SonicOS Log Event Reference Guide - SonicWALL

COMPREHENSIVE INTERNET SECURITY 

S o n i c WALL Internet Security Ap p l i a n c e s 

SonicOS Log Event Reference Guide

Using the SonicOS Log Event 

Reference Guide 

This reference guide lists and describes SonicOS log event messages. Reference a log event message 

by using the alphabetical index of log event messages. 

This document contains the following sections: 

• “SonicOS Log Event Messages Overview” on page 1 

• “Configuring SonicOS ‘Log’ > ‘View’” on page 4 

• “Referencing the SonicOS ‘Log’ > ‘View ’ Field Display” on page 7 

• “Index of Log Event Messages” on page 9 

• “Index of Syslog Tag Field Description” on page 63 

SonicOS Log Event Messages Overview 

During the operation of a SonicWALL security appliance, SonicOS software sends log event messages 

to the ‘Log’ > ‘View’ page in the SonicWALL management interface. 

In Figure 1, the ‘Log’ > ‘View’ page is displayed. 

Figure 1 

SonicOS Enhanced ‘Log’ > ‘View’ page 

 

Note: 

Event logging automatically begins when the SonicWALL security appliance is powered on and configured. 

SonicOS supports a traffic log containing entries with multiple fields. 

Log event messages provide operational informational and debugging information to help you diagnose 

problems with communication lines, internal hardware, or your firmware configuration. 

For the SonicOS CLI console display, use the show log command to display log events. Refer 

to the SonicOS CLI Reference Guide located on the SonicWALL Web site: 

 

SONICOS LOG EVENT REFERENCE GUIDE 1

Note: 

Not all log event messages indicate operational issues with your SonicWALL security 

appliance. 

SonicOS Log Entries 

Each log entry contains the date and time of the event and a brief message describing the event. The 

SonicWALL manages log events in the following manner: 

• TCP, UDP, or ICMP packets dropped 

When IP packets are dropped by the SonicWALL security appliance, dropped TCP, UDP and 

ICMP messages are displayed. The messages include the source and destination IP addresses of 

the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log event 

messages usually include the name of the service in quotation marks. 

• Web, FTP, Gopher, or Newsgroup blocked 

When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. 

Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL 

security appliance. The computer’s IP address, Ethernet address, the name of the blocked Web 

site, and the Content Filter List Code is displayed. Code definitions for the 12 Content Filter List 

categories are shown below. 

1. Violence 7. Cult 

2. Intimate Apparel/Swimsuit 

8. Drugs/Illegal Drugs 

3. Nudism 9. Criminal Skills/Illegal Skills 

4. Adult/Mature Content/ 

Pornography 

10. Sex Education 

5. Weapons 11. Gambling 

6. Hate/Racism 12. Alcohol & Tobacco 

• ActiveX, Java, Cookie or Code Archive blocked 

When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP 

addresses of the connection attempt is displayed. 

• Ping of Death, IP Spoof, and SYN Flood Attacks 

The IP address of the machine under attack and the source of the attack is displayed. In most 

attacks, the source address shown is fake and does not reflect the real source of the attack. 

SonicOS ‘Log View Settings’ 

The ‘Log View Settings’ section of the ‘Log’ > ‘View’ page provides you the filtering controls to filter log 

event messages based on your configured log filter logic. It also contains the following log management 

buttons: 

• Refresh—Renews the ‘Log View’ table with current log event messages. 

• Clear Log—Empties the entries in the ‘Log View’ table. 

• E-mail Log—E-mails log event messages to your configured SMTP server or list of e-mail 

addresses. 

• Export Log—Exports the log into a plain .txt or .csv file format. 

2 SONICOS LOG EVENT REFERENCE GUIDE

SonicOS ‘Log View’ Display Format 

The ‘Log’ > ‘View’ page displays log event messages in following format for alert notification: 

• Time—Displays the hour and minute the event occurred. 

• Priority—Displays the level urgency for the event. 

• Category—Displays the event type. 

• Message—Displays a description of the event. 

• Source—Displays the source IP address of incoming IP packet. 

• Destination—Displays the destination IP address of incoming IP packet. 

• Note—Displays displays additional information specific to a particular event occurrence. 

• Rule—Displays the source and destination zones for the access rule. This field provides a link to 

the access rule defined in the ‘Firewall’ > ‘Access Rules’ page. 

The display fields for a log event message provides you with data to verify your configurations, trouble-shoot 

your security appliance, and track IP traffic. 


Configuring SonicOS ‘Log’ > ‘View’ 

The ‘Log’ > ‘View” page in the Web-based SonicWALL management interface allows you to export log 

reports, e-mail log reports, and monitor real-time Syslog data. As soon as you power on your SonicWALL 

security appliance, SonicOS software sends Syslog data to your log. In the SonicWALL management 

interface, you can navigate through the subcategories of the ‘Log’ setting for reporting and 

customizing log reports. 

In Figure 2, the ‘Log’ > ‘View’ page is displayed. 

Figure 2 SonicOS Enhanced ‘Log’ > ‘View’ page 


Setting the Log Filter Logic 

By default, the SonicOS filter logic is set to “Priority && Category && Source && Destination.” The 

double ampersand symbols (&&) indicate the boolean expression “and.” The default SonicOS filter 

logic displays all log events. 

In Figure 3, the ‘Log’ > ‘View’ > ‘Log View Settings’ page is displayed. 

Figure 3 

SonicOS ‘Log View Settings’ 

Log Event Message Filters 

Default filter logic value 

Group filters 

Apply filters 

Default filter logic 

Export logs 

Reset filters 

Applying Custom Log Event Message Filters 

This section provides examples on using the ‘Log View Settings’ to filter log event messages displayed 

in the ‘Log View’ page. 

Configuration Example: Filtering Log Event Messages by Priority Value 

To set the log filter logic to display only log event messages with a priority level of Emergency: 

1. Select Emergency from the filter-Priority Value pull-down menu. 

2. Click on the Apply Filters button. 

Configuration Example: Filtering Log Event Messages by Category Value 

To set the log filter logic to display only log event messages with a category event type of Attacks: 

1. Select Attacks from the filter-Category Value pull-down menu. 



Configuration Example: Filtering Log Event Messages by Source Value 

To set the log filter logic to display only log event messages associated to a source IP address: 

1. Enter the source IP address or select an interface from the filter-Source Value pull-down menu. 


Configuration Example: Filtering Log Event Messages by Destination Value 

To set the log filter logic to display only log event messages associated to a destination IP address: 

1. Enter the destination IP address or select an interface from the filter-Source Value pull-down 

menu. 


Using Group Filters 

 

Note: 

Use Group filters to change the default SonicOS filter logic (Priority && Category && Source && Destination) 

from double ampersand symbols (&&) to double pipe symbols (||) to indicate the boolean 

expression “or.” When using group filters, select two or more Group Filters checkboxes. 

If you select only one Group Filter checkbox, the filter logic will remain the same. Selecting only 

the Priority-Group Filter checkbox provides you with the following filter logic: 

(Priority) && Category && Source && Destination 

Configuration Example: Using the ‘Priority’ Group Filter and ‘Category Group’ Filter 

To set the log filter logic to display log event messages with a priority level of Emergency or a category 

event type of Attack: 

1. Select the ‘Priority’ group filter checkbox. 

2. Select the ‘Category’ group filter checkbox. 

3. Select Emergency from the filter-Priority Value pull-down menu. 

4. Select Attacks from the filter-Category Value pull-down menu. 

Figure 4 illustrates the SonicOS filter logic updated as follows: 

(Priority || Category) && Source && Destination 

Figure 4 SonicOS Log Group Filters 

A filter logic using the boolean expression “||” is less restrictive than the default filter logic using the 

boolean expression “&&”. With the boolean expression “||”, log event messages are displayed if they 

match either filter values. With the boolean expression “&&”, log event messages are displayed if they 

match both filter values. 


Exporting the Logs to a File 

This section provides instructions to export your log to a file. 

To export the log to a file: 

1. Click on the Export Log button. You will be prompted to select a export file format type as 

illustrated in Figure 5. 

Figure 5 SonicOS Export Log 

 

Note: 

2. Select a file format: 

Plain text format used in log and alert e-mail—Saves the log file as plain text, which can be 

used for alert e-mails. 

Comma-Separated Value (CSV) format—Saves the log file for importing into Microsoft Excel or 

other presentation development application. 

3. Click on the Export button. 

4. Save the exported log file to a location on your personal computer’s hard drive. 

You can export a log to a file with applied filter settings. 

Referencing the SonicOS ‘Log’ > ‘View ’ 

Field Display 

SonicOS 2.5 Enhanced and Standard releases and greater provide the SonicOS ‘Log’ > ‘View’ field 

display as illustrated in Figure 6. 

