fortigate-lmr-40-mr3

FortiGate® Log Message Reference

FortiOS 4.0 MR3

The FortiGate Log Message Reference is published every maintenance release, and contains only information that was gathered at the date of publication.

FortiGate Log Message Reference Version 4.0 MR321 November 201101-430-112804-20111121© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

TrademarksABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer®, FortiASIC, FortiBIOS, FortiBridge, FortiClient®, FortiDB™, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail®, FortiManager®, Fortinet®, FortiOS®, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

F0h

Contents

Introduction 19Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

How this reference is organized . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Document conventions and other information . . . . . . . . . . . . . . . . . . . . . 20

Traffic 212 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3510 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3611 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Event-Administration 3932001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4032002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4032003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4132004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4132006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4232007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4332008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4332010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4432011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4532012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4732013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4832014 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5032015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5032016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5132017 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5332020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5332021 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5432022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5432086 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5532087 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

ortiGate Log Message Reference1-430-112804-20111121 3ttp://docs.fortinet.com/ • Feedback

http://docs.fortinet.com/

http://docs.fortinet.com/surveyredirect.html

Contents

32140 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5632141 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5732095 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5732101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5932102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6032103 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6232104 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6232105 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6232120 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6332121 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6732122 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6832123 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7232124 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7332125 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7432126 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7432127 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7532128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7632129 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7732130 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7732131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7832132 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7832133 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8032134 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8032135 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8132136 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8132137 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8232138 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8332139 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8332140 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9132141 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9232142 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9332143 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9632144 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9732145 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9832148 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9932149 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10032150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10032151 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10132152 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10132153 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10132154 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10232155 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10232156 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10332157 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10332158 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10732161 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

FortiGate Log Message Reference4 01-430-112804-20111121

http://docs.fortinet.com/ • Feedback



Contents

32162 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10832168 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10832170 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10932171 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11132172 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11332180 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11432200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11432301 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11532302 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11532400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11532401 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11632545 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11732546 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11732547 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11732548 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11832549 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Event-System 11920001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12020002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12220003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12220004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12320007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12320010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12320031 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12420032 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12420033 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12420034 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12420035 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12520036 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12520037 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12620038 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12620039 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12620040 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12720041 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12720042 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12720043 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12820044 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12820045 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12820046 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12820047 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12920048 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12920049 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12920050 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12920051 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130





Contents

20052 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13020053 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13020054 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13020055 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13120056 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13120057 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13120058 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13120059 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13220060 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13220061 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13220062 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13220063 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13320064 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13320065 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13320066 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13320067 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13420068 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13420069 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13420070 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13520071 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13520072 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13520073 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13620074 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13620075 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13620076 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13620077 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13720078 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13720079 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13720080 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13720081 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13820082 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13820083 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13820084 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13920090 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13920099 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13920100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14020101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14020110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14220111 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14220200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14220201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14320202 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14320203 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14422000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14422001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14522002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145





Contents

22003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14622004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14622005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14622006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14622009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14722010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14722011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14822012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14822013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14922100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14922101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15022102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15122103 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15122200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15122201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15222202 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15222203 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15222800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15322801 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15322802 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15422803 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15422804 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15522805 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15522806 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15522901 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15622902 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15622903 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15622911 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15722912 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15722913 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15722914 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Event-DHCP service 15926001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15926002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Event-Firewall authentication 16138001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16238002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16438003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16738004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16738005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16938010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16938011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170





Contents

38012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17138020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17138021 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17238022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17438026 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17538027 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Event-Wireless 17743520 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17843521 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17843522 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17943524 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17943525 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18043526 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Event-IPsec negotiation 18337120 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18437121 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18537122 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18637123 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18737124 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18837125 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19037126 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19137127 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19237128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19337129 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19437130 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19537131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19637132 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19737133 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19837134 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19937135 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20037136 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20137137 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20237138 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20337139 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20437184 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20537185 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20737186 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20937187 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21037188 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21137189 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21237190 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21337191 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214





Contents

37192 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21537193 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21637194 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21737195 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21837196 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21937197 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22037198 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22137199 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22237200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22337201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22437202 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22537203 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Event-L2TP/PPP/PPPoE 22729001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22829002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22829003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22929004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22929009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22929015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23029016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23029022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23029024 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23030004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23130005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23130006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23130007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23230008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23230009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23331004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23331005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23331006 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23431007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23431008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23531009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Event-SSL VPN 23739424 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23839425 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23939426 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24041984 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24041985 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24141986 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24141987 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242





Contents

41988 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24239936 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24339937 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24439938 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24439939 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24539940 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24539941 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24639942 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24639943 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24739944 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24739945 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24839946 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24839947 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24939948 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25039949 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25139950 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25239951 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Event-VIP SSL 25345001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25445003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25545005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25545007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25645009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25745011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25845012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25845013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25945015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25945017 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26045019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26145023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26345027 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26345029 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26445031 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26545032 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Event-DNS 26744288 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Event-config 26944544 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27044545 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27044546 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271





Contents

44547 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Event-auth 27343008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27443009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27543010 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27643011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27743012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27843013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27943014 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28043015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28043016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28143017 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28243018 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28343019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28343020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28443021 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28543022 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28543023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28543024 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28643025 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28643026 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28743027 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28843028 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28943029 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29043030 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Event-wad 29340960 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29448001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29548003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29548005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29648007 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29648009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29748011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29748012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29848013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29848015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29948017 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29948019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30048023 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30048027 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30148029 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30148031 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302





Contents

48032 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30348100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30448101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30448102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30548123 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30548124 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30648127 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30748129 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30748131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30848132 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30848200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30948201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30948205 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31048300 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31048301 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Event-LDB-monitor 31346000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31446001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31446002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31546003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31546004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31646005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31646100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31746101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Event-nac-quarantine 31943776 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Event-his-performance 32140704 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Event-HA 32337888 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32437889 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32437890 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32437891 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32537892 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32537893 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32637894 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32637895 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32637896 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32737897 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327





Contents

F0h

37898 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32837899 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32837900 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32937901 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32937902 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33037903 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33037904 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Event-pattern 33341000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33441001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Event-RADIUS 33738656 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33838657 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33838658 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33838659 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33938660 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33938661 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33938662 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34038663 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34038664 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34138665 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34138666 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34238667 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Event-notification 34338400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34438401 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34538402 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Event-amc-intf-bypass 34747201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34747202 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

Event-GTP 34941216 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35041217 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35141218 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35341219 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35441220 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35541221 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356




Contents

41222 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Event-MMS-Stats 35943264 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Event-VoIP 36144032 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36244033 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36444034 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36644035 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37044036 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37144037 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37344038 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Data Leak Prevention 37724576 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37824577 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38024578 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38224579 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Application Control 38528672 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38628673 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38828674 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39028675 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39228676 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39428677 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39628678 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39828688 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40028689 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40228690 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40428704 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40628705 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Antivirus 4118192 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4128193 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4148194 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4168195 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4188196 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4208197 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422





Contents

F0h

8198 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4248199 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4268457 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4288458 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4308448 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4328449 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4358450 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4388451 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4408452 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4428453 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4448454 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4478455 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4498456 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4518704 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4538705 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4558706 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4578707 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4598960 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4618961 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4638962 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4658963 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4678964 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4698965 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4718966 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4738967 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4758968 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4778969 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4798970 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4818971 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4838972 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4858973 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Attack 48916384 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49016385 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49216386 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49418432 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49618433 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49818434 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Email filter 50320480 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50420481 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50620482 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508




Contents

20483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51020484 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51220491 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51420485 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51620486 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51820487 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52020488 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52220489 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52420490 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52620492 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52820493 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53020494 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53220495 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53420496 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53620497 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53820498 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54020499 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54220500 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54420501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54620503 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54820504 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55020505 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

Webfilter 55512288 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55612289 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55812290 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56012291 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56212305 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56412544 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56612545 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56812546 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57012547 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57212548 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57412549 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57612550 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57812551 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58012552 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58012553 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58112554 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58212555 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58312556 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58412557 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58512558 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58512559 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586





Contents

F0h

13056 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58813312 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59013313 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59213314 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59412800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59612801 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59813601 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60013602 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60213568 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60413573 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60613584 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60813315 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61013316 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61212802 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614

Netscan logs 6154096 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6164097 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6164098 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6174099 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6184100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6194101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6194102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6204103 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6204104 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6214105 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

DLP archives 62332768 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62432776 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62632770 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62832772 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63032774 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63232769 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63432782 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63632783 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63832784 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64132785 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64432786 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64732787 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64932788 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65232789 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65532790 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65832791 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661




Contents

32792 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66332793 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66532777 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66732794 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66932795 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67132796 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67332797 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67532798 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67732800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679328001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68332778 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68532779 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68732780 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68932781 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69132771 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69332773 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69532775 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Appendix 700Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700

IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700Example Network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 702Cautions, Notes and Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703Typographical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703CLI command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . 703

Entering FortiOS configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . 705Entering text strings (names). . . . . . . . . . . . . . . . . . . . . . . . . . . . 705Entering numeric values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706Selecting options from a list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706Enabling or disabling options. . . . . . . . . . . . . . . . . . . . . . . . . . . . 706

Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . . 706

Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . . 706

Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707Fortinet Tools and Documentation CD . . . . . . . . . . . . . . . . . . . . . . . 707Fortinet Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707Comments on Fortinet technical documentation . . . . . . . . . . . . . . . . . 707

Customer service and technical support . . . . . . . . . . . . . . . . . . . . . . . . 707





F0h

IntroductionThis reference provides detailed information about all log messages that are recorded by the FortiGate unit. It is intended for administrators that are already logging FortiGate features and require information about a specific log message that was recorded, such as an event-administration log message with the log ID 41990. This chapter includes the following topics:• Before you begin• Document conventions and other information

Before you begin Before you begin using this guide, take a moment to note the following: • The information in this reference applies to all FortiGate units and models currently

running FortiOS 4.0 and higher. • You have enabled logging of FortiGate features. If you have not chosen a log device, or

have not enabled logging of FortiGate features, see the Logging and Reporting chapter in the FortiOS Handbook.

• Each log message is written similar to how it appears in the log viewer table, but based on the Raw format. For more information, see the Logging and Reporting chapter in the FortiOS Handbook.

• FortiOS Carrier log messages are included and is indicated within the table, in the Firmware version row.

• This reference contains detailed information for each log message field; however, this reference contains only information gathered at publication and, as a result, not every log message field contains detailed information. More detailed information will be available in future releases of this reference.

• The UTM-related logs, such as antivirus and IPS, are located in the new log file called UTM log. This is reflected in the web-based manager, where you can view these log messages in Log&Report > Log & Archive Access > UTM Log.

How this reference is organizedThis document describes what log messages are recorded by the FortiGate unit.The following chapters are grouped by log type with the exception of the event log, and include only log messages for that log type. The event log type chapters are grouped by subtype, for example event-system, due to the large amount of subtypes associated with the event log. • Traffic• Event-Administration• Event-System• Event-DHCP service• Event-Firewall authentication• Event-Wireless


http://docs.fortinet.com/fgt.html




Document conventions and other information Introduction

• Event-IPsec negotiation• Event-L2TP/PPP/PPPoE• Event-SSL VPN• Event-VIP SSL• Event-DNS• Event-config• Event-auth• Event-wad• Event-LDB-monitor• Event-nac-quarantine• Event-his-performance• Event-HA• Event-pattern• Event-RADIUS• Event-notification• Event-amc-intf-bypass• Event-GTP• Event-MMS-Stats• Event-VoIP• Data Leak Prevention• Application Control• Antivirus• Attack• Email filter• Webfilter• Netscan logs• DLP archives

Document conventions and other informationThe document conventions, as well as additional information, are located in the appendix section of this reference. See “Appendix” on page 700.





F0h

TrafficTraffic log messages record the network traffic going through the FortiGate unit. In the policyid field of traffic log messages, the number may be zero because any policy that is automatically added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0.

234567891011




http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13900&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=793416&stateId=0%200%20795468

Traffic

2

Message ID 2

Log SubType Allowed

Severity Notification

Firmware version FortiOS 4.0 MR3

Meaning Allowed traffic log message

Fields Field Descriptionstatus The session status. This field displays accept in this field, which indicates that

the session has been allowed by the unit.

vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.

dir_disp The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a differen direction is taken from the master session.

tran_disp The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.

src The source IP address.

srcname The name of the source or the source IP address.

src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.

dst The destination IP address.

dstname The destination name or destination IP address.

dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.

dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.

tran_ip The translated IP in NAT mode. For Transparent mode, it is zero.

tran_port The translated port number in NAT mode. For Transparent mode, it is zero.

tran_sip The translated source IP address.

tran_sport The translated source port.

service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.

proto The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol number’s are assigned by the Internet Assigned Number Authority (IANA).

app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:

• N/A (is unknown type)

• Skype

• WinNY • AIM

• BitTorrent • ICQ

• eDonKey • MSN

• Gnutella • Yahoo

• KaZaa

duration This represents the value in seconds.

rule The rule number.





Traffic

F0h

policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.

custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.

identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.

sent The total number of bytes sent.

rcvd The total number of bytes received.

shaper_drop_sent The number of sent traffic shaper bytes that were dropped.

shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.

perip_drop The number of per-IP traffic shaper bytes that were dropped.

shaper_sent_name The name of the traffic shaper sending the bytes.

shaper_rcvd_name The name of the traffic shaper receiving the bytes.

perip_name The name of the per-IP traffic shaper.

sent_pkt The total number of packets sent during the session

rcvd_pkt The total number of packets received during the session.

vpn The name of the VPN tunnel used by the traffic.

vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:

• ipsec-static • ipsec-dynamic

• ipsec-ddns • sslvpn

vpn_tunnel The VPN tunnel.

src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.

dst_int The interface where the through traffic goes to the public or Internet.

SN The session number of the log message.

app The name of the application that triggered the action within the control list. For example, SSL.

app_cat The application category that the application is associated with.

user The name of the user creating the traffic.

group The name of the group creating the traffic.

carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.




Traffic

3

Message ID 3

Log SubType Violation

Severity Warning


Meaning Traffic violation log message

Fields Field Descriptionstatus The status of the session. This field always displays deny in this field and indicates

that the session has been blocked by the unit.

vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.











• N/A (is unknown type) • Skype

• WinNY • AIM


• eDonKey • MSN


• KaZaa













Traffic

F0h











The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:








msg The log message information. This is usually a sentence and explains the activity and/or action taken.





Traffic

4

Message ID 4

Log Subtype Traffic - Other



Meaning Traffic other log message

Fields Field Descriptionstatus The status of the session. This field always displays start in this field and indicates

that the session has started.













service The IP network service that applies to the session or packet. The services displayed corresponds to the services configured in the firewall policy.



• NA • Skype

• WinNY • AIM


• eDonKey • MSN


• KaZaa










Traffic

F0h












The VPN tunnel.

vpn_tunnel The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:












Traffic

5

Message ID 5

Log Subtype Other



Meaning Traffic allowed ICMP log message

Fields Field Descriptionstatus The session status. This field displays accept in this field, which indicates that

the session has been allowed by the unit.


dir_disp The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a differen direction is taken from the master session.

tran_disp The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.















• NA • Skype

• WinNY • AIM


• eDonKey • MSN


• KaZaa







Traffic

F0h












sent_pkt The number of sent packets.

rcvd_pkt The number of received packets.

















Traffic

6

Message ID 6

Log Subtype Other



Meaning Deny internal ICMP log message

Fields Field Descriptionstatus The status of the session. This field always displays deny in this field and indicates

that the session has been blocked by the unit.












• NA • Skype

• WinNY • AIM


• eDonKey • MSN


• KaZaa












Traffic

F0h
























Traffic

7

Message ID 7

Log Subtype Other

Severity Warning


Meaning Deny external ICMP log message

Fields Field Descriptionstatus The status of the session. This field always displays deny in this field and

indicates that the session has been blocked by the unit.














• NA • Skype

• WinNY • AIM


• eDonKey • MSN


• KaZaa





identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an idenity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.





Traffic

F0h


























Traffic

8

Message ID 8

Log Subtype Traffic - WAN opt



Meaning WAN optimization traffic log message

Fields Field Descriptionvd The virtual domain where the traffic was logged. If no virtual domains are

enabled and configured, this field contains the virtual domain, root.


srcname The name of the source or the IP address.






wanopt_app_type The type of WAN optimization that was used. This field can contain any one of the following:

• web-cache • ftp

• cifs • mapi

• tcp • http

• web-proxy • ftp-proxy




identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy. identity index.

wan_in This field always displays WAN in.

wan_out This field always displays WAN out.

lan_in This field always displays LAN in.

lan_out This field always displays LAN out.

src_int The name of the interface used by the source.

dst_int The name of the interface used by the destination.







Traffic

F0h

9

Message ID 9

Log Subtype Web cache



Meaning Web cache traffic log message










wanopt_app_type The WAN Opt application type.

• web-cache • cifs

• tcp • ftp

• mapi • http

• web-proxy ftp-proxy
















Traffic

10

Message ID 10

Log Subtype explicit-proxy-traffic



Meaning Explicit proxy traffic log message









wanopt_app_type The type of WAN Opt application. This can be any one of the following:

• web-cache • cifs

• tfp • ftp

• mapi • http

• web-proxy

















Traffic

F0h

11

Message ID 11

Log Subtype failed-conn

Severity Warning


Meaning Failed connection attempts






src_int The source interface name.




dst_int The destination interface name.



action The action that was taken by the unit. This can be any one of the following:

• dns – a DNS lookup • ip – an IP connection

• url – a URL connection







Traffic





F0h

Event-AdministrationEvent-Administration log messages record what administration users are configuring on the FortiGate unit, and what is occurring on the FortiGate unit. For example, memory storage is becoming full.

32001320033200432008320103201032011320123201332014320153201632017320203202132022320953210132102321033210432105320163201732120321213212232086

32087321233212432125321263212732128321293213032131321323213332134321353213632137321383213932140321413214232143321443214532148321493215032151

32152321533215532156321573215832161321623216832170321713217232180322003254532546325473254832549




Event-Administration

32001

32002

Message ID 32001

Log Subtype Admin

Severity Information


Meaning An administrator successfully logged into the FortiGate unit.

Fields Field Descriptionuser The name of the administrator creating the traffic.

ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).

action This field always contains login.

status This field always contains success.

reason The reason for the event. This field is either timeout or exit, depending on the action taken.

profile The administrator’s access profile.

msg Administrator <admin_name> logged in successfully from <ui(<ip_address>).

Message ID 32002

Log Subtype Admin

Severity Alert


Meaning Depending on what is in the msg field, the meaning can be any one of the following: • There is alarm testing occurring. • The administrator failed to log in.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: If this is an alarm test, this field will contain cli.

action This field always contains login.

status This field always contains failed

reason The reason for the event. This field always contains test.

profile The administrator’s access profile.

msg This field contains any one of the following: • Alarm testing• Administrator <admin_name> login failed from <ui>






F0h

32003

32004

Message ID 32003

Log Subtype Admin



Meaning Depending on what the msg field contains, the meaning can be any one of the following: • An administrator was successfully logged out because of inactivity. The

FortiGate unit automatically logged them out. • An administrator successfully logged out of the user interface.



action This field always contains logout.


reason The reason for the event. This field is either timeout or exit, depending on the action taken.

msg This field contains any one of the following: • Administrator <admin_name> timed out from <ui(<ip_address>)> • Administrator <admin_name> logged out from <ui<ip_address>)>


pri The priority level. This field always contains information.

Message ID 32004

Log Subtype Admin



Meaning The meaning can be one of the following, depending on the msg field: • Alarm testing is occurring on the FortiGate unit. • System has entered error-mode.

Fields Field Descriptionaction This field always contains error-mode.

reason The reason for the trigger. This field can contain self-test if the log message is about alarm testing.

msg This field contains any one of the following: • Alarm testing is occurring on the FortiGate unit• System enters error mode due to <string>





32006

Message ID 32006

Log Subtype Admin



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The user has entered the specified virtual domain. • The FortiGate unit ‘s system has started.

Fields Field Descriptionuser The name of the user creating the traffic. In this log message, it is an

administrator, or an administrator that has the super_admin profile.

ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 access the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).

action This field always contains vdom-switch.

reason This field always contains none.

msg This field contains any one of the following: • User <user_name> has entered the virtual domain

<virtual_domain_name>.• FortiGate started

Message ID 32006

Log Subtype Admin



Meaning The FortiGate unit has started.

Fields Field Descriptionmsg Fortigate started.

vd The name of the virtual domain where the action occurred in. If no virtual domain exist, this field always contains root.







F0h

32007

32008

Message ID 32007

Log Subtype Admin



Meaning The super admin has left the specified virtual domain.

Fields Field Descriptionuser The name of the user creating the traffic. In this log message, it is an

administrator, or an administrator that has the super_admin profile.


action This field always contains vdom-switch.


msg User <user_name> has left the virtual domain <virtual_domain_name>

Message ID 32007

Log Subtype Admin

Severity Critical


Meaning The FortiGate unit cannot store the configuration file because the local drive does not have enough space left.

Fields Field Descriptionmsg Cannot store config due to short of flash space: require <number_blocks>

blocks, only <number_blocks> free blocks left on flash disk.

Message ID 32008

Log Subtype Admin



Meaning The specified user has viewed the specified log files in memory or on the disk.

Fields Field Descriptionuser The name of the user creating the traffic.


log The name of the log file.

msg This field can be any of the following: • User <user_name. has viewed the memory logs from <ui>.• User <user_name> has viewed disk logs from <ui>





32010

Message ID 32010

Log Subtype Admin

Severity Emergency


Meaning Depending on the content in the msg field, the meaning can be any one of the following: • The log roll has reach the maximum number. • The amount of logs exceeds the disk size and the rolled log file was

deleted. • The log disk has reached a specific percentage point that, once passed,

the system will either overwrite the logs or stop logging. • The log is full. • The space in memory for logs is full.

Fields Field Descriptionmsg This field contains any of the following:

• Disk has rolled the max number of times, it will not roll logs again until deleting of the old rolled logs

• Disk log exceeds <percentage> of disk size. Deleted rolled log file name <log_name>

• DLP archive is <percentage> full.System will overwrite old DLP archive.• Log disk is <percentage> full. System will stop logging. • Log is <percentage> full. • Memory <percentage> log is <percentage> full. • Disk logs exceeed full final warning threshold. Deleted rolled log file <file

name>• Disk logs exceed full final warning threshold. Deleted rolled packet

directory <directory> • Disk logs eceeed full final warning threshold. Deleted rolled dlp-archive

directory <directory>

Message ID 32010

Log Subtype Admin



Meaning Depending on the content in the msg field, the meaning can be any one of the following: • The system uploads the oldest log files because the storage is to

capacity. • The system deletes the oldest log files, then uploads another group of log

files. • The system deletes the uploaded log files.

Fields Field Descriptionaction This field always contains delete. This only appears when the system has

deleted uploaded logs.

msg This field contains any of the following: • <string> is <string> full.System will upload oldest <number> logs. • <string> is <string> full.System will delete oldest <number> uploaded

logs, and upload another oldest <number> un-uploaded logs. • System deleted logs that are uploaded






F0h

32011

Message ID 32011

Log Subtype Admin



Meaning The disk log has rolled.

Fields Field Descriptionaction The action the FortiGate unit took. This field always contains roll-log.

reason The reason for rolling the log file. This field contains schedule because the log was rolled at a specified date and time that was previously configured.

log The type of log that was rolled. This field contains all.

msg Disk log has rolled.


pri The level of priority. This field always contains notice.

log This field always contains all.

Message ID 32011

Log Subtype Admin





reason The reason for rolling the log file. This field contains file-size.

log The type of log that was rolled.


Message ID 32011

Log Subtype Admin





reason The reason for rolling the log file. This field contains log-format-change.

log The type of log that was rolled.


Message ID 32011

Log Subtype Admin

Severity Emergency






Meaning Depending on the content in the msg field, this field contains any one of the following: • The system’s memory is full and that is why the system entered error

mode. • The disk is filled to capacity with log files, and that is why the system

entered error mode. • The system entered error mode but it is unclear as to why.

