second threshold exceeded Firewall Logging System Error Critical 655 ---<br />
SMTP POP-Before-SMTP authentication failed Firewall Logging System Error Warning 656 ---<br />
Syslog Server cannot be reached Network Maintenance Information 657 ---<br />
IKE Responder: Proposed IKE ID mismatch VPN IKE System Error Warning 658 ---<br />
IKE Responder: IP Address already exists in <strong>the</strong> DHCP relay table. Client traffic not allowed. VPN Client System Error Error 659 ---<br />
IKE Responder: %s policy does not allow static IP for Virtual Adapter. VPN Client System Error Error 660 ---<br />
Received notify: INVALID_PAYLOAD VPN IKE User Activity Error 661 ---<br />
Drop WLAN traffic from non-SonicPoint devices Intrusion Detection Attack Error 662 6434<br />
WPA MIC Failure Wireless 802.11b Management Warning 663 ---<br />
WPA Radius Server Timeout Wireless 802.11b Management Information 664 ---<br />
PPP Dial-Up: Dialing not allowed by schedule. %s PPP Dial Up --- Information 665 ---<br />
PPP Dial-Up: Connection disconnected as scheduled. PPP Dial Up --- Information 666 ---<br />
SonicPoint Status SonicPoint SonicPoint Information 667 ---<br />
HA Peer Firewall Rebooted High Availability Maintenance Information 668 ---<br />
Error Rebooting HA Peer Firewall High Availability System Error Error 669 663<br />
License of HA pair doesn't match: %s High Availability System Error Error 670 664<br />
Primary received reboot signal from Backup High Availability System Error Error 671 665<br />
Backup received reboot signal from Primary High Availability System Error Error 672 666<br />
Synchronizing preferences to HA Peer Firewall High Availability Maintenance Information 673 ---<br />
Success to reach Interface %s probe High Availability System Error Information 674 ---<br />
Failure to reach Interface %s probe High Availability System Error Error 675 6234<br />
IGMP V2 client joined multicast Group : %s Multicast --- Information 676 ---<br />
IGMP V3 client joined multicast Group : %s Multicast --- Information 677 ---<br />
IGMP V3 Membership report received from interface %s Multicast --- Debug 678 ---<br />
IGMP V2 Membership report received from interface %s Multicast --- Debug 679 ---<br />
Router IGMP General query received on interface %s Multicast --- Debug 680 ---<br />
Router IGMP Membership query received on interface %s Multicast --- Debug 681 ---<br />
IGMP Leave group message Received on interface %s Multicast --- Information 682 ---<br />
IGMP packet dropped, wrong checksum received on interface %s Multicast --- Notice 683 ---<br />
Multicast packet dropped, wrong MAC address received on interface : %s Multicast --- Alert 684 ---<br />
Multicast packet dropped, Invalid src IP received on interface : %s Multicast --- Alert 685 ---<br />
IGMP packet dropped, decoding error Multicast --- Notice 686 ---<br />
IGMP Packet Not handled. Packet type : %s Multicast --- Notice 687 ---<br />
IGMP V3 packet dropped, unsupported Record type : %s Multicast --- Notice 688 ---<br />
IGMP V3 reord type : %s not Handled Multicast --- Debug 689 ---<br />
Multicast UDP packet dropped, no state entry Multicast --- Notice 690 ---<br />
Multicast TCP packet dropped Multicast --- Notice 691 ---<br />
IGMP state table entry time out,deleting interface : %s for multicast address : %s Multicast --- Debug 692 ---<br />
IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s Multicast --- Debug 693 ---<br />
Multicast UDP packet dropped, RTP stateful failed Multicast --- Warning 694 ---<br />
Multicast UDP packet dropped, RTCP stateful failed Multicast --- Warning 695 ---<br />
Multicast application %s not supported Multicast --- Information 696 ---<br />
Adding to multicast policyList , interface : %s Multicast --- Debug 697 ---<br />
Deleting from Multicast policy list, interface : %s Multicast --- Debug 698 ---<br />
Adding to Multicast policyList , VPN SPI : %s Multicast --- Debug 699 ---<br />
Deleting from Multicast policy list, VPN SPI : %s Multicast --- Debug 700 ---<br />
IGMP querier Router detected on interface %s Multicast --- Debug 701 ---<br />
IGMP querier Router detected on VPN tunnel , SPI %S Multicast --- Debug 702 ---<br />
Exceeded Max multicast address limit Multicast --- Warning 703 ---<br />
Invalid Product Code Upgrade request received: %s Firewall <strong>Event</strong> --- Error 704 ---<br />
Overriding Product Code Upgrade to: %s Firewall <strong>Event</strong> --- Error 705 ---<br />
Network Monitor: Host %s is offline Network Monitor --- Alert 706 14005<br />
Network Monitor: Host %s is online Network Monitor --- Alert 707 14006<br />
TCP packet received with invalid SEQ number; TCP packet dropped Network Debug Debug 708 ---<br />
TCP packet received with invalid ACK number; TCP packet dropped Network Debug Debug 709 ---<br />
TCP stateful inspection: Invalid flag; TCP packet dropped Network Debug Information 710 ---<br />
TCP stateful inspection: Bad header; TCP packet dropped Network Debug Debug 711 ---<br />
TCP connection reject received; TCP connection dropped Network Debug Debug 712 ---<br />
TCP connection abort received; TCP connection dropped Network Debug Debug 713 ---<br />
EIGRP packet dropped Network Access Debug Notice 714 ---<br />
ARP request packet sent Network --- Information 715 ---<br />
ARP response packet received Network --- Information 716 ---<br />
ARP request packet received Network --- Information 717 ---<br />
ARP response packet sent Network --- Information 718 ---<br />
VPN policy count received exceeds <strong>the</strong> limit; %s VPN System Error Error 719 ---<br />
Sending LCP Echo Request PPPoE Maintenance Information 720 ---<br />
Received LCP Echo Request PPPoE Maintenance Information 721 ---<br />
Sending LCP Echo Reply PPPoE Maintenance Information 722 ---<br />
Received LCP Echo Reply PPPoE Maintenance Information 723 ---<br />
Guest Services drop traffic to deny network Network Access --- Information 724 ---<br />
Guest Services pass traffic to access allow network Network Access --- Information 725 ---<br />
WLAN max concurrent users reached already Network Access --- Information 726 ---<br />