Figure 6 SonicOS ‘Log’ > ‘View’ Field Display 

Time and Date Stamp 

Category 

Source IP Address 

Log Event Notes 

Priority 

Message Descrition 

Destination IP 

Network Rule 


Referencing the SonicWALL Firmware ‘Log’ > ‘View Log’ Field Display 

SonicWALL Firmware 6.6.0.0 release and greater provide the SonicWALL Firmware ‘Log’ > ‘View 

Log’ field display as illustrated in Figure 7. 

Figure 7 

SonicWALL Firmware Log’ > ‘View Log’ Field Display 

Time and Date Stamp 

Source IP Address 

Additional Information 

Event Message 

Destination IP Address 

Rule Number (If Applicable) 


Index of Log Event Messages 

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software 

Releases, ordered alphabetically. Use your web browser’s Find function to search for a command. 

Log Event Message Symbols Key 

Log Event Message Symbol Description Context 

%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port 

Down 

The cache is full; %u open 

connections; some will be dropped 

Represents a numerical string. 

The cache is full; [40,000] open 

connections; some will be dropped 

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling 

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be 

rejected by a deeper layer of packet processing. In these cases, the connection request has not been 

forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event 

message should be ignored in favor of the TCP Connection Dropped log event message. 

Each log event message described in the following table provides the following log event details: 

• SonicOS Category—Displays the SonicOS Software category event type. 

• Legacy Category—Displays the SonicWALL Firmware Software category event type. 

• Priority Level—Displays the level of urgency of the log event message. 

• Log Message ID Number—Displays the ID number of the log event message. 

• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message. 

Log Event 

Message 

SonicOS 

Category 

Legacy 

Category 

Priority 

Level 

Log 

Message 

ID 

Number 

SNMP 

Trap 

Type 

Log Event 

Type 

#Web site hit 

Network 

Traffic 

Connection 

Traffic 

Information 97 --- Standard 

HTTP 

Traffic 

Report 

%s VPN IKE User Activity Information 171 --- Standard 

Message 

String 

%s ARS --- Information 840 --- Standard 

Message 

String 

%s ARS --- Notice 841 --- Standard 

Message 

String 

%s ARS --- Debug 842 --- Standard 

Message 

String 


%s Ethernet Port 

Down 

%s Ethernet Port 

Up 

%s-payload 

processing error 

Firewall Event System Error Error 333 641 Standard 

String 

Service 

Firewall Event System Error Warning 332 640 Standard 

String 

Service 

VPN IKE Debug Error 616 --- Standard 

Message 

String 

SonicWALL 

Registration 

Update Needed: 

Restore your 

existing 

security service 

subscriptions by 

clicking here. 

Security 

Services 

Maintenance Warning 496 --- Simple 

802.11b 

Management 

Wireless 802.11b 

Management 

Information 518 --- Simple 

Destination 

A prior version of 

preferences was 

loaded because the 

most recent 

preferences file 

was inaccessible 

A SonicOS 

Standard to 

Enhanced Upgrade 

was performed 

Firewall Event System Error Warning 572 648 Simple 

Firewall Event Maintenance Information 611 --- Simple 

Access attempt 

from host out of 

compliance with 

GSC policy 


from host without 

Anti-Virus agent 

installed 


from host without 

GSC installed 

Security 

Services 

Security 

Services 

Security 

Services 

Maintenance Information 761 --- Standard 


Maintenance Information 763 524 Standard 

Access rule added Firewall Rule User Activity Information 440 --- Simple 

Rule 

Access rule 

deleted 

Firewall Rule User Activity Information 442 --- Simple 

Rule String 


Access rule 

modified 

Firewall Rule User Activity Information 441 --- Simple 

Rule 

Access to proxy 

server denied 

ActiveX access 

denied 

ActiveX or Java 

archive access 

denied 

Network 

Access 

Network 

Access 

Network 

Access 

Blocked Sites Notice 60 705 Standard 

Note 

Blocked 

Blocked Code Notice 18 --- Standard 

Note 

Blocked 


Note 

Blocked 

AD agent %s is not 

responding 

Add an attack 

message 

Adding Dynamic 

Entry for Bound 

MAC Address 

Adding L2TP IP 

pool Address 

object Failed 

Adding to 

multicast 

policyList, 

interface: %s 

Adding to Multicast 

policyList, VPN 

SPI: %s 

Administrator 

logged out 

Administrator 

logged 

out - inactivity 

timer expired 

Administrator login 

allowed 


denied due to bad 

credentials 

MS AD --- Error 769 --- Standard 

Message 

String 

Firewall Event Attack Error 143 525 Simple 

String 

Network --- Information 813 --- Standard 

Note ENET 

L2TP Server System Error Error 603 661 Simple 

Multicast --- Debug 697 --- Standard 

Message 

String 


Message 

String 

Authentication User Activity Information 261 --- Standard 



Authentication Attack Alert 30 560 Standard 



denied from %s; 

logins disabled 

from this interface 

Adminstrator name 

changed 

All DDNS 

associations have 

been deleted 

All preference 

values have been 

set to factory 

default values 

Allowed LDAP 

server certificate 

with wrong host 

name 

Authentication Attack Alert 35 506 Standard 

Message 

String 

Authentication Maintenance Information 328 --- Standard 

DDNS Maintenance Information 783 --- Simple 


RADIUS User Activity Warning 752 --- Standard 

Note String 

Anti-Spyware 

Detection Alert: %s 

Anti-Spyware 

Prevention Alert: 

%s 

Anti-Spyware 

Service Expired 

Anti-Virus agent 

out-of-date on host 

Anti-Virus 

Licenses Exceeded 

Intrusion 

Detection 

Intrusion 

Detection 

Security 

Services 

Security 

Services 

Security 

Services 

Attack Alert 795 576 Standard 

Anti-Spy 

Message 

String 


Anti-Spy 

Message 

String 

Maintenance Warning 796 577 Simple 



Arp request packet 

received 

Arp request packet 

sent 

Arp response 

packet received 

Arp response 

packet sent 


Note ENET 


Note ENET 


Note ENET 


Note ENET 

ARP timeout Network Debug Debug 45 --- Standard 

Association Flood 

from wlan station 

WLAN IDS WLAN IDS Alert 548 903 Simple 

Destination 


Authentication 

timeout during 

Remotely 

Triggered Dial-out 

session 

Authentication User Activity Information 821 --- Simple 

Back Orifice attack 

dropped 

Backup active 

Backup firewall 

being preempted 

by Primary 


has transitioned to 

Active 



Idle 

Backup going 

Active in preempt 

mode after reboot 

Backup missed 

heartbeats from 

Primary 

Backup received 

error signal from 

Primary 

Backup received 

reboot signal from 

Primary 

Backup shut down 

because license is 

expired 

Backup will be 

shut down in %s 

minutes 

Intrusion 

Detection 

High 

Avaiability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 


System Error Information 825 --- Simple 

System Error Error 152 619 Simple 

Maintenance Information 145 --- Simple 






System Error Error 824 --- Simple 

System Error Error 823 --- Standard 

String 

Service 

Bad CRL format VPN PKI User Activity Alert 277 --- Simple 

Destination 

Blocked Quick 

Mode for Client 

using Default 

KeyId 

VPN Client System Error Error 505 660 Standard 


BOOTP Client IP 

address on LAN 

conflicts with 

remote device IP, 

deleting IP address 

from remote table 

BOOTP reply 

relayed to local 

device 

BOOTP Request 

received from 

remote device 

BOOTP server 

response relayed 

to remote device 

BOOTP Maintenance Information 619 --- Standard 

Destination 

BOOTP Maintenance Information 620 --- Standard 

Destination 

BOOTP Debug Debug 621 --- Standard 

Destination 

BOOTP Debug Debug 618 --- Standard 

Destination 

Broadcast packet 

dropped 

Network 

Access 

Debug Debug 46 --- Standard 

Note 

Protocol 

Cannot connect to 

the CRL server 

Cannot Validate 

Issuer Path 

Certificate on 

Revoked list (CRL) 

VPN PKI User Activity Alert 274 --- Simple 

Destination 


Destination 


Destination 

CFL 

auto-download 

disabled, time 

problem detected 

Security 

Services 


CLI administrator 

logged out 


login allowed 


login denied due to 

bad credentials 

Computed hash 

does not match 

hash received from 

peer 



Authentication User Activity Warning 200 --- Simple 

VPN IKE User Activity Warning 410 --- Standard 

Destination 


Connection Closed 

Note: In specific cases of 

multi-layer packet processing, 

a TCP connection initially 

logged as "open," will be 

rejected by a deeper layer of 

packet processing. In these 

cases, the connection request 

has not been forwarded by 

the SonicWALL security 

appliance, and the initial 

Connection Open SonicOS 

log event message should be 

ignored in favor of the TCP 

Connection Dropped log 

event message. 