Fields Field Descriptionaction The action the FortiGate unit took. This field always contains error-mode

reason The reason for rolling the log file. This field contains memory-log-full, disk-log full or unknown.

msg This field contains any one of the following: • CC error: Memory logs are full. System entered error mode. • CC error: Disk logs are full. System entered error mode. • CC error: Unknown. System entered error mode.






F0h

32012

Message ID 32012

Log Subtype Admin



Meaning The FortiGate system is exiting out of error mode.

Fields Field Descriptionaction The action the FortiGate unit took. This field always contains exit-error-

mode.

msg System existing out of error mode.

Message ID 32012

Log Subtype Admin



Meaning The log disk is almost full, and will resume archiving log data.

Fields Field Descriptionmsg Log disk is under <string> full. System will resume logging content archive

data.





32013

Message ID 32013

Log Subtype Admin



Meaning A user has cleared the disk log from either the web-based manager or CLI.


log The log identification number.

msg User <user_name> has cleared disk log from <ui>

Message ID 32013

Log Subtype Admin



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • A user has deleted rolled log files. • A user cleared all current logs. • A user has cleared FortiGuard Analysis Service logs from the specified

location.• A user has removed filtered data from memory logs. • A user cleared logs associated with the FortiGuard Analysis Service. • A user has removed filtered data from disk logs. • A user has deleted one rolled log file from either the web-based manager

or CLI. • A user has cleared current logs from the disk.

Fields Field Descriptionuser The name of the user creating the traffic. For this log message, it can be

user or administrator.


period The period’s information. This field does not always show in all 32013 log messages.


msg This field contains any one of the following:

• User <user_name> has deleted rolled <integer> log files from <ui>

• User <user_name> has cleared all current logs <percentage_memory> from <ui>

• User <user_name> has cleared logs (FortiGuard Log) from <ui>

• A user has cleared FortiGuard logs from the specified location.

• User <administrator_name> has cleared logs (FortiGuard Analysis Service) from <ui>

• User <user_name> has removed filtered data from memory logs from <ui>

• User <user_name> has cleared logs (FortiGuard Analysis Service) from <ui>






F0h

• User <user_name> has removed filtered data from disk logs from <ui>

• User <user_name> has deleted 1 rolled <rolled_interger> log file (<log_file_name>) from <ui>

• User has deleted 1 rolled <string> log (disk) from <ui>

• User <user_name> has cleared current <string> log (disk) from <ui>





32014

32015

Message ID 32014

Log Subtype Admin



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The FDS support license is expiring.• The FDS AV license is expiring. • The FDS IPS license is expiring. • The FortiGuard customer support license expires in the specified number

of days.• The FortiGuard Antivirus update license will expire in the specified

number of days. • The FortiGuard IPS update license will expire in the specified number of

days. • The FortiGuard web filtering license will expire in the specified number of

days. • The FortiGuard anti-spam license will expire in the specified number of

days. • The FortiGuard Analysis Service license will expire in the specified

number of days. • The FortiGuard Management Service license will expire in the specified

number of days

Fields Field Descriptionmsg This field contains any one of the following:

• FDS support license will expire in <integer> day(s)• FDS AV license will expire in <integer> day(s)• FDS IPS license will expire in <integer> day(s)• FortiGuard customer support license will expire in <value> day(s)• FortiGuard AV update license will expire in <value> day(s)• FortiGuard IPS update license will expire in <value> day(s)• FortiGuard web filtering license will expire in <value> day(s)• FortiGuard anti-spam license will expire in <value> day(s)• FortiGuard analysis service license will expire in <value> day(s)• FortiGuard management service license will expire in <value> day(s)

Message ID 32015

Log Subtype Admin

Severity Warning


Meaning Log disk is full.

Fields Field Descriptionmsg Log disk is <percentage> full






F0h

32016

Message ID 32016

Log Subtype Admin

Severity Warning


Meaning The FortiGuard disk quota is full and the system will either overwrite or stop logging when the quota is used.

Fields Field Descriptionmsg FortiGuard disk quota is <value> use. System will {overwrite | no log} once

passed all quota is used.

Message ID 32016

Log Subtype Admin

Severity Emergency


Meaning The FortiGuard Analysis Service disk quota is full and the system will either overwrite or stop logging when the quota is used.

Fields Field Descriptionmsg FortiGuard Analysis Service disk quota is <value> used. System will

{overwrite | no log} once passed all quota is used.

Message ID 32016

Log Subtype Admin

Severity Emergency


Meaning The FortiGuard Analysis Service disk quota is full.

Fields Field Descriptionmsg FortiGuard Analysis Service disk quota is <value> used.

Message ID 32016

Log Subtype Admin



Meaning The FortiGuard Analysis Service disk quota is full.

Fields Field Descriptionmsg FortiGuard Analysis Service disk quota is <value> used. System will

{overwrite | no log} once the full quota is used.

Message ID 32016

Log Subtype Admin



Meaning The FortiGate unit has stopped logging to the FortiGuard Analysis server because of the amount of disk quota that has been used. Logging will resume after an amount of time has passed, in seconds.





Fields Field Descriptionmsg FortiGuard Analysis Service disk quota is <value> used. System stops

logging until <seconds> later.

Message ID 32016

Log Subtype Admin

Severity Warning


Meaning The user failed to view logs from a specified location.



msg This field contains any one of the following: • User <user_name> failed to access the <log_file_name> logs from <ui>• User <user_name> failed to access the <log_file_name> logs from <ui>






F0h

32017

32020

Message ID 32017

Log Subtype Admin

Severity Alert


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The FortiGuard daily quota is reached. • The FortiGuard Analysis Service daily quota is full.


• FortiGuard daily quota is reached. System stops logging until <value> sec later.

• FortiGuard Analysis Service daily quota is reached. System stops logging until <seconds> sec later.

Log Subtype Admin

Severity Warning


Meaning A corrupted MAC packet was detected.



action The action information.

status The status information.

reason The reason information.

profile The name of the profile that was used to detect and take action.

msg Corrupted MAC packet detected.





32021

32022

Message ID 32021

Log Subtype Admin



Meaning The user disabled the virtual domain root from the web-based manager, CLI or console.

Fields Field Descriptionui The location of the point-of-entry the user used to access the FortiGate unit

so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).

msg User <user_name> disabled virtual domain root from <ui ip_address>>

Message ID 32022

Log Subtype Admin



Meaning The administrator enabled a virtual domain.



msg User <admin_name> enabled virtual domain <vd_name> from <ui(<ip_address>)>






F0h

32086

32087

Message ID 32086

Log Subtype Admin

Severity Warning


Meaning The system has been changed to Transparent mode (LCD) from the LCD interface.

Fields Field Descriptionuser The administrator who is creating the traffic.

ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.

action The action that was taken.


msg System has been changed to transparent mode LCD via LCD.

Message ID 32087

Log Subtype Admin

Severity Warning


Meaning The system has been changed to NAT/Route mode (LCD) from the LCD interface.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.

action The action that was taken.


msg System has been changed to NAT mode LCD via LCD.





32140

Message ID 32140

Log Subtype Admin



Meaning The administrator changed the operation mode to Transparent.



field This field contains mode.

old_value The mode that the FortiGate unit was previously in. This field contains either NAT or TP, depending on what mode the FortiGate unit was previously in.

new_value The mode that the FortiGate unit is now in. This field contains either NAT or TP, depending on what mode the FortiGate unit was changed to.

msg User <administrator_name> changed to TP opmode from <ui>(<ip_address>

Message ID 32140

Log Subtype Admin



Meaning The administrator changed the global settings on the FortiGate unit, allowing virtual domain configuration.



action The status of the virtual domain feature. This field always contains enable.

field This field always contains virtual-domain.

msg User <admin_name> changed global settings from <ui(<ip_address>)>


pri The priority level. This field always contains notice.






F0h

32141

32095

Message ID 32141

Log Subtype Admin



Meaning The specified interface received a new DHCP lease address.

Fields Field Descriptionmsg interface <interface_name> gets a DHCP lease, ip:<ip_address>,

mask:<netmask>, gateway:<gateway_ip>, lease expires:<day_of_week> <month> <date> <hh:mm:ss:> <yyyy>


pri The priority level. This field is always information.

id The identification number.

Message ID 32095

Log Subtype Admin

Severity Warning


Meaning The specified administrator has performed a specified action on the FortiGate unit.



action The type of action that the FortiGate unit took. This field contains any one of the following:

• reboot • shutdown

• reload • backup

• factory_reset • restore (all types of configuration files)

• upgrade (upgrade the firmware)

• switch_mode

• download (all types of configuration files)

• upload

• clear_mlog (clear all log in memory buffer)

• del_log (delete log)

• update (virus or IPS signatures)

• downgrade (downgrade the firmware)

• del_session (delete session) • bootup

status This field contains either success or failure.

msg <action_type OR file_name> by user <administrator_name> via <ui> Note: The beginning of the sentence depends on what type of action was taken, and if a file was downloaded or not.





Message ID 32095

Log Subtype Admin

Severity Warning


Meaning A user has downloaded a log file from the firewall from the within the web-based manager.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, the location is the web-based manager.

action The type of action that the FortiGate unit took. This field contains any one of the following:

• reboot • shutdown

• reload • backup

• factory_reset • restore (all types of configuration files)

• upgrade (upgrade the firmware)

• switch_mode

• download (all types of configuration files)

• upload

• clear_mlog (clear all log in memory buffer)

• del_log (delete log)

• update (virus or IPS signatures)

• downgrade (downgrade the firmware)

• del_session (delete session) • bootup


hash The hash information.

file The name of the log file.

msg <action_type OR file_name> by user <administrator_name> via <ui>






F0h

32101

Message ID 32101

Log Subtype Admin



Meaning The administrator added a new access profile.



profile The name of the administration access profile that was created.

msg User <administrator_name> added new access profile <string> from {GUI | CLI | console}



Message ID 32101

Log Subtype Admin



Meaning The administrator changed the configuration from the LCD interface.



msg <administrator_name> by <ui>





32102

Message ID 32102

Log Subtype Admin



Meaning The administrator added a local certificate and is being generated.



msg User <admin_name> made a change via <ui(<ip_address>)>: VPN local certificate <cert_name> has been generated.



module This field always contains VPN.

submodule This field always contains cert-local.

Message ID 32102

Log Subtype Admin

Severity (Variable): can be any severity level


Meaning A user has changed the configuration.



module The module information.

submodule The submodule information.

msg User <admin_name> made a change from <ui>

Message ID 32102

Log Subtype Admin



Meaning A new firmware image is available from FortiGuard.

Fields Field Descriptionuser This field always contains system.

action The action that was taken. This field always contains firmware.






F0h

status The status of the firmware. This field always contains new.

msg New firmware is available from FortiGuard.

Message ID 32102

Log Subtype Admin

Severity (Variable): can be any severity level


Meaning A user has changed the configuration for a specific submodule from a specific location.



module The module information.

submodule The submodule information.

msg User <admin_name> made a change via <ui>: <ip_address>





32103

32104

32105

Message ID 32103

Log Subtype Admin



Meaning A user deleted an access profile.



profile The name of the access profile.

msg User <administrator_name> deleted an access profile <profile_name> from <string>

Message ID 32104

Log Subtype Admin

Severity Critical


Meaning An administrator has failed to update the FortiGate unit.

Fields Field Descriptionadmin The name of the administrator creating the traffic.

msg FortiGate <string> failed

Message ID 32105

Log Subtype Admin

Severity Warning


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • An administrator has update the databases and engines successfully. • An administrator has updated AV database successfully. • An administrator has updated the IDS database successfully.

Fields Field Descriptionadmin The name of the administrator creating the traffic.

status This field always contains update.

virdb This field always contains yes.

msg This field contains any one of the following: • Fortigate <string> virdb(<value>) idsdb(<value>) aven(<value>) idsen(<value>)

from <string>• Fortigate updated virdb (<value>)• Fortigate updated idsdb (<value>)






F0h

32120

Message ID 32120

Log Subtype Admin



Meaning The administrator added a UTM profile.



action The type of action that occurred. In this log message, this field can contain add.

msg Administrator <admin_name> added an <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)>. Note: The UTM profile type can be a sensor, such as DLP or IPS.



cmdb_obj The type of profile that was used. For example, antivirus.profile.

name The name of the profile that was used. For example, av_1.

Message ID 32120

Log Subtype Admin



Meaning The administrator edited the settings within another administrator.

Fields Field Descriptionuser The name of the administrator who is creating the traffic.


msg Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>



name The name of the administrator whose settings were modified within their account.

Message ID 32120

Log Subtype Admin



Meaning The administrator added an admin user.







msg User <admin_name> added an admin user <admin_name> from <ui(<ip_address>)>



name The name of the administrator who was added.

Message ID 32120

Log Subtype Admin



Meaning The administrator added a new interface.



msg User <admin_name> added a new interface <interface_name> from <ui(<ip_address>)>



intf The name of the new interface. For example, interface_1

Message ID 32120

Log Subtype Admin



Meaning The administrator modified the settings within another administrator’s account.



msg Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>







F0h


name The name of the administrator who had their settings modified by another administrator.

Message ID 32120

Log Subtype Admin



Meaning The administrator modified the settings within another administrator’s account.



msg User <admin_name> added a user group <user_group_name> from <ui(<ip_address>)>



name The name of the new user group.

Message ID 32120

Log Subtype Admin



Meaning The administrator added a new Directory Server (FSAE) entry.



msg User <admin_name> added a Directory Server (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>



name The name of the new FSAE entry.

server The FSAE’s IP address.

Message ID 32120

Log Subtype Admin



Meaning The administrator added a new report dataset.







name The name of the report dataset.

msg User <admin_name> added a report dataset <dataset_name> from <ui>

Message ID 32120

Log Subtype Admin



Meaning The administrator added a new report chart widget.



name The name of the report chart.

msg User <admin_user> added a report chart widget <chart_name> from <ui>

Message ID 32120

Log Subtype Admin



Meaning The administrator added report summary entry.



name The name of the report summary entry that were added.

msg User <admin_name> added a report summary entry <summary_entry> from <ui>






F0h

32121

Message ID 32121

Log Subtype Admin



Meaning The administrator modified settings within a UTM profile.



action The type of action that occurred. This field always contains modify.

msg Administrator <admin_name> changed a <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)> Note: The UTM profile can be a sensor, such as DLP or IPS.


pri The priority level. This field is always notice.

cmdb_obj The type of profile that was used. For example, antivirus.profile.

name The name of the profile that was used. For example, av_1.

Message ID 32121

Log Subtype Admin



Meaning The administrator changed the interface setting.



intf The name of the interface of the originating traffic.

field This field contains either status or mtu.

old This field contains either up or down.

new This field contains either up or down.

msg This field contains any one of the following: • User <administrator_name> changed the status of interface {internal | external |

dmz | <other>...} from <ui>• User <administrator_name> changed the mtu setting of interface

<interface_name> from <ui>• User <administrator_name> changed the ip setting of the interface

<interface_name> from <ui>





32122

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted the specified interface.



msg User <administrator_name> deleted interface <interface_name> from <ui(<ip_address>)>



intf The name of the interface that was removed.

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted the specified interface.



name The name of the administrator who was deleted.

msg User <administrator_name> deleted an admin user <user_name> from <ui>

Message ID 32122

Log Subtype Admin



Meaning An administrator deleted another administrator’s account.








F0h

msg User <admin_name> deleted user <admin_user> from <ui(<ip_address>)>



name The name of the administrator who was deleted by another administrator.

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted an IPsec manualkey.



name The name of the manual key that was deleted by the administrator.

remote-gw The IP address of the remote gateway.

msg User <administrator_name> deleted an ipsec manualkey <manualkey_name> from <ui>

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted an FSAE entry.



msg User <administrator_name> deleted a Directory Service (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>



name The name of the entry that was remove from the list.

server The removed FSAE’s IP address.

Message ID 32122

Log Subtype Admin







Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • An administrator deleted a CA certificate.• An administrator has removed all CA certificates. • An administrator deleted a local certificate. • An administrator deleted all local certificates. • An administrator deleted a CRL certificate. • An administrator deleted all CRLs.



name The name of the administrator who deleted or removed the certificate.

msg This field contains any one of the following: • User <administrator_name> removed a CA certificate <certificate_name> from

<ui> • User <administrator_name> removed all CA certificates from <ui>• User <administrator_name> deleted a local certificate <certificate_name> from

<ui>• User <administrator_name> removed all local certificates from <ui>• User <administrator_name> removed a CRL certificate <certifcate_name> from

<ui>• User <administrator_name> removed all CRL certificates from <ui>

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted a dataset.



name The name of the report dataset.

msg User <admin_name> delete a report dataset <dataset_name> from <ui>

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted a chart widget.







F0h


name The name of the report chart widget.

msg User <admin_name> delete a report chart widget <chart_name> from <ui>

Message ID 32122

Log Subtype Admin



Meaning The administrator deleted a chart widget.



name The name of the report summary entry.

msg User <admin_name> delete a report summary entry <summary_entry> from <ui>





32123

Message ID 32123

Log Subtype Admin



Meaning The administrator added the specified static route entry.



status The status of the route entry. This field contains up.

msg User <administrator_name> added new static routing entry <seq_number> from <ui(<ip_address>)>


seq The number that describes where the entry is in the static route entry table.



device The interface that will be using the static route.

distance The distance number.

priority The priority number.

flags The flags information.






F0h

32124

Message ID 32124

Log Subtype Admin



Meaning The administrator made the specified changes to the static route entry.



seq The sequence number or the number of the order of that entry within the list.

old_device The previous interface.

old_distance The previous hops’ number.

old_priority The previous administrative priority.

old_dst The previous destination IP address.

old_status The previous status. This field contains either up or down.

old_flags The previous flag string.

new_device The new interface.

new_distance The new hops’ number.

new_priority The new administrative priority.

new_dst The new destination IP address.

new_status The new status. This field contains either up or down.

new_flags The new flag information.

msg User <administrator_name> changed the setting of a new static routing entry from <ui>





32125

32126

Message ID 32125

Log Subtype Admin



Meaning The administrator deleted the specified static route entry.



seq The NAT identification number. For example, the first entry in the table is 1, so this field displays 1.

device The interface.

distance The hops’ number information.

priority The administrative priority.


status The status. This field contains either up or down.

flags The flag information.

msg User <administrator_name> deleted a static routing entry from <ui>

Log Subtype Admin



Meaning An administrator added a firewall policy.



msg User <administrator_name> added <iptype> firewall central-nat policy <nat_id_number> from <ui(<ip_address>)>.

seq The NAT identification number. For example, the first entry in the table is 1, so this field dsplays 1.



orig-addr The original source IP address.

nat-ippool The name of translated IP pool that was applied to the entry.

orig-port The original source port number.

nat-port The translated port number range.






F0h

32127

Message ID 32127

Log Subtype Admin



Meaning An administrator modified a firewall policy.



msg User <admin_name> changed IPv4 firewall policy <policy_id_number> from <ui(<ip_address>)>.

seq The firewall policy identification number.


pri The priority level. This field is always notice.

sintf The name of the source interface or zone applied to the firewall policy.

dstintf The name of the destination interface or zone applied to the firewall policy.

saddr The firewall policy’s select source address. For example if you selected all, then all appears in this field.

daddr The firewall policy’s selected destination address. For example, if you selected all, then all appears in this field.

act The type of action applied to the firewall policy. For example, ACCEPT.

nat This field contains either no or yes.

iptype The type of IP address. This can be ipv4 or ipv6, depending if you have configured IPv4 addresses or IPv6 addresses.

schd The type of firewall schedule that was selected for that firewall policy.

srv The type of firewall service applied to the firewall policy. For example, ANY.





32128

Message ID 32128

Log Subtype Admin



Meaning The administrator deleted a firewall policy.



seq The firewall policy identification number.

sintf The name of the source interface.

dintf The name of the destination interface.

saddr The source IP address.

daddr The destination IP address.

schd The name of the schedule.

srv The network service.

act The type of action applied to the firewall policy. For example, ACCEPT.

nat This field contains either no or yes.


iptype The type of IP address, such as IPv6. This field always contains ipv6.

msg User <administrator_name> deleted a firewall policy from <ui>






F0h

32129

32130

Message ID 32129

Log Subtype Admin



Meaning The administrator added a local user.



status The status of the local user. This field always contains enable.

msg User <admin_name. added local user <user_name> from <ui(<ip_address>)>



name The name of the new local user.

Message ID 32130

Log Subtype Admin



Meaning The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.



name The name of the new local administrator.

old_status The old_status information.

new_status The new_status information.

passwd The password information.

msg User <administrator_name> changed a local user’s setting from <ui>





32131

32132

Message ID 32131

Log Subtype Admin



Meaning The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.



name The name of the new administrator.

status This field contains either enable or disable.

msg User <administrator_name> deleted a local user <administrator_name> deleted a local user from <ui>

Message ID 32132

Log Subtype Admin



Meaning The administrator added a RADIUS server.



msg User <admin_name> added radius server <radius_name> from <ui(<ip_address>)>



name The name of the new RADIUS server.

server The RADIUS server’s IP address.

Message ID 32132

Log Subtype Admin



Meaning The administrator added a TACACS+ server

Fields Field Description






F0h

user The name of the administrator creating the traffic.


msg User <admin_name> added TACACS+ server <tacacs+_name> from <ui(<ip_address>)>



name The name of the new TACACS+ server.

server The TACACS+ server’s IP address.





32133

32134

Message ID 32133

Log Subtype Admin



Meaning The administrator made the specified changes to the RADIUS server entry



name The name of the administrator.

old_server The previous server’s IP address.

new_server The new server’s IP address.

secret The server’s encrypted password.

msg User <administrator_name> changed a radius server <radius_server_name> setting from <ui>

Message ID 32134

Log Subtype Admin



Meaning The administrator deleted the RADIUS server from the server list.




server The server’s IP address.

msg User <administrator_name> deleted a radius server <radius_server_name> from <ui>






F0h

32135

32136

Message ID 32135

Log Subtype Admin



Meaning The administrator added a new LDAP server to the list.



msg User <admin_name> added ldap server <ldap_name> from <ui(<ip_address>)>



name The name of the new LDAP server.

server The LDAP server’s IP address.

Message ID 32136

Log Subtype Admin



Meaning The administrator made the specified changes to an LDAP server entry.




old_server The previous server’s IP address.

old_port The previous server’s port number.

old_cn The previous CN value.

old_dn The previous DN value.

new_server The new server’s IP address.

new_port The new server’s port number.

new_cn The new CN value.

new_dn The new DN value.

msg User <administrator_name> changed an ldap server <ldap_server_name> setting from <ui>





32137

Message ID 32137

Log Subtype Admin



Meaning The administrator deleted the LDAP server from the list.




server The server’s IP address.

msg User <administrator_name> deleted an ldap user from <ui>

Message ID 32137

Log Subtype Admin



Meaning An IM/P2P user was deleted.




policy The firewall policy identification number.

msg User <user_name> deleted im/p2p <im/p2puser_name> user <user_name> from <ui>






F0h

32138

32139

Message ID 32138

Log Subtype Admin

Severity Critical


Meaning The administrator either rebooted or shut down the FortiGate unit.



action This field is either reboot or shutdown.

msg User <administrator_name> rebooted the device from <ui>. The reason is “<reason>”


pri The priority level. This field always contains critical.

Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator reset the FortiGate unit to its default settings.



action This field contains factory-reset.

msg User <administrator_name> reset to the factory settings from <ui>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator or user formatted the log disk on the FortiGate unit.







action This field always contains format-disk.

msg User <administrator_name> formatted the log disk from <ui>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator restored a firmware image.



action This field contains any one of the following:

• restore-image • restore-configuration

• restore-all-configuration

msg User <administrator_name> restored the image from <ui(<ip_address> -> <ip_address>)



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The auto-install restored the configuration using the USB key. • The auto-install restored the firmware image using the USB key.

Fields Field Descriptionuser The name of the administrator creating the traffic. In this log message, this

field always contains auto-install. This means that the FortiGate unit automatically installed the image itself.

ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). In this log message, this field always contains usb.

action This field always contains restore-image.






F0h

msg This field contains any one of the following: • User auto-install restored the configuration from usb (<ip_address>)• User auto-install restored the image from usb (<ip_address> ->

<ip_address>)



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning An administrator has updated either the virus engine and/or the IDS database.



action This field contains update.

msg This field contains any one of the following: • User <administrator_name> requested a virus and IDS engine/definitions

update from <ui> • User <administrator_name> requested an IDS engine/definitions update

from <ui>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The system encountered an error when trying to restore an image from the

FortiGuard Analysis and Management Service. • The system restored an image from the FortiGuard Analysis and

Management Service. • The system restored a template from the management station. • The system failed to load a configuration file from the management

station.


field contains system.







• restore-image • restore-template

• restore-configuration

msg This field contains any one of the following: • System loaded an image from FortiGate Management, the new image has

an invalid CC signature. • System restored the image from FortiGuard Management (<ip_address>

-> <ip_address>)• System restored configuration template <template_name> from

management station.• System failed to restore configuration from management station.



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The administrator loaded an image with a valid RSA signature from a

FortiManager unit, which includes a new public key. • The administrator loaded a firmware image from a FortiManager unit and

that image has an invalid or no RSA signature. • The administrator loaded an image with a valid RSA signature from a

FortiManager unit. • The administrator updated the firmware image from a FortiManager unit.


field contains system.


action This field always contains update-image.

msg This field contains any one of the following: • User <user_name> loaded an image from FortiManager, the new image

does have a valid RSA signature with new public key. • User <user_name> loaded an image from FortiManager, the new image

has an invalid RSA signature. • User <user_name> loaded an image from FortiManager, the new image

does have a valid signature. • User <user_name> loaded an image from FortiManager, the new image

does not have a valid RSA signature. • User <user_name> updated the image from FortiManager (<ip_address>

-> <Ip_address>)



Message ID 32139

Log Subtype Admin

Severity Critical






F0h


Meaning The administrator loaded a diagnostic application.



action This field contains loaded-diag-app.

msg User <administrator_name> loaded a diagnostic application from <ui> with serial number <serial_number>. The executable result= <string>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The system loaded an image that contains an invalid RSA signature.• The administrator uploaded an image with an invalid RSA signature. • The administrator uploaded an image with a valid RSA signature and new

public key. • The administrator uploaded an image with a valid RSA signature. • The administrator uploaded an image that does not have a valid RSA

signature.



action This field contains loaded-image.

msg This field contains any one of the following; • System loaded an image from FortiGuard Management, the new image

has an invalid RSA signature• User <administrator_name> loaded an image from <ui>, the new image

has an invalid signature. • User <administrator_name> loaded an image from <ui>, the new image

does have a valid RSA signature with a new public key.• User <administrator_name> loaded an image from <ui>, the new image

does have a valid RSA signature. • User <administrator_name> loaded an image from <ui>, the new image

does not have a valid RSA signature.







Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depening on what is in the msg field, the meanning can be any one of the following: • The administrator restored a FortiClient firmware image. • The administrator updated the firmware. • The administrator restored a firmware image. • The administrator successfully restored the configuration file. • The administrator failed to restore the configuration file. • The administrator restored a complete configuration.



action This field contains any one of the following: restore-forticlient.

• restore-forticlient • update

• restore-image • restore-configuration

• restore-all-configuration

msg This field contains any one of the following: • User <administrator_name> restored the image <image_name> from <ui> • User <administrator_name> updated the firmware from <ui>• User <administrator_name> restored image from <ui>(<ip_address> ->

<ip_address>)>• User <administrator_name> restored the configuration from <ui> • User <administrator_name> failed to restored the configuration from <ui>• User <administrator_name> restored all the configuration from <ui>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator either loaded a firmware image that does not support CC mode or the image has an invalid CC signature.



action This field contains either loaded-image or update-image






F0h

msg This field contains any one of the following: • User <administrator_name> loaded the image from <ui> the new image

does not support CC mode. • User <administrator_name> loaded an image from <ui>, the new image

has an invalid CC signature.



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator imported a certificate.



action This field contains import-certificate.

msg User <administrator_name> imported the certificate from <ui>



Message ID 32139

Log Subtype Admin

Severity Critical


Meaning The administrator loaded a firmware image from a FortiManager unit and that image has an invalid RSA signature.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: For this log message, the location is FortiManager.

action This field always contains update-image.

msg User <user_name> loaded an image from FortiManager, the new image has an invalid RSA signature.

Message ID 32139

Log Subtype Admin

Severity Critical






Meaning Depending on what is in the msg field, the meaning can be any one of the following:• The system uploaded a firmware image from the FortiGuard Analysis and

Management Service, however, the image has an invalid CC signature. • The system uploaded a firmware image from the FortiGuard Analysis and

Management Service, however, the image has an invalid RSA signature. • The system uploaded a firmware image from the FortiGuard Analysis and

Management Service, and the image has a valid RSA signature with new public key.

• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image has a valid RSA signature.

• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image does not has a valid RSA signature.

• The system restored a firmware image from FortiGuard Analysis and Management Service.

Fields Field Descriptionuser The name of the administrator creating the traffic. For this log message, the

user is the FortiGate system, or system.


action This field contains any one of the following: .

• restore-image • loaded-image

• restore-image

msg This field contains any one of the following: • System loaded an image from FortiGuard Management, the new image

has an invalid CC signature. • System loaded an image from FortiGuard Management, the new image

has an invalid RSAsignature. • System loaded an image from FortiGuard Management, the new image

does have a valid RSA signature with new public key. • System loaded an image from FortiGuard Management, the new image

does have a valid RSA signature. • System loaded an image from FortiGuard Management, the new image

does not have a valid RSA signature. • System restored the image from FortiGuard Management

(<firmware_build> -> <firmware_build>)

Message ID 32139

Log Subtype Admin

Severity Warning


Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The system restored the specified script. • The system restored a configuration file from the management station. • The system failed to restore a configuration file from the management

station. • The system failed to upgrade a firmware image. • The system failed to restore a firmware image from the management

station.








F0h

32140



• restore-script • restore-cfg

• restore-<string> • update-image

msg This field contains any one of the following: • System restored script <script_name> from management station. • System restored <string> file <string> from management station. • System failed to restore <string> file <string> from management station. • User <user_name> loaded an image from <ui>, System upgrade failed

due to failed operation file. • System failed to restore <string> file <string> from management station.

Message ID 32139

Log Subtype Admin

Severity Critical


Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The administrator formatted the RAID disk. • The administrator enabled the RAID disk.• The administrator disabled the RAID disk.




action This field contains any one of the following: • format-rebuild-level• enable-raid• disable-raid

msg This field contains any one of the following: • User <user-name> formatted the RAID disk from <ui> • User <user_name> enabled RAID from <ui> • User <user_name> disabled RAID from <ui>

Message ID 32140

Log Subtype Admin



Meaning The administrator changed a global setting.






32141


field The type of field within the Administration Settings page that was changed. For example, if you changed the idle timeout, located in Timeout Settings, this field would contain timeout. This field contains any one of the following:

• mode • virtual-domain

• hostname • ip-overlap

• timeout • detection-interval

old_value The previous setting for the type of field before it was changed. For example, if you changed the idle timeout from the default time, 5m would appear in this field.

new_value The new setting for the type of field that was changed.

msg User <administrator_name> changed <field_type> global setting to <new_value> from <ui>.

Message ID 32140

Log Subtype Admin



Meaning The administrator changed the user authentication settings.



field The type of action that was taken. This field always contains auth-timeout.

old_value The previous timeout period within the authentication settings.

new_value The new time out period within the authentication settings.

msg User <admin_name> changed auth-timeout user setting to <new_value> from <ui(<ip_address>)>



Message ID 32141

Log Subtype Admin



Meaning The specified interface has received a new DHCP address. The address expires at the specified time.







F0h

32142

id The identification number.

msg interface <interface_name> gets a DHCP lease, ip:<ip_address>, mask:<netmask>, gateway:<gateway_address>, lease expires:<name_day><name_month> <date> <hh:mm:ss> <yyyy>

Message ID 32142

Log Subtype Admin



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The administrator backed up the current configuration to a file. • The administrator backed up the specified file. • The administrator failed to back up the specified file. • The administrator backed up all the logs. • A configuration file was automatically backed up to the management

station successfully.• The administrator failed to back up all log files. • The system backed up the configuration file to the FortiGuard

Analysis and Management Service, per a request from the FortiGuard Analysis and Management Service portal.



action The type of action that was taken by the administrator. This field always contains backup.

reason The reason for the trigger. For this log message, the service portal of the FortiGuard Analysis and Management Services was used.

msg This field contains any one of the following. • User <administrator_name> backed up the configuration from <ui>• User <administrator_name> backed up <file_name> log from <ui>• User <administrator_name> failed to backup <file_name> log from

<ui>• User <administrator_name> backed up all the logs from <ui> • Automatic configuration backup to Management Station succeeded• User <administrator_name> failed to back up all the logs from <ui> • System backed up configuration to Management Station per service

portal request.

Message ID 32142

Log Subtype Admin

Severity Warning






Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The administrator backed up a standardized error output by SCP.• The administrator backed up a batch of mode commands by SCP. • The administrator failed to update the antivirus package by SCP. • The administrator successfully updated the antivirus package by SCP. • The administrator successfully update the IPS package by SCP. • The administrator failed to update the IPS package by SCP. • The administrator failed to update the DLP fingerprint database by

SCP.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: For this log message, location is FortiManager or the FortiManager unit.

action The type of action that was taken by the administrator. This field contains either update or backup.

msg This field contains any one of the following. • User <user_name> backed up the result of batch mode commands by

SCP. • User <user_name> backed up the result of batch mode commands by

SCP. • User <user_name> failed to update AV package by SCP. • User <user_name> updated AV package by SCP. • User <user_name> failed to update IPS package by SCP. • User <user_name> updated IPS package by SCP. • User <user_name> failed to update DLP fingerprint database by SCP.

Message ID 32142

Log Subtype Admin

Severity Alert


Meaning The administrator deleted a configuration revision from the database.

Fields Field Descriptionaction The type of action that was taken by the administrator. This field always

contains delete.


msg <configuration_revision_name> has been deleted from revision database.

Message ID 32142

Log Subtype Admin



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The administrator backed up a configuration file to the management

station. • The administrator deleted a configuration file from the local hard disk.






F0h



action The type of action that was taken by the administrator. This field is either backup or delete.


msg This field contains any one of the following: • User <user_name> backed up the configuration from <ui> to

management station. • User <user_name> delete the <string> from <string> from flash disk.





32143

Message ID 32143

Log Subtype Admin



Meaning The administrator loaded the wrong image type.



action The type of action that was taken by the administrator. This field always contains loaded-image.

msg User <administrator_name> loaded a wrong image from <ui>

Message ID 32143

Log Subtype Admin

Severity Critical


Meaning The administrator changed the policy routing entry.

Fields Field Descriptionuser The name of administrator creating the traffic.


msg User <administrator_name> changed policy routing entry <incoming_interface> from <ui(<ip_address>)>



old_iff The previous incoming interface.

new_iff The new incoming interface.






F0h

32144

Message ID 32144

Log Subtype Admin



Meaning An administrator added a policy routing entry.



msg User <admin_name> added policy routing entry <outgoing_interface_name> from <ui(<ip_address>)>





iff The “if” interface. In the policy routing entry, you must specify the interface “if”.

ipproto The IP protocol number.

ports The destination port range. For example ports 1-65535.

off The outgoing interface. This is the interface that was chosen in the section Force traffic to: on the New Routing Policy page.

gw The gateway IP address.





32145

Message ID 32145

Log Subtype Admin



Meaning An administrator deleted a policy routing entry.



iff The name of the incoming interface.



proto The name of the protocol.

ports The range of port numbers.

off The outgoing interface.

gw The gateway IP address.

msg User <administrator_name> deleted a policy routing entry

Message ID 32145

Log Subtype Admin



Meaning Found a new neighbor.

Fields Field Descriptionmsg Found a new connection to <connection_name> (<connection_ip>)

Message ID 32145

Log Subtype Admin



Meaning Lost a neighbor.

Fields Field Descriptionmsg Found a new connection to <connection_name> (<connection_ip>)






F0h

32148

Message ID 32148

Log Subtype Admin



Meaning An administrator required a CRL update.



action The type of action that was taken. This field is always crl-update.

crl The name of the CRL.

msg User <administrator_name> requested a CRL update from <ui>

Message ID 32148

Log Subtype Admin



Meaning The specified administrator changed a configuration.



action The type of action the administrator took.

obj The object information.

entry The entry information.

msg Administrator <administrator_name> of <location> from {GUI CLI}





32149

32150

Message ID 32149

Log Subtype Admin



Meaning A command failure occurred.



ret The ret value information.

msg Command failed: <value>. Return code <value>

Message ID 32150

Log Subtype Admin

Severity Warning


Meaning An administrator changed the password of another administrator.



action The action that was taken by the user. This field always contains password-changed

field This field always contains password.

msg Admin user <admin_name> changed password of admin user <admin_user>


pri The priority level. This field always contains warning.

admin-user The name of the administrator who had their password changed.






F0h

32151

32152

32153

Message ID 32151

Log Subtype Admin



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • A new firewall local-in policy was added. • A new IPv6 firewll local-in policy was added.

Fields Field Descriptionmsg The log message information. This is usually a sentence and explains

the activity and/or action taken.

Message ID 32152

Log Subtype Admin



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • A firewall local-in policy’s setting was changed. • An IPv6 firewall local-in policy’s setting was changed.



Message ID 32153

Log Subtype Admin



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • A firewall local-in policy was deleted. • An IPv6 firewall local-in policy was deleted.







32154

32155

Message ID 32154

Log Subtype Admin



Meaning The administrator uploaded a FortiToken.



msg User <user_name> has uploaded a FortiToken file.

Message ID 32155

Log Subtype Admin



Meaning The administrator has requested to activate the specified FortiToken.



action This field always contains fortitoken-activate.

serialno The serial number of the FortiToken device.

msg User <user_name> has requested to activate FortiToken <serialno>






F0h

32156

32157

Message ID 32156

Log Subtype Admin



Meaning The FortiToken has been activiated by FortiGuard.

Fields Field Descriptionaction This field always contains fortitoken-activate


status The status of the activation process.

msg Activation of FortiToken <serialno> <status>.

Message ID 32157

Log Subtype Admin



Meaning The administrator added an email filter IP black/white list entry.

Fields Fields Descriptionuser The name of the administrator creating the traffic.


status The status of the UTM profile. This field always contains enabled.

ip The IP address.

msg User <admin_name> added antispam IP black/white entry <ip_address> from <ui(<ip_address>)>



Message ID 32157

Log Subtype Admin



Meaning The administrator added an email address black/white list entry.








ip The IP address.

msg User <admin_name> added email black/white entry <email_address> from <ui(<ip_address>)>



email-pattern The email address entry. For example, [email protected].

Message ID 32157

Log Subtype Admin



Meaning The administrator added a banned word to the email filtering banned word list.




msg User <admin_name> added antispam banned word entry <banned_word> from <ui(<ip_address>)>



pattern The banned word entry.

Message ID 32157

Log Subtype Admin



Meaning The administrator added an URL address to the URL filter.




ip The IP address.

msg User <admin_name> added URL filter entry <url_address> from <ui(<ip_address>)>



url The URL address that was entered.






F0h

Message ID 32157

Log Subtype Admin



Meaning The administrator added a banned word entry to the web content filter list.




msg User <admin_name> added webfilter banned word entry <banned_word> from <ui(<ip_address>)>



word The word or words that was added to the webfilter content filter list.

lang The type of language applied to the entry. For example, Western.

pattern_type The type of pattern applied to the word. For example, wildcard.

Message ID 32157

Log Subtype Admin



Meaning The administrator added an email address to the email address black/white list.



email-pattern The email address of the new entry in the list.


msg User <admin_name> added antispam email black/white entry <email_address> from <ui(<ip_address>)>

Message ID 32157

Log Subtype Admin



Meaning The administrator added an email address to the email address black/white list.







action This field always contains fortitoken-synchronize.


status The status of the synchronization process.

msg User <admin_name> resynchronized FortiToken <serialno> with result: <status>






F0h

32158

32161

Message ID 32158

Log Subtype Admin



Meaning The administrator deleted a word from within a web content filter list.



word The web filter word that was deleted from within the list.

lang The type of language that was chosen. For example, Western.

pattern_type The type of pattern that was chosen, for example, Regular Expression.

status The status of the word within the list before it was deleted. This field always contains enabled.

msg User <admin_name> deleted webfilter banned word entry <word> from <ui(<ip_address>)>

Message ID 32161

Log Subtype Admin



Meaning The administrator changed the specified sensor.



msg User <admin_name> changed sensor <ips_sensor_name>


pri The priority level.





32162

32168

Message ID 32162

Log Subtype Admin



Meaning The administrator changed the specified sensor.



msg User <admin_name> changed sensor <dos_sensor_name>


pri The priority level.

Message ID 32168

Log Subtype Admin



Meaning The administrator failed to add a new entry because the VDOM property limit has been reached.



msg Adding new entry failed: vdom property limit has been reached when user <user_name> adds <vdom> from <ui>






F0h

32170

Message ID 32170

Log Subtype Admin



Meaning An administrator added a new multicast firewall policy.



action The type of action that occurred. This field can contain config-add.

status The status of the action. This field contains success.

reason The reason for taking the action. This field contains none.

msg User <admin_name> added multicast firewall policy <policy_number> from <ui(<ip_address>)>

new_id The new firewall policy identification number for the new multicast firewall policy.



new_srcintf The new source interface that was applied to the new multicast firewall policy.

new_dintf The new destination interface that was applied to the new multicast firewall policy.

new_saddr The new source address that was applied to the policy.

new_daddr The new destination IP address. that was applied to the policy.

new_nat_addr The new NAT IP address that was applied to the policy.

new_dnat_addr The new DNAT IP address that was applied to the policy.

new_action The type of action that was applied.

new_proto The type of protocol that was applied.

new_start_port The new start port number. For example port 1.

new_end_port The new end port number. For example, port 655535

Message ID 32170

Log Subtype Admin

Severity Alert


Meaning An alarm was triggered.

Fields Field Descriptionaction The type of action that occurred. This field always contains alarm.

alarmid The alarm’s identification number.





groupid The group identification number.







F0h

32171

Message ID 32171

Log Subtype Admin



Meaning An administrator modified a multicast firewall policy.



action The type of action that occurred. This field can contain config-edit.



msg User <admin_name> changed multicast firewall policy <policy_number> from <ui(<ip_address>)>

pol_id The multicast firewall policy identification number.



old_srcintf The previous source interface.

old_dintf The previous destination interface.

old_saddr The previous source IP address.

old_daddr The previous destination IP address.

old_action The previous type of action that was applied.

old_start_port The previous start port number.

old_end_port The previous end port number.

new_srcintf The new source interface that was applied to the new multicast firewall policy.

new_dintf The new destination interface that was applied to the new multicast firewall policy.

new_saddr The new source address that was applied to the policy.

new_daddr The new destination IP address. that was applied to the policy.

new_nat_addr The new NAT IP address that was applied to the policy.

new_dnat_addr The new DNAT IP address that was applied to the policy.

new_action The type of action that was applied.

new_proto The type of protocol that was applied.

new_start_port The new start port number. For example port 1.

new_end_port The new end port number. For example, port 655535

Message ID 32171

Log Subtype Admin

Severity Alert






Meaning An alarm was triggered.



action The type of action that occurred. This field always contains alarm.-ack

alarmid The alarm’s identification number.

groupid The group identification number.







F0h

32172

Message ID 32172

Log Subtype Admin



Meaning An administrator deleted a multicast firewall policy.



action This field can contain config-delete.



msg User <admin_name> removed multicast firewall policy <policy_number> from <ui(<ip_address>)>

old_id The multicast firewall policy identification number.



old_srcintf The previous source interface.

old_dintf The previous destination interface.

old_saddr The previous source IP address.

old_daddr The previous destination IP address.

old_action The previous type of action. that was applied.

old_start_port The previous start port number.

old_end_port The previous end port number.





32180

32200

Message ID 32180

Log Subtype Admin



Meaning The administrator failed to backup the configuration from the management station, or the FortiGate unit’s automatic backup to the management station failed. The meaning can also be that there was a failed backup of the configuration file after the system upgraded.



action This field contains backup.

status The status of the action. This field contains failure.

msg This field contains any one of the following:• User <admin_name> failed to backup the configuration from <ui> to

management station. • Automatic configuration backup to Management Station failed. • Failed to backup configuration after system upgrading: <string>

Message ID 32200

Log Subtype Admin



Meaning The administrator uploaded the new web filter list specified in the “upload” field.



upload This field contains any one of the following:

• url-exempt-list • url-block-list

• word-block-list

num The num value information.

msg User <administrator_name> uploaded <upload_type> from <ui>






F0h

32301

32302

32400

Message ID 32301

Log Subtype Admin



Meaning The administrator added a virtual domain.



action This field contains add-vdom.

msg Virtual domain <vd_name> is added.

Message ID 32302

Log Subtype Admin



Meaning The administrator deleted a virtual domain.



action This field always contains del-vdom.

msg Virtual domain <vd_name> is deleted.

Message ID 32400

Log Subtype Admin

Severity Alert


Meaning The configuration changed.



msg Configuraiton is changed in the admin session.





32401

Message ID 32401

Log Subtype Admin



Meaning The administrator added an application control list.



action This field contains add.

msg Administrator <admin_name> added an application control list <app_crtl_list_name> from <ui(<ip_address>)>



name The name of the application control list.

Message ID 32401

Log Subtype Admin



Meaning The administrator modified settings within an application control list.



action This field always contains edit.

msg Administrator <admin_name> edited an application control list <default_app_name> from <ui(<ip_address>)>



name The name of the application control list.






F0h

32545

32546

32547

Message ID 32545

Log Subtype Admin



Meaning The system was restarted because it was scheduled to.



action This field always contains reboot.

msg System will reboot due to scheduled daily restart.


Message ID 32546

Log Subtype Admin



Meaning The archive log files are being uploaded to the FortiAnalyzer unit.

Fields Field Descriptionaction This field always contains upload_request

msg Content Archive data has been uploaded to FortiAnalyzer.

Message ID 32547

Log Subtype Admin

Severity Error


Meaning The content archive file failed to upload.


msg Content Archive data failed to upload to <string>.





32548

32549

Message ID 32548

Log Subtype Admin



Meaning The upload of memory logs to a remote server failed because it reached the maximum capacity.


msg Uploading memory logs to remote logging server(s) because it reached <percentage> percent full

Message ID 32549

Log Subtype Admin



Meaning The upload of memory logs to a remote server occurred as scheduled.


msg Uploading memory logs to remote logging server(s) as scheduled





F0h

Event-SystemEvent-System log messages record events that occur in the FortiGate system, such as administrators logging in and out, or events occurring on the interfaces.

200012000220003200042000720010200312003220033200342003520036200372003820039200402004120042200432004420045200462004720048200492005020051200522005320054200552005620057

200582005920060200612006220063200642006520066200672006820069200702007120072200732007420075200762007720078200792008020081200822008320084200992010020101201102011120200

202012020220203220002200122002220032200422005220062200922010220112201222013221002210122102221032280022801228022280322804228052280622901229022290322911229122291322914

ortiGate 4.0 MR3 Log Message Reference1-430-112804-20111121 119ttp://docs.fortinet.com/ • Feedback



Event-System

20001

Message ID 20001

Log Subtype System



Meaning The routing information has changed because of the gateway’s status, up or down.

Fields Field Descriptioninterface This field contains any one of the following:

• internal • external

• dmz • other

status This field contains either up or down.

msg Ping server is {up | down}

Message ID 20001

Log Subtype System



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • There is a problem contacting the modem. Verify the modem connection

and settings. • The FortiGate unit has attempted to redial the IPS from the modem and

could not connect after the set number of redial attempts. You must reset the modem to attempt the connection.