SonicPoint Provision SonicPoint SonicPoint Information 727 ---<br />
WLAN disabled by schedule Authenticate Access Maintenance Information 728 ---<br />
WLAN enabled by schedule Authenticate Access Maintenance Information 729 ---<br />
Virtual Access Point is enabled SonicPoint 802.11b Management Information 730 ---<br />
Virtual Access Point is disabled SonicPoint 802.11b Management Information 731 ---<br />
Packet dropped by WLAN SSL-VPN enforcement check Wireless TCP | UDP | ICMP Warning 732 ---<br />
SSL-VPN enforcement Wireless Maintenance Information 733 ---<br />
Source IP address connection status: %s Firewall <strong>Event</strong> --- Information 734 ---<br />
Destination IP address connection status: %s Firewall <strong>Event</strong> --- Information 735 ---<br />
SMTP authentication problem:%s Firewall Logging System Error Warning 737 ---<br />
PPPoE Client: Previous session was connected for %s PPPoE Maintenance Information 738 ---<br />
Packet dropped. No firewall rule associated with VPN policy. VPN System Error Alert 739 ---<br />
NetBIOS settings were not upgraded. Use Network>IP Helper to configure NetBIOS support Firewall <strong>Event</strong> Maintenance Information 740 ---<br />
LAN Subnet configurations were not upgraded. Firewall <strong>Event</strong> Maintenance Information 741 ---<br />
Time of day settings for firewall policies were not upgraded. Firewall <strong>Event</strong> Maintenance Information 742 ---<br />
Hardware Failover settings were not upgraded. Firewall <strong>Event</strong> Maintenance Information 743 ---<br />
User login denied - RADIUS communication problem RADIUS User Activity Warning 744 ---<br />
User login denied - LDAP authentication failure RADIUS User Activity Information 745 ---<br />
User login denied - LDAP server timeout RADIUS User Activity Warning 746 ---<br />
User login denied - LDAP server down or misconfigured RADIUS User Activity Warning 747 ---<br />
User login denied - LDAP communication problem RADIUS User Activity Warning 748 ---<br />
User login denied - invalid credentials on LDAP server RADIUS User Activity Warning 749 ---<br />
User login denied - insufficient access on LDAP server RADIUS User Activity Warning 750 ---<br />
User login denied - LDAP schema mismatch RADIUS User Activity Warning 751 ---<br />
Allowed LDAP server certificate with wrong host name RADIUS User Activity Warning 752 ---<br />
User login denied - LDAP server name resolution failed RADIUS User Activity Warning 753 ---<br />
User login denied - RADIUS server name resolution failed RADIUS User Activity Warning 754 ---<br />
User login denied - LDAP server certificate not valid RADIUS User Activity Warning 755 ---<br />
User login denied - TLS or local certificate problem RADIUS User Activity Warning 756 ---<br />
User login denied - LDAP directory mismatch RADIUS User Activity Warning 757 ---<br />
LDAP server does not allow CHAP RADIUS User Activity Warning 758 ---<br />
User login denied - user already logged in Authenticate Access User Activity Information 759 ---<br />
TCP handshake violation detected; TCP connection dropped Network Access --- Notice 760 ---<br />
Access attempt from host out of compliance with GSC policy Security Services Maintenance Information 761 ---<br />
GSC policy out-of-date on host Security Services Maintenance Information 762 ---<br />
Access attempt from host without GSC installed Security Services Maintenance Information 763 8627<br />
Failed to synchronize license information with Licensing Server. Please see http://help.mysonicwall.com/licsyncfail.html (code: %s) Security Services Maintenance Warning 766 8628<br />
ADConnector %s response timed-out; applying caching policy Microsoft AD --- Error 769 ---<br />
DDNS Failure: Provider %s DDNS System Error Error 773 ---<br />
DDNS Failure: Provider %s DDNS System Error Error 774 ---<br />
DDNS Failure: Provider %s DDNS System Error Error 775 ---<br />
DDNS Update success for domain %s DDNS Maintenance Information 776 ---<br />
DDNS Warning: Provider %s DDNS System Error Warning 777 ---<br />
DDNS association %s taken Offline locally DDNS Maintenance Information 778 ---<br />
DDNS association %s added DDNS Maintenance Information 779 ---<br />
DDNS association %s enabled DDNS Maintenance Information 780 ---<br />
DDNS association %s disabled DDNS Maintenance Information 781 ---<br />
DDNS Association %s put on line DDNS Maintenance Information 782 ---<br />
All DDNS associations have been deleted DDNS Maintenance Information 783 ---<br />
DDNS association %s deactivated DDNS Maintenance Information 784 ---<br />
DDNS association %s deleted DDNS Maintenance Information 785 ---<br />
DDNS association %s updated DDNS --- Information 786 ---<br />
IPS Detection Alert: %s Intrusion Detection Attack Alert 789 6435<br />
IPS Prevention Alert: %s Intrusion Detection Attack Alert 790 6436<br />
DPI-SSL: %s DPI SSL Network Access Information 791 ---<br />
Application Firewall Alert: %s Application Firewall User Activity Alert 793 13201<br />
Anti-Spyware Prevention Alert: %s Intrusion Detection Attack Alert 794 6437<br />
Anti-Spyware Detection Alert: %s Intrusion Detection Attack Alert 795 6438<br />
Anti-Spyware Service Expired Security Services Maintenance Warning 796 8631<br />
Outbound connection to RBL-listed SMTP server dropped RBL --- Notice 797 ---<br />
Inbound connection from RBL-listed SMTP server dropped RBL --- Notice 798 ---<br />
SMTP server found on RBL blacklist RBL --- Notice 799 ---<br />
No valid DNS server specified for RBL lookups RBL --- Error 800 ---<br />
Interface statistics report GMS --- Information 805 ---<br />
SonicPoint statistics report GMS --- Information 806 ---<br />
Gateway Anti-Virus Alert: %s Security Services Attack Alert 809 8632<br />
Gateway Anti-Virus Service expired Security Services Maintenance Warning 810 8633<br />
PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings PPP Dial Up Maintenance Information 811 ---<br />
WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN Firewall Event System Error Error 812 ---<br />
Adding Dynamic Entry for Bound MAC Address Network --- Information 813 ---<br />