Network 

Traffic 

Connection 

Traffic 

Information 537 --- Standard 

Traffic 

Report 

Connection 

Opened 

Note: In specific cases of 

multi-layer packet processing, 

a TCP connection initially 

logged as "open," will be 

rejected by a deeper layer of 

packet processing. In these 

cases, the connection request 

has not been forwarded by 

the SonicWALL security 

appliance, and the initial 

Connection Open SonicOS 

log event message should be 

ignored in favor of the TCP 

Connection Dropped log 

event message. 

Network 

Traffic 

Connection Information 98 --- Standard 

Note 

Protocol 

Connection timed 

out 


Destination 

Cookie removed 

Network 

Access 


String 

Service 

CRL has expired VPN PKI User Activity Alert 874 --- Simple 

Destination 

CRL loaded from VPN PKI User Activity Information 270 --- Simple 

Destination 

CRL 

missing - Issuer 

requires CRL 

checking 

CRL validation 

failure for Root 

Certificate 

Crypto DES test 

failed 

Crypto DH test 

failed 


Destination 


Destination 

Crypto Test Maintenance Error 360 --- Simple 



Crypto Hardware 

3Des test failed 


3DES with SHA 

test failed 


AES test failed 

Crypto hardware 

DES test failed 

Crypto Haredware 

DES with SHA test 

failed 

Crypto Hmac-MD5 

fest failed 

Crypto Hmac-Sha1 

test failed 

Crypto MD5 test 

failed 

Crypto RSA test 

failed 

Crypto Sha1 test 

failed 

DDNS association 

%s disabled 


%s enabled 


%s added 


%s deactivated 


%s deleted 

DDNS Association 

%s put on line 



Crypto Test Maintenance Error 610 --- Standard 









Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 



%s taken Offline 

locally 

DDNS Failure: 

Provider %s 

DDNS Failure: 

Provider %s 

DDNS Failure: 

Provider %s 

DDNS Update 

success for 

domain %s 

DDNS Warning: 

Provider %s 

Deleting from 

Multicast policy 

list, interface : %s 

Deleting from 

Multicast policy 

list, VPN SPI : %s 


Message 

String 

DDNS System Error Error 774 --- Simple 

Message 

String 


Message 

String 


Message 

String 

DDNS Maintenance Information 776 --- Standard 

Message 

String 

DDNS System Error Warning 777 --- Simple 

Message 

String 


Message 

String 


Message 

String 

Deleting IPSec SA VPN IKE User Activity Information 92 --- Standard 

Note SPI 

DHCP client 

enabled but not 

ready 

DHCP Client did 

not get DHCP ACK 

DHCP Client failed 

to verify and lease 

has expired. Go to 

INIT state. 

DHCP Client got a 

new IP address 

lease. 

DHCP Client got 

ACK from server 

DHCP Client got 

NACK 

DHCP Client Maintenance Information 504 --- Simple 

DHCP Client Maintenance Information 109 --- Standard 



Destination 


Destination 



DHCP Client is 

declining address 

offered by the 

server. 

DHCP Client 

sending REQUEST 

and going to 

REBIND state 

DHCP Client 

sending REQUEST 

and going to 

RENEW state 

DHCP DISCOVER 

received from 

remote device 

DHCP lease 

dropped. Lease 

from Central 

Gateway conflicts 

with Relay IP 

DHCP lease 

dropped. Lease 

from Central 

Gateway conflicts 

with Remote 

Management IP 

DHCP lease 

relayed to local 

device 

DHCP lease 

relayed to remote 

device 

DHCP lease to LAN 

device conflicts 

with remote device, 

deleting remote IP 

entry 

DHCP NAK 

received from 

server 

DHCP OFFER 

received from 

server 


Destination 


Destination 


Destination 

DHCP Relay Debug Information 474 --- Standard 

Destination 

DHCP Relay Maintenance Warning 228 --- Standard 

Destination 

DHCP Relay Maintenance Warning 484 --- Standard 

Destination 

DHCP Relay Maintenance Information 223 --- Standard 

Destination 


Destination 


Destination 


Destination 


Destination 


DHCP Ranges 

altered 

automatically due 

to change in 

network settings 

for interface %s 

DHCP RELEASE 

received from 

remote device 

DHCP RELEASE 

relayed to Central 

Gateway 

DHCP REQUEST 

received from 

remote device 

DHCP Server not 

available. Did not 

get any DHCP 

OFFER. 

Firewall Event --- Information 832 --- Standard 

String 

Service 


Destination 


Destination 


Destination 


Diagnostic Code A 

Diagnostic Code B 

Diagnostic Code C 

Diagnostic Code D 

Diagnostic Code D 

Firewall 

Hardware 

Firewall 

Hardware 

Firewall 

Hardware 

Firewall 

Hardware 

Firewall 

Hardware 


Note String 


Note String 


Note String 

System Error Error 64 610 Standard 

Note Code 


Note String 

Diagnostic Code E VPN IPSec System Error Error 61 609 Standard 

Note Code 

Diagnostic Code F 

Diagnostic Code G 

Diagnostic Code H 

Diagnostic Code I 

Firewall 

Hardware 

Firewall 

Hardware 

Firewall 

Hardware 

Firewall 

Hardware 


Note String 


Note String 


Note String 


Note String 

Disconnecting 

L2TP Tunnel due to 

traffic timeout 

L2TP Client Maintenance Information 215 --- Simple 


Disconnecting 

PPPoE due to 

traffic timeout 

Disconnecting 

PPTP Tunnel due 

to traffic timeout 

PPPoE Maintenance Information 168 --- Simple 

PPTP Maintenance Information 389 --- Simple 

Discovered HA 

Backup Firewall 

DNS packet 

allowed 

Drop Wlan traffic 

from non 

SonicPoint devcies 

High 

Availability 

Network 

Access 

Intrusion 

Detection 


Debug Information 602 --- Standard 

Policy 

Attack Error 662 572 Standard 

Dynamic IPSec 

client connected 

VPN IPSec User Activity Information 62 --- Standard 

Destination 

EIGRP packet 

dropped 

E-Mail fragment 

dropped 

Error initializing 

Hardware 

acceleration for 

VPN 

Error Rebooting 

HA Peer Firewall 

Error setting the IP 

address of the 

backup, please 

manually set to 

backup LAN IP 

Error 

Synchronizing HA 

Peer Firewall 

Network 

Access 

Intrusion 

Detection 

Firewall 

Hardware 

High 

Availability 

High 

Availability 

High 

Availability 

Debug Notice 714 --- Standard 

Note String 


Maintenance Error 374 --- Simple 




Exceeded Max 

multicast address 

limit 

Failed payload 

validation 

Failed payload 

verification after 

decryption. 

Possible preshared 

key mismatch. 

Multicast --- Warning 703 --- Standard 




Failed to find 

certificate 

Failed to get CRL 

from 

Failed to Process 

CRL from 

Failed to resolve 

name 

Failed to 

synchronize Relay 

IP Table 

Failure to add data 

channel 


Destination 


Destination 


Destination 

Network Maintenance Information 84 --- Simple 

Destination 

DHCP Relay System Error Warning 234 632 Standard 

Unused Debug Debug 49 --- Standard 

Failure to reach 

Interface %s probe 

High 

Availability 


String Service 

Fan Failure 

Firewall 

Hardware 

System 

Environment 

Alert 576 102 Simple 

Forbidden E-Mail 

attachment deleted 

Forbidden E-Mail 

attachment 

disabled 

Intrusion 

Detection 

Intrusion 

Detection 


Destination 


Destination 

Found Rogue 

Access Point 

Found Rogue 

Access Point 


Destination 


Destination 

Fragmented packet 

dropped 

Network TCP | UDP | 

ICMP 

Notice 28 --- Standard 

Note 

Protocol 

Fraudulent 

Microsoft 

certificate found; 

access denied 

FTP: Data 

connection from 

non default port 

dropped 

FTP: PASV 

response bounce 

attack dropped. 

Intrusion 

Detection 

Network 

Access 

Intrusion 

Detection 




Note String 


FTP: PASV 

response spoof 


FTP: PORT bounce 


Gateway Anti-Virus 

Alert: %s 

Gateway Anti-Virus 

Service expired 

Intrusion 

Detection 

Intrusion 

Detection 

Security 

Services 

Security 

Services 



Note String 

Attack Alert 809 --- Standard 

Message 

String 

Maintenance Warning 810 --- Simple 

Global VPN Client 

connection is not 

allowed. Appliance 

is not registered. 