• The wireless user has been disconnected. • A client was accepted.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no virtual

domains exist, this field always contain root.

msg This field contains any one of the following: • Problem contacting the modem• modem: Redial limit exceeded… giving up• Client <wireless_user> is disassociated.• Accepted associated from <client_name>

Message ID 20001

Log Subtype System



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • Client <client_name> does 1X – The client does 1X• Client <client_name> does WPA – The client does WPA.


• Client <client_name> does 1X• Client <client_name> does WPA

FortiGate 4.0 MR3 Log Message Reference120 01-430-112804-20111121




Event-System

F0h

Message ID 20001

Log Subtype System



Meaning Routing information is changed because the gateway is up/down.

Fields Field Descriptioninterface The name of the interface.



Message ID 20001

Log Subtype System

Severity Critical


Meaning A gateway’s status.

Fields Field Descriptioninterface The name of the interface.

gw_group The gateway group information.


gw_status The gateway status.

msg The status of <gateway> for gateway group <gw_group> is <information>




Event-System

20002

20003

Message ID 20002

Log Subtype System



Meaning The domain name configured for an alert email recipient cannot be resolved. Verify the email addresses to ensure that it is correct.

Fields Field Descriptionuser This field always contains system


action The type of action taken by the FortiGate unit.

status This field always contains failure.

msg Can’t resolve the IP address of <email_address>

Message ID 20003

Log Subtype System



Meaning Failed to send an alert email. You can verify the email addresses configured for alert emails and see if that solves the problem.



action The type of action taken by the FortiGate unit. This field always contains alert-email.


count The number of times the same event was detected within a short period of time.

msg Failed to send alert email from <ip_address> to <ip_address>.





Event-System

F0h

20004

20007

20010

Message ID 20004

Log Subtype System

Severity Critical


Meaning The policy is too big for the system to handle.




msg Policy <policy_id> is too big for system, it’s installed partially.

Message ID 20007

Log Subtype System

Severity Critical


Meaning The socket is exhausted.

Fields Field Descriptionservice The type of service. This field always contains kernel.


proto The protocol information.


src_port The source port number.

nat The NAT information.


dst_port The destination port number.

msg NAT port is exhausted.

Message ID 20010

Log Subtype System

Severity Error


Meaning A RADIUS IPC error.

Fields Field Descriptionmsg Unable to initialize RADIUS IPS (<value>)




Event-System

20031

20032

20033

20034

Message ID 20031

Log Subtype System

Severity Critical


Meaning The FortiGate unit’s flash memory is full in the specified sector. You can delete logs stored to the local disk, and perform other maintenance to free memory space.

Fields Field Descriptionmsg Interface <interface_name> Out of memory in <memory_sector>.

Message ID 20032

Log Subtype System

Severity Critical


Meaning The FortiGate unit cannot find the specified interface by name. You can check configuration of the interface and check any physical connections to solve the problem.

Fields Field Descriptionmsg Interface <interface_name> not found in <memory_sector>.

Message ID 20033

Log Subtype System



Meaning An interface uses Mobile IPv6 extensions.

Fields Field Descriptionmsg Using Mobile IPv6 extensions.

Message ID 20034

Log Subtype System

Severity Critical


Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.

Fields Field Descriptionmsg MinRtrAdvInterval for <interface> must be between <start_range_seconds>

and <end_range_seconds>





Event-System

F0h

20035

20036

Message ID 20034

Log Subtype System

Severity Critical


Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.

Fields Field Descriptionmsg MinRtrAdvInterval for <interface_name> must be between

<start_range_seconds> and <end_range_seconds>

Message ID 20035

Log Subtype System

Severity Critical


Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MinRtrAdvInterval to solve this problem.

Fields Field Descriptionmsg MinRtrAdvInterval must be between <start_range_seconds> and

<end_range_seconds> for <interface_name>

Message ID 20036

Log Subtype System

Severity Critical


Meaning The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface, using Mobile IPv6 extensions, must be configured within the specified range. The range is specified in seconds.

Fields Field Descriptionmsg MaxRtrAdvInterval for <interface_name> must be between





Event-System

20037

20038

20039

Message ID 20037

Log Subtype System

Severity Critical


Meaning The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MaxRtrAdvInterval to solve this problem.

Fields Field Descriptionmsg MaxRtrAdvInterval must be between <start_range_seconds> and

<end_range_seconds> for <interface_name>

Message ID 20038

Log Subtype System

Severity Critical


Meaning The value placed in MTU options sent by the router must be either zero or between the specified range for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.

Fields Field Descriptionmsg AdvLinkMTU must be zero or between <start_range_bytes> and

<end_range_bytes> for <interface_name>

Message ID 20039

Log Subtype System

Severity Critical


Meaning The value placed in MTU options sent by the router must be either zero or greater than the specified value for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.

Fields Field Descriptionmsg AdvLinkMTU must be zero or greater than <value_bytes> for

<interface_name>





Event-System

F0h

20040

20041

20042

Message ID 20040

Log Subtype System

Severity Critical


Meaning The value to be placed in the Reachable Time field in the Router Advertisement message sent by the router must be less than the specified value for the specified interface. A value of zero means unspecified by this router. You can reconfigure the router according to the specified value to solve this problem.

Fields Field Descriptionmsg AdvReachableTime must be less than <value> for <interface_name>

Message ID 20041

Log Subtype System

Severity Critical


Meaning The default value to be placed in the CurHopLimit field in the Router Advertisements message sent by the router must not be greater than the specified value for the specified interface.You can reconfigure the router according to the specified value to solve this problem.

Fields Field Descriptionmsg AdvCurHopLimit must not be greater than <value_hop_limit> for

<interface_name>

Message ID 20042

Log Subtype System

Severity Critical


Meaning The value to be placed in the Router Lifetime field of Router Advertisements sent from the interface in seconds, must be either zero or between the specified range. A value of zero indicates that the router is not to be used as a default router. You can reconfigure the router according to the specified range to solve this problem.

Fields Field Descriptionmsg AdvDefaultLifetime for <interface_name> must be zero or between





Event-System

20043

20044

20045

20046

Message ID 20043

Log Subtype System

Severity Critical


Meaning HomeAgentLifetime in Router Advertisement packet is out of range. You can reconfigure the router according to the specified range to solve this problem.

Fields Field Descriptionmsg HomeAgentLifetime must be between <value> and <value> for

<interface_name>

Message ID 20044

Log Subtype System

Severity Critical


Meaning AdvHomeAgentFlag and HomeAgentLifetime in Router Advertisement packet must be set with HomeAgentInfo.You can reconfigure the router according to the specified range to solve this problem.

Fields Field Descriptionmsg AdvHomeAgentFlag must be set with HomeAgentInfo

Message ID 20045

Log Subtype System

Severity Critical


Meaning Prefix length is too long.You can adjust packet prefix length to solve this problem.

Fields Field Descriptionmsg Invalid prefix length for <string>

Message ID 20046

Log Subtype System

Severity Critical


Meaning The value to be placed in the Valid Lifetime in the Prefix Information option, in seconds, must be greater than the AdvPreferredLifetime. You can adjust packet prefix length to solve this problem.

Fields Field Descriptionmsg AdvValidLifetime must be greater than AdvPreferredLifetime for <string>





Event-System

F0h

20047

20048

20049

20050

Message ID 20047

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to create an IPv6 socket.

Fields Field Descriptionmsg Can’t create socket (AF_INET6): <string>

Message ID 20048

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set IPV6_PKTINFO option.

Fields Field Descriptionmsg Setsockopt(IPv6_PKTINFO): <string>

Message ID 20049

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set IPV6_CHECKSUM option.

Fields Field Descriptionmsg Setsockopt(IPV6_CHECKSUM): <string>

Message ID 20050

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set IPV6_UNICAST_HOPS option.

Fields Field Descriptionmsg Setsockopt(IPV6_UNICAST_HOPS): <string>




Event-System

20051

20052

20053

20054

Message ID 20051

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set IPV6_MULTICAST_HOPS option.

Fields Field Descriptionmsg Setsockopt(IPV6_MULTICAST_HOPS): <string>

Message ID 20052

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set IPV6_HOPLIMIT option.

Fields Field Descriptionmsg Setsockopt (IPV6_HOPLIMIT): <string>

Message ID 20053

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to set ICMPV6_FILTER option.

Fields Field Descriptionmsg Setsockopt(ICMPV6_FILTER): <string>

Message ID 20054

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon received the specified signal and is going to exit.

Fields Field Descriptionmsg radvd receive signal=<value_signal>\n





Event-System

F0h

20055

20056

20057

20058

Message ID 20055

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon cannot create query to interface by using cmf_query_create().

Fields Field Descriptionmsg Can not create query to interface at <string>:<string>:<value>!

Message ID 20056

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon encounters an internal error when it uses cmf_query_for_each().

Fields Field Descriptionmsg Interfal error in cmf_query_for_each()!

Message ID 20057

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon failed to find a virtual interface by interface index.

Fields Field Descriptionmsg Interface <string>:<value> not found in the list!

Message ID 20058

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon reloaded or unloaded the specified interface.


• Interface <string>: <value> reloaded!• Interface <string>:<value> unloaded!




Event-System

20059

20060

20061

20062

Message ID 20059

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received a packet with no pkt_info.

Fields Field Descriptionmsg Received packet with no pkt_info!

Message ID 20060

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received an ICMPv6 packet with invalid length.

Fields Field Descriptionmsg Received icmpv6 packet with invalid length: <value_bytes>

Message ID 20061

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon received an unwanted type of ICMPv6 packet.

Fields Field Descriptionmsg icmpv6 filter failed

Message ID 20062

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received an ICMPv6 RA packet with invalid length.

Fields Field Descriptionmsg Received icmpv6 RA packet with invalid length. <value_bytes>





Event-System

F0h

20063

20064

20065

20066

Message ID 20063

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received ICMPv6 RA packet with non-linklocal source address..

Fields Field Descriptionmsg Received icmpv6 RA packet with non-linklocal source address

Message ID 20064

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received ICMPv6 RS packet with invalid length.

Fields Field Descriptionmsg Received icmpv6 RS packet with invalid length: <value_bytes>

Message ID 20065

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with invalid code.

Fields Field Descriptionmsg Received icmpv6 RS/RA packet with invalid code: <value_code>

Message ID 20066

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with wrong hoplimit.

Fields Field Descriptionmsg Received RS or RA with invalid hoplimit <value_hops> from

<interface_name>




Event-System

20067

20068

20069

Message ID 20067

Log Subtype System

Severity Warning


Meaning The AdvCurHopLimit on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. You should configure the interfaces with the same AdvCurHopLimit value to correct the problem.

Fields Field Descriptionmsg Our AdvCurHopLimit on <interface_name> doesn’t agree with

<interface_name>

Message ID 20068

Log Subtype System

Severity Warning


Meaning The AdvManagerFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interface with the same AdvManagerFlag value.

Fields Field Descriptionmsg Our AdvManagerFlag on <interface_name> doesn’t agree with

<interface_name>

Message ID 20069

Log Subtype System

Severity Warning


Meaning The AdvOtherConfigFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface.You should configure the interfaces with the same AdvOtherConfigFlag value.

Fields Field Descriptionmsg Our AdvOtherConfigFlag on <interface_name> doesn’t agree with

<interface_name>





Event-System

F0h

20070

20071

20072

Message ID 20070

Log Subtype System

Severity Warning


Meaning The AdvReachableTime configured on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. The value must be no greater than 3,600,000 seconds or 1 hour. You should configure the interfaces with the same AdvReachableTime value.

Fields Field Descriptionmsg Our AdvReachableTime on <interface_name> doesn’t agree with

<interface_name>

Message ID 20071

Log Subtype System

Severity Warning


Meaning The AdvRetransTimer value on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). You should configure the interfaces with the same AdvRetransTimer value.

Fields Field Descriptionmsg our AdvRetransTimer on <interface_name> doesn’t agree with

<interface_name>

Message ID 20072

Log Subtype System

Severity Warning


Meaning The IPv6 router advertisement daemon found extra data in an RA packet from the specified source.

Fields Field Descriptionmsg trailing garbage in RA on <interface_name> from <interface_name>




Event-System

20073

20074

20075

20076

Message ID 20073

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon found in an RA packet with no option data from the specified source.

Fields Field Descriptionmsg zero length option in RA on <interface_name> from <interface_name>

Message ID 20074

Log Subtype System

Severity Critical


Meaning The option length is greater than the total length in an RA packet from the specified source.

Fields Field Descriptionmsg option length greater than total length in RA on <interface_name> from

<interface_name>

Message ID 20075

Log Subtype System

Severity Warning


Meaning The AdvLinkMTU value on the specified FortiGate interface does not agree with the specified remote interface. A value of zero indicates that no MTU options are sent. You should configure the interfaces with the same AdvLinkMTU value.

Fields Field Descriptionmsg our AdvLinkMTU on <interface_name> doesn’t agree with <interface_name>

Message ID 20076

Log Subtype System

Severity Warning


Meaning The AdvValidLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvValidLifetime value.

Fields Field Descriptionmsg our AdvValidLifetime on <interface_name> for <value> doesn’t agree with

<interface_name>





Event-System

F0h

20077

20078

20079

20080

Message ID 20077

Log Subtype System

Severity Warning


Meaning The AdvPreferredLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface.You should configure the interfaces with the same AdvPreferredLifetime value.

Fields Field Descriptionmsg our AdvPreferredLifetime on <interface_name> for <value> doesn’t agree

with <interface_name>

Message ID 20078

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon found the specified invalid option in an RA packet from the specified source from a remote site.

Fields Field Descriptionmsg Invalid option <value_option> in RA on <interface_name> from <location>

Message ID 20079

Log Subtype System



Meaning The IPv6 router advertisement daemon is ready to serve.

Fields Field Descriptionmsg radvd started\n

Message ID 20080

Log Subtype System

Severity Critical


Meaning Recvmsg() in the IPv6 router advertisement daemon failed.

Fields Field Descriptionmsg recvmsg: <string>




Event-System

20081

20082

20083

Message ID 20081

Log Subtype System

Severity Critical


Meaning The IPv6 router advertisement daemon received a packet with a wrong IPV6_HOPLIMIT.

Fields Field Descriptionmsg received a bogus IPV6_HOPLIMIT from the kernel! len=<value_bytes>,

data=<value>

Message ID 20082

Log Subtype System

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The wrong IPv6 router advertisement daemon received a packet with a

wrong IPV6_PKINFO.• The IPv6 router advertisement daemon failed to check whether we’ve

joined the all-routers multicast group.


• received a bogus IPV6_PKINFO from the kernel! len=<value_bytes>, index=<value_index>

• Problem checking all-routers membership on <interface_name>

Message ID 20083

Log Subtype System

Severity Warning


Meaning The rounting advertisement failed to check if joined the all-routers membership group.

Fields Field Descriptionmsg problem checking all-routers membership on <interface_name>





Event-System

F0h

20084

20090

20099

Message ID 20084

Log Subtype System

Severity Warning


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • Sendmsg () in the IPv6 router advertisement daemon failed. • Sendmsg () in radvd failed.

Fields Field Descriptionmsg sendmsg: <string>

Message ID 20090

Log Subtype System



Meaning The interface link status has changed.

Fields Field Descriptionintf The name of the interface.

status The status of the interface.

msg interface <interface_name> link status is <status_type>

Message ID 20099

Log Subtype System



Meaning The interface link status has changed.

Fields Field Descriptionaction This field is always interface-stat-change.

status This field contains either DOWN or UP.

msg This field contains any one of the following: • Link monitor: Interface <interface_name> was turned down• Link monitor: Interface <interface_name> was turned up




Event-System

20100

20101

Message ID 20099

Log Subtype System

Severity Critical


Meaning FortiGuard Web Filtering category has been updated.

Fields Field Descriptionmsg The FortiGuard Web Filtering category list has been updated. Please verify

the protection profile settings are still correct.

Message ID 20101

Log Subtype System



Meaning Status of the file upload.

Fields Field Descriptionaction This field always contains upload.

status The status of the upload.

hash The hash information.

file The name of the file that was uploaded.


server The name of the server.

port The number of the port.

msg <file_name> upload reached the <string> state \n

Message ID 20101

Log Subtype System

Severity Variable


Meaning File upload error.





server The name of the server.

port The number of the port.

Message ID 20101

Log Subtype System

Severity Critical.





Event-System

F0h


Meaning FortiGuard license is expired. You need to renew the FortiGuard license.

Fields Field Descriptionmsg FortiGuard license is expired.

Message ID 20101

Log Subtype System



Meaning Status of the uploaded file.

Fields Field Descriptionaction The type of upload being performed.




server The IP address of the server.

port The name of the port.

msg <file_name> upload reached the <server_ip_address> state <status_name>

Message ID 20101

Log Subtype System

Severity Variable


Meaning File upload error.


error The type of error that occurred during the file’s uploading process.




port The name of the port.

msg <file_name> upload error\ \n




Event-System

20110

20111

20200

Message ID 20110

Log Subtype System



Meaning A hp_api log message.

Fields Field Descriptionmsg hp_api: Connection to ESPd has been initialized.

Message ID 20111

Log Subtype System

Severity Warning


Meaning A hp_api log message.

Fields Field Descriptionmsg hp_api: Connection to ESPd has been reset, exiting.

Message ID 20200

Log Subtype System



Meaning An administrator initiated a self-test type from a specific location.

Fields Field Descriptionuser The name of the user creating the traffic. In this log message, it is the

administrator that is creating the traffic.


action This field always contains self-test.

test The type of test that was taken.

msg Administrator <administrator_name> initiates the <test_type> self-test from <ui>





Event-System

F0h

20201

20202

Message ID 20201

Log Subtype System



Meaning An administrator initiated all self-tests from a specified location.

Fields Field Descriptionuser The name of the user creating the traffic. In this log message, it is the

administrator that is creating the traffic.


action This field always contains self-test.

test This field always contains all.

msg Administrator <administrator_name> initiates all self-tests from <ui>

Message ID 20202

Log Subtype System



Meaning The daemon started.

Fields Field Descriptionaction This field always contains daemon-startup.

daemon The type of daemon used.

pid The PID number.

msg Daemon <daemon_type> started.

Message ID 20202

Log Subtype System

Severity Warning


Meaning There was an error when either partitioning the disk or formatting the disk.

Fields Field Descriptionmsg Partitioning or formatting error (<string>) partition=<partition>

format=<format> label=<label>




Event-System

20203

22000\

Message ID 20203

Log Subtype System



Meaning The daemon was shut down.

Fields Field Descriptionaction This field always contains daemon-shutdown.

daemon The type of daemon used.

pid The PID number.

msg Daemon <daemon_type> shutdown.

Message ID 22000

Log Subtype System

Severity Warning


Meaning Depending on what appears in the msg field, the meaning can be any one of the following:• Packet lengths do not match.• The packet length does not match what is specified in the request header.


• Packet length does not match that specified in the request header.• lengths of packets does not match





Event-System

F0h

22001

22002

Message ID 22001

Log Subtype System

Severity Warning/Information


Meaning Depending on what appears in the msg field, the meaning can be any one of the following:• The specified version of the URL agent is not supported. • The specified version of the protocol is not supported. • An administrator started to convert the current SQL format.

Fields Field Descriptionaction The action that was taken.

admin The name of the administrator.


status This field always contains started.

msg This field contains any one of the following: • version <agent_version_num> is not supported. • Protocol version <version_number> is not supported.• Administrator <administrator_name> started to convert existing logs to SQL

format from <ui>

Message ID 22002

Log Subtype System

Severity Warning


Meaning Depending on what appears in the msg field, the meaning can be any one of the following:• Only HTTP is supported. • Requests other than HTTP, HTTPS, FTP, MAIL, and AV are not supported. • Request other than HTTP, HTTPS, FTP, MAIL, and AV are not supported.• The conversion of the existing SQL logs failed. • The administrator failed to conver the existing logs into SQL format.


status This field always contains failed.

reason This field contains either sql-db-not-running or cannot-send-request.

msg This field contains any one of the following: • Other request <request_type> than http is not supported. • Other requests <string> than http & ftp is not supported. • Request type <type> is not supported• Conversion of existing logs to SQL format failed to start because SQL DB is

not running. • Conversion of existing logs to SQL format failed to start because request

cannot be sent.




Event-System

22003

22004

22005

22006

Message ID 22003

Log Subtype System

Severity Warning


Meaning Failed to set up a signal handler.

Fields Field Descriptionmsg sigaction(<signal_handler>)failed: <string>

Message ID 22004

Log Subtype System

Severity Warning


Meaning Depending on what the msg field contains, the meaning can be any one of the following: • The system failed to create a socket or failed to create a socket.• The system failed to create a socket or failed to create a HA socket.


• Socket () failed: <string>• Socket () failed: <string>

Message ID 22005

Log Subtype System

Severity Warning


Meaning The system failed to create a UDP socket to receive URL requests.


• Failed to create a udp socket to relay URL requests: <string>• failed to create a <value>/udp socket to receive URL request

Message ID 22006

Log Subtype System

Severity Warning


Meaning The system failed to register for cmdb events.

Fields Field Descriptionmsg Failed to register for cmdb events.





Event-System

F0h

22009

22010

Message ID 22009

Log Subtype System

Severity Warning


Meaning Could not find antivirus profile by using ID.

Fields Field Descriptionname The name of the antivirus profile.


msg failed to find its AV protection profile

Message ID 22010

Log Subtype System

Severity Error


Meaning Depending on what is in the msg field, it can contain any one of the following: • The url filter has failed to send the rating result back to HTTP proxy. • The HTTP proxy has crashed. • The sendto () failed.

Fields Field Descriptionprocess The type of process that is being performed by the FortiGate unit.

reason The reason for the trigger.

msg This field contains any one of the following: • <string> failed to send rating result• failed to send urlfilter packet• failed to send urlfilter packet because queue was full• failed to send urlfilter packet <sent_number> times




Event-System

22011

22012

Message ID 22011

Log Subtype System



Meaning The conversion of existing log files to SQL log files in the specified VDOM started.


status This field always contains started.

files The name of the logs files that are being converted.

msg Conversion of existing logs to SQL format for vdom <vdom_name> started.

Message ID 22012

Log Subtype System



Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The SQL log database is full and cannot format any more logs. • The SQL conversion failed because the log could not be opened.



reason This field contains either sql-log-full or cannot-open-file.

file The name of the log file being converted.

msg This field contains any one of the following: • Conversion of <log_file_name> to SQL format failed because SQL log is

full.• Conversion of <log_file_name> to SQL format failed because the log file

cannto be opened.





Event-System

F0h

22013

22100

Message ID 22013

Log Subtype System



Meaning The conversion process finished and the logs are now in SQL format in the specified VDOM.


status This field always contains ended

converted_files The names of the converted log files.

entry The entry information.

msg Conversion of existing logs to SQL format for vdom <vdom_name> has been finished.

Message ID 22100

Log Subtype System

Severity Warning


Meaning Quarantine has dropped a FortiAnalyzer transfer job due to limited memory.

Fields Field Descriptionfile The name of the file.

size The size of the file.

limit The number of the set limit.

avail The number for avail.

action This field always contains content-archive.

status This field always contains drop.

reason This field always contains memory-limit.

msg File <file_name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.

Message ID 22100

Log Subtype System

Severity Warning


Meaning Quarantine dropped FortiAnalyzer transfer jobs because there was limited available memory.

Fields Field Descriptioncount The number of times the same event was detected within a short period of

time.

duration The duration, or time lapse, in seconds.


used The amount used.




Event-System

22101




msg In the past <seconds> seconds, <value> files were not transferred to FortiAnalyzer due to exceeding memory usage limit.

Message ID 22101

Log Subtype System

Severity Warning


Meaning Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.




avail The number for avail.




msg File <file-name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.

Message ID 22101

Log Subtype System

Severity Warning


Meaning Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.




status This field always contains fail.

msg Failed to transfer file <file_name> to FortiAnalyzer <ip_address>

Message ID 22101

Log Subtype System

Severity Warning


Meaning Failed to send a file to the FortiAnalyzer unit.