MAC address collides with Static ARP Entry with Bound MAC address; packet dropped Network --- Notice 814 ---<br />
Too many gratuitous ARPs detected Network --- Warning 815 ---<br />
ARP unused/spare Network --- Debug 816 ---<br />
Incoming call received for Remotely Triggered Dial-out session Authenticate Access User Activity Information 817 ---<br />
Remotely Triggered Dial-out session started. Requesting authentication Authenticate Access User Activity Information 818 ---<br />
Incorrect authentication received for Remotely Triggered Dial-out Authenticate Access User Activity Information 819 ---<br />
Successful authentication received for Remotely Triggered Dial-out Authenticate Access User Activity Information 820 ---<br />
Authentication timeout during Remotely Triggered Dial-out session Authenticate Access User Activity Information 821 ---<br />
Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dialup sequence will commence Authenticate Access User Activity Information 822 ---<br />
Backup will be shut down in %s minutes High Availability System Error Error 823 ---<br />
Backup shut down because license is expired High Availability System Error Error 824 ---<br />
Backup active High Availability System Error Information 825 ---<br />
DHCP Scopes altered automatically due to change in network settings for interface %s Firewall Event --- Information 832 ---<br />
DHCP lease file in the flash is corrupted; read failed Firewall Event System Error Warning 833 ---<br />
Failed to write DHCP leases to flash Firewall Event System Error Warning 834 ---<br />
DHCP leases written to flash Firewall Event Maintenance Information 835 ---<br />
Invalid VLAN packet dropped Network --- Alert 836 ---<br />
IP address conflict detected from ethernet address %s Network Maintenance Warning 847 ---<br />
OCSP sending request. VPN PKI User Activity Information 848 ---<br />
OCSP send request message failed. VPN PKI User Activity Error 849 ---<br />
OCSP received response. VPN PKI User Activity Information 850 ---<br />
OCSP received response error. VPN PKI User Activity Error 851 ---<br />
OCSP Resolved Domain Name. VPN PKI User Activity Information 852 ---<br />
OCSP Failed to Resolve Domain Name. VPN PKI User Activity Error 853 ---<br />
OCSP Internal error handling received response. VPN PKI User Activity Error 854 ---<br />
SYN Flood Mode changed by user to: Watch and report possible SYN floods Intrusion Detection Debug Warning 856 ---<br />
SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack Intrusion Detection Debug Warning 857 ---<br />
SYN Flood Mode changed by user to: Always proxy WAN connections Intrusion Detection Debug Warning 858 ---<br />
Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode Intrusion Detection Debug Alert 859 ---<br />
Possible SYN Flood on IF %s Intrusion Detection Debug Alert 860 ---<br />
SYN flood ceased or flooding machines blacklisted - connection proxy disabled Intrusion Detection Debug Alert 861 ---<br />
SYN Flood blacklisting enabled by user Intrusion Detection Debug Warning 862 ---<br />
SYN Flood blacklisting disabled by user Intrusion Detection Debug Warning 863 ---<br />
SYN-Flooding machine %s blacklisted Intrusion Detection Debug Alert 864 ---<br />
Machine %s removed from SYN flood blacklist Intrusion Detection Debug Alert 865 ---<br />
Possible SYN Flood on IF %s continues Intrusion Detection Debug Warning 866 ---<br />
Possible SYN Flood on IF %s has ceased Intrusion Detection Debug Alert 867 ---<br />
SYN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 868 ---<br />
TCP SYN received Intrusion Detection Debug Debug 869 ---<br />
CRL has expired VPN PKI User Activity Alert 874 ---<br />
Failed to find certificate VPN PKI User Activity Alert 875 ---<br />
CRL missing - Issuer requires CRL checking. VPN PKI User Activity Alert 876 ---<br />
CRL validation failure for Root Certificate VPN PKI User Activity Alert 877 ---<br />
Cannot Validate Issuer Path VPN PKI User Activity Alert 878 ---<br />
WLAN radio frequency threat detected RF Management --- Warning 879 ---<br />
Unable to resolve dynamic address object Dynamic Address Objects Maintenance Information 880 ---<br />
System clock manually updated Firewall Logging --- Notice 881 ---<br />
HTTP method detected; examining stream for host header Network Access TCP Debug 882 ---<br />
IP Header checksum error; packet dropped Network Access TCP|UDP Notice 883 ---<br />
TCP checksum error; packet dropped Network Access TCP Notice 884 ---<br />
UDP checksum error; packet dropped Network Access UDP Notice 885 ---<br />
ICMP checksum error; packet dropped Network Access UDP Notice 886 ---<br />
TCP packet received with invalid header length; TCP packet dropped Network Debug Debug 887 ---<br />
TCP packet received on non-existent/closed connection; TCP packet dropped Network Debug Debug 888 ---<br />
TCP packet received without mandatory SYN flag; TCP packet dropped Network Debug Debug 889 ---<br />
TCP packet received without mandatory ACK flag; TCP packet dropped Network Debug Debug 890 ---<br />
TCP packet received on a closing connection; TCP packet dropped Network Debug Debug 891 ---<br />
TCP packet received with SYN flag on an existing connection; TCP packet dropped Network Debug Information 892 ---<br />
TCP packet received with invalid SACK option length; TCP packet dropped Network Debug Debug 893 ---<br />
TCP packet received with invalid MSS option length; TCP packet dropped Network Debug Debug 894 ---<br />
TCP packet received with invalid option length; TCP packet dropped Network Debug Debug 895 ---<br />
TCP packet received with invalid source port; TCP packet dropped Network Debug Debug 896 ---<br />
TCP packet received with invalid SYN Flood cookie; TCP packet dropped Network Debug Information 897 ---<br />
RST-Flooding machine %s blacklisted Intrusion Detection Debug Alert 898 ---<br />
RST Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 899 ---<br />
Machine %s removed from RST flood blacklist Intrusion Detection Debug Alert 900 ---<br />
FIN-Flooding machine %s blacklisted Intrusion Detection Debug Alert 901 ---<br />