License Exceeded: 

Connection 

denied. 


version cannot 

enforce personal 

firewall. Minimum 

Version required is 

2.1. 

Got DHCP OFFER. 

Selecting. 

VPN Client System Error Information 529 643 Standard 

VPN Client System Error Information 494 658 Standard 

VPN Client User Activity Information 604 --- Standard 

Destination 


Destination 

GSC policy 

out-of-date on host 

Security 

Services 


Guest account '%s' 

created 


deleted 


disabled 


pruned 


re-enabled 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 



re-generated 

Guest login denied. 

Guest '%s' is 

already logged in. 

Please try again 

later. 

H.323/H.225 

Connect 


Message 

String 


Message 

String 

VoIP VoIP Debug 634 --- Standard 

Note String 

H.323/H.225 Setup VoIP VoIP Debug 633 --- Standard 

Note String 

H.323/H.245 

Address 

H.323/H.245 End 

Session 

H.323/RAS 

Admission Confirm 

H.323/RAS 

Admission Reject 

H.323/RAS 

Admission 

Request 

H.323/RAS 

Bandwidth Reject 

H.323/RAS 

Disengage Confirm 

H.323/RAS 

Disengage Reject 

H.323/RAS 

Gatekeeper Reject 

H.323/RAS 

Location Confirm 

H.323/RAS 

Location Reject 

H.323/RAS 

Registration Reject 

H.323/RAS 

Unknown Message 

Response 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


Note String 


H.323/RAS 

Unregistration 

Reject 


Note String 

HA packet 

processing error 

High 

Availability 


Hardware Failover 

settings were not 

upgraded 

Header verification 

failed 

HTTP 

management port 

has changed 

HTTPS 

management port 

has changed 




Note String 


Note String 

ICMP checksum 

error 

ICMP packet 

allowed 

ICMP packet 

dropped 

ICMP packet 

dropped 

ICMP packet from 

LAN allowed 

Network 

Access 

Network 

Access 

Network 

Access 

Network 

Access 

Network 

Access 

UDP Notice 886 --- Standard 


Policy 

ICMP Notice 38 --- Standard 

Policy 

ICMP Notice 523 --- Standard 

ICMP 

Service 


ICMP 

Service 

ICMP packet from 

LAN dropped 

Network 

Access 

LAN ICMP | 

LAN TCP 


ICMP 

Service 

If not already 

enabled, enabling 

NTP is 

recommended 

Firewall 

Hardware 

System Error Warning 540 645 Simple 

IGMP packet 

dropped, wrong 

checksum received 

on interface %s 

IGMP Leave group 

message Received 

on interface %s 

Multicast --- Notice 683 --- Standard 

Message 

String 

Multicast --- Information 682 --- Standard 

Message 

String 


IGMP packet 

dropped, decoding 

error 

IGMP Packet Not 

handled. Packet 

type : %s 

IGMP querier 

Router detected on 

interface %s 

IGMP querier 

Router detected on 

VPN tunnel , SPI 

%S 

IGMP state table 

entry time 

out,deleting 

interface : %s for 

multicast address : 

%s 

IGMP state table 

entry time 

out,deleting VPN 

SPI :%s for 

Multicast address : 

%s 

IGMP V2 client 

joined multicast 

Group : %s 

IGMP V2 

Membership report 

received from 

interface %s 

IGMP V3 client 

joined multicast 

Group : %s 

IGMP V3 

Membership report 

received from 

interface %s 

IGMP V3 packet 

dropped, 

unsupported 

Record type : %s 



Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


Message 

String 


IGMP V3 reord 

type : %s not 

Handled 

IKE ID mismatch 

%s 

IKE Initiator drop: 

Packet dest 

address does not 

match selected 

local interface 

address 

IKE Initiator: 

Accepting IPSec 

proposal (Phase 2) 


Accepting peer 

lifetime (Phase 1) 


Aggressive Mode 

complete (Phase 1) 

IKE Initiator: Main 

Mode complete 

(Phase 1) 


Received notify. 

NO_PROPOSAL_ 

CHOSEN 

IKE Initiator: Start 


negotiation (Phase 

1) 


Main Mode 

negotiation (Phase 

1) 


Quick Mode (Phase 

2) 

IKE Initiator: Using 

secondary gateway 

to negotiate 


Message 

String 

VPN IKE Debug Debug 658 --- Standard 

String 

Service 

VPN IKE User Activity Information 544 --- Standard 


Note String 


Destination 


Destination 


Destination 


Destination 





Destination 


IKE negotiation 

aborted due to 

timeout 

IKE negotiation 

complete. Adding 

IPSec SA. (Phase 

2) 

IKE Responder 

drop: Packet dest 

address does not 

match selected 

local interface 

address 

IKE Responder: %s 

policy does not 

allow static IP for 

Virtual Adapter. 

IKE Responder: 

Accepting IPSec 

proposal (Phase 2) 




IKE Responder: AH 

Perfect Forward 

Secrecy mismatch 


Algorithms and/or 

keys do not match 


Default LAN 

gateway is not set 

but peer is proposing 

to use this SA 

as a default route 


Default LAN 

gateway is set but 

peer is not 

proposing to use 

this SA as a default 

route 




VPN Client System Error Error 660 --- Standard 

Message 

String 


Note String 


Destination 

VPN IKE User Activity Warning 258 544 Standard 


VPN IKE Attack Error 516 553 Standard 

Note String 


Note String 



ESP Perfect 

Forward Secrecy 

mismatch 


IKE proposal does 

not match 

(Phase 1) 

IKE Responder: IP 

Address already 

exists in the DHCP 

relay table. Client 

traffic not allowed. 


IPSec proposal 


(Phase 2) 


Main Mode 



Mode %d - not 

transport mode. 

Xauth is required 

but not supported 

by peer. 


Mode %d - not 

tunnel mode 

IKE Responder: No 

match for 

proposed remote 

network address 

IKE Responder: No 

matching Phase 1 

ID found for 


network 


Proposed local 

network is 0.0.0.0 

but SA has no LAN 

Default Gateway 



Destination 

VPN Client System Error Error 659 --- Standard 

Note String 


Note String 


Destination 

VPN IKE Debug Warning 342 --- Standard 

Message 

Number 


Message 

Number 


Note String 


Note String 


Note String 



Proposed remote 

network is 0.0.0.0 

but not DHCP relay 

nor default route 


Received 


request (Phase 1) 


Received Main 

Mode request 

(Phase 1) 


Received Quick 

Mode Request 

(Phase 2) 


Tunnel terminates 

inside firewall but 

proposed local 

network is not 

inside firewall 



on DMZ but 


network is on LAN 



on LAN but 


network is on DMZ 



outside firewall but 


network is not NAT 

public address 



outside firewall but 


network is not NAT 

public address 






Note String 


Note String 


Note String 


Note String 


Note String 


IKE SA lifetime 

expired. 


Illegal IPSec SPI VPN IPSec User Activity Information 65 --- Standard 

Destination 

Imported VPN SA 

is invalid - disabled 

Inbound 

connection from 

RBL-listed SMTP 

server dropped 

Incoming call 

received for 

Remotely 


session 

Incompatible IPSec 

Security 

Association 

Incorrect 

authentication 

received for 

Remotely 


Firewall Event Maintenance Warning 348 --- Standard 

Note String 

RBL --- Notice 798 --- Standard 


VPN IPSec User Activity Information 69 --- Standard 

Destination 


Ini Killer attack 

dropped 

Intrusion 

Detection 


Interface %s Link 

Is Down 

Interface %s Link 

Is Up 

Interface IP 

Assignment : 