Event-System

F0h

22102

22103

22200

action The type of action taken by the FortiGate unit.

status This field always contains fail.

msg Failed to transfer file <file_name> to FortiAnalyzer <ip_address>

Message ID 22102

Log Subtype System

Severity Critical


Meaning Erroneous SMART status.

Fields Field Descriptionmsg Log disk failure is imminent, logs should be backed up

Message ID 22103

Log Subtype System

Severity Critical


Meaning The FortiGuard log buffer was reset because of a system overload. Current log data and possibly old log data may be lost. You must reopen FortiGuard log pipe to solve the issue.

Fields Field Descriptionreason This field always contains buffer-overflow.

msg This field contains any one of the following: • FortiGuard Log buffer is reset due to a buffer overflow (system overload).

Some log data may be lost.• FortiGuard Analysis Service buffer is reset due to a buffer overflow (system

overload). Some log data may be lost.\”

Message ID 22200

Log Subtype System

Severity Warning


Meaning The specified certificate will automatically update itself after a specified number of days is up.


action This field always contains certificate-update.

status This field always contains warning.

cert The name of the certificate.

msg CA certificate <certificate_name> will auto-update in <number_days> days.




Event-System

22201

22202

22203

Message ID 22201

Log Subtype System

Severity Warning


Meaning The specified certificate will automatically regenerate itself after a specified number of days is up.


action This field always contains certificate-regenerate.



msg Local certificate <certificate_name> will auto-regenerate in <number_days> days.

Message ID 22202

Log Subtype System

Severity Warning


Meaning The certificate failed to automatically update.


action This field always contains certificate-update



msg The log message information. This usually contains a sentence and explains the activity and/or action taken.

Message ID 22203

Log Subtype System

Severity Warning


Meaning The specified certificate will automatically regenerate itself after a specified number of days is up.


action This field always contains certificate-regenerate.



msg The log message information. This usually contains a sentence and explains the activity and/or action taken.





Event-System

F0h

22800

22801

Message ID 22800

Log Subtype System

Severity Critical


Meaning Scan services entered conserve mode. Note: Not all of the fields may appear with every 22800 log message.

Fields Field Descriptionservice The name of the service.

mode The mode information.

conserve This field always contains on.

total The total information.

free The free information.

entermargin The entermargin information.

exitmargin The exitmargin information.

msg This field contains any one of the following: • The system has entered conserve mode” conserve=on total=<value>

free=<value> entermargin=<value> exitmargin=<value>• Scan services session fail mode. • Scan services entered conserve mode.

Message ID 22801

Log Subtype System

Severity Critical


Meaning Depending on what is in the msg field, the meaning can be any one of the following: • The system exited conserve mode. • The scan services exited conserve mode.

Fields Field Descriptionservice The type of service used.

conserve This field contains either on or exit.



entermargin The enter margin information.

exitmargin The exit margin information.

msg This field can be any one of the following: • The system exited conserve mode.• The system has entered conserve mode.




Event-System

22802

22803

Message ID 22802

Log Subtype System

Severity Critical


Meaning System services entered conserve mode.


sysconserve This field always contains on.





msg The system has entered system conserve mode

Message ID 22803

Log Subtype System

Severity Critical


Meaning System services exited conserve mode.


sysconserve This field always contains exit.





msg The system exited system conserve mode





Event-System

F0h

22804

22805

22806

Message ID 22804

Log Subtype System

Severity Critical


Meaning The status of the license has changed.

Fields Field Descriptionservice This field always contains license.

status The status information of the license.

msg License status changed to <status>

Message ID 22805

Log Subtype System

Severity Warning


Meaning The status of the license could not be validated.



msg License could not be validated for over 4 hours.

Message ID 22806

Log Subtype System

Severity Warning


Meaning There is a duplicate of the license.



msg Detected duplicate license in use.




Event-System

22901

22902

22903

Message ID 22901

Log Subtype System



Meaning The FortiGate unit is connected to the FortiAnalyzer unit.

Fields Field Descriptionaction This field always contains connect.



msg Connected to FortiAnalyzer <ip_address>

Message ID 22902

Log Subtype System



Meaning The FortiGate unit has been disconnected from the FortiAnalyzer unit.

Fields Field Descriptionaction This field always contains disconnect.



msg Disconnected from FortiAnalyzer <ip_address>

Message ID 22903

Log Subtype System

Severity Critical


Meaning The FortiGate unit failed to connect to the FortiAnalyzer unit.

Fields Field Descriptionaction This field always contains connect.



msg Failed to connect to FortiAnalyzer <ip_address>





Event-System

F0h

22911

22912

22913

Message ID 22911

Log Subtype System



Meaning The FortiGuard Analysis Service server is up.

Fields Field Descriptionserver This field contains either Home or Alter.

action This field always contains up.

msg FortiGuard Analysis Service {Home | Alter} server is up

Message ID 22912

Log Subtype System



Meaning The FortiGuard Analysis Service server is down.


action This field always contains down.

msg FortiGuard Analysis Service {Home | Alter} server is down

Message ID 22913

Log Subtype System



Meaning The FortiGuard Analysis Service server has been disconnected.


action This field always contains disconnect.

msg FortiGuard Analysis Service {Home | Alter} server is disconnected




Event-System

22914

Message ID 22914

Log Subtype System



Meaning The FortiGuard Analysis Service server was changed to “disable” on the FortiGuard Analysis and Management Service portal web site.


action This field always contains change.

msg FortiGuard Analysis Service server is changed to {Home | Alter}.





F0h

Event-DHCP serviceEvent-DHCP service log messages record DHCP service events.

26001

26002

Message ID 26001

Log Subtype DHCP service

Severity Error


Meaning A DHCP service occurred.

Fields Field Descriptiondhcp_msg Information about the DHCP server.

dir The direction information.

mac The MAC IP address with 2x.

ip The IP address.

lease The lease information.

hostname The host name information.


Message ID 26002

Log Subtype DHCP service

Severity Error


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • No shared network found.• The IP address range spans multiple subnets.• The IP address range does not belong to the net.

Fields Field Descriptiondhcp_msg Information about the DHCP server.

dir The direction information.

mac The MAC IP address with 2x at the end.

ip The IP address.

lease The lease information.

hostname The host name information.

msg This field contains any one of the following: • No shared network for network <interface_name> (ip_address)• Address range <ip_address> to <ip_address>, netmask

<netmask_address> spans <string>!• Address range <ip_address> to <ip_address> netmask

<netmask_address> not on net <string>!




Event-DHCP service





F0h

Event-Firewall authenticationEvent-Firewall authentication log messages record authentication events that occur within the FortiGate firewall.

38001380023800338004380053801038011380123802038021380223802638027




Event-Firewall authentication

38001

Message ID 38001

Log Subtype Firewall Authentication



Meaning The specified administrator succeeded in authentication.

Fields Field Descriptionpolicyid The ID number of the firewall policy that applies to the session or

packet. Any policy that is automatically added by the FortiGate will have an index number of zero.




action This field always contains authenticate.


msg User <user_name> succeeded in authentication

Message ID 38001




Meaning The specified AD group succeeded in authentication.

Fields Field Descriptionipproto The IP protocol information.




adgroup The name of the AD group.



action This field always contains FSAE-auth.


msg AD group <adgroup_name> user <user_name> succeeded in authentication.

Message ID 38001







F0h



Meaning The specified AD domain group failed in authentication.



domain The domain name.



action This field always contains NTML-auth.

status This field always contains failure

reason The reason that the trigger occurred.

msg AD domain <domain_name> user <user_name> failed in authentication.





38002

Message ID 38002




Meaning The specified user failed in concurrent check.

Fields Field Descriptionpolicyid The ID number of the firewall policy that applies to the session or packet.

Any policy that is automatically added by the FortiGate will have an index number of zero.



action This field is always authenticate.


msg User <user_name> failed in concurrent check.

Message ID 38002




Meaning The specified user failed in authentication.





action This field is always authenticate.


msg User <user_name> failed in authentication

Message ID 38002




Meaning The specified user failed in authentication.

Fields Field Descriptionipproto The IP protocol information.






F0h



policyid The firewall policy identification number.

adgroup The name of the AD group.



action This field always contains FSAE-auth.



msg AD group <group_name> user <user_name> failed in authentication.

Message ID 38002


Severity Warning


Meaning The user failed to was blacked out for a specified amount of time because of abnormal behavior.



ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 access the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).


action This field always contains authenticate

status This field always contains blackout.

reason This field always contains abnormal.

msg User from <ip_address> was blacked out for <time_seconds> seconds due to abnormal behavior.

Message ID 38002


Severity Warning


Meaning The user failed to authenticate within the allowed time frame.









action This field always contains authenticate

status This field always contains timeout.

reason This field always contains timeout.


srcname The name of the source. This can be the source’s IP address; however, it can also be N/A.


dstname The name of the destination. This can be the destination’s IP address; however it can also be N/A.

msg User failed to authenticate within the allowed period.






F0h

38003

38004

Message ID 38003




Meaning The specified administrator failed authentication and is locked out because they tried too many times.






status This field always contains lockout.

msg User at <ip_address> failed authentication too many times.

Message ID 38004




Meaning A successful FSAE log in event.



server The name or IP address of the server.

action This field always contains FSAE-logon.


msg FSAE-logon event from <ip_address>: user <user_name> logged on <ip_address>

Message ID 38004




Meaning A successful FSAE log in event.



server The name or IP address of the server.





action This field always contains FSAE-logoff.


msg FSAE-logoff event from <ip_address>: user <user_name> logged off <ip_address>






F0h

38005

38010

Message ID 38005




Meaning The policy authentication of the specified user has timed out.

Fields Field Descriptionsrc The source IP address.


group The name of the user group creating the traffic.



status This field always contains timeout.

msg Policy authentication of user <user_name> has timed out.

Message ID 38010


Severity Warning


Meaning The specified user failed authentication when creating a FortiGuard Web Filtering override.

Fields Field Descriptioninitiator The initiator information.


reason This field always contains credentials.



msg User <user_name> failed authentication when creating a FortiGuard Web Filtering overrride from <ip_address>

Message ID 38010


Severity Alert


Meaning The encryption for EVP failed.







38011

action This field always contains encryption.

cipher This field always contains aes-128-cbc.


msg EVP encryption failed.

Message ID 38011


Severity Warning


Meaning The FortiGuard Web Filtering override table is full and cannot contain anymore overrides.



reason This field always contains table_add_failed.



msg FortiGuard Web Filtering override table is full.

Message ID 38011


Severity Alert


Meaning The decryption for EVP failed.



action This field always contains decryption.

cipher This field always contains aes-128-cbc.


msg EVP decryption failed.






F0h

38012

38020

Message ID 38012




Meaning A FortiGuard Web Filtering override was successfully created.






action This field always contains authentication.

scope The scope information.

scope_data The scope data information

rule_type The rule type information.

rule_data The rule data information.

offsite The offsite information.

expiry The expiry information.

msg User <user_name> added webfilter override entry <entry_name> from <location>.

Message ID 38020




Meaning A FortiClient checking event occurred.

Fields Field Descriptionui The location of the point-of-entry the user used to access the FortiGate

unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).


msg Log message information.

Message ID 38020




Meaning A FortiClient checking event occurred.






38021



Message ID 38021




Meaning The quota for per IP shaper was exceeded.



action This field always contains ip-traffic-shaper.

status This field always contains blocked.

shaper The name of the traffic shaper.

bps The bps information.

giga The Gigabyte number.

mega The mega number.

bytes The number of bytes.

msg Traffic exceed per ip traffic shaper quota, ip: <ip_address>

Message ID 38021




Meaning The quota for per IP shaper was exceeded.



action This field always contains policy-traffic-shaper.

status This field always contains blocked.











F0h


msg Traffic exceed shared traffic shaper quota, policy id: <firewall_policy_id_number>.





38022

Message ID 38022




Meaning The shared traffic shaper data was logged.



action This field always contains ip-traffic-shaper

status This field always contains allowed.






msg Per ip traffic shaper statistic data is logged, ip: <ip_address>

Message ID 38022




Meaning The shared traffic shaper data was logged.



action This field always contains policy-traffic-shaper

status This field always contains allowed.







msg Shared traffic shaper statistic data is logged, policy id: <firewall_policy_id_number>






F0h

38026

38027

Message ID 38026




Meaning The Endpoint License Distribution has indicated that there are a specified number of keys assigned with a specified IP address.

Fields Field Descriptionmsg Endpoint License Distribution: active license keys left; key <key_number>

assigned to endpoint with ip=<ip_address>

Message ID 38027




Meaning An endpoint application was detected.




action The action taken by the FortiGate unit.





F0h

Event-WirelessEvent-Wireless log messages record wireless events that occur with FortiGate units that have WiFi capabilities.

435204352143522435244352543526




Event-Wireless

43520

43521

Log Subtype Wireless



Meaning A wireless system activity occurred.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no virtual domain

exists, this field always contains root.

action The information about the action that was taken.





Meaning A wireless rogue AP activity occurred.


exists, this field always contains roots.

ssid The service set identifier.

bssid The basic service set identifier

rate The data rate number.

radio-band The radio band information.

channel The channel number.


manuf The name of the manufacturer.

security-mode The type of security mode.

nssi The NSSI number.

noise The noise number.

live The live number.

age The age number.

on-wire This is either no or yes.

detection-method The type of detection method being used. This can be any one of the following:

• N/A • sta

• mac adjancency

sta-mac The station MAC information.

ap-scan The WTP that scanned the station.






Event-Wireless

F0h

43522

43524




Meaning A physical AP activity occurred.


domains exist, this field always contains root.

sn The phsyical AP unit’s serial number.

ap The name of the physical AP.

ap_profile The name of the AP profile.

ip The IP address of the AP unit.


reason The reason for taking the specified action.





Meaning A wireless client activity occurred.



sn The physical AP unit’s serial number.

ap The physical AP name.

vap The virtual AP name.


mac The client wireless MAC address.

security This field contains any one of the following:

• open • wep64

• wep128 • wpa-psk

• wpa-radius • wpa

• wpa2 • wpa2-auto






Event-Wireless

43525


Severity Warning


Meaning A wireless rogue AP activity occurred.


exists, this field always contains roots.


bssid The basic service set identifier

rate The data rate number.

radio-band The radio band information.

channel The channel number.


manuf The name of the manufacturer.

security-mode The information about the security mode.

nssi The NSSI number.

noise The noise number.

live The live number.

age The age number.

on-wire This is either no or yes.

detection-method The type of detection method being used. This can be any one of the following:

• N/A • sta

• mac adjancency

sta-mac The station MAC information.

ap-scan The WTP that scanned the station.






Event-Wireless

F0h

43526




Meaning A physical AP radio activity.

Fields Field Descriptionvd The name of the virtual domain where the action occured in. If no virtual


sn The physical AP unit’s serial number.

ap The name of the physical AP unit.

ip The IP address of the AP unit.

radio-id The radio identification number.






Event-Wireless





F0h

Event-IPsec negotiationEvent-IPsec negotiation log messages record IPsec activities and events.

37120371213712237123371243712537126371273712937130371313713237133371343713537136371373713837139

37184371853718637187371883718937190371913719237193371943719537196371973719837199372003720137202

37203




Event-IPsec negotiation

37120

Log Subtype IPsec



Meaning Notification of an IPsec negotiation of Phase 1.



msg negotiate IPsec phase 1


• negotiate • tunnel-up

• error • tunnel-down

• install_sa • tunnel-stats

• delete_phase1_sa • phase2-up

• delete_IPsec_sa • phase2-down

• dpd

rem_ip The remote IP address.

loc_ip The local IP address.

rem_port The remote port number.

loc_port The local port number.

out_intf The interface that is outbound.

cookies The cookies for that IPsec session.



xauth_user The name of the XAuth user.

xauth_group The name of the Xauthentication group.

vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

status This field contains any one of the following:

• success • esp_error

• failure • dpd_failure

• negotiate_error

xauth_result This field contain either XAUTH authentication successful or XAUTH authentication failed.






F0h

37121

Log Subtype IPsec

Severity Error


Meaning Negotiation error of an IPsec Phase 1.










• dpd















• negotiate_error

xauth_result This field contain either XAUTH authentication successful or XAUTH authentication failed.





37122

Log Subtype IPsec



Meaning Notification of an IPsec negotiation of Phase 2.










• dpd















• negotiate_error

role This field contains either responder or initiator.

esp_transform This field contains any one of the following;

• ESP_NULL • ESP_3DES

• ESP_DES • ESP_AES

esp_auth This field contains any one of the following;

• no authentication • HMAC_MD5

• HMAC_SHA1 • HMAC_SHA256






F0h

37123

Log Subtype IPsec

Severity Error


Meaning Negotiation error of an IPsec Phase 2.










• dpd















• negotiate_error


esp_transform This field contains any one of the following;



esp_auth This field contains any one of the following;







37124

Log Subtype IPsec

Severity Error


Meaning IPsec Phase 1 error.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no virtual domains

exist, this field always contains root.








• dpd















• negotiate_error

error_reason This field contains any one of the following:

• invalid certificate • peer notification

• invalid SA payload • not enough key material for tunnel

• probable preshared key • encapsulated mode mismatch

• mismatch • no matching gateway for new request

• peer SA proposal not match • aggressive vs main mode

• local policy • mismatch for new request

peer_notif This field, peer notification, can contain any one of the following:

• NOT-APPLICABLE • INVALID-CERTIFICATE

• INVALID-PAYLOAD-TYPE • BAD-CERT-REQUEST-SYNTAX

• DOI-NOT-SUPPORTED • INVALID-CERT-AUTHORITY

• SITUATION-NOT-SUPPORTED • INVALID-HASH-INFORMATION






F0h

• INVALID-COOKIE • AUTHENTICATION-FAILED

• INVALID-MAJOR-VERSION • INVALID-SIGNATURE

• INVALID-MINOR-VERSION • ADDRESS-NOTIFICATION

• INVALID-EXCHANGE-TYPE • NOTIFY-SA-LIFETIME

• INVALID-FLAGS • CERTIFICATE-UNAVAILABLE

• INVALID-MESSAGE-ID • UNSUPPORTED-EXCHANGE-TYPE

• INVALID-PROTOCOL-ID • UNEQUAL-PAYLOAD-LENGTHS

• INVALID-SPI • CONNECTED

• INVALID-TRANSFORM-ID • RESPONDER-LIFETIME

• ATTRIBUTES-NOT-SUPPORTED • REPLAY-STATUS

• NO-PROPOSAL-CHOSEN • INTIAL-CONTACT

• BAD-PROPOSAL-SYNTAX • R-U-THERE

• PAYLOAD-MALFORMED • R-U-THERE-ACK

• INVALID-KEY-INFORMATION • HEARTBEAT

• INVALID-ID-INFORMATION • RETRY-LIMIT-REACHED

• INVALID-CERT-ENCODING





37125

Log Subtype IPsec

Severity Error


Meaning IPsec Phase 2 error.










• dpd















• negotiate_error




• probable preshared key • encapsulated mode mismatch

• mismatch • no matching gateway for new request

• peer SA proposal not match • aggressive vs main mode

• local policy • mismatch for new request






F0h

37126

Log Subtype IPsec



Meaning IPsec not state error.










• dpd















• negotiate_error


• invalid certificate • not enough key material for tunnel

• invalid SA payload • encapsulated mode mismatch

• probable preshared key mismatch • no matching gateway for new request

• peer SA proposal not match local policy

• aggressive vs main mode mismatch for new request

• peer notification





37127

Log Subtype IPsec



Meaning Progress of an IPsec phase 1 notification.




action This field contains any one of the following;






• dpd















• negotiate_error

init This field can either be local or remote.

mode This field contains any one of the following;

• aggressive • xauth

• main • xauth_client

• quick

dir This field can be either outbound or inbound.

stage The stage number.


result This field contains any one of the following:

• ERROR • DONE

• OK • PENDING






F0h

37128

Log Subtype IPsec

Severity Error


Meaning Progress of an IPsec Phase 1 error.










• dpd












status This field contains any one of the following;



• negotiate_error

init This field contains either local or remote.

mode This field contains any one of the following:



• quick

dir The direction of the traffic. This field contains either outbound or inbound.




• ERROR • DONE

• OK • PENDING





37129

Log Subtype IPsec



Meaning Progress of an IPsec Phase 2 notification.

Fields Field Descriptionmsg negotiate IPsec phase 1







• dpd










xauth_group The name of the XAuthentication group.





• negotiate_error


mode This field contains any one of the following;



• quick





• ERROR • DONE

• OK • PENDING






F0h

37130

Log Subtype IPsec

Severity Error


Meaning The progress status of an IPsec Phase 2 error.



msg progress IPsec phase 2







• dpd












status This field contains any one of the following;



• negotiate_error


mode This field contains any one of the following:



• quick

dir The direction of the traffic. This field contain either outbound or inbound.




• ERROR • DONE

• OK • PENDING





37131

Log Subtype IPsec

Severity Error


Meaning A notification of IPsec ESP.

Fields Field Descriptionmsg IPsec ESP.







• dpd















• negotiate_error

error_num This field contains any one of the following:

• Invalid ESP packet detected • Invalid ESP packet detected (invalid padding length)

• Invalid ESP packet detected (HMAC validation failed)

• Invalid ESP packet detected (replayed packet)

• Invalid ESP packet detected (invalid padding)

• Received ESP packet with unknown SPI

spi The spi information.

seq The seq information.






F0h

37132

Log Subtype IPsec

Severity Critical


Meaning A notification of IPsec ESP error.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no virtual domains exist,

this field always contains root.

msg IPsec ESP.







• dpd















• negotiate_error


• Invalid ESP packet detected • Invalid ESP packet detected (invalid padding length)











37133

Log Subtype IPsec



Meaning An administrator installed IPsec SA.

Fields Field DescriptionThe name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.

msg Install IPsec SA







• dpd













in_spi The in_spi information.

out_spi The out_spi information.






F0h

37134

Log Subtype IPsec



Meaning An administrator deleted an IPsec Phase 1 SA.



msg delete IPsec phase 1 SA.







• dpd
















37135

Log Subtype IPsec



Meaning An administrator deleted an IPsec Phase 1 SA.



msg delete IPsec phase 2 SA.







• dpd












enc_spi The enc_spi information.

dec_spi The desc_spi information.






F0h

37136

Log Subtype IPsec

Severity Error


Meaning An IPsec DPD failed.



msg IPsec DPD failure







• dpd















• negotiate_error





37137

Log Subtype IPsec

Severity Error


Meaning An IPsec connection failed.



msg IPsec connection failure







• dpd















• negotiate_error






F0h

37138

Log Subtype IPsec



Meaning An IPsec connection status changed.



msg IPsec connection status change







• dpd












tunnel_ip The tunnel’s IP address.

tunnel_id The tunnel’s identification number.

tunnel_type The type of tunnel. This field always contains IPsec.




next_stat The next_stat information.

tunnel The tunnel information.





37139

Log Subtype IPsec



Meaning An IPsec Phase 2 status changed.



msg IPsec phase 2 status change







• dpd












phase2_name The name given to the phase 2 configuration.