FIN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 902 ---<br />
Machine %s removed from FIN flood blacklist Intrusion Detection Debug Alert 903 ---<br />
Possible RST Flood on IF %s Intrusion Detection Debug Alert 904 ---<br />
Possible FIN Flood on IF %s Intrusion Detection Debug Alert 905 ---<br />
Possible RST Flood on IF %s has ceased Intrusion Detection Debug Alert 906 ---<br />
Possible FIN Flood on IF %s has ceased Intrusion Detection Debug Alert 907 ---<br />
Possible RST Flood on IF %s continues Intrusion Detection Debug Warning 908 ---<br />
Possible FIN Flood on IF %s continues Intrusion Detection Debug Warning 909 ---<br />
Packet Dropped - IP TTL expired Network Debug Warning 910 ---<br />
Added host entry to dynamic address object Dynamic Address Objects Maintenance Information 911 ---<br />
Removed host entry from dynamic address object Dynamic Address Objects Maintenance Information 912 ---<br />
IKE Responder: Phase 1 Authentication Method does not match VPN IKE User Activity Warning 913 ---<br />
IKE Responder: Phase 1 encryption algorithm does not match VPN IKE User Activity Warning 914 ---<br />
IKE Responder: Phase 1 encryption algorithm keylength does not match VPN IKE User Activity Warning 915 ---<br />
IKE Responder: Phase 1 hash algorithm does not match VPN IKE User Activity Warning 916 ---<br />
IKE Responder: Phase 1 XAUTH required but policy has no user name VPN IKE User Activity Warning 917 ---<br />
IKE Responder: Phase 1 XAUTH required but policy has no user password VPN IKE User Activity Warning 918 ---<br />
IKE Responder: Phase 1 DH Group does not match VPN IKE User Activity Warning 919 ---<br />
IKE Responder: AH authentication algorithm does not match VPN IKE User Activity Warning 920 ---<br />
IKE Responder: ESP encryption algorithm does not match VPN IKE User Activity Warning 921 ---<br />
IKE Responder: ESP authentication algorithm does not match VPN IKE User Activity Warning 922 ---<br />
IKE Responder: AH authentication key length does not match VPN IKE User Activity Warning 923 ---<br />
IKE Responder: ESP encryption key length does not match VPN IKE User Activity Warning 924 ---<br />
IKE Responder: ESP authentication key length does not match VPN IKE User Activity Warning 925 ---<br />
IKE Responder: AH authentication key rounds does not match VPN IKE User Activity Warning 926 ---<br />
IKE Responder: ESP encryption key rounds does not match VPN IKE User Activity Warning 927 ---<br />
IKE Responder: ESP authentication key rounds does not match VPN IKE User Activity Warning 928 ---<br />
IKE Responder: IP Compression algorithm does not match VPN IKE User Activity Warning 929 ---<br />
IKE Initiator: Remote party timeout - Retransmitting IKE request. VPN IKE User Activity Information 930 ---<br />
IKE Responder: Remote party timeout - Retransmitting IKE request. VPN IKE User Activity Information 931 ---<br />
IKE Responder: IPsec protocol mismatch VPN IKE User Activity Warning 932 ---<br />
IKE Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning 933 ---<br />
IKE Responder: Peer's local network does not match VPN policy's Destination Network VPN IKE User Activity Warning 934 ---<br />
IKE Responder: Peer's destination network does not match VPN policy's Local Network VPN IKE User Activity Warning 935 ---<br />
IKE Responder: Route table overrides VPN policy VPN IKE User Activity Warning 936 ---<br />
IKE Initiator: IKE proposal does not match (Phase 1) VPN IKE User Activity Warning 937 ---<br />
IKEv2 Initiator: Send IKE_SA_INIT request VPN IKE User Activity Information 938 ---<br />
IKEv2 Responder: Received IKE_SA_INIT request VPN IKE User Activity Information 939 ---<br />
IKEv2 Initiator: Send IKE_AUTH request VPN IKE User Activity Information 940 ---<br />
IKEv2 Responder: Received IKE_AUTH request VPN IKE User Activity Information 941 ---<br />
IKEv2 Authentication successful VPN IKE User Activity Information 942 ---<br />
IKEv2 Accept IKE SA Proposal VPN IKE User Activity Information 943 ---<br />
IKEv2 Accept IPsec SA Proposal VPN IKE User Activity Information 944 ---<br />
IKEv2 Initiator: Send CREATE_CHILD_SA request VPN IKE User Activity Information 945 ---<br />
IKEv2 Responder: Received CREATE_CHILD_SA request VPN IKE User Activity Information 946 ---<br />
IKEv2 Send delete IKE SA request VPN IKE User Activity Information 947 ---<br />
IKEv2 Received delete IKE SA request VPN IKE User Activity Information 948 ---<br />
IKEv2 Send delete IPsec SA request VPN IKE User Activity Information 949 ---<br />
IKEv2 Received delete IPsec SA request VPN IKE User Activity Information 950 ---<br />
IKEv2 Responder: Peer's destination network does not match VPN policy's Local Network VPN IKE User Activity Information 951 ---<br />
IKEv2 Responder: Peer's local network does not match VPN policy's Destination Network VPN IKE User Activity Information 952 ---<br />
IKEv2 Payload processing error VPN IKE User Activity Warning 953 ---<br />
IKEv2 Initiator: Negotiations failed. Extra payloads present. VPN IKE User Activity Warning 954 ---<br />
IKEv2 Initiator: Negotiations failed. Missing required payloads. VPN IKE User Activity Warning 955 ---<br />
IKEv2 Initiator: Negotiations failed. Invalid input state. VPN IKE User Activity Warning 956 ---<br />
IKEv2 Initiator: Negotiations failed. Invalid output state. VPN IKE User Activity Warning 957 ---<br />
IKEv2 Payload validation failed. VPN IKE User Activity Warning 958 ---<br />
IKEv2 Unable to find IKE SA VPN IKE User Activity Warning 959 ---<br />
IKEv2 Decrypt packet failed VPN IKE User Activity Warning 960 ---<br />
IKEv2 Out of memory VPN IKE User Activity Warning 961 ---<br />
IKEv2 Responder: Policy for remote IKE ID not found VPN IKE User Activity Error 962 ---<br />
IKEv2 Process Message queue failed VPN IKE User Activity Warning 963 ---<br />
IKEv2 Invalid state VPN IKE User Activity Warning 964 ---<br />
IKE Responder: Client Policy has no VPN Access Networks assigned. Check Configuration. VPN IKE System Error Error 965 ---<br />
IKEv2 Invalid SPI size VPN IKE User Activity Warning 966 ---<br />
IKEv2 VPN Policy not found VPN IKE User Activity Warning 967 ---<br />