Binding and 

initializing %s 

Interface IP 

Assignment 

changed: Shutting 

down %s 

Interface statistics 

report 


String 

Service 

Firewall Event System Error Warning 565 646 Standard 

String 

Service 

Firewall Event Maintenance Information 568 --- Standard 

String 

Service 


String 

Service 

GMS --- Information 805 --- Simple 

Interface 

Statistics 


Invalid TCP flags 

on an incomplete 

connection 

Network 

Access 

--- Notice 760 --- Standard 

Note String 

Invalid VLAN 

packet dropped 

Network --- Alert 836 --- Standard 

Note String 

IP Header 

checksum error 

Network 

Access 

TCP | UDP Notice 883 --- Standard 

IP spoof detected 

on packet to 

Central Gateway, 


DHCP Relay Attack Error 229 533 Standard 

Note ENET 

IP spoof dropped 

Intrusion 

Detection 


Note ENET 

IP type %s packet 

dropped 

Network 

Access 

LAN UDP | 

LAN TCP 


Message 

String 

IPS Detection 

Alert: %s 

IPS Detection 

Alert: %s 

IPS Prevention 

Alert: %s 

IPS Prevention 

Alert: %s 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 


IDP 

Message 

String 


Message 

String 


IDP 

Message 

String 


Message 

String 

IPSec (AH) packet 

dropped 

VPN IPSec TCP | UDP | 

ICMP 


Note String 

IPSec (AH) packet 

dropped; waiting 

for pending IPSec 

connection 

VPN IPSec Debug Debug 536 --- Standard 

IPSec (ESP) packet 

dropped 

VPN IPSec TCP | UDP | 

ICMP 


Note String 

IPSec (ESP) packet 



connection 

VPN IPSec Debug Debug 535 --- Standard 


IPSec 


Failed 

VPN IPSec Attack Error 67 508 Standard 

Destination 

IPSec connection 

interrupt 

Network 

Access 


IPSec Decryption 

Failed 


Destination 

IPSec packet 

dropped 

Network 

Access 

TCP | UDP | 

ICMP 


IPSec packet 



connection 

Network 

Access 


IPSec packet from 

an illegal host 

IPSec packet from 

or to an illegal host 

IPSEC Replay 

Detected 

VPN IPSec Maintenance Information 247 --- Standard 

Destination 


Destination 

VPN IPSec Attack Alert 180 531 Standard 

Note String 

IPSecTunnel 

status changed 

VPN 

VPN Tunnel 

Status 

Information 427 801 Simple 

ISDN Driver 

Firmware 

successfully 

updated 


Issuer match failed VPN PKI User Activity Alert 278 --- Simple 

Destination 

Java access 

denied 

Network 

Access 


Note 

Blocked 

L2TP enabled but 

not ready 

L2TP Max 

Retransmission 

Exceeded 

L2TP PPP 


Failed 

Unused Maintenance Information 500 --- Simple 



L2TP PPP Down L2TP Client Maintenance Information 211 --- Simple 

L2TP PPP link 

down 



L2TP PPP 

Negotiation Started 

L2TP PPP Session 

Up 

L2TP Server : 

Deleting the L2TP 

active Session 

L2TP Server : 

Deleting the Tunnel 

L2TP Server : L2TP 

Session Established. 

L2TP Server : L2TP 

Tunnel Established. 

L2TP Server : 

Retransmission 

Timeout, Deleting 

the Tunnel 

L2TP Server : User 

Name 


Failure locally. 

L2TP Server: 

Local 


Failure 

L2TP Server: 

Local 


Success. 

L2TP Server: 

Radius 


Success 

L2TP Server: 

Radius reports 


Failure 

L2TP Server: 

Radius server not 

assigned IP 

address 



L2TP Server Maintenance Information 337 --- Standard 

Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


L2TP Server: Call 

Disconnect from 

Remote. 

L2TP Server: 

Tunnel Disconnect 

from Remote. 

L2TP Session 


Remote 

L2TP Session 

Established 

L2TP Session 


L2TP Tunnel 


Remote 

L2TP Tunnel 

Established 

L2TP Tunnel 


LAN Subnet 

configurations 

were not upgraded. 


Destination 


Destination 








Land attack 

dropped 

Intrusion 

Detection 


License exceeded: 

Connection 

dropped because 

too many IP 

addresses are in 

use on your LAN 


License of HA pair 

doesn't match 

High 

Availability 


Local user login 

allowed 

Local user login 

denied due to bad 

credentials 

Locked-out user 

logins 

allowed - lockout 

period expired 


String 

Service 


String 

Service 


Note String 


Locked-out user 

logins allowed by 

administrator 


Note String 

Log Cleared 

Firewall 

Logging 


Log Debug Firewall Event Debug Error 142 --- Simple 

String 

Log successfully 

sent via email 

Firewall 



Login screen timed 

out 

MAC address 

collides with Static 

ARP Entry with 

Bound MAC 

address; packet 

dropped 


String 

Service 

Network --- Notice 814 --- Standard 

Note ENET 

Machine %s 

removed from SYN 

flood blacklist 

Malformed or 

unhandled IP 


Maximum events 

per second 

threshold 

exceeded 

Intrusion 

Detection 

Network 

Access 

Firewall 


--- Alert 865 --- Standard 

String 

Service 


Destination 

System Error Critical 654 --- Simple 

Maximum 

sequential failed 

dial attempts (10) 

to a single dial-up 

number: %s 

PPP Dial-up Attack Error 591 566 Standard 

Message 

String 

Maximum syslog 

data per second 

threshold 

exceeded 

Firewall 


System Error Critical 655 --- Simple 

Multicast 

application %s not 

supported 

Multicast packet 

dropped, Invalid 

src IP received on 

interface : %s 


Message 

String 

Multicast --- Alert 685 --- Standard 

Message 

String 


Multicast packet 

dropped, wrong 

MAC address 

receieved on 

interface : %s 

Multicast TCP 


Multicast UDP 

packet dropped, no 

state entry 

Multicast UDP 

packet dropped, 

RTCP stateful 

failed 

Multicast UDP 

packet dropped, 

RTP stateful failed 

NAT device may 

not support IPSec 

AH passthrough 

NAT Discovery : 

No NAT/NAPT 

device detected 

between IPSec 

Security gateways 


Local IPSec 

Security Gateway 

behind a NAT/ 

NAPT Device 


Peer IPSec 


behind a NAT/ 

NAPT Device 


Peer IPSec 


doesn't support 

VPN NAT Traversal 

NAT translated 

packet exceeds 

size limit, packet 

dropped 

Multicast --- Alert 684 --- Standard 

Message 

String 





VPN IPSec Maintenance Information 266 --- Simple 





Network Debug Debug 339 --- Standard 


Net Spy attack 

dropped 

Intrusion 

Detection 


NetBIOS settings 

were not upgraded. 

Use Network>IP 

Helper to 

configure NetBIOS 

support 


NetBus attack 

dropped 

Intrusion 

Detection 


Network for 

interface %s 

overlaps with 

another interface. 

Network Modem 

Mode Disabled: 

re-enabling NAT 

Network Modem 

Mode Enabled: 

turning off NAT 


String 

Service 

PPP Dial-up Maintenance Information 531 --- Simple 


New URL List 

loaded 

Newsgroup access 

allowed 

Newsgroup access 

denied 

Security 

Services 

Network 

Access 

Network 

Access 



Note 

Blocked 


Note 

Blocked 

No Certificate for VPN PKI User Activity Alert 280 --- Simple 

Destination 

No new URL List 

available 

Security 

Services 


No response from 

ISP Disconnecting 

PPPoE. 


PPTP server to call 

requests 


PPTP server to 

control connection 

requests 






server to Echo 

Requests, 

disconnecting 

PPTP Tunnel 

No valid DNS 

server specified for 

RBL lookups 

Not all 

configurations may 

have been 

completely 

upgraded 

Not enough 

memory to hold the 

CRL 

Obtained Relay IP 

Table from Remote 

Gateway 

OCSP Failed to 

Resolve Domain 

Name. 

OCSP Internal 

error handling 

received response. 

OCSP received 

response error. 

OCSP received 

response. 

OCSP Resolved 

Domain Name. 

OCSP send 

request message 

failed. 

OCSP sending 

request. 

Outbound 

connection to 

RBL-listed SMTP 

server dropped 


RBL --- Error 800 --- Simple 


VPN PKI User Activity Warning 272 --- Simple 

Destination 


VPN PKI User Activity Error 853 --- Standard 

Note String 


Note String 


Note String 

VPN PKI User Activity Information 850 --- Standard 

Note String 


Note String 


Note String 


Note String 


Out-of-order 

command packet 

dropped 

Network 

Access 



Packet dropped by 

wlan guest check 

Packet dropped by 

wlan vpn traversal 

check 

Wireless TCP | UDP | 

ICMP 

Wireless TCP | UDP | 

ICMP 

Warning 488 --- Standard 

Destination 


Destination 

Packet dropped. 

No firewall rule 

associated with 

VPN policy. 

VPN System Error Alert 739 --- Standard 

Note String 

Ping of death 

dropped 

Intrusion 

Detection 


PKI Failure: CA 

certificates store 

exceeded. Cannot 

verify this Local 

Certificate 

PKI Failure: Cannot 

alloc memory 

PKI Failure: 

Certificate's ID 


this SonicWall 

PKI Failure: 

Duplicate local 

certificate 

PKI Failure: 

Duplicate local 

certificate name 

PKI Failure: Import 

failed 

PKI Failure: 

Improper file 

format. Please 

select PKCS#12 

(*.p12) file 

PKI Failure: 

Incorrect admin 

password 

PKI Failure: 

Internal error 

PKI Failure: 

Loaded but could 

not verify 

certificate 

VPN PKI Maintenance Error 453 --- Simple 











PKI Failure: 

Loaded the 

certificate but 

could not verify it's 

chain 

PKI Failure: No CA 

certificates yet 

loaded 

PKI Failure: 

Output buffer too 

small 

PKI Failure: 

public-private key 

mismatch 

PKI Failure: 

Reached the limit 

for local certs, cant 

load any more 

PKI Failure: 

Temporary memory 

shortage, try again 

PKI Failure: The 

certificate chain 

has no root 


certificate chain is 

circular 


certificate chain is 

incomplete 


certificate or a 

certificate in the 

chain has a bad 

signature 




chain has a validity 

period in the future 




chain has expired 

















chain is corrupt 

Please connect 

interface %s to 

another network to 

function properly 

Please manually 

check all system 

configurations for 

correctness of 

Upgrade 



String 

Service 


Port configured to 

receive IPSEC 

ONLY. Drop packet 

received in the 

clear. 