F0h

37184

Log Subtype IPsec

Severity Error












• dpd













• negotiate_error

peer_notif This field, peer notification, can contain any one of the following:

• NOT-APPLICABLE • INVALID-CERTIFICATE

• INVALID-PAYLOAD-TYPE • BAD-CERT-REQUEST-SYNTAX

• DOI-NOT-SUPPORTED • INVALID-CERT-AUTHORITY

• SITUATION-NOT-SUPPORTED

• INVALID-HASH-INFORMATION

• INVALID-COOKIE • AUTHENTICATION-FAILED

• INVALID-MAJOR-VERSION • INVALID-SIGNATURE

• INVALID-MINOR-VERSION • ADDRESS-NOTIFICATION

• INVALID-EXCHANGE-TYPE • NOTIFY-SA-LIFETIME

• INVALID-FLAGS • CERTIFICATE-UNAVAILABLE

• INVALID-MESSAGE-ID • UNSUPPORTED-EXCHANGE-TYPE

• INVALID-PROTOCOL-ID • UNEQUAL-PAYLOAD-LENGTHS

• INVALID-SPI • CONNECTED





• INVALID-TRANSFORM-ID • RESPONDER-LIFETIME

• ATTRIBUTES-NOT-SUPPORTED

• REPLAY-STATUS

• NO-PROPOSAL-CHOSEN • INTIAL-CONTACT

• BAD-PROPOSAL-SYNTAX • R-U-THERE

• PAYLOAD-MALFORMED • R-U-THERE-ACK

• INVALID-KEY INFORMATION

• HEARTBEAT

• INVALID-ID-INFORMATION • RETRY-LIMIT-REACHED

• INVALID-CERT-ENCODING






F0h

37185

Log Subtype IPsec

Severity Error












• dpd













• negotiate_error

peer_notif This field contains any one of the following:

• NOT APPLICABLE • ATTRIBUTES-NOT-SUPPORTED

• INVALID-PAYLOAD-TYPE • NO-PROPOSAL-CHOSEN

• DOI-NOT-SUPPORTED • BAD-PROPOSAL-SYNTAX

• SITUATION-NOT SUPPORTED • PAYLOAD-MALFORMED

• INVALID-COOKIE • INVALID-KEY-INFORMATION

• INVALID-MAJOR-VERSION • INVALID-ID-INFORMATION

• INVALID-MINOR-VERSION • INVALID-CERT-ENCODING

• INVALID-MINOR-VERSION • INVALID-CERTIIFCATE

• INVALID-EXCHANGE-TYPE • BAD-CERT-REQUEST-SYNTAX

• INVALID-FLAGS • INVALID-CERT-AUTHORITY

• INVALID-MESSAGE-ID • INVALID-HASH-INFORMATION

• INVALID-PROTOCOL-ID • AUTHENTICATION-FAILED

• INVALID-SPI • INVALID-SIGNATURE





• INVALID-TRANSFORM-ID • ADDRESS-NOTIFICATION

• NOTIFY-SA-LIFETIME • RESPONDER-LIFETIME

• CERTIFICATE-UNAVAILABLE • REPLAY-STATUS

• UNSUPPORTED-EXCHANGE-TYPE

• INITIAL-CONTACT

• UNEQUAL-PAYLOAD-LENGTHS • R-U-THERE

• CONNECTED • R-U-THERE-ACK

• HEARTBEAT • RETRY-LIMIT-REACHED






F0h

37186

Log Subtype IPsec



Meaning An IPsec Phase 2 negotiation notification.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no

vritual domains exist, this field always contains root.








• dpd













• negotiate_error


esp_transform This field contains any one of the following:



esp_auth This field contains any one of the following:







37187

Log Subtype IPsec

Severity Error


Meaning An IPsec Phase 2 negotiation notification.










• dpd













• negotiate_error


esp_transform This field contains any one of the following:



esp_auth This field contains any one of the following:








F0h

37188

Log Subtype IPsec

Severity Error


Meaning An IPsec Phase 1 negotiation error.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. if no virtual


msg IPsec phase 1 error







• dpd













• negotiate_error




• probable preshared key mismatch

• encapsulation mode mismatch


• no matching gateway for new request






37189

Log Subtype IPsec

Severity Error


Meaning An IPsec Phase 1 negotiation error.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If no vritual domains


msg IPsec phase 2 error







• dpd













• negotiate_error














F0h

37190

Log Subtype IPsec

Severity Error


Meaning An IPsec no state error.



msg IPsec no state error







• dpd













• negotiate_error













37191

Log Subtype IPsec



Meaning An IPsec Phase 1 progress notification.










• dpd













• negotiate_error


exch This field contains any one of the following:

• SA_INIT • CREATE_CHILD

• AUTH

dir This field contains either outbound or inbound.


result This field contains one of the following:

• ERROR • DONE

• OK • PENDING

version The version of the IPsec, which is IKEv2.






F0h

37192

Log Subtype IPsec

Severity Error


Meaning An IPsec Phase 1 progress error.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in. If

no virtual domains exist, this field always contains root.








• dpd













• negotiate_error




• AUTH




• ERROR • DONE

• OK • PENDING






37193

Log Subtype IPsec



Meaning An IPsec Phase 2 progress notification.










• dpd













• negotiate_error




• AUTH




• ERROR • DONE

• OK • PENDING







F0h

37194

Log Subtype IPsec

Severity Error


Meaning An IPsec Phase 2 progress error.

Fields Field Descriptionmsg progress IPsec phase 2







• dpd













• negotiate_error




• AUTH




• ERROR • DONE

• OK • PENDING






37195

Log Subtype IPsec

Severity Error


Meaning An IPsec ESP notification.



msg IPsec ESP







• dpd













• negotiate_error


• Invalid ESP packet detected • Invalid ESP packet detected. (invalid padding length)












F0h

37196

Log Subtype IPsec

Severity Critical


Meaning An IPsec ESP error.



msg IPsec ESP







• dpd













• negotiate_error


• Invalid ESP packet detected • Invalid ESP packet detected. (invalid padding length)











37197

Log Subtype IPsec



Meaning Installation of IPsec SA occurred.


virtual domains exist, this field always contains root.

msg install IPsec SA







• dpd











in_spi The in_spi information.

out_spi The out_spi information.






F0h

37198

Log Subtype IPsec



Meaning Removed an IPsec Phase 1 SA.



msg delete IPsec phase 1SA







• dpd














37199

Log Subtype IPsec



Meaning Removed an IPsec Phase 2 SA.

Fields Field Descriptionvd The name of the virtual domain where the action occurred in.

If no virtual domains exist, this field always contains root.

msg delete IPsec phase 2 SA







• dpd















F0h

37200

Log Subtype IPsec

Severity Error


Meaning An IPsec DPD failure occurred.



msg IPsec DPD failure







• dpd













• negotiate_error





37201

Log Subtype IPsec

Severity Error


Meaning An IPsec connection failure occurred.



msg IPsec connection failure






• delete_IPsec_sa • phase2-down}

• dpd













• negotiate_error






F0h

37202

Log Subtype IPsec



Meaning An IPsec connection status changed.



msg IPsec connection status change







• dpd










tunnel_ip The VPN tunnel’s IP address.

tunnel_id The VPN tunnel’s identification number.

tunnel_type The type of VPN tunnel. This field contains IPsec.




next_stat The next_stat information.

tunnel The tunnel information.





37203

Log Subtype IPsec



Meaning An IPsec phase 2 status change.



msg IPsec phase 2 status change







• dpd










phase2_name The name of the Phase 2 configuration.





F0h

Event-L2TP/PPP/PPPoEEvent-L2TP/PPP/PPPoE log messages record events and activities that occur with the Internet and modem protocols, L2TP, PPP, and PPPoE.

2900129002290032900429009290152901629022290243000430005300063000730008300093100431005

31006310073100831009




Event-L2TP/PPP/PPPoE

29001

29002

Message ID 29001

Log Subtype L2TP/PPTP/PPPoE

Severity Variable


Meaning PPPd log message.

Fields Field Description user The name of the user creating the traffic.

local The local IP address.

remote The remote IP address.

assigned The assigned IP address.

stat The stat information.


Message ID 29002




Meaning PPPd authentication message.

Fields Field Description user The name of the user creating the traffic.

local The local IP address.



action This field always contains auth_success.

msg User <user_name> using <auth> with authentication protocol <protocol_information>






F0h

29003

29004

29009

Message ID 29003




Meaning The user failed authentication when trying to connect.

Fields Field Description local The local IP address.



action This field always contains auth_failed.

msg <user_name> is trying to connect using <auth> with authentication protocol <protocol_information>, failed.

Message ID 29004


Severity Warning


Meaning The maximum number of PPTP connections has been reached.

Fields Field Description status This field always contains failure.

action This field always contains connect.

msg PPTP: the maximum number of connections has been reached. No more clients can connect.

Message ID 29009




Meaning A PPPoE status report.

Fields Field Description gateway_ip The gateway IP address.

assigned_IP The assigned IP address.

mtu The MTU information.

msg PPPoE status report.





29015

29016

29022

29024

Message ID 29015


Severity Error


Meaning PPP has received bad options.

Fields Field Description msg Peer IP is the same as an interface IP <interface>.

IP(<interface_ip_address>).

Message ID 29016


Severity Error


Meaning PPP has received bad options.

Fields Field Description msg Local IP is the same as an interface IP <interface>.

IP(<interface_ip_address>)

Message ID 29022


Severity Warning


Meaning No IP address is currently available.


action This field always contains connect.

msg PPTP: No IP addresses left to assign in virtual domain: <virtual_domain_name>

Message ID 29024


Severity Warning


Meaning Not enough memory available.


action This field always contains start.

msg failed to expand pptp config list due to not enough memory.






F0h

30004

30005

30006

Message ID 30004


Severity Variable


Meaning Depending on the msg field, the meaning can be any one of the following: • The PPTPD successfully started. • An PPPTP log message.

Fields Field Description action This field always contains start.


msg This field contains any one of the following: • PPTPD: started successfully• The log message information, which is usually a sentence

explaining the activity and/or action taken.

Message ID 30005


Severity Error


Meaning The PPTPD failed to start.

Fields Field Description action This field always contains start.


reason failed to create socket

msg PPTPD failed to start because failed to create socket.

Message ID 30006




Meaning The PPTPD successfully exited.

Fields Field Description action This field always contains exit.


msg PPTPD exited successfully.





30007

30008

Message ID 30007


Severity Error


Meaning All PPTPD connections were closed because the PPTP setting changed.

Fields Field Description action This field always contains disconnect.


reason PPTP setting is changed.

msg PPTPD closed all client connections in vdom <vdom_name> because PPTP setting was changed.

Message ID 30007


Severity Error


Meaning The PPTPD disconnected.



reason failed to find the interface by device index

msg PPTPD closed all client connections in vdom <vdom_name> because failed to find the interface by device index.

Message ID 30008


Severity Error


Meaning PPTPD client connection.

Fields Field Description action This field always contains connect


msg Client <ip_address> control connection started.






F0h

30009

31004

31005

Message ID 30009




Meaning PPTPD client disconnected.



msg Client <client_name> control connection finished.

Message ID 31004


Severity Variable


Meaning An L2TP log message.

Fields Field Description msg The log message information. This is usually a sentence and

explains the activity and/or action taken.

Message ID 31005




Meaning L2TP exited successfully.

Fields Field Description action This field always contains exit.


msg L2TPD exited successfully.





31006

31007

Message ID 31006




Meaning L2TP closed all client connections in a specified VDOM because L2TP setting was changed.



reason L2TP setting changed.

msg L2TPD closed all client connections in vdom <vdom_name> because L2TP setting was changed.

Message ID 31006


Severity Warning


Meaning L2TP closed all client connections in a specified VDOM because failed to find interface by device index.



reason interface not found

msg L2TPD closed all client connections in vdom <vdom_name> because failed to find interface by device index.

Message ID 31007


Severity Warning


Meaning An L2TP client connection. There are no more available IP addresses to assign in the specified VDOM.

Fields Field Description action This field always contains connect.

status This field always contains failure

reason no ip available

msg No IP addresses left to assign in virtual domain: <vdom_name>






F0h

31008

31009

Message ID 31008




Meaning An L2TP connection started.

Fields Field Description action This field always contains connect.


msg Client <client_name> control connection started (id<ip_address>), assigned ip <ip_address>.

Message ID 31009




Meaning An L2TP connection has finished.



msg Client <client_name> control connection(id<ip_address>) finished.




F0h

Event-SSL VPNEvent SSL-VPN log messages record SSL-VPN user, administration and session events.

3942439425394264198441985419864198741988399363993739939399403994139942

3994439945399463994739948399493995039951




Event-SSL VPN

39424

Message ID 39424

Log Sub-type sslvpn-user



Meaning An SSL-VPN web access user has log into the system successfully.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates

that the SSL VPN tunnel is currently up and running.

tunnel_type The type of SSL VPN tunnel. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.


tunnel_id The tunnel identification number.

remote_ip The remote IP address.

tunnel_ip The tunnel IP address.



dst_host The destination host information.


msg SSL tunnel established.





Event-SSL VPN

F0h

39425

Message ID 39425

Log Sub-type sslvpn-user



Meaning An SSL-VPN tunnel was shut down.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-down, which

indicates that the SSL VPN tunnel is currently down, or not running.

tunnel_type The type of SSL VPN tunnel that was accessed. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.












msg SSL tunnel shutdown.




Event-SSL VPN

39426

41984

Message ID 39426

Log Type sslvpn-user

Severity Alert


Meaning An SSL VPN user has failed to log in.

Fields Field Descriptionaction The action of an SSL VPN user. This field contains ssl-login-fail, which

indicates that a user tried to log in using the SSL VPN tunnel but failed.

tunnel_type The type of SSL VPN tunnel that was accessed. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.









msg SSL user failed to logged in.

Message ID 41984

Log Type sslvpn-admin



Meaning An SSL-VPN admin user successfully uploaded a certificate.



action This field contains info.



msg A certificate is loaded.

cert-type This field contains any one of the following:

• CA • CRL

• Local • Remote





Event-SSL VPN

F0h

41985

41986

Message ID 41985




Meaning An SSL-VPN admin removed a certificate.






msg A certificate is removed.


• CA • CRL


Message ID 41986




Meaning An SSL-VPN admin regenerated a certificate.






msg A certificate is regenerated.


• CA • CRL


status This field contains success.




Event-SSL VPN

41987

41988

Message ID 41987




Meaning An SSL-VPN admin updated a certificate.





• CA • CRL


status This field contains success.

name The name of the certificate.

method The method information.

msg A certificate is updated.

Message ID 41988




Meaning An SSL-VPN admin changed a setting.





ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accessed the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).

msg User changed SSL setting.





Event-SSL VPN

F0h

39936

Message ID 39936

Log Type sslvpn-session



Meaning SSL VPN web tunnel statistics.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-stats.

tunnel_type The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.








next_stats The information of the next statistics.


sent The number of bytes sent.

rcvd The number of bytes received.


msg SSL web tunnel statistics.




Event-SSL VPN

39937

39938

Message ID 39937


Severity Warning


Meaning An SSL VPN web application was blocked.

Fields Field Descriptionaction This field contains ssl-web-deny.

tunnel_type The type of SSL VPN tunnel. This field contains ssl-web-deny. This indicates that the SSL VPN was blocked and users were denied access.








app-type The type of application that triggered the action within the control list.

msg SSL web application blocked.

Message ID 39938




Meaning An SSL VPN web application was activated.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-web-pass.

tunnel_type The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is for web access.









msg SSL web application timeout.





Event-SSL VPN

F0h

39939

39940

Message ID 39939




Meaning An SSL VPN web application timed out.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-web-timeout, which

indicates that the web application timed out.

tunnel_type The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.









msg SSL web application timeout.

Message ID 39940




Meaning An SSL VPN web application was closed.

Fields Field Descriptionaction The status of the SSL VPN web application. This field contains ssl-web-close,

which indicates that the application closed.

tunnel_type The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.









msg SSL web application closed.




Event-SSL VPN

39941

39942

Message ID 39941




Meaning The SSL VPN system is busy.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-sys-busy.

tunnel_type The type of SSL VPN tunnel. This field contains ssl-web which indicates it is an SSL VPN tunnel with web access.









msg SSL system busy.

Message ID 39942




Meaning A new SSL VPN certification was successfully verified.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-cert.

tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.









msg SSL new SSL certificate verification success.





Event-SSL VPN

F0h

39943

39944

Message ID 39943




Meaning A new connection was made.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-new-con, which indicates

a new SSL VPN tunnel connection was created.










msg SSL new connection.

Message ID 39944


Severity Error


Meaning SSL alerts

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-alert.

tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that this is an SSL VPN tunnel.








alert The alert information.

desc The description information.

msg SSL alerts




Event-SSL VPN

39945

39946

Message ID 39945

Log Type Session

Severity Error


Meaning An SSL VPN exit failed.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-exit-fail.










msg SSL exit fail.

Message ID 39946


Severity Error


Meaning An SSL VPN exit error.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-exit-error.










msg SSL exit error





Event-SSL VPN

F0h

39947

Message ID 39947




Meaning An SSL VPN tunnel was established.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates

that the current SSL VPN tunnel is up and running .

tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.









msg SSL tunnel established.




Event-SSL VPN

39948

Message ID 39948




Meaning The SSL VPN tunnel was shut down.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-down, which

indicates that the SSL VPN is no longer connected or running.

tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel.







dst_host Destination host.


sent The total number of bytes that were sent.

rcvd The total number of bytes that were received.


msg SSL tunnel shutdown.





Event-SSL VPN

F0h

39949

Message ID 39949




Meaning SSL tunnel statistics.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains tunnel-stats.









next_stats The next statistical number.


sent The total number of bytes that were sent.

rcvd The total number of bytes that were received.


msg SSL tunnel statistics




Event-SSL VPN

39950

39951

Message ID 39950




Meaning SSL VPN tunnel unknown tag.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-tunnel-unknown-tag.










msg SSL tunnel unknown tag

Message ID 39951


Severity Error


Meaning An SSL tunnel error.

Fields Field Descriptionaction The status of the SSL VPN tunnel. This field contains ssl-tunnel-error.










msg SSL tunnel error.





F0h

Event-VIP SSLEvent-VIP SSL log messages record VIP activities.

45001450034500545007450094501145012450134501545017450194502345027450294503145032




Event-VIP SSL

45001

Message ID 45001

Log Subtype VIP SSL

Severity Error


Meaning The SSL received an incorrect handshake message.



serial The serial number of the firewall session on which the event happened.

policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.

vip The virtual IP address.


src-port The source port number.


dst-port The destination port number.

action This field always contains received.

expected This field contains any one of the following:

• HelloRequest • ClientHello

• ServerHello • NewsSessionTicket

• Certificate • ServerKeyExchange

• CertificateRequest • ServerHelloDone

• CertificateVerify • ClientKeyExchange

• Finished

received This field contains any one of the following, especially if the record is corrupted:

• HelloRequest • ClientHello

• ServerHello • NewsSessionTicket

• Certificate • ServerKeyExchange

• CertificateRequest • ServerHelloDone

• CertificateVerify • ClientKeyExchange

• Finished

msg Incorrect SSL handshake message.





Event-VIP SSL

F0h

45003

45005

Message ID 45003

Log Subtype VIP SSL

Severity Error


Meaning An SSL handshake message has a bad length.










action This field always contains close.

handshake The handshake information.

msg Bad length in SSL handshake.

Message ID 45005

Log Subtype VIP SSL

Severity Error


Meaning An RSA verification of Diffie-Hellman parameters failed.











msg RSA verification of Diffie-Hellman parameters failed.




Event-VIP SSL

45007

Message ID 45007

Log Subtype VIP SSL

Severity Error


Meaning A Hash in the SSL Finished does not match the calculated hash. Each hash value in the local and remote log fields are hex encoded.










local The local information.

remote The remote information.


msg Hash in SSL Finished does not match calculated hash





Event-VIP SSL

F0h

45009

Message ID 45007

Log Subtype VIP SSL

Severity Error


Meaning The SSL decryption failed.











reason This field contains any one of the following:

• status_bad_pad_len=1 – indicates that the received SSL Record did not comply with RFC 4336 section 6.2.3.2 on padding_length

• status_bad_pad_value=2 – indicates that the received SSL Record did not comply with RFC 4346 section 6.2.3.2 on padding

• status_bad_mac=3 – indicates that the MAC in the received SSL Record did not match the MAC calculated by the FortiGate unit for that SSL Record.

• status_internal_error=4 – indicates that there was an internal error

msg SSL decryption failure




Event-VIP SSL

45011

45012

Message ID 45011

Log Subtype VIP SSL

Severity Error


Meaning An SSL minor version is below the configured minimum value.











min-minor The min-minor information.

recv-minor The recv-minor information.

msg SSL minor below minimum configured value.

Message ID 45012

Log Subtype VIP SSL

Severity Warning


Meaning The SSL maximum connection limit was reached.











msg SSL maximum connections reached.





Event-VIP SSL

F0h

45013

45015

Message ID 45013

Log Subtype VIP SSL

Severity Error


Meaning None of the offered SSL CipherSuites are supported.











msg None of the offered CipherSuites are supported

Message ID 45015

Log Subtype VIP SSL

Severity Error


Meaning The SSL handshake has an invalid length.










action This field always contains receive.

len The length information.

msg Incorrect SSL handshake length




Event-VIP SSL

45017

Message ID 45017

Log Subtype VIP SSL

Severity Error


Meaning The SSL handshake was too long.













max The maximum length information.

msg SSL Handshake too long





Event-VIP SSL

F0h

45019

Message ID 45019

Log Subtype VIP SSL

Severity Error


Meaning An SSL alert message was sent.










action This field always contains send.

level The level information.

desc This field contains any one of the following:

• fts_alert_desc_close_notify=0 – notifies the recipient that the sender will not send any more messages on this connection

• fts_alert_desc_unexpected_message=10 – an inappropriate message was received; this is usually fatal and should be observed closely

• fts_alert_desc_bad_record_mac=20 – is returned if a record is received with an incorrect MAC

• fts_alert_desc_decryption_failed=21 – may be returned if a TLSCiphertext decrypted in an invalid way; either it was not an even multiple of the block length or its padding values, when checked, were not correct (always fatal)

• fts_alert_desc_record_overflow=22 – a TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decypted to a TLSCompressed record with more than 2^14+1024 bytes (always fatal)

• fts_alert_desc_handshake_failure=40 – indicates the sender was unable to negotiate an acceptable set of security parameters given the options available (fatal error)

• fts_alert_desc_no_certificate=41 – indicates there is no available certificate

• fts_alert_desc_illegal_parameter=47 – a field in the handshake was out of range or inconsistent with other fields (always fatal)

• fts_alert_desc_decord_error=50 – a message could not be decoded because some field was out of the specified range or the length of the message was incorrect (always fatal)

• fts_alert_desc_decrypt_error=51 – a handshake cryptographic operation failed, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message

• fts_alert_desc_protocol_version=70 – the protocol version the client has attempted to negotiate is recognized but not supported (always fatal)




Event-VIP SSL

• fts_alert_desc_internal_error=80 – an internal error unrelated to the peer or correctness of the protocol (always fatal)

msg SSL Alert sent





Event-VIP SSL

F0h

45023

45027

Message ID 45023

Log Subtype VIP SSL

Severity Error


Meaning An SSL alert was received.













msg SSL Alert received

Message ID 45027

Log Subtype VIP SSL

Severity Error


Meaning An invalid SSL ContentType occurred.











type The type information.

msg Invalid SSL ContentType




Event-VIP SSL

45029

Message ID 45029

Log Subtype VIP SSL

Severity Error


Meaning An SSL ChangeCipherSpec has a bad length.











msg Bad length in SSL ChangeCipherSpec





Event-VIP SSL

F0h

45031

Message ID 45031

Log Subtype VIP SSL

Severity Error


Meaning An SSL ChangeCipherSpec has a bad length.










humin This field always contains close.

max The maximum information.

received The received information.






Event-VIP SSL

45032

Message ID 45032

Log Subtype VIP SSL

Severity Error


Meaning A certificate’s public key is too big for SSL off-loading.










hulen This field is always close.








F0h

Event-DNSEvent-DNS log messages record DNS response activity.

44288

Message ID 44288

Log Subtype Event-DNS



Meaning A DNS response log message.



policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.



src_int The name of the source interface.

dst_int The name of the destination interface.


group The name of the gorup creating the traffic.

dns_name The name of the DNS sesrver.

dns_ip The IP address of the DNS server.




Event-DNS





F0h

Event-configEvent-config log messages record configuration changes that an administrator or user makes to the FortiOS configuration.

44544445454454644547




Event-config

44544

44545

Message ID 44544

Log Sub-type Event-config



Meaning A configuration path log message.



user The name of the user changing the configuration setting.

ui The user interface.

action This can be any one of the following:

• add • edit

• delete • clear

• move • rename

• clone • abort

cfg_tid The configuration transaction identification number.

cfg_path The configuration path.


Message ID 44545




Meaning A configuration object log message.