IKEv2 IPsec proposal does not match VPN IKE User Activity Warning 968 ---<br />
IKEv2 IPsec attribute not found VPN IKE User Activity Warning 969 ---<br />
IKEv2 IKE attribute not found VPN IKE User Activity Warning 970 ---<br />
IKEv2 Peer is not responding. Negotiation aborted. VPN IKE User Activity Warning 971 ---<br />
IKEv2 Initiator: Remote party timeout - Retransmitting IKEv2 request. VPN IKE User Activity Information 972 ---<br />
IKEv2 Initiator: Received IKE_SA_INT response VPN IKE User Activity Information 973 ---<br />
IKEv2 Initiator: Received IKE_AUTH response VPN IKE User Activity Information 974 ---<br />
IKEv2 Initiator: Received CREATE_CHILD_SA response VPN IKE User Activity Information 975 ---<br />
IKEv2 Responder: Send IKE_SA_INIT response VPN IKE User Activity Information 976 ---<br />
IKEv2 Responder: Send IKE_AUTH response VPN IKE User Activity Information 977 ---<br />
IKEv2 negotiation complete VPN IKE User Activity Information 978 ---<br />
IKEv2 Function sendto() failed to transmit packet. VPN IKE User Activity Error 979 ---<br />
IKEv2 Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning 980 ---<br />
IKEv2 IKE proposal does not match VPN IKE User Activity Warning 981 ---<br />
IKEv2 Received notify status payload VPN IKE User Activity Information 982 ---<br />
IKEv2 Received notify error payload VPN IKE User Activity Warning 983 ---<br />
IKEv2 No NAT device detected between negotiating peers VPN IKE User Activity Information 984 ---<br />
IKEv2 NAT device detected between negotiating peers VPN IKE User Activity Information 985 ---<br />
User login denied - not allowed by policy rule Authenticate Access User Activity Information 986 ---<br />
User login denied - not found locally Authenticate Access User Activity Information 987 ---<br />
User login denied - SSO agent timeout Authenticate Access User Activity Warning 988 ---<br />
User login denied - SSO agent configuration error Authenticate Access User Activity Warning 989 ---<br />
User login denied - SSO agent communication problem Authenticate Access User Activity Warning 990 ---<br />
User login denied - SSO agent name resolution failed Authenticate Access User Activity Warning 991 ---<br />
SSO returned a user name that is too long SSO User Activity Warning 992 ---<br />
SSO returned a domain name that is too long SSO User Activity Warning 993 ---<br />
Configuration mode administration session started Authenticate Access User Activity Information 994 ---<br />
Configuration mode administration session ended Authenticate Access User Activity Information 995 ---<br />
Read-only mode GUI administration session started Authenticate Access User Activity Information 996 ---<br />
Non-config mode GUI administration session started Authenticate Access User Activity Information 997 ---<br />
GUI administration session ended Authenticate Access User Activity Information 998 ---<br />
SSL Control: Website found in blacklist Network Access Blocked Sites Information 999 ---<br />
SSL Control: Website found in whitelist Network Access Blocked Sites Information 1000 ---<br />
SSL Control: HTTPS via SSL2 Network Access Blocked Sites Information 1001 ---<br />
SSL Control: Certificate with invalid date Network Access Blocked Sites Information 1002 ---<br />
SSL Control: Self-signed certificate Network Access Blocked Sites Information 1003 ---<br />
SSL Control: Weak cipher being used Network Access Blocked Sites Information 1004 ---<br />
SSL Control: Untrusted CA Network Access Blocked Sites Information 1005 ---<br />
SSL Control: Certificate chain not complete Network Access Blocked Sites Information 1006 ---<br />
SSL Control: Failed to decode Server Hello Network Access Blocked Sites Information 1007 ---<br />
User logged out - logout detected by SSO Authenticate Access User Activity Information 1008 ---<br />
Bind to LDAP server failed RADIUS System Error Error 1009 ---<br />
Using LDAP without TLS - highly insecure RADIUS System Error Alert 1010 ---<br />
LDAP using non-administrative account - VPN client user will not be able to change passwords RADIUS System Error Warning 1011 ---<br />
IKEv2 Responder: Send CREATE_CHILD_SA response VPN IKE User Activity Information 1012 ---<br />
IKEv2 Send delete IKE SA response VPN IKE User Activity Information 1013 ---<br />
IKEv2 Send delete IPsec SA response VPN IKE User Activity Information 1014 ---<br />
IKEv2 Received delete IKE SA response VPN IKE User Activity Information 1015 ---<br />
IKEv2 Received delete IPsec SA response VPN IKE User Activity Information 1016 ---<br />
3G %s device detected Firewall Hardware System Environment Information 1017 ---<br />
PPP message: %s PPP --- Information 1018 ---<br />
Chat started PPP Dial Up User Activity Information 1019 ---<br />
Chat completed PPP Dial Up User Activity Information 1020 ---<br />
Chat wrote '%s' PPP Dial Up User Activity Information 1021 ---<br />
Chat %s PPP Dial Up User Activity Information 1022 ---<br />
Chat failed: %s PPP Dial Up User Activity Information 1023 ---<br />
Unable to send message to dial-up task PPP Dial Up System Error Error 1024 ---<br />
Diagnostic Code J Firewall Hardware System Error Error 1025 5423<br />
3G Dial-up: %s. PPP Dial Up User Activity Alert 1026 ---<br />
3G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnecting the 3G session. PPP Dial Up User Activity Alert 1027 7643<br />
%s auto-dial failed: Current Connection Model is configured as Ethernet Only PPP Dial Up System Error Alert 1028 ---<br />
TCP packet received with non-permitted option; TCP packet dropped Network Debug Debug 1029 ---<br />
TCP packet received with invalid Window Scale option length; TCP packet dropped Network Debug Debug 1030 ---<br />
TCP packet received with invalid Window Scale option value; TCP packet dropped Network Debug Debug 1031 ---<br />
Chat started by '%s' PPP Dial Up User Activity Information 1032 ---<br />
Problem occurred during user group membership retrieval Authenticate Access User Activity Warning 1033 ---<br />
Received AF Alert: Your Application Firewall (AF) subscription has expired. Security Services Maintenance Warning 1034 8635<br />