Network 

Access 

TCP | UDP | 

ICMP 


Destination 

Possible port scan 

dropped 

Possible SYN flood 

attack detected 

Possible SYN flood 

detected on WAN 

IF %s - switching to 

connection-proxy 

mode 

Possible SYN 

Flood on IF %s 

Possible SYN 

Flood on IF %s 

continues 

Possible SYN 

Flood on IF %s has 

ceased 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 


Note String 

Attack Warning 25 503 Standard 


String 

Service 


String 

Service 

--- Warning 866 --- Standard 

String 

Service 


String 

Service 

PPP Dial-Up: 

Connect request 

canceled 

PPP Dial-Up: 

Connected at %s 

bps - starting PPP 

PPP Dial-up User Activity Information 306 --- Simple 

PPP Dial-up User Activity Information 286 --- Standard 

String 

Service 


PPP Dial-Up: 

Connection 

disconnected as 

scheduled. 

PPP Dial-Up: 

Dial initiated by %s 

PPP Dial-Up: 

Dialed number did 

not answer 

PPP Dial-Up: 

Dialed number is 

busy 

PPP Dial-Up: 

Dialing not allowed 

by schedule. %s 

PPP Dial-Up: 

Dialing: %s 

PPP Dial-Up: Idle 

time limit exceeded 

- disconnecting 

PPP Dial-Up: 

Initialization : %s 

PPP Dial-Up: Link 

carrier lost 

PPP Dial-Up: 

Manual 

intervention 

needed. Check 

Primary Profile or 

Profile details 

PPP Dial-Up: 

Maximum 

connection time 

exceeded - 

disconnecting 

PPP Dial-Up: No 

dialtone detected - 

check phone-line 

connection 

PPP Dial-up --- Information 666 --- Standard 

PPP Dial-up Maintenance Information 324 --- Standard 

Message 

String 



PPP Dial-up --- Information 665 --- Standard 

Message 

String 


String 

Service 



String 

Service 







link carrier 

detected - check 

phone number 


peer IP address 

from Dial-Up ISP, 

local and remote 

IPs will be the 

same 

PPP Dial-Up: 

PPP link down 

PPP Dial-Up: 

PPP link 

established 

PPP Dial-Up: 

Previous session 

was connected for 

%s 

PPP Dial-Up: 

Received new IP 

address 

PPP Dial-Up: 

Shutting down link 

PPP Dial-Up: The 

profile in use 

disabled VPN 

networking. 

PPP Dial-Up: 

Trying to failover 

but Alternate 

Profile is manual 

PPP Dial-Up: 

Trying to failover 

but Primary Profile 

is manual 

PPP Dial-Up: 

Unknown dialing 

failure 

PPP Dial-Up: 

User requested 

connect 






String 

Service 




WAN Failover User Activity Information 434 --- Simple 





PPP Dial-Up: 

User requested 

disconnect 

PPP Dial-Up: 

VPN networking 

restored. 

PPP: 


successful 

PPP: CHAP 


failed - check 

username / 

password 

PPP: MS-CHAP 



username / 

password 

PPP: PAP 



username / 

password 

PPP: Starting 

CHAP 


PPP: Starting 

MS-CHAP 


PPP: Starting PAP 




PPP User Activity Information 289 --- Simple 







PPPoE terminated PPPoE Maintenance Information 130 --- Simple 

PPPoE discovery 

process complete 

PPPoE enabled but 

not ready 

PPPoE LCP Link 

Down 

PPPoE LCP Link 

Up 

PPPoE Network 

Connected 







PPPoE Network 

Disconnected 

PPPoE starting 

CHAP 


PPTP enabled but 

not ready 

PPTP Connect 

Initiated by the 

User 

PPTP Control 

Connection 

Established 

PPTP Control 

Connection 


PPTP decode 

failure 

PPTP Disconnect 

Initiated by the 

User 

PPTP PAP 


success. 




PPTP Maintenance Information 390 --- Standard 

Destination 



PPTP Debug Debug 596 --- Standard 

PPTP Maintenance Information 388 --- Standard 

Destination 


PPTP PPP Down PPTP Maintenance Information 385 --- Simple 

PPTP PPP Link 

down 

PPTP PPP Link 

Finished 



PPTP PPP Link Up PPTP Maintenance Information 398 --- Simple 

PPTP PPP 


PPTP PPP Session 

Up 

PPTP Server is not 

responding, check 

if the server is UP 

and running. 

PPTP server 

rejected control 

connection 






PPTP server 

rejected the call 

request 

PPTP Session 


Remote 

PPTP Session 

Established 

PPTP Session 


PPTP starting 

CHAP 


PPTP starting PAP 


PPTP Tunnel 


Remote 








Primary firewall 


Active 



Idle 


preempting 

Backup 

Primary missed 

heartbeats from 

Backup 

Primary received 

error signal from 

Backup 

Primary received 

reboot signal from 

Backup 

Priority attack 

dropped 

Probable port scan 

dropped 

Probable TCP FIN 

scan dropped 

High Availability 

High Availability 

High 

Availability 

High 

Availability 

High 

Availability 

High 

Availability 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 









Note String 



Probable TCP 

NULL scan 

dropped 

Probable TCP 

XMAS scan 

dropped 

Intrusion 

Detection 

Intrusion 

Detection 



Probing failure on 

%s 

Probing succeeded 

on %s 

WAN Failover System Error Alert 326 637 Standard 

Message 

String 


Message 

String 

Problem loading 

the URL List; 

Appliance not 

registered. 


the URL List; 

check Filter 

settings 


the URL List; 

check your DNS 

server 


the URL List; Flash 

write failure. 


the URL List; 

Retrying later. 


the URL List; 

Subscription 

expired. 


the URL List; Try 

loading it again. 

Problem sending 

log email; check 

log settings. 

Real time clock 

battery failure. 

Time values may 

be incorrect. 

Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Firewall 


Firewall 

Hardware 



Note Code 









Received a path 

MTU icmp 

message from 

router/gateway 

Received a path 

MTU icmp 

message from 

router/gateway 

Network User Activity Information 182 --- Standard 

Note SPI 

Network User Activity Information 188 --- Standard 

Note MTU 

Received AV Alert: 

%s 


Your SonicWALL 

Network Anti-Virus 

subscription has 

expired. %s 



Network Anti-Virus 

subscription will 

expire in 7 days. 

%s 

Received CFS 

Alert: Your 


Content Filtering 


expired. 

Received CFS 

Alert: Your 


Content Filtering 



Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Security 

Services 

Maintenance Warning 125 524 Standard 

String 

Service 


String 

Service 


String 

Service 



Received DHCP 

offer packet has 

errors 


Destination 

Received E-Mail 

Filter Alert: Your 

SonicWALL E-Mail 

Filtering 


expired. 

Security 

Services 



Received E-Mail 

Filter Alert: Your 

SonicWALL E-Mail 

Filtering 



Security 

Services 


Received 

fragmented packet 

or fragmentation 

needed 

Received IKE SA 

delete request 



Received IPS Alert: 


Intrusion 

Prevention (IDP) 


expired. 

Security 

Services 


Received IPSEC 

SA delete request 

Received ISAKMP 

packet destined to 

port %s 

Received LCP 

Echo Reply 

Received LCP 

Echo Request 

Received notify: 

INVALID_COOKIES 


INVALID_ID_INFO 


INVALID_PAYLOAD 


INVALID_SPI 


ISAKMP_AUTH_ 

FAILED 


PAYLOAD_ 

MALFORMED 


Destination 

VPN IKE Debug | UDP Information 607 --- Standard 

Message 

String 




Destination 

VPN IPSec User Activity Warning 483 --- Standard 

VPN IKE User Activity Error 661 --- Standard 


Destination 


Destination 


Destination 



RESPONDER_ 

LIFETIME 

Received packet 

retransmission. 