• add • edit


• move • rename

• clone • abort



cfg_obj The configuration object.






Event-config

F0h

44546

Message ID 44546




Meaning A configuration attributes log message.






• add • edit


• move • rename

• clone • abort



cfg_attr The configuration attributes.





Event-config

44547

Message ID 44547




Meaning A configuration object attributes log message.






• add • edit


• move • rename

• clone • abort



conf_obj The configuration object.

cfg_attr The configuration attributes.






F0h

Event-authEvent-auth log messages record authentication activity, including FSAE activity and NTLM authentication.

430084300943010430114301243013430144301543016430174301843019430204302143022

430234302443025430254302643027430284302943030




Event-auth

43008

Message ID 43008

Log Subtype auth



Meaning The authentication was successful.





policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.




action The action that was taken. This can be any one of the following:

• authentication • FSAE-auth

• FSAE-logon • FSAE-logoff

• NTLM-auth

status The status of the authentication session. This can be any one of the following:

• success • failure

• timed_out • locked_out

reason The reason for recording the activity.






Event-auth

F0h

43009

Message ID 43009

Log Subtype auth



Meaning The authentication session failed.












• NTLM-auth









Event-auth

43010

Message ID 43010

Log Subtype auth

Severity Warning


Meaning The authentication locked out.












• NTLM-auth










Event-auth

F0h

43011

Message ID 43011

Log Subtype auth



Meaning The authentication timed out.












• NTLM-auth









Event-auth

43012

Message ID 43012

Log Subtype auth



Meaning FSAE authentication was successful.







adgroup The name of the active directory group.






• NTLM-auth










Event-auth

F0h

43013

Message ID 43013

Log Subtype auth



Meaning The FSAE authentication failed.













• NTLM-auth









Event-auth

43014

43015

Message ID 43014

Log Subtype auth



Meaning The FSAE user logged on.




user The name of the FSAE user who is logggin on.

server The IP address of the FSAE server.




• NTLM-auth


Message ID 43015

Log Subtype auth



Meaning The FSAE user logged off.




user The name of the FSAE user who is logggin on.

server The IP address of the FSAE server.




• NTLM-auth






Event-auth

F0h

43016

Message ID 43016

Log Subtype auth



Meaning The NTLM authentication was successful.













• NTLM-auth









Event-auth

43017

Message ID 43017

Log Subtype auth



Meaning The NTLM authentication failed.













• NTLM-auth










Event-auth

F0h

43018

43019

Message ID 43018

Log Subtype auth

Severity Warning


Meaning The FortiGuard override failed.





initiator The initiator information.






Message ID 43019

Log Subtype auth

Severity Warning
















Event-auth

43020

Message ID 43020

Log Subtype auth



Meaning The FortiGuard override was successful.





initator The initiator information.

status This can be any one of the following:



reason The reason that the activity or action occurred.

scope This can be any one of the following:

• user • user_group

• ip • profile

unhandled

scope_data The scope data information.

rule_type This can be any one of the following:

• directory • domain

• rating • unhandled


offsite This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.







Event-auth

F0h

43021

43022

43023

Message ID 43021

Log Subtype auth



Meaning Endpoint checking event.






Message ID 43022

Log Subtype auth



Meaning Endpoint license distribution.






Message ID 43023

Log Subtype auth



Meaning Endpoint detection.









Event-auth

43024

43025

Message ID 43024

Log Subtype auth



Meaning Endpoint detection.






Message ID 43025

Log Subtype auth



Meaning The authentication was successful.












• NTLM-auth










Event-auth

F0h

43026

Message ID 43026

Log Subtype auth



Meaning The authentication failed.












• NTLM-auth









Event-auth

43027

Message ID 43027

Log Subtype auth



Meaning The authentication session timed out.












• NTLM-auth










Event-auth

F0h

43028

Message ID 43028

Log Subtype auth



Meaning The authentication session failed.












• NTLM-auth









Event-auth

43029

Message ID 43029

Log Subtype auth



Meaning The FortiGuard override was successful.





initator The initiator information.

status This can be any one of the following:



reason The reason the activity or action occurred.

scope This can be any one of the following:

• user • user_group

• ip • profile

unhandled

scope_data The scope data information.

rule_type This can be any one of the following:


• rating • unhandled


offsite This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.







Event-auth

F0h

43030

Message ID 43030

Log Subtype auth

Severity Warning
















Event-auth





F0h

Event-wadEvent-wad log messages record WAN optimization events, such as a user adding an WAN optimization rule as well as web proxy events.

40960480014800348005480074800948011480124801348015480174801948023480274802948031480324810048101

48102481234812448124481274812948131481324820048201482054830048301




Event-wad

40960

Message ID 40960

Log Subtype wad



Meaning A web proxy forward server error.



fwserver_name The name of the web proxy server.

addr_type The type of address used, for example FQDN. This field contains either IP or FQDN.

ip The IP address.

fqdn The FQDN address.

port The port number.

msg The log message is any one of the following:

• Failed to connection to forward server.

• Successfully connected to forward server.





Event-wad

F0h

48001

48003

Message ID 48001

Log Subtype wad

Severity Error


Meaning The SSL received an incorrect handshake message.




policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.






expected The expected information.


msg Incorrect SSL handshake message.

Message ID 48003

Log Subtype wad

Severity Error


Meaning The SSL handshake message contains a bad length.











msg Bad length in SSL handshake.




Event-wad

48005

48007

Message ID 48005

Log Subtype wad

Severity Error


Meaning The RSA verification of Diffie-Hellman parameters failed.










msg RSA verification of Diffie-Hellman parameters failed.

Message ID 48007

Log Subtype wad

Severity Error


Meaning The hash in SSL FInished does not match the calculated hash.









local The local information.

remote The remote information.


msg Hash in SSL Finished does not match calculated hash.





Event-wad

F0h

48009

48011

Message ID 48009

Log Subtype wad

Severity Error


Meaning An SSL decryption failure occurred.











msg SSL decryption failure.

Message ID 48011

Log Subtype wad

Severity Error


Meaning An SSL minor version is less than the configured minimum value.










min-minor The min-minor information.

recv-minor The recv-minor information.

msg SSL minor below minimum configured value.




Event-wad

48012

48013

Message ID 48012

Log Subtype wad

Severity Warning


Meaning The maximum limit of SSL connections were reached.










msg SSL maximum connections reached.

Message ID 48013

Log Subtype wad

Severity Error


Meaning There is no support for the offered CipherSuites.










msg None of the offered CipherSuites are supported.





Event-wad

F0h

48015

48017

Message ID 48015

Log Subtype wad

Severity Error


Meaning The SSL handshake does not have a valid length.











msg Incorrect SSL handshake length.

Message ID 48017

Log Subtype wad

Severity Error


Meaning The SSL handshake is too long.













msg SSL Handshake too long




Event-wad

48019

48023

Message ID 48019

Log Subtype wad

Severity Error


Meaning An SSL alert message was sent.









action This field always contains send.



msg SSL Alert sent

Message ID 48023

Log Subtype wad

Severity Error


Meaning An SSL alert message was received.












msg SSL Alert received.





Event-wad

F0h

48027

48029

Message ID 48027

Log Subtype wad

Severity Error


Meaning An invalid SSL content type was received.










type The type information.

msg Invalid SSL ContentType.

Message ID 48029

Log Subtype wad

Severity Error


Meaning An SSL ChangeCipherSpec has bad length.










msg Bad length in SSL ChangeCipherSpec.




Event-wad

48031

Message ID 48031

Log Subtype wad

Severity Error


Meaning An SSL ChangeCipherSpec has bad length.









min The minimum information.









Event-wad

F0h

48032

Message ID 48032

Log Subtype wad

Severity Error


Meaning The certificate’s public key is too big for SSL offloading to handle.
















Event-wad

48100

48101

Message ID 48100

Log Subtype wad

Severity Error


Meaning Cert authentication has failed.









msg authentication failed: cert authentication failed.

Message ID 48101

Log Subtype wad

Severity Error


Meaning Authentication failed because of an incorrect private shared key.









authgrp The authentication group information.

host The host information.

msg authentication failed: incorrect psk.





Event-wad

F0h

48102

48123

Message ID 48102

Log Subtype wad

Severity Error


Meaning Authentication failed.









authgrp The authentication group information.

peer The peer information.

msg authentication failed: <reason>

Message ID 48123

Log Subtype wad



Meaning A WAN optimization rule was changed.









msg A wan-opt rule has changed.




Event-wad

48124

Message ID 48124

Log Subtype wad



Meaning A WAN optimization rule was added.









msg A wan-opt rule is added.

Message ID 48124

Log Subtype wad



Meaning A WAN optimization rule was removed.





id The identification information.

msg User <user_name> deleted a wad rule <rule_name> from <ui>





Event-wad

F0h

48127

48129

Message ID 48127

Log Subtype wad



Meaning A web cache name was entered or a host name was entered.





msg This field contains one of the following: • user <user_name> set web proxy name. • user<user_name> set wan acceleration host-id

Message ID 48129

Log Subtype wad



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The specified user set the WAN-opt storage. • The specified user deleted the WAN-opt storage entry. • The specified user set the byte cache storage.• The specified user set the web cache storage.• The specified user deleted the disk storage entry. • The ISCSI target is set.





action The action information. This field does not appear for all 48129 log messages.

name The name information.

msg This field contains one of the following: • user <user_name> set wanopt storage <storage> size=<size_amount>• Administrator <user_name> disk storage <disk_storage> from <ui>• user <user_name> delete disk storage entry




Event-wad

48131

48132

Message ID 48131

Log Subtype wad



Meaning A user added a WAN accelerator SSL server.






msg User <user_name> added a wan accelerator ssl server setting <ssl_server_setting> from <ui>.

Message ID 48132

Log Subtype wad



Meaning A user removed a WAN accelerator SSL server.






msg User <user_name> deleted a wan accelerator ssl server setting <ssl_server_setting> from <ui>





Event-wad

F0h

48200

48201

Message ID 48200

Log Subtype wad



Meaning A user added a network peer.






msg User <user_name> added network accelerator peer <peer_name> from <ui>

Message ID 48201

Log Subtype wad



Meaning A user deleted a peer.






msg User <user_name> deleted a network accelerator peer entry <peer_name> from <ui>




Event-wad

48205

48300

Message ID 48205

Log Subtype wad



Meaning A user deleted an authentication group entry.





auth-group The authentication group information.

msg User <user_name> deleted a network accelerator auth-group entry <auth_group_name> from <ui>

Message ID 48300

Log Subtype wad

Severity Critical


Meaning The server side, FortiGate, is not properly configured.





rule-id The identification number of the rule.





msg auto detection failed: server side ftg is not properly configured.





Event-wad

F0h

48301

Message ID 48301

Log Subtype wad

Severity Critical


Meaning An unexpected application type was detected.





rule-id The identification number of the rule.






msg unexpected application type. Please report.




Event-wad





F0h

Event-LDB-monitorEvent-LDB-monitor log messages record VIP activities.

4600046001460024600346004460054610046101




Event-LDB-monitor

46000

46001

Message ID 46000

Log Subtype ldb-monitor



Meaning The VIP real server was enabled.



vip The name of the virtual IP list used.




action This field always contains enable.

msg ldb server enabled.

Message ID 46001


Severity Alert


Meaning The VIP real server was disabled.







action This field always contains disable.

msg ldb server disabled.





Event-LDB-monitor

F0h

46002

46003

Message ID 46002




Meaning The VIP real server is now up.







action This field always contains up.

msg ldb server up.

Message ID 46003


Severity Alert


Meaning The VIP real server is down.







action This field always contains down.

msg ldb server down




Event-LDB-monitor

46004

46005

Message ID 46004




Meaning The VIP real server has started a hold down period.







action This field always contains holddown.

msg ldb server entered holddown period

interval The hold-down interval period in seconds.

Message ID 46000


Severity Alert


Meaning The VIP realserver failed during the hold down period.







action This field always contains holddown

msg ldb server health checking failed during holddown period.





Event-LDB-monitor

F0h

46100

46101

Message ID 46100




Meaning A load balance server monitor was added.






msg User <user_name> added load balance monitor <load_balance_monitor_name> from <ui>

Message ID 46100




Meaning A load balance server monitor was added.






msg User <user_name> deleted a load balance server monitor <load_balance_monitor_name> from <ui>




Event-LDB-monitor





F0h

Event-nac-quarantineEvent-nac-quarantine log messages record quarantine events, such as when banned users are quarantined.

43776

Log Sub-type nac-quarantine



Meaning A NAC quarantine event was recorded.



src The banned IP address.


src_int The banned interface.

dst_int The destination interface.



proto The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).



• ban-ip • ban-src-dst-ip (banned all traffic from source IP to destination IP by NAC quarantine)

• ban-interface



policid The ID number of the firewall policy that applies the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.

banned_src The banned source. This field contains any one of the following:

• ips • dlp-compound

• dos • av

• dlp-rule

banned_rule The banned rule or reason that was detected.

sensor The name of the DLP sensor that was used to detect and take action.




Event-nac-quarantine





F0h

Event-his-performanceEvent-his-performance log messages record the FortiGate unit’s performance statistics.

40704

Message ID 40704

Log Sub-type his-performance



Meaning Performance statistics for the FortiGate unit.



action This field contains perf-stats.

cpu The CPU usage in percent.

mem The memory usage in percent.

total_session The total number of sessions.

msg Performance statistics.




Event-his-performance





F0h

Event-HAEvent-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe changes in cluster unit status. These changes in status occur if a cluster unit fails/starts up, or if a link fails/restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use the serial number to determine which cluster unit’s status has changed.

3788837889378903789137892378933789437895378963789737898378993790037901




Event-HA

37888

37889

37890

Message ID 37888

Log Subtype HA



Meaning A specified HA group was deleted.



msg HA group is deleted.

ha_group The number of the HA group.

Message ID 37889

Log Subtype HA



Meaning A specified virtual cluster was deleted.



msg Virtual cluster is deleted.

vcluster The number of the virtual cluster.

Message ID 37890

Log Subtype HA



Meaning A specific VDOM in a virtual cluster was moved.



msg Virtual cluster’s vdom is moved.

from_vcluster The number of the virtual cluster that the VDOM is being moved from.

to_vcluster The number of the virtual cluster that the VDOM is being moved to.

vdname The name of the virtual domain where the VDOM has been moved to.





Event-HA

F0h

37891

37892

Message ID 37891

Log Subtype HA



Meaning A VDOM was added to the specified virtual cluster.



msg Virtual cluster’s vdom is added.

to_vcluster The number of the virtual cluster that the VDOM was added to.

vdname The name of the virtual domain where the new VDOM was added in.

Message ID 37892

Log Subtype HA



Meaning A virtual cluster moved a member’s status.



msg Virtual cluster’s member state moved

ha_role The role of the unit within the cluster, for example, subordinate. This field contains either slave or master. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.

vcluster The number of the virtual cluster that the VDOM was added to.

vcluster_state The state the virtual cluster is in. This field contains any one of the following:

• init • work

• helo • standby

vcluster_member The number of the member of the virtual cluster.

hostname The host name.

sn The serial number of the log message.




Event-HA

37893

37894

37895

Message ID 37893

Log Subtype HA



Meaning A virtual cluster’s member was detected and its status was that it was not functioning.



msg Virtual cluster detected memeber dead.



Message ID 37894

Log Subtype HA



Meaning A virtual cluster’s member was detected and its status was that it joined the virtual cluster.



msg Virtual cluster detected member join



Message ID 37895

Log Subtype HA



Meaning A FortiGate unit in HA mode was added to the virtual cluster. The unit’s name is not given, only its internal interface name.



msg Virtual cluster add HA device


devintfname The name of the unit’s interface.





Event-HA

F0h

37896

37897

Message ID 37896

Log Subtype HA



Meaning A FortiGate unit in HA mode was deleted from the virtual cluster. The unit’s name is not given, only its internal interface name.



msg Virtual cluster delete HA device(interface)



Message ID 37897

Log Subtype HA



Meaning A FortiGate unit in HA mode is ready. The unit’s name is not given, only its internal interface name.



msg HA device(interface) ready

ha_role The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.





Event-HA

37898

37899

Message ID 37898

Log Subtype HA

Severity Warning


Meaning A FortiGate unit in HA mode failed. The unit’s name is not given, only its internal interface name.



msg HA device(interface) fail

ha_role The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.

devintfname The name of the interface of the device.

Message ID 37899

Log Subtype HA



Meaning A FortiGate unit in HA mode with peer information. The unit’s name is not given, only its internal interface name.



msg HA device(interface) peerinfo

ha_role The type of role the unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.






Event-HA

F0h

37900

37901

Message ID 37900

Log Subtype HA



Meaning The HA heartbeat was deleted.



msg Heartbeat device(interface) delete

devintfname The name of the interface on the FortiGate unit.

Message ID 37901

Log Subtype HA

Severity Critical


Meaning The FortiGate unit in HA mode is not functioning properly. The unit’s name is not given, only its internal interface name.



msg Heartbeat device(interface) down

ha_role The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.

hbdn_reason The reason why the heartbeat is currently down. This field contains either linkfail or neighbor-info-lost.





Event-HA

37902

37903

Message ID 37902

Log Subtype HA



Meaning The HA heartbeat is up.



msg Heartbeat device(interface) up

ha_role The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.


Message ID 37903

Log Subtype HA



Meaning The primary unit’s synchronization status.



msg The sync status with the master

sync_type The type of synchronization being performed. This field contains either configurations or external-files.

synt_status The status of the synchronization. This field contains either out-of-sync or in-sync.





Event-HA

F0h

37904

Message ID 37904

Log Subtype HA



Meaning The HA activity report



msg HA activity report

vd The name of the virtual domain where the information for the report was gathered from.

ip The IP address of the unit.

ha-prio The priority number of the unit.

activity The HA activity message.




Event-HA





F0h

Event-patternEvent-pattern logs are recorded whenever an administrator updates virus, IPS, and antispam databases from the FortiGuard network.

4100041001




Event-pattern

41000

Message ID 41000

Log Subtype pattern



Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The specified administrator updated the IPS database from the web-based

manager. • The specified administrator failed to updated the virus database from the

web-based manager. • The specified administrator successfully updated the AntiSpam database from

the web-based manager. • The specified administrator successfully updated the IPS database from the

web-based manager.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action This field is always update.


msg This field contains any one of the following: • VCM plugin has been updated successfully by user <user_name> via

GUI(<ip_address>)• Virus database has been updated successfully by user <user_name> via

GUI(<ip_address>)• Antispam database has been updated successfully by user <user_name> via

GUI (<ip_address>)• IPS database has been updated successfully by user <user_name> via GUI

(<ip_address>)





Event-pattern

F0h

41001

Message ID 41001

Log Subtype pattern

Severity Critical


Meaning Depending on what appears in the msg field, the meaning can be any one of the following: • The specified administrator failed to update the IPS database from the web-based

manager. • The specified administrator failed to update the virus database from the

web-based manager. • The specified administrator failed to update the AntiSpam database from the

web-based manager. • The specified administrator failed to update the IPS database from the web-based

manager.


ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action This field is always update.


msg This field contains any one of the following: • Update VCM plugin failed by user <user_name> via GUI (<ip_address>)• Update virus database failed by user <user_name> via GUI(<ip_address>)• Update AntiSpam database failed by user <user_name> via GUI(<ip_address>)• Update IPS database failed by user <user_name> via GUI(<ip_address>)




Event-pattern





F0h

Event-RADIUSEvent RADIUS log messages record RADIUS server events.

386563865738658386593866038661386623866338664386653866638667




Event-RADIUS

38656

38657

38658

Message ID 38656

Log Sub-type RADIUS



Meaning A RADIUS protocol error report.






Message ID 38657

Log Sub-type RADIUS



Meaning A RADIUS profile error report.






Message ID 38658

Log Sub-type RADIUS



Meaning A RADIUS context error report.










Event-RADIUS

F0h

38659

38660

38661

Message ID 38659

Log Sub-type RADIUS



Meaning A RADIUS missing stop packet report.






Message ID 38660

Log Sub-type RADIUS



Meaning A RADIUS accounting event report.






Message ID 38661

Log Sub-type RADIUS



Meaning A RADIUS other dynamic profile report.









Event-RADIUS

38662

38663

Message ID 38662

Log Sub-type RADIUS



Meaning RADIUS protocol errors occurred.




ip The IP address.



acc_stat The accounting state. This field contains any one of the following:

• Start • Stop

• Interim-Update • Accounting-On

• Accounting-Off


Message ID 38663

Log Sub-type RADIUS



Meaning A RADIUS start or interim-update packet received with missing or invalid profile specified.




ip The IP address.



acct_stat This field contains any one of the following:

• Start • Stop


• Accounting-Off






Event-RADIUS

F0h

38664

38665

Message ID 38664

Log Sub-type RADIUS



Meaning RADIUS context not found for user.




ip The IP address.



Message ID 38665

Log Sub-type RADIUS



Meaning A RADIUS stop packet was missed.




ip The IP address.



acct_stat The accounting state. This field contains any one of the following:

• Start • Stop


• Accounting-Off





Event-RADIUS

38666

38667

Message ID 38666

Log Sub-type RADIUS



Meaning A RADIUS account event.




ip The IP address.




• Start • Stop


• Accounting-Off


Message ID 38667

Log Sub-type RADIUS



Meaning A RADIUS other dynamic profile event.




ip The IP address.




• Start • Stop


• Accounting-Off






F0h

Event-notificationEvent-notification logs messages record sent email notification alerts.

384003840138402




Event-notification

38400

Message ID 38400

Log Subtype Notification



Meaning The system successfully sent an email notification message.




from The sender’s email address.

to The recipient’s email address.


proto The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following:

• mm1 • mm4

• mm3 • mm7


dport The destination port number.

nf_type The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following:

• bword • file_block

• carrier_ep_bwl • flood

• dupe • alert

• mms_checksum • virus

virus The name of the virus that was found.


profiletype The type of profile used.

profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.



msg Successfully sent a notification message.





Event-notification

F0h

38401

Message ID 38401


Severity Warning


Meaning The system failed to send an email notification message.







proto The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following:

• mm1 • mm4

• mm3 • mm7



nf_type The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following:

• bword • file_block

• carrier_ep_bwl • flood

• dupe • alert

• mms_checksum • virus

virus The name of the virus that was found.






msg Unable to send notification message.

sess_duration The session duration number.




Event-notification

38402

Message ID 38402




Meaning The system was unable to resolve an MMSC hostname.






profile_vd The virtual domain that the profile is from.

msg Unable to resolve hostname.





F0h

Event-amc-intf-bypassEvent-amc-intf-bypass log messages record the AMC disks’ bypass mode activity.

47201

47202

Message ID 47201

Log Sub-type amc-intf-bypass

Severity Emergency


Meaning AMC card entered bypass mode.

Fields Field Descriptionmsg The AMC card in slot <slot_number> has entered bypass mode due to <reason>.

Message ID 47202

Log Sub-type amc-intf-bypass

Severity Emergency


Meaning AMC card exited bypass mode.

Fields Field Descriptionmsg The AMC card in slot <slot_number> has exited bypass mode due to <reason>.




Event-amc-intf-bypass





F0h

Event-GTPEvent-GTP log messages record GTP activity. These messages are recorded only when running FortiOS Carrier firmware.

41216412174121841219412204122141222




Event-GTP

41216

Message ID 41216

Log Subtype GTP


Firmware version FortiOS Carrier 4.0 MR3

Meaning GTP forward



profile The name of the VoIP profile that was used to detect and take action.

status This field can contain any one of the following:

• forwarded • prohibited

• rate-limited • state-invalid

• tunnel-limited • traffic-count

• user-data

version The version number.

msg-type The number of the message type.


from The source IP address.

to The destination IP address.

imsi The IMSI information.

msisdn The MSISDN information.

apn The APN information.

selection This field contains any one of the following:

• apns-vrf • ms-apn-no-vrf

• net-apn-no-vrf

c-gsn The GSN IP address for signaling.

u-gsn The GSN IP address for user traffic.

nsapi The NSAPI number.

linked-nsapi The linked-NSAPI number.

imei-sv The IMEI-SV information.

rat-type This field contains any one of the following

• utran • gan

• geran • hspa

• wlan

rai The RAI information.

uli The ULI information.

end-user-address The end-user’s IP address.