User login denied - password expired Authenticate Access User Activity Information 1035 ---<br />
IKE Responder: IKE Phase 1 exchange does not match VPN IKE User Activity Error 1036 ---<br />
PPP Dial-Up: Starting PPP PPP Dial Up --- Information 1037 ---<br />
Dial-up: Traffic generated by '%s' PPP Dial Up --- Information 1038 ---<br />
Dial-up: Session initiated by data packet PPP Dial Up --- Information 1039 ---<br />
DHCP Server: IP conflict detected Firewall Event --- Alert 1040 ---<br />
DHCP Server: Received DHCP decline from client Firewall Event --- Alert 1041 ---<br />
Physical environment normal Firewall Hardware --- Information 1042 5424<br />
Power supply without redundancy Firewall Hardware --- Error 1043 5425<br />
Discovered HA %s Firewall High Availability --- Information 1044 ---<br />
Diagnostic Auto-restart scheduled for %s minutes from now Firewall Event --- Information 1045 ---<br />
Diagnostic Auto-restart canceled Firewall Event --- Information 1046 ---<br />
"As per Diagnostic Auto-restart configuration request, restarting system" Firewall Event --- Information 1047 ---<br />
User login denied - password doesn't meet constraints Authenticate Access --- Information 1048 ---<br />
Settings Import: %s Firewall Event --- Information 1049 ---<br />
VPN Policy Added VPN --- Information 1050 ---<br />
VPN Policy Deleted VPN --- Information 1051 ---<br />
VPN Policy Modified VPN --- Information 1052 ---<br />
PC Card removed. Firewall Hardware --- Alert 1053 5418<br />
PC Card inserted. Firewall Hardware --- Alert 1054 5419<br />
3G: No SIM detected Firewall Hardware --- Alert 1055 ---<br />
PC Card: No device detected Firewall Hardware --- Alert 1056 ---<br />
Peer firewall rebooting (%s) High Availability --- Information 1057 ---<br />
Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability --- Information 1058 ---<br />
Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability --- Information 1059 ---<br />
Crypto SHA1 based DRNG KAT test failed Crypto Test --- Error 1060 ---<br />
Successfully sent Preference file to remote backup server Firewall Event Maintenance Information 1061 ---<br />
Failed to send Preference file to remote backup server, Error: %s Firewall Event Maintenance Information 1062 ---<br />
Successfully sent TSR file to remote backup server Firewall Event Maintenance Information 1063 ---<br />
Failed to send TSR file to remote backup server, Error: %s Firewall Event Maintenance Information 1064 ---<br />
Successfully sent %s file to remote backup server Firewall Event Maintenance Information 1065 ---<br />
Failed to send file to remote backup server, Error: %s Firewall Event Maintenance Information 1066 ---<br />
System shutdown by administrator. Power cycle required. Firewall Event --- Alert 1067 5242<br />
Multiple DHCP Servers are detected on network Firewall Event --- Warning 1068 ---<br />
External Web Server Host Resolution Failed %s Authenticate Access --- Error 1069 ---<br />
Invalid DNS Server will not be accepted by the dynamic client Firewall Event --- Information 1070 ---<br />
DHCP Server sanity check passed %s Firewall Event --- Critical 1071 ---<br />
DHCP Server sanity check failed %s Firewall Event --- Critical 1072 ---<br />
SSO agent returned error SSO User Activity Warning 1073 ---<br />
L2TP Tunnel Negotiation %s L2TP Client --- Information 1074 ---<br />
SSO agent is down SSO User Activity Alert 1075 ---<br />
SSO agent is up SSO User Activity Alert 1076 ---<br />
SonicPointN Status SonicPoint-N --- Information 1077 ---<br />
SonicPointN Provision SonicPoint-N --- Information 1078 ---<br />
SSLVPN zone remote user login allowed Authenticate Access User Activity Information 1080 ---<br />
Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type<br />
SSL Control: Certificate with MD5 Digest Signature Algorithm | Network Access | Blocked Sites | Information | 1081 | ---<br />
%s is operational. | Anti-Spam | --- | Warning | 1082 | 13801<br />
%s is unavailable. | Anti-Spam | --- | Warning | 1083 | 13802<br />
Anti-Spam service is enabled by administrator. | Anti-Spam | --- | Information | 1084 | 13803<br />
Anti-Spam service is disabled by administrator. | Anti-Spam | --- | Information | 1085 | 13804<br />
Your Anti-Spam Service subscription has expired. | Anti-Spam | --- | Warning | 1086 | 13805<br />
SMTP connection limit is reached. Connection is dropped. | Anti-Spam | --- | Warning | 1087 | 13806<br />
Anti-Spam Startup Failure - %s | Anti-Spam | --- | Warning | 1088 | 13807<br />
Anti-Spam Teardown Failure - %s | Anti-Spam | --- | Warning | 1089 | 13808<br />
DHCP Server: Received DHCP message from untrusted relay agent | Firewall Event | --- | Notice | 1090 | ---<br />
Outbound connection to GRID-listed SMTP server dropped | Anti-Spam | --- | Notice | 1091 | 13809<br />
Inbound connection from GRID-listed SMTP server dropped | Anti-Spam | --- | Notice | 1092 | 13810<br />
SMTP server found on Reject List | Anti-Spam | --- | Notice | 1093 | 13811<br />
No valid DNS server specified for GRID lookups | Anti-Spam | --- | Error | 1094 | 13812<br />
Unprocessed email received from MTA on Inbound SMTP port | Anti-Spam | --- | Information | 1095 | 13813<br />
Processed Email received from Email Security Service | Anti-Spam | --- | Information | 1096 | 13814<br />
SCEP Client: %s | VPN PKI | --- | Notice | 1097 | ---<br />
Possible DNS rebind attack detected | Intrusion Detection | --- | Alert | 1098 | 6465<br />
DNS rebind attack blocked | Intrusion Detection | --- | Alert | 1099 | 6466<br />
Network Monitor: Policy %s status is UP | Network Monitor | --- | Alert | 1100 | 14001<br />
Network Monitor: Policy %s status is DOWN | Network Monitor | --- | Alert | 1101 | 14002<br />
Network Monitor: Policy %s status is UNKNOWN | Network Monitor | --- | Alert | 1102 | 14003<br />
Network Monitor: Host %s status is UNKNOWN | Network Monitor | --- | Alert | 1103 | 14004<br />
Network Monitor Policy %s Added | Network Monitor | --- | Information | 1104 | ---<br />
Network Monitor Policy %s Deleted | Network Monitor | --- | Information | 1105 | ---<br />