Drop duplicate 

packet 

Received PPPoE 

Active Discovery 

Offer 

Received PPPoE 


Session_ 

confirmation 

Received response 

packet for DHCP 

request has errors 

Received 

unencrypted 

packet while crypto 

active 

Regulatory 

requirements 

prohibit %s from 

being re-dialed for 

30 minutes 

Remotely 


session ended. 

Valid WAN bound 

data found. 

Normal dial-up 

sequence will 

commence 

Remotely 


session started. 

Requesting 


Request for Relay 

IP Table from 

Central Gateway 

Requesting CRL 

from 


Destination 





Destination 


PPP Dial-up Attack Error 592 567 Standard 

Message 

String 




VPN PKI User Activity Information 269 --- Simple 

Destination 


Requesting Relay 

IP Table from 

Remote Gateway 

Retransmitting 

DHCP DISCOVER 


DHCP REQUEST 

(Rebinding) 


DHCP REQUEST 

(Rebooting) 


DHCP REQUEST 

(Renewing) 


DHCP REQUEST 

(Requesting) 


DHCP REQUEST 

(Verifying) 

RIP disabled on 

interface %s 



Destination 


Destination 


Destination 


Destination 


Destination 


Destination 

RIP Maintenance Information 419 --- Standard 

String 

Service 

Ripper attack 

dropped 

Intrusion 

Detection 


RIPv1 enabled on 

interface %s 

RIPv2 

compatibility 

(broadcast) mode 

enabled on 

interface %s 

RIPv2 enabled on 

interface %s 

Router IGMP 

General query 

received on 

interface %s 

Router IGMP 

Membership query 

received on 

interface %s 


String 

Service 


String 

Service 


String 

Service 


Message 

String 


Message 

String 


Sending DHCP 

DISCOVER. 

Sending DHCP 

RELEASE. 

Sending DHCP 

REQUEST 

(Rebinding). 

Sending DHCP 

REQUEST 

(Rebooting). 

Sending DHCP 

REQUEST 

(Renewing). 

Sending DHCP 

REQUEST 

(Verifying). 

Sending DHCP 

REQUEST. 

Sending LCP Echo 

Reply 

Sending LCP Echo 

Request 

Sending PPPoE 


Request 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 


Destination 




Senna Spy attack 

dropped 

Intrusion 

Detection 


Sent Relay IP Table 

to Central Gateway 

SIP Register expiration 

exceeds 

configured 

Signaling 

inactivity time out 


VoIP VoIP Warning 645 --- Standard 

Note String 

SIP Request VoIP VoIP Debug 643 --- Standard 

Note String 

SIP Response VoIP VoIP Debug 644 --- Standard 

Note String 

SMTP 

POP-Before-SMTP 


failed 

Firewall 


System Error Warning 656 --- Simple 


SMTP server found 

on RBL blacklist 


Note String 

Smurf 

Amplification 

attack dropped 

Intrusion 

Detection 


SonicPoint 

Provision 

SonicPoint 

statistics report 

SonicPoint SonicPoint Information 727 --- Simple 

Destination 

GMS --- Information 806 --- Simple 

SonicPoint 

Statistics 

SonicPoint Status SonicPoint SonicPoint Information 667 --- Simple 

Destination 


activated 


initializing 

Firewall Event Maintenance Alert 4 --- Simple 


Source routed IP 


Spank attack 

multicast packet 

dropped 

Intrusion 

Detection 

Intrusion 

Detection 

Debug Warning 428 --- Standard 


Starting IKE 

negotiation 

Starting PPPoE 

discovery 


Note String 


Status GMS Maintenance Emergency 96 --- Simple 

GMS 

Status 

Striker attack 

dropped 

Sub Seven attack 

dropped 

Success to reach 

Interface %s probe 

Intrusion 

Detection 

Intrusion 

Detection 

High 

Availability 



System Error Information 674 --- Standard 

String 

Service 

Successful 


received for 

Remotely 




SYN Flood 

Blacklist on IF %s 

continues 

SYN Flood 

blacklisting 

disabled by user 

SYN Flood 

blacklisting 

enabled by user 

SYN flood ceased 

or flooding 

machines 

blacklisted - 

connection proxy 

disabled 

SYN Flood Mode 

changed by user 

to: Always proxy 

WAN connections 



to: Watch and 

proxy WAN 

connections when 

under attack 



to: Watch and 

report possible 

SYN floods 

Synchronizing 

preferences to HA 

Peer Firewall 

SYN-Flooding 

machine %s 

blacklisted 

TCP checksum 

error 

TCP connection 

dropped 

TCP connection 

from LAN denied 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

Intrusion 

Detection 

High 

Availability 

Intrusion 

Detection 

Network 

Access 

Network 

Access 

Network 

Access 


String 

Service 









String 

Service 



Policy 

LAN TCP Notice 173 --- Standard 

Service 

TCP FIN packet 

dropped 



TCP stateful 

inspection 

enforcement: 

Bad header 

dropped 

TCP stateful 

inspection 

enforcement: 

Connection 

aborted 

TCP stateful 

inspection 

enforcement: 

Connection 

refused 

TCP stateful 

inspection 

enforcement: 

Invalid ack 

dropped 

TCP stateful 

inspection 

enforcement: 

Invalid flag 

dropped 

TCP stateful 

inspection 

enforcement: 

Invalid sequence 

dropped 





Network Debug Information 710 --- Standard 


TCP SYN received 

TCP Syn/Fin 


TCP Xmas Tree 

dropped 

Intrusion 

Detection 

Network 

Access 

Intrusion 

Detection 

--- Debug 869 --- Standard 



The cache is full; 

%u open 

connections; some 

will be dropped 


Message 

Number 

The loaded 

content URL List 

has expired 

Security 

Services 



The network 

connection in use 

is %s 

The preferences 

file is too large to 

be saved in 

available flash 

memory 

WAN Failover System Error Warning 307 639 Standard 

Message 

String 


Thermal Red 

Firewall 

Hardware 

System 

Environment 


Thermal Red Timer 

Exceeded 

Firewall 

Hardware 

System 

Environment 


Thermal Yellow 

Firewall 

Hardware 

System 

Environment 


Time of day 

settings for firewall 

policies were 

not upgraded. 


UDP checksum 

error 

UDP packet 

dropped 

Network 

Access 

Network 

Access 



Policy 

UDP packet from 

LAN dropped 

Network 

Access 

LAN UDP | 

LAN TCP 


Service 

Unable to 

download IPS/GAV/ 

Aspy Signature 

database. Firewall 

must first be 

restarted to free 

memory used by 

downloaded 

firmware. 

Unused --- Warning 873 --- Simple 

Unknown protocol 

dropped 

Network 

Access 

Debug Notice 41 --- Standard 

Note String 

Unknown reason VPN PKI User Activity Error 275 --- Simple 

Destination 

User logged out Authentication User Activity Information 263 --- Standard 

String 

Service 

User logged 

out - inactivity 

timer expired 


Note String 


User logged 

out - max session 

time exceeded 

User logged 

out - user 

disconnect 

detected (heartbeat 

timer expired) 

User login denied - 

insufficient access 

on LDAP server 


invalid credentials 

on LDAP server 


LDAP 

authentication failure 


LDAP 

communication 

problem 


LDAP directory 

mismatch 


LDAP schema 

mismatch 


LDAP server 

certificate not valid 


LDAP server down 

or misconfigured 


LDAP server name 

resolution failed 


LDAP server 

timeout 


RADIUS 


failure 


Note String 


Note String 





RADIUS User Activity Information 745 --- Standard 



String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 



RADIUS 

communication 

problem 


RADIUS 

configuration error 


RADIUS server 

name resolution 

failed 


RADIUS server 

timeout 


TLS or local 

certificate problem 


User has no 

privileges for login 

from that location 


User has no 

privileges for 

WLAN guest 

service 

User login denied 

due to bad 

credentials 

User login disabled 

from %s 

User login failed - 

Guest service limit 

reached 

User login failure 

rate exceeded - 

logins from user IP 

address denied 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


String 

Service 


Destination 


String 

Service 

Authentication Attack Error 583 559 Standard 

Message 

String 


Note String 

Authentication Attack Error 329 561 Standard 

Destination 

Virtual Access 

Point is disabled 

Virtual Access 

Point is enabled 

SonicPoint 802.11b 

Management 

SonicPoint 802.11b 

Management 


Destination 


Destination 


VoIP %s Endpoint 

added 


not added - 

configured 'public' 

endpoint limit 

reached 


removed 

VoIP Call 

Connected 

VoIP Call 

Disconnected 


String 

Service 

VoIP VoIP Warning 639 --- Standard 

String 

Service 


String 

Service 

VoIP VoIP Information 622 --- Standard 

Note String 

VoIP VoIP Information 623 --- Standard 

Note String 

Voltages Out of 

Tolerance 

Firewall Hardware 

System Environment 

Error 575 101 Simple 

VPN Cleanup: 