Event-GTP

F0h

41217

Message ID 41217

Log Subtype GTP



Meaning GTP deny








• user-data






deny-cause Explains why the message is prohibited. This field contains any one of the following:

• packet-sanity • invalid-reserved-field

• reserved-msg • out-state-msg

• reserved-ie • out-state-ie

• invalid-msg-length • invalid-ie-length

• miss-mandatory-ie • ip-policy

• non-ip-policy • sgsn-not-authorized

• sgsn-no-handover • ggsn-not-authorized

• invalid-seq-num • msg-filter

• apn-filter • imsi-filter

• adv-policy-filter






• net-apn-no-vrf

c-gsn The IP address.

u-gsn The IP address.

nsapi The number of NSAPI.




Event-GTP

linked-nsapi The number of linked-NSAPI.



• utran • gan

• geran • hspa

• wlan








Event-GTP

F0h

41218

Message ID 41218

Log Subtype GTP



Meaning GTP rate limit.








• user-data






imsi The identification number of the IMSI.

msisdn The identification number of the MSISDN.

apn The identification number for APN.



• net-apn-no-vrf



nsapi The NSAPI number.

linked-nsapi The linked-NSAPI number.



• utran • gan

• geran • hspa

• wlan







Event-GTP

41219

Message ID 41219

Log Subtype GTP



Meaning GTP state invalid

Fields Field Descriptionvd The name of the virtual domain where the action occurred in.

If no virtual domains exist, this field always contains root.


status This field always contains state-invalid. This means the message is blocked because the FortiGate unit found no valid state. For example, a response message comes in and the FortiGate unit detects no corresponding request message.











• net-apn-no-vrf







• utran • gan

• geran • hspa

• wlan








Event-GTP

F0h

41220

Message ID 41220

Log Subtype GTP



Meaning Tunnel limit GTP message. These messages occur only when the maximum number of GTP tunnels is reached. No new tunnels are created when the maximum number is reached.








• user-data











• net-apn-no-vrf







• utran • gan

• geran • hspa

• wlan







Event-GTP

41221

Message ID 41221

Log Subtype GTP



Meaning Statistic summary information when the GTP tunnel is being torn down.








• user-data


c-sgsn The SGSN IP address for signaling.

c-ggsn The GGSN IP address for signaling.

u-sgsn The SGSN IP address for user traffic.

u-ggsn The GGSN IP address for user traffic.

c-sgsn-teid The identification number.

c-ggsn-teid The identification number.

u-sgsn-teid The identification number.

u-ggsn-teid The identification number.

tunnel-idx The tunnel’s identity index number.

duration The duration of the GTP tunnel’s existence. The duration is in seconds.

c-pkts The number of GTP-c packets.

c-bytes The number of bytes for GTP-c signaling traffic.

u-pkts The number of GTP-u packets.

u-bytes The number of bytes for GTP-u user traffic.






• net-apn-no-vrf

nsapi The NSAPI information.

linked-nsapi The linked-NSAPI information.






Event-GTP

F0h

rat-type This field contains any one of the following:

• utran • gan

• geran • hspa

• wlan







Event-GTP

41222

Message ID 41222

Log Subtype GTP



Meaning GTP user data








• user-data


tunnel-idx The tunnel’s identity index number.







user_data The actual user traffic content, represented in hexidecimal form.





F0h

Event-MMS-StatsEvent-MMS log messages record MMS activity. These log messages are recorded only when running FortiOS Carrier firmware.

43264

Message ID 43264

Log Sub-type MMS



Meaning MMS statistics.



proto The MMS protocol that was used. This field can be any one of the following:

• mm1 • mm3

• mm4 • mm7

infected The number of infected messages.

suspicious The number of suspicous messages.

scanned The number of scanned messages.

intercepted The number of intercepted messages.

blocked The number of blocked messages.

checksum The number of content checksum blocked messages.

duration The duration of the interval this counts over.




Event-MMS-Stats





F0h

Event-VoIPEvent-VoIP log messages record VoIP activites that include the SIP and SCCP protocols.

44032440334403444035440364403744038




Event-VoIP

44032

Message ID 44032

Log Subtype VoIP



Meaning A SIP log.



session_id The session identification number.

epoch The user session identification number.

event_id The event’s serial identification number.




dst_port The destination port number

proto The transport protocol number.

src_int The source interface.





endpoint The endpoint information.

profile The name of the VoIP profile that was used to detect the SIP activity.

profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured.

profile_type The type of profile used.

voip_proto The VoIP application protocol that was detected. This field contains either sip or sccp.

kind This field contains any one of the following:

• register • call-info

• unregister • call-block

• call


• permit • cm-reject

• block • exempt

• monitor • ban

• kickout • ban-user

• encrypt-kickout • log-only





Event-VoIP

F0h


• start • succeeded

• end • failed

• timeout • authentication-required

• blocked


dir The direction of the traffic. This field contains either inbound or outbound.

from The source name.

to The destination name.




Event-VoIP

44033

Message ID 44033

Log Subtype VoIP



Meaning SIP was blocked.


















profile_group The name of the profile group. This is for FortiOS Carrier only.

profile_type The type of profile that was used.





• call




• monitor • ban







Event-VoIP

F0h



• end • failed


• blocked


• rate-limit • dialog-limit

• long-header • unrecognized-form

• unknown • block-request

• phone • session-close

• new-register • invalid-ip

• exceed-rate



message_type The type of message. This field contains either request or response.

request_name The name of the request.


from The source name.

to The destination name.




Event-VoIP

44034

Message ID 44034

Log Subtype VoIP



Meaning SIP fuzzing occurred.





event_id The event’s identification serial number













profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. profile groups are only available in FortiOS Carrier.






• call




• monitor • ban





message_type The type of message. This field contains either request or response.





Event-VoIP

F0h

request_name The request name.

malform_desc The description of the syntax error. This field contains any one of the following:

• unexpected-character • invalid-quoting-character

• trailing-bytes • header-line-oversize

• msg-body-oversize • domain-name-oversize

• domain-name-oversize • domain-label-oversize

• syntax-malformed • duplicated-sip-header

• space-violation • invalid-ip4-address

• invalid-ipv6-address • invalid-port

• invalid-fqdn • no-matching-double-quote

• empty-quoted-string • invalid<userinfo>

• invalid-escape-encoding-in<userinfor>

• invalid-escape-encoding-in-uri-paramter

• invalid-escape-encoding-in-uri-header

• invalid-escape-encoding-in<reason-phrase>

• port-expected • port-not-allowed

• domain-name-invalid • <gen-value>-expected

• invalid-<gen-value> • invalid-<quoted-string>-in-<gen-value>

• ipv4-address-expected • ipv6-address-expected

• uri-expected • invalid-transport-uri-parameter

• invalid-user-uri-parameter • invalid-method-uri-parameter

• invalid-ttl-uri-parameter • invalid-uri-parameter-pname

• invalid-uri-parameter-value • uri-parameter-repeat

• invalid-uri-header-name • invalid-uri-header-value

• invalid-uri-header-name-value-pair

• invalid-quoted-string-in-display-name

• left-angle-bracket-is-mandatory • right-angle-bracket-not-found

• invalid-status-code • no-METHOD-on-request-line

• uri-parameters-not-allowed-by-RFC

• unknown-scheme

• whitespace-expected • LWS-expected

• invalid-<SIP-Version>-on-request-line

• invalid-<protocol-name>

• invalid-<protocol-version> • invalid-<transport>

• no-SLASH-after-<protocol-name>

• no-SLASH-after-<protocol-version>

• header-parameter-expected • invalid-ttl-parameter

• invalid-madddr-parameter • invalid-received-parameter

• invalid-branch-parameter • invalid-rport-parameter

• via-parameter-repeat • <seq>-number-expected

• <method>-expected • <method>-does-not-match-the-request-line

• <response-num>-expected • <CSeq-num>-expected

• <Method>-expected-after-<CSeq-num>

• expires-header-repeated




Event-VoIP

• <delta-seconds>expected • invalid-max-forwards

• token-expected • invalid-expires-parameter

• invalid-q-parameter • <generic-param>-with-invalid<gen-value>

• <m-type>-expected • SLASH-expected-after-<m-type>

• <m-subtype>expected • <m-attribute>-expected-after-SEMI

• boundary-parameter-appears-more-than-once

• EQUAL-expected-after-<m-attribute>

• invalid-<quoted-string>-in-<m-value>

• invalid-<m-value>

• multipart-Content-Type-has-no-boundary

• digits-expected

• IN-expected • IP-expected

• IP4-or-IP6-expected • IPv4-or-IPv6-address-expected

• line-order-error • z-line-not-allowed-on-media-level

• <time>-expected • <typed-time>-expected

• r-line-not-allowed-on-media-level

• <repeat-interval>-expected

• <bwtype>-expected • colon-expected

• <bandwidth>-expected • t-liine-not-allowed-on-media-level

• invalid-<start-time> • invalid<stop-time>

• too-many-i-lines • <text>-expected

• too-many-c-lines • too-many-v-line

• v-line-not-allowed-on-media-level

• too-many-o-lines

• o-line-not-allowed-on-media-level

• <username>-expected

• <sess-id>-expected • <sess-version>-expected

• too-many-s-lines • s-line-not-allowed-on-media-level

• too-many-m-lines • <media>-expected

• <integer>-expected • <proto>-expected

• <token>-expected-in-<proto>-after-slash

• <fmt>-expected

• <att-field>-expected • <att-value>-expected

• <payload-type>-expected-in-rtpmap

• <encoding-name>-expected-in-rtpmap

• slash-expected-after-<encoding-name>-in-rtpmap

• invalid-<clock-rate>-in-rtpmap

• invalid-<encoding-parameters>-in-rtpmap

• invalid-candidate-line

• sdp-candidate-line-before-m-line

• sip-Yahoo-candidate-invalid-protocol

• invalid-port-after-ip-address-in-candidate-line

• too-many-candidate-lines

• sdp-invalid-alt-line • sdp-alt-line-before-m-line

• invalid-port-after-ip-address-in-alt-line

• sdp-rtcp-line-before-m-line

• invalid-port-in-rtcp-lines • too-many-rtcp-lines





Event-VoIP

F0h

• <callid>-expected • <word>-expected

• invalid-tag-parameter • no-tag-parameter

• sdp-v-o-s-t-lines-are-mandatory • unknown-header

• end-of-line-error • sip-udp-message-truncated

• missing-mandatory-field

madlform_data The number of the malform data.

line The line information.

column The column number.




Event-VoIP

44035

Message ID 44035

Log Subtype VoIP



Meaning SCCP registration





event_id The event’s serial identification number









profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.


voip_proto The VoIP protocol that was detected. This field contains either sip or sccp.




• call




• monitor • ban





• end • failed


• blocked

phone The phone information.





Event-VoIP

F0h

44036

Message ID 44036

Log Subtype VoIP



Meaning SCCP unregister













profile The name of the VoIP profile that was used to detect the VoIP activity.







• call




• monitor • ban





• end • failed


• blocked


• rate-limit • block-request

• dialog-limit • phone




Event-VoIP

• long-header • session-close

• unrecognized-form • new-register

• unknown • invalid-ip

• exceed-rate






Event-VoIP

F0h

44037

Message ID 44037

Log Subtype VoIP



Meaning SCCP call block














profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.






• call




• monitor • ban





• end • failed


• blocked


• rate-limit • block-request




Event-VoIP

• dialog-limit • phone

• long-header • session-close

• unrecognized-form • new-register

• unknown • invalid-ip

• exceed-rate






Event-VoIP

F0h

44038

Message ID 44038

Log Subtype VoIP



Meaning SCCP call info
























• call




• monitor • ban






Event-VoIP



• end • failed


• blocked







F0h

Data Leak PreventionData Leak Protection (DLP) log messages are log messages that record data leaks. These logs provide additional information to help administrators better analyze and detect data leaks. In FortiOS 4.0 MR3 and higher, DLP log messages are located in UTM log file. These log messages are also viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

24576245772457824579




Data Leak Prevention

24576

Message ID 24576

Log Subtype DLP

Severity Warning


Meaning A data leak was detected by a specified DLP sensor rule.






serial The serial number of the firewall session on which the event happend.




sport The source port number.






dst_int The destination interface. For example, wan1.

service This field contains one of the following:

• http • mm4

• https • mm7

• smtp • nntp

• pop3 • im

• imap • smtps

• ftp • pop3s

• mm1 • imaps

• mm3 • ftp (ftp-over-http)

status The action the FortiGate unit took. This field contains any of the following:

• detected • blocked

• success • error

filefilter The type of file filter. This field contains any one of the following:

• none • file pattern

• file type






F0h

filetype The type of file, for example, a zip file. This field contains any one of the following:

• arj • cab

• tzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class

• cod • javascript

• msoffice • fsg

• upx • petite

• aspack • prc

• sis • hlp

• activemime • jpeg

• gif • tiff

• png • bmp

• ignored • unknown

• N/A



hostname The home page of the web site. For example, www.example.com

url The URL address of the web page that the user was viewing.


to The receiver’s email address.


rulename The name of the DLP rule within the DLP sensor.

compoundname The name of the compound rule used.

filtername The name of the filter.

file The file information.

action The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains any one of the following:

• log-only • ban sender

• block • quarantine ip

• exempt • quarantine interface

• ban

severity The level of severity for that specific rule.





24577

Message ID 24577

Log Subtype DLP



Meaning A data leak was detected by a specified DLP sensor rule.

















service This field contains one of the following:

• http • mm4

• https • mm7

• smtp • nntp

• pop3 • im

• imap • smtps

• ftp • pop3s

• mm1 • imaps

• mm3 • ftp (ftp-over-http)

status The action the FortiGate unit took. This field contains any one of the following:



filefilter The type of file filter. This field contains any one of the following:


• file type






F0h

filetype The type of file, for example, a zip file. This field contains any one of the following:

• arj • cab

• tzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A



hostname The home page of the web site. For example, www.example.com.

url The URL address of the web page that the user was viewing.

from This field contains N/A.

to This field contains N/A.

msg data leak detected(Data Leak Prevention Rule matched)

rulename The name of the DLP rule that was used.

compoundname The name of the compound rule used.

filtername The name of the filter.

file The file information.

action The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains one of the following:

• log-only • ban sender

• block • quarantine ip

• exempt • quarantine interface

• ban

severity The level of severity for that specific rule.





24578

24579

Message ID 24578

Log Subtype DLP



Meaning A DLP fingerprint document source notice.







sensitivity The document source.

docsource The document source.

errorstr The erorr information, if there was an error in scanning the document source.

Message ID 24579

Log Subtype DLP



Meaning A DLP fingerprint document source error.







sensitivity The document source.

docsource The document source.

errorstr The erorr information, if there was an error in scanning the document source.






F0h




F0h

Application Control Application Control log messages are log messages that record application control protocols and events. In FortiOS 4.0 MR3 and higher, application control log messages are located in UTM log file. These log messages are also viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

286722867328674286752867628677286782868828689286902870428705




Application Control

28672

Message ID 28672

Log Subtype app-crtl-all



Meaning An application control IM-basic log message.






kind This field can be any one of the following:

• login • chat

• file • photo

• audio • call

• regist • unregister

• call-block • request

• response

profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.

profiletype The type of profile that was used, for example, Antivirus_Profile.


dir This field can be any one of the following:

• incoming • outgoing

• N/A



src_int The source interface name. For example, internal.



dst_int The destination interface name. For example, wan1.

src_name The source name. This can be a name or an IP address.

dst_name The destination name. This can be a name or an IP address.

proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

service The service where the event or activity occurred.







Application Control

F0h



app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.

app_type The type of application that triggered the action within the control list.


action The action that was taken by the application control engine. This field can be any one of the following:

• pass • block

• monitor • kickout

• encrypt-kickout • reject




Application Control

28673

Message ID 28673




Meaning An application control IM log message.







• login • chat

• file • photo

• audio • call



• response • video






• N/A

















Application Control

F0h







• pass • block



status This field can be any one of the following:

• request • cancel

• accept • fail

• download • stop

• start • end

• timeout • blocked

• succeeded • failed

• authentication-required • pass

• block




Application Control

28674

Message ID 28674




Meaning An application control IM (chat message count) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block







Application Control

28675

Message ID 28675




Meaning An application control IM (file) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block





• accept • fail


• start • end




• block

filename The name of the file.

filesize The size of the file.

message The log information. This is usually a sentence and explains the activity and/or action taken.




Application Control

28676

Message ID 28676




Meaning An application control IM (chat) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h




app_type The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.

app The type of application that triggered the action within the control list.


• pass • block




content The content information.




Application Control

28677

Message ID 28677




Meaning An application control IM (chat blocked) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block





• meter-overload-drop • meter-overload-refuse




• invalid-ip • exceed-rate

req The request information.




Application Control

28678

Message ID 28678




Meaning An application control IM (blocked) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block






Application Control

28688

Message ID 28688




Meaning An application control IM (VoIP basic) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block





• accept • fail


• start • end




• block




Application Control

28689

Message ID 28689




Meaning An application control IM (SCCP call blocked) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block





• accept • fail


• start • end




• block











Application Control

28690

Message ID 28690




Meaning An application control IM (SIP block) log message.







• login • chat

• file • photo

• audio • call









• N/A

















Application Control

F0h







• pass • block










req The request information.




Application Control

28704

Message ID 28704




Meaning An application control IM (IPS) log message (pass).



attack_id The identification number of the IM (IPS) log message.























• pass • block







Application Control

F0h






Application Control

28705

Message ID 28705




Meaning An application control IM (IPS) log message (pass).



attack_id The identification number of the IM (IPS) log message.























• pass • block







Application Control

F0h






Application Control





F0h

Antivirus Antivirus log messages record actual viruses that are contained in an email as well as anything that appears to be similar to a virus or suspicious, such as in a file or in an email. In FortiOS 4.0 MR3 and higher, antivirus log messages are located in UTM log file. These log messages are also viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

81928193819481958196819781988199844884498450845184528453845484558456

87048704870587068707896089618962896389648965896689678968896989708971

89728973




Antivirus

8192

Message ID 8192

Log Subtype Infected

Severity Warning


Meaning An infected file was detected by the FortiGate unit and blocked.



msg File is infected

status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:

• blocked • passthrough

• monitored

service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:

• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s

• imaps • http (ftp-over-http)







src_int The source interface. For example, internal.






dir This field contains any one of the following:

• N/A • tx

• rx





Antivirus

F0h

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.

quarskip This field contains any one of the following:

• No skip • No quarantine for HTTP

• GET file pattern block • No quarantine for oversized files.

• File was not quarantined.

virus The name of the virus that was detected.

dtype The dtype information.

ref The URL reference that give more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.

url The URL address of where the file was acquired.




profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.



agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.






Antivirus

8193

Message ID 8193




Meaning An infected file was detected by the FortiGate unit and it passed.






• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx





Antivirus

F0h























Antivirus

8194

Message ID 8194


Severity Warning


Meaning A MIME header was detected to have a virus and was blocked.






• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s




















Antivirus

F0h










profiletype The name of the profile that was used to detect and take action.

profilegroup The type of profile that was used, for example, Antivirus_Profile.

profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.



from This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.

to The sender’s email address.




Antivirus

8195

Message ID 8195




Meaning A MIME header is infected and passed.





blocked passthrough

monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s




















Antivirus

F0h















from This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.





Antivirus

8196

Message ID 8196


Severity Warning


Meaning The FortiGate unit detected a computer worm and blocked it.



msg Worm detected.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s





















Antivirus

F0h










Antivirus

8197

Message ID 8197




Meaning The FortiGate unit detected a computer worm and monitored it.



msg Worm deteceted.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s





















Antivirus

F0h










Antivirus

8198

Message ID 8198


Severity Warning


Meaning The FortiGate unit detected a computer worm (MIME) and blocked it.



msg Worm detected.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s





















Antivirus

F0h










Antivirus

8199

Message ID 8199




Meaning The FortiGate unit detected a computer worm (MIME) and monitored it.



msg Worm detected.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s





















Antivirus

F0h












Antivirus

8457

Message ID 8457


Severity Warning


Meaning An MMS content checksum blocked an infected file.



msg Blocked by MMS content checksum



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s














dir This fieldl contains any one of the following:

• N/A • tx

• rx





Antivirus

F0h
















Antivirus

8458

Message ID 8458




Meaning An MMS content checksum was matched.



msg Matched by MMS content checksum.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s














dir This fieldl contains any one of the following:

• N/A • tx

• rx





Antivirus

F0h
















Antivirus

8448

Message ID 8448

Log Subtype Filename

Severity Warning


Meaning The FortiGate unit blocked a file because it contains a virus.



msg File is blocked



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx





Antivirus

F0h

filefilter This field contains any one of the following:


• file type

filetype This field contains any one of the following:

• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A




• No skip • No quarantine for HTTP GET file pattern block.

• No quarantine for oversized files













Antivirus







Antivirus

F0h

8449

Message ID 8449




Meaning The FortiGate unit blocked a file because it contains a virus.



msg File is blocked



• monitored

service The type of protocol that was used to send and receive the traffic.This field contains any one of the following:

• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx




Antivirus



• file type


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A



















Antivirus

F0h






Antivirus

8450

Message ID 8450


Severity Warning


Meaning The FortiGate unit blocked a file because it contains a virus (MIME).



msg File is blocked.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s
















• file type





Antivirus

F0h


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A



















Antivirus

8451

Message ID 8451




Meaning The FortiGate unit blocked a file because it contains a virus (MIME).



msg File is blocked.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s
















• file type





Antivirus

F0h


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A



















Antivirus

8452

Message ID 8452


Severity Warning


Meaning The FortiGate unit blocked a virus command.



msg Command blocked.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s




















Antivirus

F0h


command The command information.




Antivirus

8453

Message ID 8453




Meaning The FortiGate unit intercepted a file containing a virus.



msg The file is intercepted.


blocked passthrough

monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx





Antivirus

F0h



• file type


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A

















Antivirus








Antivirus

F0h

8454

Message ID 8454




Meaning The FortiGate unit intercepted a file (MIME).



msg The file is intercepted.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s
















• file type




Antivirus


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A


















Antivirus

F0h

8455

Message ID 8455




Meaning A file was exempted.



msg File has been exempted.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx




Antivirus



• file type


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A
















Antivirus

F0h

8456

Message ID 8456




Meaning A file was exempted.



msg File has been exempted.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s
















• file type




Antivirus


• arj • cab

• lzh • rar

• tar • zip

• bzip • gzip

• bzip2 • bat

• msc • uue

• mime • base64

• binhex • com

• elf • exe

• hta • html

• jad • class



• upx • petite

• aspack • prc

• sis • hlp


• gif • tiff

• png • bmp


• N/A















Antivirus

F0h

8704

Message ID 8704

Log Subtype Oversize

Severity Warning


Meaning The defined file size limit was exceeded



msg Size limit is exceeded.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s



















Antivirus














Antivirus

F0h

8705

Message ID 8705




Meaning The file size limit was exceeded.






• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s



















Antivirus














Antivirus

F0h

8706

Message ID 8706


Severity Warning


Meaning The file (MIME) size exceed the defined size limit.






• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s



















Antivirus













Antivirus

F0h

8707

Message ID 8707




Meaning The file (MIME) size exceed the defined size limit.






• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s



















Antivirus













Antivirus

F0h

8960

Message ID 8960

Log Subtype Scanerror



Meaning The file reached the uncompressed nested limit.



msg File reached uncompressed nested limit.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx




Antivirus




• No skip • No quaratine for HTTP GET file pattern block




















Antivirus

F0h

8961

Message ID 8961




Meaning The file reached the uncompressed size limit.



msg File reached uncompressed size limit.



• monitored


• http • smtp

• pop3 • imap

• ftp • mm1

• mm3 • mm4

• mm7 • nntp

• im • smtps

• https • pop3s















• N/A • tx

• rx