Network Monitor Policy %s Modified | Network Monitor | --- | Information | 1106 | ---<br />
Message blocked by Real-Time Email Scanner | Anti-Spam | --- | Information | 1108 | ---<br />
CSR Generation: %s | VPN PKI | --- | Information | 1109 | ---<br />
Assigned IP address %s | DHCP Server | --- | Information | 1110 | ---<br />
Released IP address %s | DHCP Server | --- | Information | 1111 | ---<br />
Ftp server accepted the connection | FTP | --- | Debug | 1112 | ---<br />
Ftp client user name was sent | FTP | --- | Debug | 1113 | ---<br />
Ftp client user logged in successfully | FTP | --- | Debug | 1114 | ---<br />
Ftp client user logged in failed | FTP | --- | Debug | 1115 | ---<br />
Ftp client user logged out | FTP | --- | Debug | 1116 | ---<br />
User login denied - SSO probe failed | Authenticate Access | User Activity | Warning | 1117 | ---<br />
User login denied - Mail Address(From/to) or SMTP Server is not configured | Authenticate Access | User Activity | Information | 1118 | ---<br />
RADIUS user cannot use One Time Password - no mail address set for equivalent local user | Authenticate Access | User Activity | Information | 1119 | ---<br />
User login denied - Terminal Services agent timeout | Authenticate Access | User Activity | Warning | 1120 | ---<br />
User login denied - Terminal Services agent name resolution failed | Authenticate Access | User Activity | Warning | 1121 | ---<br />
User login denied - No name received from Terminal Services agent | Authenticate Access | User Activity | Warning | 1122 | ---<br />
User login denied - Terminal Services agent communication problem | Authenticate Access | User Activity | Warning | 1123 | ---<br />
User logged out - logout reported by Terminal Services agent | Authenticate Access | User Activity | Information | 1124 | ---<br />
High Availability has been enabled and Dial-Up device(s) are not supported in High Availability processing. | High Availability | --- | Information | 1125 | ---<br />
The High Availability monitoring IP configuration of Interface %s is incorrect. | High Availability | --- | Error | 1126 | ---<br />
IKE Responder: ESP mode mismatch Local - Tunnel Remote - Transport | VPN IKE | User Activity | Warning | 1127 | ---<br />
IKE Responder: ESP mode mismatch Local - Transport Remote - Tunnel | VPN IKE | User Activity | Warning | 1128 | ---<br />
WAN DHCPC IP Changed | Firewall Event | System Error | Warning | 1129 | ---<br />
WLAN DHCPC IP Changed | Firewall Event | System Error | Warning | 1130 | ---<br />
Probe Response Success - %s | Anti-Spam | --- | Debug | 1131 | ---<br />
Probe Response Failure - %s | Anti-Spam | --- | Debug | 1132 | ---<br />
Peer HA firewall has stateful license but this firewall is not yet registered | High Availability | System Error | Alert | 1136 | ---<br />
The stateful license of HA peer firewall is not activated | High Availability | System Error | Alert | 1137 | ---<br />
Received unauthenticathed GRID response | Anti-Spam | --- | Debug | 1138 | ---<br />
Invalid key or serial number used for GRID response | Anti-Spam | --- | Debug | 1139 | ---<br />
Invalid key version used for GRID response | Anti-Spam | --- | Debug | 1140 | ---<br />
Host IP address not in GRID List | Anti-Spam | --- | Debug | 1141 | ---<br />
No response received from DNS server | Anti-Spam | --- | Debug | 1142 | ---<br />
Not blacklisted as per configuration | Anti-Spam | --- | Debug | 1143 | ---<br />
Default to not blacklisted | Anti-Spam | --- | Debug | 1144 | ---<br />
Failed to insert entry into GRID result IP cached table | Anti-Spam | --- | Debug | 1145 | ---<br />
Resolved ES Cloud - %s | Anti-Spam | --- | Debug | 1146 | ---<br />
Updated ES Cloud Address - %s | Anti-Spam | --- | Debug | 1147 | ---<br />
Your Active/Active Clustering subscription has expired. | High Availability | --- | Warning | 1149 | ---<br />
Terminal Services agent is down | SSO | User Activity | Alert | 1150 | ---<br />
Terminal Services agent is up | SSO | User Activity | Alert | 1151 | ---<br />
Active/Active Clustering license is not activated on the following cluster units: %s | High Availability | --- | Error | 1152 | ---<br />
SSLVPN Traffic | SSL VPN | Connection Traffic | Information | 1153 | ---<br />
Application Control Detection Alert: %s | App-Control Detection | --- | Alert | 1154 | 15001<br />
Application Control Prevention Alert: %s | App-Control Detection | --- | Alert | 1155 | 15002<br />
GMS or syslog server name lookup failed - try again in 60 secs. | Firewall Event | --- | Error | 1156 | ---<br />
User account '%s' expired and disabled | Authenticate Access | User Activity | Information | 1157 | ---<br />
User account '%s' expired and pruned | Authenticate Access | User Activity | Information | 1158 | ---<br />
Received Alert: Your Firewall Visualization Control subscription has expired. | Security Services | --- | Warning | 1159 | ---<br />
Attempt to contact Remote backup server for upload approval failed | Firewall Event | Maintenance | Debug | 1160 | ---<br />
Backup remote server did not approve upload request | Firewall Event | Maintenance | Debug | 1161 | ---<br />
Modules attached to HA units do not match: %s | High Availability | System Error | Alert | 1162 | 664<br />
Malformed DNS packet detected | Network Access | Debug | Alert | 1177 | ---<br />
A high percentage of the system packet buffers are held waiting for SSO | SSO | User Activity | Alert | 1178 | ---<br />
A user has a very high number of connections waiting for SSO | SSO | User Activity | Alert | 1179 | ---<br />
DOS protection on WAN begins %s | Intrusion Detection | Debug | Alert | 1180 | ---<br />
DOS protection on WAN %s | Intrusion Detection | Debug | Warning | 1181 | ---<br />
DOS protection on WAN %s | Intrusion Detection | Debug | Alert | 1182 | ---<br />
Deleting IPsec SA (Phase 2) | VPN IKE | User Activity | Debug | 1183 | ---<br />
Delete invalid scope because port ip in the range of this DHCP scope. | DHCP Server | --- | Warning | 1184 | ---<br />
IKE Responder: Peer's network does not match VPN policy's Network | VPN IKE | User Activity | Warning | 1189 | ---<br />