Dynamic network 

settings change 

VPN Client Policy 

Provisioning 

VPN disabled by 

administrator 

VPN disabled for 

active dial up 

VPN enabled by 

administrator 

VPN User Activity Information 471 --- Standard 


Destination 

Authentication Maintenance Information 506 --- Simple 

Unused Maintenance Information 503 --- Simple 


VPN Log Debug VPN IKE Debug Information 172 --- Simple 

String 

VPN policy count 

received exceeds 

the limit; %s 

VPN zone 

administrator login 

allowed 

VPN zone remote 

user login allowed 

WAN Interface not 

setup 

VPN System Error Error 719 --- Standard 

String 

Service 



String 

Service 


WAN IP Changed Firewall Event System Error Warning 138 636 Standard 


WAN not ready Firewall Event Maintenance Information 502 --- Simple 

WAN zone 

administrator login 

allowed 

WAN zone remote 

user login allowed 

WARNING: DHCP 

lease relayed from 

Central Gateway 

conflicts with IP in 

Static Devices list 





Destination 

Web access 

request dropped 

Web management 

request allowed 

Web site access 

allowed 

Web site access 

denied 

Network 

Access 

Network 

Access 

Network 

Access 

Network 

Access 


Policy 

User Activity Notice 526 --- Standard 

Service 


Note 

Blocked 


Note 

Blocked 

Wireless MAC 

Filter List disabled 

by administrator 

Wireless MAC 

Filter List enabled 

by administrator 

WLAN client null 

probing 

WLAN disabled by 

administrator 

WLAN disabled by 

schedule 



WLAN IDS WLAN IDS Warning 615 904 Standard 

Destination 



Wlan drop traffic to 

deny network 

Network 

Access 

--- Information 724 --- Standard 

Note String 

WLAN enabled by 

administrator 

WLAN enabled by 

schedule 




WLAN firmware 

image has been 

updated 

WLAN Guest 

Account Timeout 

WLAN Guest Idle 

Timeout 

WLAN Guest 

Session Timeout 

Wireless Maintenance Information 487 --- Simple 

String 


Note String 


Note String 


Note String 

WLAN max 

concurrent users 

reached already 

Network 

Access 


Note String 

WLAN not in AP 

mode, DHCP 

server will not 

provide lease to 

clients on WLAN 

Wireless Maintenance Information 617 --- Simple 

WLAN pass traffic 

to access allow 

network 

Network 

Access 


Note String 

WLAN recovery Wireless Maintenance Information 519 --- Simple 

String 

WLAN sequence 

number out of 

order 

WLB Failback 

initiated by %s 

WLB Failover in 

progress 

WLB Resource 

failed 

WLB Resource is 

now available 

WLB Spill-over 

started, 

configured 

threshold 

exceeded 

WLB Spill-over 

stopped 

WLAN IDS WLAN IDS Warning 547 902 Simple 

Destination 


Message 

String 




WAN Failover Maintenance Warning 581 --- Simple 

WAN Failover Maintenance Warning 582 --- Simple 


WPA MIC Failure Wireless 802.11b 

Management 

Warning 663 --- Simple 

Destination 

WPA Radius Server 

Timeout 

Wireless 802.11b 

Management 


Destination 

XAUTH Failed with 

VPN client, 


failure 

XAUTH Failed with 

VPN client, Cannot 

Contact RADIUS 

Server 

XAUTH Succeeded 

with VPN client 


Destination 


Destination 


Destination 


Index of Syslog Tag Field Description 

This section provides an alphabetical listing of Syslog tags and the associated field description. 

Tag Field Description 

Syslog message prefix The beginning of each syslog message has a 

string of the form where ddd is a decimal 

number indicating facility and priority of the message. 

(See [1] Section 4.1.1) 

arg URL Used to render a URL: arg represents the URL 

path name part. 

bcastRx Interface statistics report Displays the broadcast packets received 

bcastTx Interface statistics report Displays the broadcast packets transmitted 

bytesRx Interface statistics report Displays the bytes received 

bytesTx Interface statistics report Displays the bytes transmitted 

c Message category (legacy only) Indicates the legacy category number (Note: We 

are not currently sending new category information.) 

change Configuration change webpage Displays the basename of the firewall web page 

that performed the last configuration change 

code Blocking code Indicates the CFS block code category 

code ICMP type and code Indicates the ICMP code 

conns Firewall status report Indicates the number of connections in use 

cpuUtil Firewall status report Displays the CPU utilization (not in use) 

dst Destination Destination IP address, and optionally, port, network 

interface, and resolved name. 

dstname Destination URL Displays the URL of web site hit and other legacy 

destination strings 

dstname URL Used to render a URL: dstname represents the 

URL host part 

dyn Firewall status report Displays the HA and dialup connection state (rendered 

as “h.d” where “h” is “n” (not enabled), “b” 

(backup), or “p” (primary) and “d” is “1” (enabled) 

or “0” (disabled)) 

fw Firewall WAN IP Indicates the WAN IP Address 

fwlan Firewall status report Indicates the LAN zone IP address 

goodRxBytes SonicPoint statistics report Indicates the well formed bytes recevied 

goodTxBytes SonicPoint statistics report Indicates the well formed bytes transmitted 


i Firewall status report Displays the GMS message interval in seconds 

id=firewall Webtrends prefix Syntactic sugar for WebTrends (and GMS by 

habit) 

if Interface statistics report Displays the interface on which statistics are 

reported 

ipscat IPS message Displays the IPS category 

ipspri IPS message Displays the IPS priority 

lic Firewall status report Indicates the number of licenses for firewalls with 

limited modes 

m Message ID Provides the message ID number 

mac MAC address Provides the MAC address 

msg Static message Displays the event message (from spreadsheet) 

msg Dynamically-defined message Displays a dynamically defined message string 

msg Static message with dynamic string Displays a message using the predefined message 

string containing a “%s” and a dynamic 

string argument. 

msg 

Static message with dynamic number 

Displays a message using the predefined string 

string containing a “%s” and a dynamic numeric 

argument. 

msg IPS message Displays a message using the predefined message 

string containing a “%s” and a dynamic 

string argument. 

msg Anti-Spyware message Displays the event message (from spreadsheet) 

n Message count Indicates the number of times event occurs 

op HTTP OP code Displays the HTTP operation (GET, POST, etc.) 

of web site hit 

pri Message priority Displays the event priority level (0=emergency..7=debug) 

proto IP protocol Indicates the IP protocol and detail information 

proto Protocol and service Displays the protocol information (rendered as 

“proto/service”) 

proto Protocol and service Displays the protocol information (rendered as 

“proto/service”) 

pt Firewall status report Displays the HTTP/HTTPS management port 

(rendered as “hhh.sss”) 

radio SonicPoint statistics report Displays the SonicPoint radio on which event 

occurred 

ramUtil Firewall status report Displays the RAM utilization (not in use) 


cvd Bytes received Indicates the number of bytes received within 

connection 

result HTTP Result code Displays the HTTP result code (200, 403, etc.) of 

web site hit 

rule Rule ID Displays the Access Rule number causing packet 

drop 

sent Bytes sent Displays the number of bytes sent within connection 

sid IPS message Provides the IPS signature ID 

sid Anti-Spyware message Provides the AntiSpyware signature ID 

sn Firewall serial number Indicates the device serial number 

spycat Anti-Spyware message Displays the antiSpyware category 

spypri Anti-Spyware message Displays the AntiSpyware priority 

src Source Indicates the source IP address, and optionally, 

port, network interface, and resolved name. 

station SonicPoint statistics report Displays the client (station) on which event 

occurred 

time Time Reports the time of event 

type ICMP type and code Indicates the ICMP type 

ucastRx Interface statistics report Displays the unicast packets received 

ucastTx Interface statistics report Displays the unicast packets transmitted 

unsynched Firewall status report Reports the time since last local change in seconds 

usesstandbysa Firewall status report Displays whether standby SA is in use (“1” or “0”) 

for GMS management 

usr (or user) User Displays the user name (“user” is the tag used by 

WebTrends) 

vpnpolicy VPN policy name Displays the VPN policy name of event 



SonicWALL,Inc. 

1143 Borregas Avenue 

Sunnyvale,CA 94089-1306 

T: 408.745.9600 

F: 408.745.9300 

www.sonicwall.com 

© 2002 SonicWALL, I n c .SonicWALL is a registered trademark of SonicWALL, I n c .Other product and company names mentioned herein may be 

t rademarks and/ or registered trademarks of their respective companies. Specifications and descriptions subject to change with out notice. 

P/ N 232-000827-00 

Rev B 6/05

SonicOS Log Event Reference Guide - SonicWALL

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?