Added new LDAP mirror user group: %s | RADIUS | User Activity | Information | 1190 | ---<br />
Deleted LDAP mirror user group: %s | RADIUS | User Activity | Information | 1191 | ---<br />
Added a new member to an LDAP mirror user group | RADIUS | User Activity | Information | 1192 | ---<br />
Removed a member from an LDAP mirror user group | RADIUS | User Activity | Information | 1193 | ---<br />
Monitoring probe out interface mismatch %s | High Availability | --- | Error | 1194 | ---<br />
Index of Syslog Tag Field Description<br />
This section provides an alphabetical listing of Syslog tags and the associated field description.<br />
Tag | Field | Description<br />
&lt;ddd&gt; | Syslog message prefix | The beginning of each syslog message has a string of the form &lt;ddd&gt; where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1)<br />
arg | URL | Used to render a URL: arg represents the URL path name part.<br />
bcastRx | Interface statistics report | Displays the broadcast packets received<br />
bcastTx | Interface statistics report | Displays the broadcast packets transmitted<br />
bytesRx | Interface statistics report | Displays the bytes received<br />
bytesTx | Interface statistics report | Displays the bytes transmitted<br />
c | Message category (legacy only) | Indicates the legacy category number (Note: We are not currently sending new category information.)<br />
change | Configuration change webpage | Displays the basename of the firewall web page that performed the last configuration change<br />
code | Blocking code | Indicates the CFS block code category<br />
code | ICMP type and code | Indicates the ICMP code<br />
conns | Firewall status report | Indicates the number of connections in use<br />
cpuUtil | Firewall status report | Displays the CPU utilization (not in use)<br />
dst | Destination | Destination IP address, and optionally, port, network interface, and resolved name.<br />
dstname | Destination URL | Displays the URL of web site hit and other legacy destination strings<br />
dstname | URL | Used to render a URL: dstname represents the URL host part<br />
dyn | Firewall status report | Displays the HA and dialup connection state (rendered as “h.d” where “h” is “n” (not enabled), “b” (backup), or “p” (primary) and “d” is “1” (enabled) or “0” (disabled))<br />
fw | Firewall WAN IP | Indicates the WAN IP Address<br />
fwlan | Firewall status report | Indicates the LAN zone IP address<br />
goodRxBytes | SonicPoint statistics report | Indicates the well formed bytes received<br />
goodTxBytes | SonicPoint statistics report | Indicates the well formed bytes transmitted<br />
i | Firewall status report | Displays the GMS message interval in seconds<br />
id=firewall | Webtrends prefix | Syntactic sugar for WebTrends (and GMS by habit)<br />
if | Interface statistics report | Displays the interface on which statistics are reported<br />
ipscat | IPS message | Displays the IPS category<br />
ipspri | IPS message | Displays the IPS priority<br />
lic | Firewall status report | Indicates the number of licenses for firewalls with limited modes<br />
m | Message ID | Provides the message ID number<br />
mac | MAC address | Provides the MAC address<br />
msg | Static message | Displays the event message (from spreadsheet)<br />
msg | Dynamically-defined message | Displays a dynamically defined message string<br />
msg | Static message with dynamic string | Displays a message using the predefined message string containing a “%s” and a dynamic string argument.<br />
msg | Static message with dynamic number | Displays a message using the predefined string containing a “%s” and a dynamic numeric argument.<br />
msg | IPS message | Displays a message using the predefined message string containing a “%s” and a dynamic string argument.<br />
msg | Anti-Spyware message | Displays the event message (from spreadsheet)<br />
n | Message count | Indicates the number of times event occurs<br />
op | HTTP OP code | Displays the HTTP operation (GET, POST, etc.) of web site hit<br />
pri | Message priority | Displays the event priority level (0=emergency..7=debug)<br />
proto | IP protocol | Indicates the IP protocol and detail information<br />
proto | Protocol and service | Displays the protocol information (rendered as “proto/service”)<br />
pt | Firewall status report | Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)<br />
radio | SonicPoint statistics report | Displays the SonicPoint radio on which event occurred<br />
ramUtil | Firewall status report | Displays the RAM utilization (not in use)<br />
rcvd | Bytes received | Indicates the number of bytes received within connection<br />
result | HTTP Result code | Displays the HTTP result code (200, 403, etc.) of web site hit<br />
rule | Rule ID | Displays the Access Rule number causing packet drop<br />
sent | Bytes sent | Displays the number of bytes sent within connection<br />
sid | IPS message | Provides the IPS signature ID<br />
sid | Anti-Spyware message | Provides the AntiSpyware signature ID<br />
sn | Firewall serial number | Indicates the device serial number<br />
spycat | Anti-Spyware message | Displays the AntiSpyware category<br />
spypri | Anti-Spyware message | Displays the AntiSpyware priority<br />
src | Source | Indicates the source IP address, and optionally, port, network interface, and resolved name.<br />
station | SonicPoint statistics report | Displays the client (station) on which event occurred<br />
time | Time | Reports the time of event<br />
type | ICMP type and code | Indicates the ICMP type<br />
ucastRx | Interface statistics report | Displays the unicast packets received<br />
ucastTx | Interface statistics report | Displays the unicast packets transmitted<br />
unsynched | Firewall status report | Reports the time since last local change in seconds<br />
usesstandbysa | Firewall status report | Displays whether standby SA is in use (“1” or “0”) for GMS management<br />
usr (or user) | User | Displays the user name (“user” is the tag used by WebTrends)<br />
vpnpolicy | VPN policy name | Displays the VPN policy name of event<br />
SonicOS Log Event Reference Guide 232-001835-00_Rev_A