FortiGate® Log Message Reference
FortiOS 4.0 MR3
The FortiGate Log Message Reference is published with every maintenance release and contains only information that was gathered at the date of publication.
FortiGate Log Message Reference Version 4.0 MR3
21 November 2011
01-430-112804-20111121
© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer®, FortiASIC, FortiBIOS, FortiBridge, FortiClient®, FortiDB™, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail®, FortiManager®, Fortinet®, FortiOS®, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
  Before you begin
  How this reference is organized
  Document conventions and other information
Traffic
  2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Event-Administration
  32001, 32002, 32003, 32004, 32006, 32007, 32008, 32010, 32011, 32012, 32013, 32014, 32015, 32016, 32017, 32020, 32021, 32022, 32086, 32087
FortiGate Log Message Reference 01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
  32140, 32141, 32095, 32101, 32102, 32103, 32104, 32105, 32120, 32121, 32122, 32123, 32124, 32125, 32126, 32127, 32128, 32129, 32130, 32131, 32132, 32133, 32134, 32135, 32136, 32137, 32138, 32139, 32140, 32141, 32142, 32143, 32144, 32145, 32148, 32149, 32150, 32151, 32152, 32153, 32154, 32155, 32156, 32157, 32158, 32161
  32162, 32168, 32170, 32171, 32172, 32180, 32200, 32301, 32302, 32400, 32401, 32545, 32546, 32547, 32548, 32549
Event-System
  20001, 20002, 20003, 20004, 20007, 20010, 20031, 20032, 20033, 20034, 20035, 20036, 20037, 20038, 20039, 20040, 20041, 20042, 20043, 20044, 20045, 20046, 20047, 20048, 20049, 20050, 20051
  20052, 20053, 20054, 20055, 20056, 20057, 20058, 20059, 20060, 20061, 20062, 20063, 20064, 20065, 20066, 20067, 20068, 20069, 20070, 20071, 20072, 20073, 20074, 20075, 20076, 20077, 20078, 20079, 20080, 20081, 20082, 20083, 20084, 20090, 20099, 20100, 20101, 20110, 20111, 20200, 20201, 20202, 20203, 22000, 22001, 22002
  22003, 22004, 22005, 22006, 22009, 22010, 22011, 22012, 22013, 22100, 22101, 22102, 22103, 22200, 22201, 22202, 22203, 22800, 22801, 22802, 22803, 22804, 22805, 22806, 22901, 22902, 22903, 22911, 22912, 22913, 22914
Event-DHCP service
  26001, 26002
Event-Firewall authentication
  38001, 38002, 38003, 38004, 38005, 38010, 38011
  38012, 38020, 38021, 38022, 38026, 38027
Event-Wireless
  43520, 43521, 43522, 43524, 43525, 43526
Event-IPsec negotiation
  37120, 37121, 37122, 37123, 37124, 37125, 37126, 37127, 37128, 37129, 37130, 37131, 37132, 37133, 37134, 37135, 37136, 37137, 37138, 37139, 37184, 37185, 37186, 37187, 37188, 37189, 37190, 37191
  37192, 37193, 37194, 37195, 37196, 37197, 37198, 37199, 37200, 37201, 37202, 37203
Event-L2TP/PPP/PPPoE
  29001, 29002, 29003, 29004, 29009, 29015, 29016, 29022, 29024, 30004, 30005, 30006, 30007, 30008, 30009, 31004, 31005, 31006, 31007, 31008, 31009
Event-SSL VPN
  39424, 39425, 39426, 41984, 41985, 41986, 41987
  41988, 39936, 39937, 39938, 39939, 39940, 39941, 39942, 39943, 39944, 39945, 39946, 39947, 39948, 39949, 39950, 39951
Event-VIP SSL
  45001, 45003, 45005, 45007, 45009, 45011, 45012, 45013, 45015, 45017, 45019, 45023, 45027, 45029, 45031, 45032
Event-DNS
  44288
Event-config
  44544, 44545, 44546
  44547
Event-auth
  43008, 43009, 43010, 43011, 43012, 43013, 43014, 43015, 43016, 43017, 43018, 43019, 43020, 43021, 43022, 43023, 43024, 43025, 43026, 43027, 43028, 43029, 43030
Event-wad
  40960, 48001, 48003, 48005, 48007, 48009, 48011, 48012, 48013, 48015, 48017, 48019, 48023, 48027, 48029, 48031
FortiGate Log Message Reference11 01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Contents
48032 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30348100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30448101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30448102 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30548123 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30548124 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30648127 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30748129 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30748131 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30848132 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30848200 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30948201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30948205 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31048300 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31048301 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Event-LDB-monitor
46000, 46001, 46002, 46003, 46004, 46005, 46100, 46101
Event-nac-quarantine
43776
Event-his-performance
40704
Event-HA
37888, 37889, 37890, 37891, 37892, 37893, 37894, 37895, 37896, 37897, 37898, 37899, 37900, 37901, 37902, 37903, 37904
Event-pattern
41000, 41001
Event-RADIUS
38656, 38657, 38658, 38659, 38660, 38661, 38662, 38663, 38664, 38665, 38666, 38667
Event-notification
38400, 38401, 38402
Event-amc-intf-bypass
47201, 47202
Event-GTP
41216, 41217, 41218, 41219, 41220, 41221, 41222
Event-MMS-Stats
43264
Event-VoIP
44032, 44033, 44034, 44035, 44036, 44037, 44038
Data Leak Prevention
24576, 24577, 24578, 24579
Application Control
28672, 28673, 28674, 28675, 28676, 28677, 28678, 28688, 28689, 28690, 28704, 28705
Antivirus
8192, 8193, 8194, 8195, 8196, 8197, 8198, 8199, 8457, 8458, 8448, 8449, 8450, 8451, 8452, 8453, 8454, 8455, 8456, 8704, 8705, 8706, 8707, 8960, 8961, 8962, 8963, 8964, 8965, 8966, 8967, 8968, 8969, 8970, 8971, 8972, 8973
Attack
16384, 16385, 16386, 18432, 18433, 18434
Email filter
20480, 20481, 20482, 20483, 20484, 20491, 20485, 20486, 20487, 20488, 20489, 20490, 20492, 20493, 20494, 20495, 20496, 20497, 20498, 20499, 20500, 20501, 20503, 20504, 20505
Webfilter
12288, 12289, 12290, 12291, 12305, 12544, 12545, 12546, 12547, 12548, 12549, 12550, 12551, 12552, 12553, 12554, 12555, 12556, 12557, 12558, 12559, 13056, 13312, 13313, 13314, 12800, 12801, 13601, 13602, 13568, 13573, 13584, 13315, 13316, 12802
Netscan logs
4096, 4097, 4098, 4099, 4100, 4101, 4102, 4103, 4104, 4105
DLP archives
32768, 32776, 32770, 32772, 32774, 32769, 32782, 32783, 32784, 32785, 32786, 32787, 32788, 32789, 32790, 32791, 32792, 32793, 32777, 32794, 32795, 32796, 32797, 32798, 32800, 328001, 32778, 32779, 32780, 32781, 32771, 32773, 32775
Appendix
Document conventions
  IP addresses
  Example Network configuration
  Cautions, Notes and Tips
  Typographical conventions
  CLI command syntax conventions
Entering FortiOS configuration data
  Entering text strings (names)
  Entering numeric values
  Selecting options from a list
  Enabling or disabling options
Registering your Fortinet product
Fortinet products End User License Agreement
Training
Documentation
  Fortinet Tools and Documentation CD
  Fortinet Knowledge Base
  Comments on Fortinet technical documentation
Customer service and technical support
Introduction
This reference provides detailed information about all log messages that are recorded by the FortiGate unit. It is intended for administrators that are already logging FortiGate features and require information about a specific log message that was recorded, such as an event-administration log message with the log ID 41990. This chapter includes the following topics:
• Before you begin
• Document conventions and other information
Before you begin
Before you begin using this guide, take a moment to note the following:
• The information in this reference applies to all FortiGate units and models currently running FortiOS 4.0 and higher.
• You have enabled logging of FortiGate features. If you have not chosen a log device, or have not enabled logging of FortiGate features, see the Logging and Reporting chapter in the FortiOS Handbook.
• Each log message is written similar to how it appears in the log viewer table, but based on the Raw format. For more information, see the Logging and Reporting chapter in the FortiOS Handbook.
• FortiOS Carrier log messages are included and are indicated within the table, in the Firmware version row.
• This reference contains detailed information for each log message field; however, this reference contains only information gathered at publication and, as a result, not every log message field contains detailed information. More detailed information will be available in future releases of this reference.
• The UTM-related logs, such as antivirus and IPS, are located in the new log file called UTM log. This is reflected in the web-based manager, where you can view these log messages in Log&Report > Log & Archive Access > UTM Log.
How this reference is organized
This document describes what log messages are recorded by the FortiGate unit. The following chapters are grouped by log type with the exception of the event log, and include only log messages for that log type. The event log type chapters are grouped by subtype, for example event-system, due to the large number of subtypes associated with the event log.
• Traffic
• Event-Administration
• Event-System
• Event-DHCP service
• Event-Firewall authentication
• Event-Wireless
• Event-IPsec negotiation
• Event-L2TP/PPP/PPPoE
• Event-SSL VPN
• Event-VIP SSL
• Event-DNS
• Event-config
• Event-auth
• Event-wad
• Event-LDB-monitor
• Event-nac-quarantine
• Event-his-performance
• Event-HA
• Event-pattern
• Event-RADIUS
• Event-notification
• Event-amc-intf-bypass
• Event-GTP
• Event-MMS-Stats
• Event-VoIP
• Data Leak Prevention
• Application Control
• Antivirus
• Attack
• Email filter
• Webfilter
• Netscan logs
• DLP archives
Document conventions and other information
The document conventions, as well as additional information, are located in the appendix section of this reference. See “Appendix” on page 700.
Traffic
Traffic log messages record the network traffic going through the FortiGate unit. In the policyid field of traffic log messages, the number may be zero because any policy that is automatically added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0.
Message IDs in this chapter: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
2
Message ID 2
Log SubType Allowed
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Allowed traffic log message
Fields
Field Description
status The session status. This field displays accept, which indicates that the session has been allowed by the unit.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
dir_disp The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip The translated source IP address.
tran_sport The translated source port.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• N/A (is unknown type)
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
sent_pkt The total number of packets sent during the session.
rcvd_pkt The total number of packets received during the session.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
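Added example (not part of the Fortinet reference): a parser and triage pass over traffic log lines that uses the status, src, dst, dst_port, policyid, sent and rcvd fields described in this chapter. It assumes the Raw format is a sequence of space-separated key=value pairs with optional double quotes; the sample lines, the sweep_ports threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
# Assumption: this is how the Raw format lays out fields.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Fields the reference describes as ports, numbers, byte counts or packet counts.
INT_FIELDS = {"src_port", "dst_port", "proto", "duration", "policyid",
              "identidx", "sent", "rcvd", "sent_pkt", "rcvd_pkt"}

# Constructed sample lines (documentation address ranges), not captured from a device.
SAMPLE_LINES = [
    'status=accept vd="root" src=192.0.2.10 src_port=51515 dst=198.51.100.20 '
    'dst_port=443 proto=6 service=HTTPS policyid=7 duration=12 sent=1840 '
    'rcvd=9120 user="Jane Doe"',
    'status=deny vd="root" src=203.0.113.5 src_port=40001 dst=192.0.2.1 '
    'dst_port=22 proto=6 service=SSH policyid=0 sent=0 rcvd=0',
    'status=deny vd="root" src=203.0.113.5 src_port=40002 dst=192.0.2.1 '
    'dst_port=23 proto=6 service=TELNET policyid=0 sent=0 rcvd=0',
    'status=deny vd="root" src=203.0.113.5 src_port=40003 dst=192.0.2.1 '
    'dst_port=3389 proto=6 service=RDP policyid=0 sent=0 rcvd=0',
    'status=deny vd="dmz" src=192.0.2.77 src_port=50000 dst=198.51.100.9 '
    'dst_port=25 proto=6 service=SMTP policyid=12 sent=60 rcvd=0',
    # Non-TCP/UDP traffic without port fields, plus a malformed counter.
    'status=accept vd="root" src=192.0.2.10 dst=198.51.100.20 proto=1 '
    'service=PING policyid=7 sent=84 rcvd=bogus',
]


def parse_line(line):
    """Split one log line into a dict, converting well-formed numeric fields."""
    record = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        value = quoted or bare
        # Malformed numbers stay as strings so they can be spotted, not dropped.
        if key in INT_FIELDS and value.isdigit():
            value = int(value)
        record[key] = value
    return record


def summarize(lines, sweep_ports=3):
    """Aggregate accepted bytes per source and flag noisy denied sources.

    sweep_ports is a hypothetical threshold: a source denied on at least this
    many distinct (dst, dst_port) pairs is reported as a sweep candidate.
    """
    accepted_bytes = defaultdict(int)
    denied_targets = defaultdict(set)
    auto_policy_denies = 0
    for line in lines:
        rec = parse_line(line)
        src = rec.get("src")
        if src is None:
            continue
        if rec.get("status") == "accept":
            for field in ("sent", "rcvd"):
                if isinstance(rec.get(field), int):
                    accepted_bytes[src] += rec[field]
        elif rec.get("status") == "deny":
            # dst_port is zero for traffic other than TCP or UDP.
            denied_targets[src].add((rec.get("dst"), rec.get("dst_port", 0)))
            # policyid 0 marks a policy added automatically by the unit.
            if rec.get("policyid") == 0:
                auto_policy_denies += 1
    sweepers = sorted(s for s, t in denied_targets.items() if len(t) >= sweep_ports)
    return {
        "accepted_bytes": dict(accepted_bytes),
        "auto_policy_denies": auto_policy_denies,
        "sweep_sources": sweepers,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```
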
3
Message ID 3
Log SubType Violation
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Traffic violation log message
Fields
Field Description
status The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• N/A (is unknown type) • Skype
• WinNY • AIM
• BitTorrent • ICQ
• eDonKey • MSN
• Gnutella • Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static • ipsec-dynamic
• ipsec-ddns • sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
4
Message ID 4
Log Subtype Traffic - Other
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Traffic other log message
Fields
Field Description
status The status of the session. This field always displays start, which indicates that the session has started.
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip The translated source IP address.
tran_sport The translated source port.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• NA • Skype
• WinNY • AIM
• BitTorrent • ICQ
• eDonKey • MSN
• Gnutella • Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static • ipsec-dynamic
• ipsec-ddns • sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
5
Message ID 5
Log Subtype Other
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Traffic allowed ICMP log message
Fields
Field Description
status The session status. This field displays accept, which indicates that the session has been allowed by the unit.
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
dir_disp The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip The translated source IP address.
tran_sport The translated source port.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• NA • Skype
• WinNY • AIM
• BitTorrent • ICQ
• eDonKey • MSN
• Gnutella • Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
sent_pkt The number of sent packets.
rcvd_pkt The number of received packets.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static • ipsec-dynamic
• ipsec-ddns • sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
6
Message ID 6
Log Subtype Other
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Deny internal ICMP log message
Fields
Field Description
status The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• NA • Skype
• WinNY • AIM
• BitTorrent • ICQ
• eDonKey • MSN
• Gnutella • Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static • ipsec-dynamic
• ipsec-ddns • sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
7
Message ID 7
Log Subtype Other
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Deny external ICMP log message
Fields
Field Description
status The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port The translated port number in NAT mode. For Transparent mode, it is zero.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The protocol number that applies to the session or packet. This is the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• NA • Skype
• WinNY • AIM
• BitTorrent • ICQ
• eDonKey • MSN
• Gnutella • Yahoo
• KaZaa
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent The total number of bytes sent.
rcvd The total number of bytes received.
shaper_drop_sent The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd The number of received traffic shaper bytes that were dropped.
perip_drop The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name The name of the traffic shaper sending the bytes.
shaper_rcvd_name The name of the traffic shaper receiving the bytes.
perip_name The name of the per-IP traffic shaper.
vpn The name of the VPN tunnel used by the traffic.
vpn_type The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static • ipsec-dynamic
• ipsec-ddns • sslvpn
vpn_tunnel The VPN tunnel.
src_int The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int The interface where the through traffic goes to the public or Internet.
SN The session number of the log message.
app The name of the application that triggered the action within the control list. For example, SSL.
app_cat The application category that the application is associated with.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
8
Message ID 8
Log Subtype Traffic - WAN opt
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning WAN optimization traffic log message
Fields
Field Description
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type The type of WAN optimization that was used. This field can contain any one of the following:
• web-cache • ftp
• cifs • mapi
• tcp • http
• web-proxy • ftp-proxy
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
wan_in This field always displays WAN in.
wan_out This field always displays WAN out.
lan_in This field always displays LAN in.
lan_out This field always displays LAN out.
src_int The name of the interface used by the source.
dst_int The name of the interface used by the destination.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
9
Message ID 9
Log Subtype Web cache
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Web cache traffic log message
Fields
Field Description
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_country The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type The WAN Opt application type.
• web-cache • cifs
• tcp • ftp
• mapi • http
• web-proxy • ftp-proxy
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
wan_in This field always displays WAN in.
wan_out This field always displays WAN out.
lan_in This field always displays LAN in.
lan_out This field always displays LAN out.
src_int The name of the interface used by the source.
dst_int The name of the interface used by the destination.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
10
Message ID 10
Log Subtype explicit-proxy-traffic
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Explicit proxy traffic log message
Fields
Field Description
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type The type of WAN Opt application. This can be any one of the following:
• web-cache • cifs
• tfp • ftp
• mapi • http
• web-proxy
duration This represents the value in seconds.
rule The rule number.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
wan_in This field always displays WAN in.
wan_out This field always displays WAN out.
lan_in This field always displays LAN in.
lan_out This field always displays LAN out.
src_int The name of the interface used by the source.
dst_int The name of the interface used by the destination.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
11
Message ID 11
Log Subtype failed-conn
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Failed connection attempts
Fields
Field Description
vd The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src The source IP address.
srcname The name of the source or the source IP address.
src_port The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
src_int The source interface name.
dst The destination IP address.
dstname The destination name or destination IP address.
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
dst_int The destination interface name.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
action The action that was taken by the unit. This can be any one of the following:
• dns – a DNS lookup • ip – an IP connection
• url – a URL connection
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
Event-Administration
Event-Administration log messages record what administration users are configuring on the FortiGate unit, and what is occurring on the FortiGate unit. For example, memory storage is becoming full.
32001
32002
Message ID 32001
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An administrator successfully logged into the FortiGate unit.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains login.
status This field always contains success.
reason The reason for the event. This field is either timeout or exit, depending on the action taken.
profile The administrator’s access profile.
msg Administrator <admin_name> logged in successfully from <ui(<ip_address>)>.
Message ID 32002
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• There is alarm testing occurring.
• The administrator failed to log in.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5). Note: If this is an alarm test, this field will contain cli.
action This field always contains login.
status This field always contains failed.
reason The reason for the event. This field always contains test.
profile The administrator’s access profile.
msg This field contains any one of the following:
• Alarm testing
• Administrator <admin_name> login failed from <ui>
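A triage sketch for message ID 32002, added here as an example and not taken from Fortinet's documentation: it uses the msg field to separate alarm tests from real login failures and groups the failures by the address inside ui. The records are constructed samples assumed to be already parsed into the fields listed above; the function names and the threshold are hypothetical.

```python
import re
from collections import defaultdict

# Per the reference, ui looks like "GUI(10.10.20.5)"; an alarm test shows "cli".
UI_RE = re.compile(r"^(?P<method>[^()]+)\((?P<addr>[^()]+)\)$")
FAILED_RE = re.compile(r"^Administrator (?P<admin>.+) login failed from ")

# Constructed sample records (not real device output), one dict per 32002 message.
SAMPLE_RECORDS = [
    {"user": "admin_123", "ui": "GUI(10.10.20.5)", "action": "login", "status": "failed",
     "msg": "Administrator admin_123 login failed from GUI(10.10.20.5)"},
    {"user": "admin_123", "ui": "GUI(10.10.20.5)", "action": "login", "status": "failed",
     "msg": "Administrator admin_123 login failed from GUI(10.10.20.5)"},
    {"user": "backup_admin", "ui": "GUI(10.10.20.5)", "action": "login", "status": "failed",
     "msg": "Administrator backup_admin login failed from GUI(10.10.20.5)"},
    {"user": "admin_123", "ui": "GUI(192.0.2.7)", "action": "login", "status": "failed",
     "msg": "Administrator admin_123 login failed from GUI(192.0.2.7)"},
    {"user": "admin_123", "ui": "cli", "action": "login", "status": "failed",
     "reason": "test", "msg": "Alarm testing"},
]


def parse_ui(ui):
    """Split a ui value into (access method, source address or None)."""
    match = UI_RE.match(ui.strip())
    if match:
        return match.group("method"), match.group("addr")
    return ui.strip(), None


def classify_32002(fields):
    """Return 'alarm-test', 'login-failed' or 'unknown' for one 32002 record."""
    msg = fields.get("msg", "").strip()
    if msg.startswith("Alarm testing"):
        return "alarm-test"
    if FAILED_RE.match(msg):
        return "login-failed"
    # Anything else does not match either documented msg form; review by hand.
    return "unknown"


def failed_login_sources(records, threshold=3):
    """Group real login failures by source; keep sources at or over threshold."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for fields in records:
        if classify_32002(fields) != "login-failed":
            continue  # alarm tests share status=failed but are not attacks
        method, addr = parse_ui(fields.get("ui", ""))
        source = addr or method or "unknown"
        counts[source] += 1
        users[source].add(fields.get("user", ""))
    return {
        src: {"count": n, "users": sorted(users[src])}
        for src, n in counts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for src, info in failed_login_sources(SAMPLE_RECORDS).items():
        print(src, info["count"], "failures for", ", ".join(info["users"]))
```

Several distinct user names failing from one source is worth a separate look, since it points to name guessing rather than one administrator mistyping a password.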
32003
32004
Message ID 32003
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what the msg field contains, the meaning can be any one of the following:
• An administrator was successfully logged out because of inactivity. The FortiGate unit automatically logged them out.
• An administrator successfully logged out of the user interface.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains logout.
status This field always contains success.
reason The reason for the event. This field is either timeout or exit, depending on the action taken.
msg This field contains any one of the following:
• Administrator <admin_name> timed out from <ui(<ip_address>)>
• Administrator <admin_name> logged out from <ui(<ip_address>)>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains information.
Message ID 32004
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The meaning can be one of the following, depending on the msg field:
• Alarm testing is occurring on the FortiGate unit.
• System has entered error-mode.
Fields
Field Description
action This field always contains error-mode.
reason The reason for the trigger. This field can contain self-test if the log message is about alarm testing.
msg This field contains any one of the following:
• Alarm testing is occurring on the FortiGate unit
• System enters error mode due to <string>
32006
Message ID 32006
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The user has entered the specified virtual domain.
• The FortiGate unit's system has started.
Fields
Field Description
user The name of the user creating the traffic. In this log message, it is an administrator, or an administrator that has the super_admin profile.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field always contains vdom-switch.
reason This field always contains none.
msg This field contains any one of the following:
• User <user_name> has entered the virtual domain <virtual_domain_name>.
• FortiGate started
Message ID 32006
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit has started.
Fields
Field Description
msg Fortigate started.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains information.
32007
32008
Message ID 32007
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The super admin has left the specified virtual domain.
Fields
Field Description
user The name of the user creating the traffic. In this log message, it is an administrator, or an administrator that has the super_admin profile.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field always contains vdom-switch.
reason This field always contains none.
msg User <user_name> has left the virtual domain <virtual_domain_name>
Message ID 32007
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit cannot store the configuration file because the local drive does not have enough space left.
Fields
Field Description
msg Cannot store config due to short of flash space: require <number_blocks> blocks, only <number_blocks> free blocks left on flash disk.
Message ID 32008
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The specified user has viewed the specified log files in memory or on the disk.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
log The name of the log file.
msg This field can be any of the following:
• User <user_name> has viewed the memory logs from <ui>.
• User <user_name> has viewed disk logs from <ui>
32010
Message ID 32010
Log Subtype Admin
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning Depending on the content in the msg field, the meaning can be any one of the following:
• The log roll has reached the maximum number.
• The amount of logs exceeds the disk size and the rolled log file was deleted.
• The log disk has reached a specific percentage point that, once passed, the system will either overwrite the logs or stop logging.
• The log is full.
• The space in memory for logs is full.
Fields
Field Description
msg This field contains any of the following:
• Disk has rolled the max number of times, it will not roll logs again until deleting of the old rolled logs
• Disk log exceeds <percentage> of disk size. Deleted rolled log file name <log_name>
• DLP archive is <percentage> full.System will overwrite old DLP archive.
• Log disk is <percentage> full. System will stop logging.
• Log is <percentage> full.
• Memory <percentage> log is <percentage> full.
• Disk logs exceeed full final warning threshold. Deleted rolled log file <file name>
• Disk logs exceed full final warning threshold. Deleted rolled packet directory <directory>
• Disk logs eceeed full final warning threshold. Deleted rolled dlp-archive directory <directory>
Message ID 32010
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on the content in the msg field, the meaning can be any one of the following:
• The system uploads the oldest log files because the storage is at capacity.
• The system deletes the oldest log files, then uploads another group of log files.
• The system deletes the uploaded log files.
Fields
Field Description
action This field always contains delete. This only appears when the system has deleted uploaded logs.
msg This field contains any of the following:
• <string> is <string> full.System will upload oldest <number> logs.
• <string> is <string> full.System will delete oldest <number> uploaded logs, and upload another oldest <number> un-uploaded logs.
• System deleted logs that are uploaded
32011
Message ID 32011
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The disk log has rolled.
Fields
Field Description
action The action the FortiGate unit took. This field always contains roll-log.
reason The reason for rolling the log file. This field contains schedule because the log was rolled at a specified date and time that was previously configured.
log The type of log that was rolled. This field contains all.
msg Disk log has rolled.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The level of priority. This field always contains notice.
log This field always contains all.
Message ID 32011
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The disk log has rolled.
Fields
Field Description
action The action the FortiGate unit took. This field always contains roll-log.
reason The reason for rolling the log file. This field contains file-size.
log The type of log that was rolled.
msg Disk log has rolled.
Message ID 32011
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The disk log has rolled.
Fields
Field Description
action The action the FortiGate unit took. This field always contains roll-log.
reason The reason for rolling the log file. This field contains log-format-change.
log The type of log that was rolled.
msg Disk log has rolled.
Message ID 32011
Log Subtype Admin
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning Depending on the content in the msg field, this field contains any one of the following:
• The system’s memory is full and that is why the system entered error mode.
• The disk is filled to capacity with log files, and that is why the system entered error mode.
• The system entered error mode but it is unclear as to why.
Fields
Field Description
action The action the FortiGate unit took. This field always contains error-mode.
reason The reason for rolling the log file. This field contains memory-log-full, disk-log full or unknown.
msg This field contains any one of the following:
• CC error: Memory logs are full. System entered error mode.
• CC error: Disk logs are full. System entered error mode.
• CC error: Unknown. System entered error mode.
32012
Message ID 32012
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate system is exiting out of error mode.
Fields
Field Description
action The action the FortiGate unit took. This field always contains exit-error-mode.
msg System existing out of error mode.
Message ID 32012
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The log disk is almost full, and will resume archiving log data.
Fields
Field Description
msg Log disk is under <string> full. System will resume logging content archive data.
32013
Message ID 32013
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A user has cleared the disk log from either the web-based manager or CLI.
Fields
Field Description
user The name of the user creating the traffic.
log The log identification number.
msg User <user_name> has cleared disk log from <ui>
Message ID 32013
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• A user has deleted rolled log files.
• A user cleared all current logs.
• A user has cleared FortiGuard Analysis Service logs from the specified location.
• A user has removed filtered data from memory logs.
• A user cleared logs associated with the FortiGuard Analysis Service.
• A user has removed filtered data from disk logs.
• A user has deleted one rolled log file from either the web-based manager or CLI.
• A user has cleared current logs from the disk.
Fields
Field Description
user The name of the user creating the traffic. For this log message, it can be user or administrator.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
period The period’s information. This field does not always show in all 32013 log messages.
log The log identification number.
msg This field contains any one of the following:
• User <user_name> has deleted rolled <integer> log files from <ui>
• User <user_name> has cleared all current logs <percentage_memory> from <ui>
• User <user_name> has cleared logs (FortiGuard Log) from <ui>
• A user has cleared FortiGuard logs from the specified location.
• User <administrator_name> has cleared logs (FortiGuard Analysis Service) from <ui>
• User <user_name> has removed filtered data from memory logs from <ui>
• User <user_name> has cleared logs (FortiGuard Analysis Service) from <ui>
• User <user_name> has removed filtered data from disk logs from <ui>
• User <user_name> has deleted 1 rolled <rolled_interger> log file (<log_file_name>) from <ui>
• User has deleted 1 rolled <string> log (disk) from <ui>
• User <user_name> has cleared current <string> log (disk) from <ui>
32014
32015
Message ID 32014
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The FDS support license is expiring.
• The FDS AV license is expiring.
• The FDS IPS license is expiring.
• The FortiGuard customer support license expires in the specified number of days.
• The FortiGuard Antivirus update license will expire in the specified number of days.
• The FortiGuard IPS update license will expire in the specified number of days.
• The FortiGuard web filtering license will expire in the specified number of days.
• The FortiGuard anti-spam license will expire in the specified number of days.
• The FortiGuard Analysis Service license will expire in the specified number of days.
• The FortiGuard Management Service license will expire in the specified number of days.
Fields
Field Description
msg This field contains any one of the following:
• FDS support license will expire in <integer> day(s)
• FDS AV license will expire in <integer> day(s)
• FDS IPS license will expire in <integer> day(s)
• FortiGuard customer support license will expire in <value> day(s)
• FortiGuard AV update license will expire in <value> day(s)
• FortiGuard IPS update license will expire in <value> day(s)
• FortiGuard web filtering license will expire in <value> day(s)
• FortiGuard anti-spam license will expire in <value> day(s)
• FortiGuard analysis service license will expire in <value> day(s)
• FortiGuard management service license will expire in <value> day(s)
Message ID 32015
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Log disk is full.
Fields
Field Description
msg Log disk is <percentage> full
32016
Message ID 32016
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard disk quota is full and the system will either overwrite or stop logging when the quota is used.
Fields
Field Description
msg FortiGuard disk quota is <value> use. System will {overwrite | no log} once passed all quota is used.
Message ID 32016
Log Subtype Admin
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service disk quota is full and the system will either overwrite or stop logging when the quota is used.
Fields
Field Description
msg FortiGuard Analysis Service disk quota is <value> used. System will {overwrite | no log} once passed all quota is used.
Message ID 32016
Log Subtype Admin
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service disk quota is full.
Fields
Field Description
msg FortiGuard Analysis Service disk quota is <value> used.
Message ID 32016
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service disk quota is full.
Fields
Field Description
msg FortiGuard Analysis Service disk quota is <value> used. System will {overwrite | no log} once the full quota is used.
Message ID 32016
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit has stopped logging to the FortiGuard Analysis server because of the amount of disk quota that has been used. Logging will resume after an amount of time has passed, in seconds.
Fields
Field Description
msg FortiGuard Analysis Service disk quota is <value> used. System stops logging until <seconds> later.
Message ID 32016
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The user failed to view logs from a specified location.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg This field contains any one of the following:
• User <user_name> failed to access the <log_file_name> logs from <ui>
• User <user_name> failed to access the <log_file_name> logs from <ui>
32017
32020
Message ID 32017
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The FortiGuard daily quota is reached.
• The FortiGuard Analysis Service daily quota is full.
Fields
Field Description
msg This field contains any one of the following:
• FortiGuard daily quota is reached. System stops logging until <value> sec later.
• FortiGuard Analysis Service daily quota is reached. System stops logging until <seconds> sec later.
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A corrupted MAC packet was detected.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action The action information.
status The status information.
reason The reason information.
profile The name of the profile that was used to detect and take action.
msg Corrupted MAC packet detected.
32021
32022
Message ID 32021
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The user disabled the virtual domain root from the web-based manager, CLI or console.
Fields
Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg User <user_name> disabled virtual domain root from <ui ip_address>>
Message ID 32022
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator enabled a virtual domain.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg User <admin_name> enabled virtual domain <vd_name> from <ui(<ip_address>)>
32086
32087
Message ID 32086
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The system has been changed to Transparent mode (LCD) from the LCD interface.
Fields
Field Description
user The administrator who is creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.
action The action that was taken.
status This field always contains success.
msg System has been changed to transparent mode LCD via LCD.
Message ID 32087
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The system has been changed to NAT/Route mode (LCD) from the LCD interface.
Fields
Field Description
user The administrator who is creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.
action The action that was taken.
status This field always contains success.
msg System has been changed to NAT mode LCD via LCD.
32140
Message ID 32140
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the operation mode to Transparent.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
field This field contains mode.
old_value The mode that the FortiGate unit was previously in. This field contains either NAT or TP, depending on what mode the FortiGate unit was previously in.
new_value The mode that the FortiGate unit is now in. This field contains either NAT or TP, depending on what mode the FortiGate unit was changed to.
msg User <administrator_name> changed to TP opmode from <ui>(<ip_address>
Message ID 32140
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the global settings on the FortiGate unit, allowing virtual domain configuration.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action The status of the virtual domain feature. This field always contains enable.
field This field always contains virtual-domain.
msg User <admin_name> changed global settings from <ui(<ip_address>)>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
32141
32095
Message ID 32141
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The specified interface received a new DHCP lease address.
Fields
Field Description
msg interface <interface_name> gets a DHCP lease, ip:<ip_address>, mask:<netmask>, gateway:<gateway_ip>, lease expires:<day_of_week> <month> <date> <hh:mm:ss:> <yyyy>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field is always information.
id The identification number.
Message ID 32095
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The specified administrator has performed a specified action on the FortiGate unit.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action The type of action that the FortiGate unit took. This field contains any one of the following:
• reboot
• shutdown
• reload
• backup
• factory_reset
• restore (all types of configuration files)
• upgrade (upgrade the firmware)
• switch_mode
• download (all types of configuration files)
• upload
• clear_mlog (clear all log in memory buffer)
• del_log (delete log)
• update (virus or IPS signatures)
• downgrade (downgrade the firmware)
• del_session (delete session)
• bootup
status This field contains either success or failure.
msg <action_type OR file_name> by user <administrator_name> via <ui> Note: The beginning of the sentence depends on what type of action was taken, and if a file was downloaded or not.
Message ID 32095
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A user has downloaded a log file from the firewall from within the web-based manager.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: In this log message, the location is the web-based manager.
action The type of action that the FortiGate unit took. This field contains any one of the following:
• reboot
• shutdown
• reload
• backup
• factory_reset
• restore (all types of configuration files)
• upgrade (upgrade the firmware)
• switch_mode
• download (all types of configuration files)
• upload
• clear_mlog (clear all log in memory buffer)
• del_log (delete log)
• update (virus or IPS signatures)
• downgrade (downgrade the firmware)
• del_session (delete session)
• bootup
status This field contains either success or failure.
hash The hash information.
file The name of the log file.
msg <action_type OR file_name> by user <administrator_name> via <ui>
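The entries above reuse one Message ID for unrelated events (32011 is both a routine roll-log and an emergency error-mode entry), so triage of audit-relevant events has to key on the ID together with the action and reason fields, as in the 32004, 32011, 32013 and 32095 entries. The following Python is an added example, not Fortinet code: it assumes each event is one line of space-separated key=value pairs with a log_id key whose last five digits are the Message ID; the sample lines are constructed, and the grouping of 32095 actions into log removal and rollback is this example's own choice.

```python
import re

# Assumption: key=value pairs separated by spaces, values optionally quoted.
PAIR_RE = re.compile(r'(?<!\S)(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Example-specific grouping of values from the 32095 action list.
LOG_REMOVAL_ACTIONS = {"del_log", "clear_mlog"}
ROLLBACK_ACTIONS = {"factory_reset", "restore", "downgrade"}


def parse_line(line):
    """Split one log line into a dict of field name to unquoted value."""
    fields = {}
    for key, raw in PAIR_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def message_id(fields):
    """Return the Message ID (assumed: last five digits of log_id) or None."""
    digits = fields.get("log_id", "")
    if len(digits) < 5 or not digits.isdigit():
        return None
    return int(digits[-5:])


def classify(fields):
    """Map (Message ID, action, reason) to a triage tag, or None if routine."""
    mid = message_id(fields)
    action = fields.get("action", "")
    if mid == 32013:
        return "log-cleared"            # every 32013 variant clears or deletes logs
    if mid == 32095 and action in LOG_REMOVAL_ACTIONS:
        return "log-cleared"
    if mid == 32095 and action in ROLLBACK_ACTIONS:
        return "rollback"
    if mid in (32004, 32011) and action == "error-mode":
        # 32004 with reason=self-test is only alarm testing.
        if fields.get("reason") == "self-test":
            return None
        return "error-mode"
    return None


def triage(lines):
    """Return one finding per line that carries an audit-relevant event."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        tag = classify(fields)
        if tag:
            findings.append({
                "id": message_id(fields),
                "tag": tag,
                "user": fields.get("user", "-"),
                "ui": fields.get("ui", "-"),
                "status": fields.get("status", "-"),
            })
    return findings


# Constructed sample lines (not captured from a real unit).
SAMPLE_LINES = [
    'log_id=0104032011 action=roll-log reason=file-size log=all msg="Disk log has rolled."',
    'log_id=0104032011 action=error-mode reason=memory-log-full '
    'msg="CC error: Memory logs are full. System entered error mode."',
    'log_id=0104032004 action=error-mode reason=self-test '
    'msg="Alarm testing is occurring on the FortiGate unit"',
    'log_id=0104032013 user="admin_123" ui=GUI(10.10.20.5) '
    'msg="User admin_123 has cleared disk log from GUI(10.10.20.5)"',
    'log_id=0104032095 user="admin_123" ui=GUI(10.10.20.5) action=reboot '
    'status=success msg="reboot by user admin_123 via GUI(10.10.20.5)"',
    'log_id=0104032095 user="admin_123" ui=GUI(10.10.20.5) action=del_log '
    'status=success msg="del_log by user admin_123 via GUI(10.10.20.5)"',
    'log_id=0104032095 user="admin_123" ui=console action=factory_reset '
    'status=failure msg="factory_reset by user admin_123 via console"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```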
32101
Message ID 32101
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new access profile.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
profile The name of the administration access profile that was created.
msg User <administrator_name> added new access profile <string> from {GUI | CLI | console}
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
Message ID 32101
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the configuration from the LCD interface.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg <administrator_name> by <ui>
32102
Message ID 32102
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a local certificate, and it is being generated.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg User <admin_name> made a change via <ui(<ip_address>)>: VPN local certificate <cert_name> has been generated.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains information.
module This field always contains VPN.
submodule This field always contains cert-local.
Message ID 32102
Log Subtype Admin
Severity (Variable): can be any severity level
Firmware version FortiOS 4.0 MR3
Meaning A user has changed the configuration.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
module The module information.
submodule The submodule information.
msg User <admin_name> made a change from <ui>
Message ID 32102
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A new firmware image is available from FortiGuard.
Fields
Field Description
user This field always contains system.
action The action that was taken. This field always contains firmware.
status The status of the firmware. This field always contains new.
msg New firmware is available from FortiGuard.
Message ID 32102
Log Subtype Admin
Severity (Variable): can be any severity level
Firmware version FortiOS 4.0 MR3
Meaning A user has changed the configuration for a specific submodule from a specific location.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
module The module information.
submodule The submodule information.
msg User <admin_name> made a change via <ui>: <ip_address>
32103
32104
32105
Message ID 32103
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user deleted an access profile.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
profile The name of the access profile.
msg User <administrator_name> deleted an access profile <profile_name> from <string>
Message ID 32104
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning An administrator has failed to update the FortiGate unit.
Fields Field Description
admin The name of the administrator creating the traffic.
msg FortiGate <string> failed
Message ID 32105
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• An administrator has updated the databases and engines successfully.
• An administrator has updated the AV database successfully.
• An administrator has updated the IDS database successfully.
Fields Field Description
admin The name of the administrator creating the traffic.
status This field always contains update.
virdb This field always contains yes.
msg This field contains any one of the following:
• Fortigate <string> virdb(<value>) idsdb(<value>) aven(<value>) idsen(<value>) from <string>
• Fortigate updated virdb (<value>)
• Fortigate updated idsdb (<value>)
32120
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a UTM profile.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action The type of action that occurred. In this log message, this field can contain add.
msg Administrator <admin_name> added an <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)>. Note: The UTM profile type can be a sensor, such as DLP or IPS.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
cmdb_obj The type of profile that was used. For example, antivirus.profile.
name The name of the profile that was used. For example, av_1.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator edited the settings of another administrator.
Fields Field Description
user The name of the administrator who is creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the administrator whose settings were modified within their account.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an admin user.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> added an admin user <admin_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the administrator who was added.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new interface.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> added a new interface <interface_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
intf The name of the new interface. For example, interface_1
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator modified the settings within another administrator’s account.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the administrator who had their settings modified by another administrator.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator modified the settings within another administrator’s account.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> added a user group <user_group_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new user group.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new Directory Server (FSAE) entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> added a Directory Server (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new FSAE entry.
server The FSAE’s IP address.
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new report dataset.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report dataset.
msg User <admin_name> added a report dataset <dataset_name> from <ui>
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new report chart widget.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report chart.
msg User <admin_user> added a report chart widget <chart_name> from <ui>
Message ID 32120
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a report summary entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report summary entry that was added.
msg User <admin_name> added a report summary entry <summary_entry> from <ui>
32121
Message ID 32121
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator modified settings within a UTM profile.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action The type of action that occurred. This field always contains modify.
msg Administrator <admin_name> changed a <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)> Note: The UTM profile can be a sensor, such as DLP or IPS.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field is always notice.
cmdb_obj The type of profile that was used. For example, antivirus.profile.
name The name of the profile that was used. For example, av_1.
Message ID 32121
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the interface setting.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
intf The name of the interface of the originating traffic.
field This field contains either status or mtu.
old This field contains either up or down.
new This field contains either up or down.
msg This field contains any one of the following:
• User <administrator_name> changed the status of interface {internal | external | dmz | <other>...} from <ui>
• User <administrator_name> changed the mtu setting of interface <interface_name> from <ui>
• User <administrator_name> changed the ip setting of the interface <interface_name> from <ui>
32122
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted the specified interface.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <administrator_name> deleted interface <interface_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
intf The name of the interface that was removed.
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted the specified interface.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the administrator who was deleted.
msg User <administrator_name> deleted an admin user <user_name> from <ui>
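Message IDs 32120 and 32122 each cover many unrelated changes in the entries above, so a detection has to key on the msg text as well as the ID. The following added example (not part of the Fortinet reference) does that for the three administrator-account templates and splits the ui value into its parts; the dict record layout with a message_id key, the management network, and the sample records (including the console ui value) are constructed assumptions.

```python
import ipaddress
import re

# msg templates taken from the 32120 and 32122 entries in this reference. Both IDs
# cover many unrelated changes, so the msg text decides what was changed.
ADMIN_ACCOUNT_TEMPLATES = [
    ("admin_added", 32120,
     re.compile(r"^User (?P<actor>\S+) added an admin user (?P<target>\S+) from ")),
    ("admin_edited", 32120,
     re.compile(r"^Administrator (?P<actor>\S+) edited the settings of "
                r"administrator (?P<target>\S+) from ")),
    ("admin_deleted", 32122,
     re.compile(r"^User (?P<actor>\S+) deleted an admin user (?P<target>\S+) from ")),
]

# ui values in the reference look like GUI(10.10.20.5): point of entry, then address.
UI_RE = re.compile(r"^(?P<method>[^()\s]+)\((?P<ip>[^()]+)\)$")

# Assumption: the network administrators are expected to connect from.
MGMT_NETWORKS = ["10.10.20.0/24"]

# Constructed sample records, already split into the fields the reference documents.
SAMPLE_RECORDS = [
    {"message_id": 32120, "user": "admin_123", "ui": "GUI(10.10.20.5)", "name": "av_1",
     "msg": "Administrator admin_123 added an antivirus.profile av_1 "
            "from GUI(10.10.20.5)."},
    {"message_id": 32120, "user": "admin_123", "ui": "GUI(10.10.20.5)",
     "name": "backup_adm",
     "msg": "User admin_123 added an admin user backup_adm from GUI(10.10.20.5)"},
    {"message_id": 32122, "user": "backup_adm", "ui": "GUI(203.0.113.7)",
     "name": "admin_123",
     "msg": "User backup_adm deleted an admin user admin_123 from GUI(203.0.113.7)"},
    {"message_id": 32120, "user": "admin_123", "ui": "console", "name": "ops2",
     "msg": "Administrator admin_123 edited the settings of administrator ops2 "
            "from console"},
]


def parse_ui(ui):
    """Split a ui value such as 'GUI(10.10.20.5)' into (method, address or None)."""
    ui = ui.strip()
    m = UI_RE.match(ui)
    if not m:
        return ui, None  # no address recorded with the point of entry
    try:
        return m.group("method"), ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return m.group("method"), None  # parenthesised part is not an IP address


def classify(record):
    """Return (event, actor, target) for an administrator-account change, else None."""
    for event, message_id, pattern in ADMIN_ACCOUNT_TEMPLATES:
        if record.get("message_id") != message_id:
            continue
        m = pattern.match(record.get("msg", ""))
        if m:
            return event, m.group("actor"), m.group("target")
    return None


def review(records, mgmt_networks):
    """List administrator-account changes and whether each came from a trusted source."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue  # same Message ID, but a different kind of change
        event, actor, target = hit
        method, ip = parse_ui(rec.get("ui", ""))
        findings.append({
            "event": event,
            "actor": actor,
            "target": target,
            "method": method,
            "source": str(ip) if ip is not None else None,
            # A missing address is treated as untrusted so it gets looked at.
            "trusted_source": ip is not None and any(ip in n for n in nets),
            # The user field and the actor named in msg should agree.
            "user_matches_msg": rec.get("user") == actor,
        })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS, MGMT_NETWORKS):
        print(finding)
```

The first sample record shares Message ID 32120 with the admin-user record but describes a UTM profile change, so it is skipped.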
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator deleted another administrator’s account.
Fields Field Description
user The administrator who is creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> deleted user <admin_user> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the administrator who was deleted by another administrator.
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted an IPsec manualkey.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the manual key that was deleted by the administrator.
remote-gw The IP address of the remote gateway.
msg User <administrator_name> deleted an ipsec manualkey <manualkey_name> from <ui>
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted an FSAE entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <administrator_name> deleted a Directory Service (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the entry that was removed from the list.
server The removed FSAE’s IP address.
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• An administrator deleted a CA certificate.
• An administrator has removed all CA certificates.
• An administrator deleted a local certificate.
• An administrator deleted all local certificates.
• An administrator deleted a CRL certificate.
• An administrator deleted all CRLs.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the administrator who deleted or removed the certificate.
msg This field contains any one of the following:
• User <administrator_name> removed a CA certificate <certificate_name> from <ui>
• User <administrator_name> removed all CA certificates from <ui>
• User <administrator_name> deleted a local certificate <certificate_name> from <ui>
• User <administrator_name> removed all local certificates from <ui>
• User <administrator_name> removed a CRL certificate <certificate_name> from <ui>
• User <administrator_name> removed all CRL certificates from <ui>
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a dataset.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report dataset.
msg User <admin_name> delete a report dataset <dataset_name> from <ui>
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a chart widget.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report chart widget.
msg User <admin_name> delete a report chart widget <chart_name> from <ui>
Message ID 32122
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a chart widget.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the report summary entry.
msg User <admin_name> delete a report summary entry <summary_entry> from <ui>
32123
Message ID 32123
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added the specified static route entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
status The status of the route entry. This field contains up.
msg User <administrator_name> added new static routing entry <seq_number> from <ui(<ip_address>)>
dst The destination IP address.
seq The number that describes where the entry is in the static route entry table.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
device The interface that will be using the static route.
distance The distance number.
priority The priority number.
flags The flags information.
32124
Message ID 32124
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator made the specified changes to the static route entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
seq The sequence number or the number of the order of that entry within the list.
old_device The previous interface.
old_distance The previous hops’ number.
old_priority The previous administrative priority.
old_dst The previous destination IP address.
old_status The previous status. This field contains either up or down.
old_flags The previous flag string.
new_device The new interface.
new_distance The new hops’ number.
new_priority The new administrative priority.
new_dst The new destination IP address.
new_status The new status. This field contains either up or down.
new_flags The new flag information.
msg User <administrator_name> changed the setting of a new static routing entry from <ui>
32125
32126
Message ID 32125
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted the specified static route entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
seq The NAT identification number. For example, the first entry in the table is 1, so this field displays 1.
device The interface.
distance The hops’ number information.
priority The administrative priority.
dst The destination IP address.
status The status. This field contains either up or down.
flags The flag information.
msg User <administrator_name> deleted a static routing entry from <ui>
Message ID 32126
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator added a firewall policy.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <administrator_name> added <iptype> firewall central-nat policy <nat_id_number> from <ui(<ip_address>)>.
seq The NAT identification number. For example, the first entry in the table is 1, so this field displays 1.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
orig-addr The original source IP address.
nat-ippool The name of translated IP pool that was applied to the entry.
orig-port The original source port number.
nat-port The translated port number range.
32127
Message ID 32127
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator modified a firewall policy.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> changed IPv4 firewall policy <policy_id_number> from <ui(<ip_address>)>.
seq The firewall policy identification number.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field is always notice.
sintf The name of the source interface or zone applied to the firewall policy.
dstintf The name of the destination interface or zone applied to the firewall policy.
saddr The firewall policy’s selected source address. For example, if you selected all, then all appears in this field.
daddr The firewall policy’s selected destination address. For example, if you selected all, then all appears in this field.
act The type of action applied to the firewall policy. For example, ACCEPT.
nat This field contains either no or yes.
iptype The type of IP address. This can be ipv4 or ipv6, depending on whether you have configured IPv4 addresses or IPv6 addresses.
schd The type of firewall schedule that was selected for that firewall policy.
srv The type of firewall service applied to the firewall policy. For example, ANY.
32128
Message ID 32128
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a firewall policy.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
seq The firewall policy identification number.
sintf The name of the source interface.
dintf The name of the destination interface.
saddr The source IP address.
daddr The destination IP address.
schd The name of the schedule.
srv The network service.
act The type of action applied to the firewall policy. For example, ACCEPT.
nat This field contains either no or yes.
log The log identification number.
iptype The type of IP address, such as IPv6. This field always contains ipv6.
msg User <administrator_name> deleted a firewall policy from <ui>
32129
32130
Message ID 32129
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a local user.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
status The status of the local user. This field always contains enable.
msg User <admin_name> added local user <user_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new local user.
Message ID 32130
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the new local administrator.
old_status The old_status information.
new_status The new_status information.
passwd The password information.
msg User <administrator_name> changed a local user’s setting from <ui>
32131
32132
Message ID 32131
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
name The name of the new administrator.
status This field contains either enable or disable.
msg User <administrator_name> deleted a local user <administrator_name> deleted a local user from <ui>
Message ID 32132
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a RADIUS server.
Fields Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User <admin_name> added radius server <radius_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new RADIUS server.
server The RADIUS server’s IP address.
Message ID 32132
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a TACACS+ server.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg User <admin_name> added TACACS+ server <tacacs+_name> from <ui(<ip_address>)>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new TACACS+ server.
server The TACACS+ server’s IP address.
Message ID 32133
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator made the specified changes to the RADIUS server entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name The name of the administrator.
old_server The previous server’s IP address.
new_server The new server’s IP address.
secret The server’s encrypted password.
msg User <administrator_name> changed a radius server <radius_server_name> setting from <ui>
Message ID 32134
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted the RADIUS server from the server list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name The name of the administrator.
server The server’s IP address.
msg User <administrator_name> deleted a radius server <radius_server_name> from <ui>
Message ID 32135
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a new LDAP server to the list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg User <admin_name> added ldap server <ldap_name> from <ui(<ip_address>)>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the new LDAP server.
server The LDAP server’s IP address.
Message ID 32136
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator made the specified changes to an LDAP server entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name The name of the administrator.
old_server The previous server’s IP address.
old_port The previous server’s port number.
old_cn The previous CN value.
old_dn The previous DN value.
new_server The new server’s IP address.
new_port The new server’s port number.
new_cn The new CN value.
new_dn The new DN value.
msg User <administrator_name> changed an ldap server <ldap_server_name> setting from <ui>
Message ID 32137
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted the LDAP server from the list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name The name of the administrator.
server The server’s IP address.
msg User <administrator_name> deleted an ldap user from <ui>
Message ID 32137
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IM/P2P user was deleted.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name The name of the administrator.
policy The firewall policy identification number.
msg User <user_name> deleted im/p2p <im/p2puser_name> user <user_name> from <ui>
Message ID 32138
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator either rebooted or shut down the FortiGate unit.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field is either reboot or shutdown.
msg User <administrator_name> rebooted the device from <ui>. The reason is “<reason>”
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator reset the FortiGate unit to its default settings.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains factory-reset.
msg User <administrator_name> reset to the factory settings from <ui>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator or user formatted the log disk on the FortiGate unit.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field always contains format-disk.
msg User <administrator_name> formatted the log disk from <ui>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator restored a firmware image.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• restore-image
• restore-configuration
• restore-all-configuration
msg User <administrator_name> restored the image from <ui(<ip_address> -> <ip_address>)
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The auto-install restored the configuration using the USB key.
• The auto-install restored the firmware image using the USB key.
Fields Field Description
user The name of the administrator creating the traffic. In this log message, this field always contains auto-install. This means that the FortiGate unit automatically installed the image itself.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). In this log message, this field always contains usb.
action This field always contains restore-image.
msg This field contains any one of the following:
• User auto-install restored the configuration from usb (<ip_address>)
• User auto-install restored the image from usb (<ip_address> -> <ip_address>)
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning An administrator has updated either the virus engine and/or the IDS database.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains update.
msg This field contains any one of the following:
• User <administrator_name> requested a virus and IDS engine/definitions update from <ui>
• User <administrator_name> requested an IDS engine/definitions update from <ui>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The system encountered an error when trying to restore an image from the FortiGuard Analysis and Management Service.
• The system restored an image from the FortiGuard Analysis and Management Service.
• The system restored a template from the management station.
• The system failed to load a configuration file from the management station.
Fields Field Description
user The name of the administrator creating the traffic. In this log message, this field contains system.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• restore-image
• restore-template
• restore-configuration
msg This field contains any one of the following:
• System loaded an image from FortiGate Management, the new image has an invalid CC signature.
• System restored the image from FortiGuard Management (<ip_address> -> <ip_address>)
• System restored configuration template <template_name> from management station.
• System failed to restore configuration from management station.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The administrator loaded an image with a valid RSA signature from a FortiManager unit, which includes a new public key.
• The administrator loaded a firmware image from a FortiManager unit and that image has an invalid or no RSA signature.
• The administrator loaded an image with a valid RSA signature from a FortiManager unit.
• The administrator updated the firmware image from a FortiManager unit.
Fields Field Description
user The name of the administrator creating the traffic. In this log message, this field contains system.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field always contains update-image.
msg This field contains any one of the following:
• User <user_name> loaded an image from FortiManager, the new image does have a valid RSA signature with new public key.
• User <user_name> loaded an image from FortiManager, the new image has an invalid RSA signature.
• User <user_name> loaded an image from FortiManager, the new image does have a valid signature.
• User <user_name> loaded an image from FortiManager, the new image does not have a valid RSA signature.
• User <user_name> updated the image from FortiManager (<ip_address> -> <Ip_address>)
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator loaded a diagnostic application.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains loaded-diag-app.
msg User <administrator_name> loaded a diagnostic application from <ui> with serial number <serial_number>. The executable result= <string>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The system loaded an image that contains an invalid RSA signature.
• The administrator uploaded an image with an invalid RSA signature.
• The administrator uploaded an image with a valid RSA signature and new public key.
• The administrator uploaded an image with a valid RSA signature.
• The administrator uploaded an image that does not have a valid RSA signature.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains loaded-image.
msg This field contains any one of the following:
• System loaded an image from FortiGuard Management, the new image has an invalid RSA signature
• User <administrator_name> loaded an image from <ui>, the new image has an invalid signature.
• User <administrator_name> loaded an image from <ui>, the new image does have a valid RSA signature with a new public key.
• User <administrator_name> loaded an image from <ui>, the new image does have a valid RSA signature.
• User <administrator_name> loaded an image from <ui>, the new image does not have a valid RSA signature.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
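Because the image-related entries above share one message ID and differ only in the action and msg fields, a log consumer has to classify them from the msg text. The following is an added example, not part of the Fortinet reference: the field names and message wording are taken from this reference, while the key=value line layout, the verdict labels, and the sample lines are assumptions constructed for illustration.

```python
import re

# Field names (user, ui, action, msg, vd, pri) come from the reference.
# The key=value layout of a raw log line is an assumption for this example.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Action values the reference lists for firmware image events.
IMAGE_ACTIONS = {"loaded-image", "update-image", "restore-image"}

# Message wording copied from the msg variants listed in the reference.
FAILED = re.compile(
    r"has an invalid (?:RSA\s*|CC )?signature"
    r"|does not have a valid (?:RSA )?signature"
    r"|does not support CC mode"
)
NEW_KEY = re.compile(r"does have a valid RSA signature with (?:a )?new public key")
VALID = re.compile(r"does have a valid (?:RSA )?signature")


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def classify(event):
    """Return a verdict label (labels are this example's own, not Fortinet's)."""
    if event.get("action") not in IMAGE_ACTIONS:
        return "not-image-event"
    msg = event.get("msg", "")
    if FAILED.search(msg):
        return "signature-failed"
    # Checked before VALID because the new-key wording starts with the same text.
    if NEW_KEY.search(msg):
        return "valid-new-key"
    if VALID.search(msg):
        return "valid"
    return "no-verdict"


def triage(lines):
    """Classify every line; returns (verdict, user, ui) tuples in input order."""
    out = []
    for line in lines:
        event = parse_line(line)
        out.append((classify(event), event.get("user"), event.get("ui")))
    return out


def needs_review(lines):
    """Events an analyst should look at: failed checks and signing-key changes."""
    return [t for t in triage(lines) if t[0] in ("signature-failed", "valid-new-key")]


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    'pri=critical vd=root user="admin" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin loaded an image from GUI(10.10.20.5), the new image has an invalid signature."',
    'pri=critical vd=root user="system" ui=FortiManager action=update-image '
    'msg="User system loaded an image from FortiManager, the new image does have a valid RSA signature with new public key."',
    'pri=critical vd=root user="admin" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin loaded an image from GUI(10.10.20.5), the new image does have a valid RSA signature."',
    'pri=critical vd=root user="admin" ui=GUI(10.10.20.5) action=import-certificate '
    'msg="User admin imported the certificate from GUI(10.10.20.5)"',
    'pri=critical vd=root user="admin" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin loaded an image from GUI(10.10.20.5), the new image does not have a valid RSA signature."',
    'pri=critical vd=root user="admin" ui=FortiManager action=update-image '
    'msg="User admin updated the image from FortiManager (10.10.20.5 -> 10.10.20.6)"',
]

if __name__ == "__main__":
    for verdict, user, ui in needs_review(SAMPLE_LINES):
        print(f"{verdict}: user={user} ui={ui}")
```

The check for an invalid signature runs first, so a message containing "invalid" is never counted as valid even though the word "valid" appears inside it.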
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The administrator restored a FortiClient firmware image.
• The administrator updated the firmware.
• The administrator restored a firmware image.
• The administrator successfully restored the configuration file.
• The administrator failed to restore the configuration file.
• The administrator restored a complete configuration.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• restore-forticlient
• update
• restore-image
• restore-configuration
• restore-all-configuration
msg This field contains any one of the following:
• User <administrator_name> restored the image <image_name> from <ui>
• User <administrator_name> updated the firmware from <ui>
• User <administrator_name> restored image from <ui>(<ip_address> -> <ip_address>)>
• User <administrator_name> restored the configuration from <ui>
• User <administrator_name> failed to restored the configuration from <ui>
• User <administrator_name> restored all the configuration from <ui>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator either loaded a firmware image that does not support CC mode or the image has an invalid CC signature.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains either loaded-image or update-image.
msg This field contains any one of the following:
• User <administrator_name> loaded the image from <ui> the new image does not support CC mode.
• User <administrator_name> loaded an image from <ui>, the new image has an invalid CC signature.
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator imported a certificate.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains import-certificate.
msg User <administrator_name> imported the certificate from <ui>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains critical.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator loaded a firmware image from a FortiManager unit and that image has an invalid RSA signature.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5). Note: For this log message, the location is FortiManager.
action This field always contains update-image.
msg User <user_name> loaded an image from FortiManager, the new image has an invalid RSA signature.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, however, the image has an invalid CC signature.
• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, however, the image has an invalid RSA signature.
• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image has a valid RSA signature with new public key.
• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image has a valid RSA signature.
• The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image does not have a valid RSA signature.
• The system restored a firmware image from FortiGuard Analysis and Management Service.
Fields Field Description
user The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• restore-image
• loaded-image
• restore-image
msg This field contains any one of the following:
• System loaded an image from FortiGuard Management, the new image has an invalid CC signature.
• System loaded an image from FortiGuard Management, the new image has an invalid RSAsignature.
• System loaded an image from FortiGuard Management, the new image does have a valid RSA signature with new public key.
• System loaded an image from FortiGuard Management, the new image does have a valid RSA signature.
• System loaded an image from FortiGuard Management, the new image does not have a valid RSA signature.
• System restored the image from FortiGuard Management (<firmware_build> -> <firmware_build>)
Message ID 32139
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The system restored the specified script.
• The system restored a configuration file from the management station.
• The system failed to restore a configuration file from the management station.
• The system failed to upgrade a firmware image.
• The system failed to restore a firmware image from the management station.
Fields Field Description
user The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• restore-script
• restore-cfg
• restore-<string>
• update-image
msg This field contains any one of the following:
• System restored script <script_name> from management station.
• System restored <string> file <string> from management station.
• System failed to restore <string> file <string> from management station.
• User <user_name> loaded an image from <ui>, System upgrade failed due to failed operation file.
• System failed to restore <string> file <string> from management station.
Message ID 32139
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The administrator formatted the RAID disk.
• The administrator enabled the RAID disk.
• The administrator disabled the RAID disk.
Fields Field Description
user The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action This field contains any one of the following:
• format-rebuild-level
• enable-raid
• disable-raid
msg This field contains any one of the following:
• User <user-name> formatted the RAID disk from <ui>
• User <user_name> enabled RAID from <ui>
• User <user_name> disabled RAID from <ui>
Message ID 32140
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed a global setting.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
field The type of field within the Administration Settings page that was changed. For example, if you changed the idle timeout, located in Timeout Settings, this field would contain timeout. This field contains any one of the following:
• mode
• virtual-domain
• hostname
• ip-overlap
• timeout
• detection-interval
old_value The previous setting for the type of field before it was changed. For example, if you changed the idle timeout from the default time, 5m would appear in this field.
new_value The new setting for the type of field that was changed.
msg User <administrator_name> changed <field_type> global setting to <new_value> from <ui>.
Message ID 32140
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the user authentication settings.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
field The type of action that was taken. This field always contains auth-timeout.
old_value The previous timeout period within the authentication settings.
new_value The new timeout period within the authentication settings.
msg User <admin_name> changed auth-timeout user setting to <new_value> from <ui(<ip_address>)>
vd The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
Message ID 32141
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The specified interface has received a new DHCP address. The address expires at the specified time.
Fields Field Description
id The identification number.
msg interface <interface_name> gets a DHCP lease, ip:<ip_address>, mask:<netmask>, gateway:<gateway_address>, lease expires:<name_day><name_month> <date> <hh:mm:ss> <yyyy>
Message ID 32142
Log Subtype Admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The administrator backed up the current configuration to a file.
• The administrator backed up the specified file.
• The administrator failed to back up the specified file.
• The administrator backed up all the logs.
• A configuration file was automatically backed up to the management station successfully.
• The administrator failed to back up all log files.
• The system backed up the configuration file to the FortiGuard Analysis and Management Service, per a request from the FortiGuard Analysis and Management Service portal.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that was taken by the administrator. This field always contains backup.
reason The reason for the trigger. For this log message, the service portal of the FortiGuard Analysis and Management Services was used.
msg This field contains any one of the following:
• User <administrator_name> backed up the configuration from <ui>
• User <administrator_name> backed up <file_name> log from <ui>
• User <administrator_name> failed to backup <file_name> log from <ui>
• User <administrator_name> backed up all the logs from <ui>
• Automatic configuration backup to Management Station succeeded
• User <administrator_name> failed to back up all the logs from <ui>
• System backed up configuration to Management Station per service portal request.
Message ID 32142
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The administrator backed up a standardized error output by SCP.
• The administrator backed up a batch of mode commands by SCP.
• The administrator failed to update the antivirus package by SCP.
• The administrator successfully updated the antivirus package by SCP.
• The administrator successfully updated the IPS package by SCP.
• The administrator failed to update the IPS package by SCP.
• The administrator failed to update the DLP fingerprint database by SCP.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5). Note: For this log message, location is FortiManager or the FortiManager unit.
action The type of action that was taken by the administrator. This field contains either update or backup.
msg This field contains any one of the following:
• User <user_name> backed up the result of batch mode commands by SCP.
• User <user_name> backed up the result of batch mode commands by SCP.
• User <user_name> failed to update AV package by SCP.
• User <user_name> updated AV package by SCP.
• User <user_name> failed to update IPS package by SCP.
• User <user_name> updated IPS package by SCP.
• User <user_name> failed to update DLP fingerprint database by SCP.
Message ID 32142
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a configuration revision from the database.
Fields Field Description
action The type of action that was taken by the administrator. This field always contains delete.
status This field always contains success.
msg <configuration_revision_name> has been deleted from revision database.
Message ID 32142
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The administrator backed up a configuration file to the management station.
• The administrator deleted a configuration file from the local hard disk.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that was taken by the administrator. This field is either backup or delete.
status This field always contains success.
msg This field contains any one of the following:
• User <user_name> backed up the configuration from <ui> to management station.
• User <user_name> delete the <string> from <string> from flash disk.
Message ID 32143
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator loaded the wrong image type.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that was taken by the administrator. This field always contains loaded-image.
msg User <administrator_name> loaded a wrong image from <ui>
Message ID 32143
Log Subtype Admin
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the policy routing entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg User <administrator_name> changed policy routing entry <incoming_interface> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
old_iff The previous incoming interface.
new_iff The new incoming interface.
Message ID 32144
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator added a policy routing entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg User <admin_name> added policy routing entry <outgoing_interface_name> from <ui(<ip_address>)>
src The source IP address.
dst The destination IP address.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
iff The “if” interface. In the policy routing entry, you must specify the interface “if”.
ipproto The IP protocol number.
ports The destination port range. For example ports 1-65535.
off The outgoing interface. This is the interface that was chosen in the section Force traffic to: on the New Routing Policy page.
gw The gateway IP address.
Message ID 32145
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator deleted a policy routing entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
iff The name of the incoming interface.
src The source IP address.
dst The destination IP address.
proto The name of the protocol.
ports The range of port numbers.
off The outgoing interface.
gw The gateway IP address.
msg User <administrator_name> deleted a policy routing entry
Message ID 32145
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Found a new neighbor.
Fields Field Description
msg Found a new connection to <connection_name> (<connection_ip>)
Message ID 32145
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Lost a neighbor.
Fields Field Description
msg Found a new connection to <connection_name> (<connection_ip>)
Message ID 32148
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator required a CRL update.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that was taken. This field is always crl-update.
crl The name of the CRL.
msg User <administrator_name> requested a CRL update from <ui>
Message ID 32148
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified administrator changed a configuration.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action the administrator took.
obj The object information.
entry The entry information.
msg Administrator <administrator_name> of <location> from {GUI CLI}
Message ID 32149
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A command failure occurred.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
ret The ret value information.
msg Command failed: <value>. Return code <value>
Message ID 32150
Log Subtype Admin
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An administrator changed the password of another administrator.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The action that was taken by the user. This field always contains password-changed.
field This field always contains password.
msg Admin user <admin_name> changed password of admin user <admin_user>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains warning.
admin-user The name of the administrator who had their password changed.
Message ID 32151
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• A new firewall local-in policy was added.
• A new IPv6 firewall local-in policy was added.
Fields Field Description
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 32152
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• A firewall local-in policy’s setting was changed.
• An IPv6 firewall local-in policy’s setting was changed.
Fields Field Description
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 32153
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• A firewall local-in policy was deleted.
• An IPv6 firewall local-in policy was deleted.
Fields Field Description
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 32154
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator uploaded a FortiToken.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg User <user_name> has uploaded a FortiToken file.
Message ID 32155
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator has requested to activate the specified FortiToken.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action This field always contains fortitoken-activate.
serialno The serial number of the FortiToken device.
msg User <user_name> has requested to activate FortiToken <serialno>
Message ID 32156
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiToken has been activated by FortiGuard.
Fields Field Description
action This field always contains fortitoken-activate.
serialno The serial number of the FortiToken device.
status The status of the activation process.
msg Activation of FortiToken <serialno> <status>.
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an email filter IP black/white list entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
status The status of the UTM profile. This field always contains enabled.
ip The IP address.
msg User <admin_name> added antispam IP black/white entry <ip_address> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an email address black/white list entry.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
status The status of the UTM profile. This field always contains enabled.
ip The IP address.
msg User <admin_name> added email black/white entry <email_address> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
email-pattern The email address entry. For example, [email protected].
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a banned word to the email filtering banned word list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
status The status of the UTM profile. This field always contains enabled.
msg User <admin_name> added antispam banned word entry <banned_word> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
pattern The banned word entry.
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a URL address to the URL filter.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
status The status of the UTM profile. This field always contains enabled.
ip The IP address.
msg User <admin_name> added URL filter entry <url_address> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
url The URL address that was entered.
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a banned word entry to the web content filter list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
status The status of the UTM profile. This field always contains enabled.
msg User <admin_name> added webfilter banned word entry <banned_word> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
word The word or words that were added to the webfilter content filter list.
lang The type of language applied to the entry. For example, Western.
pattern_type The type of pattern applied to the word. For example, wildcard.
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an email address to the email address black/white list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
email-pattern The email address of the new entry in the list.
status The status of the UTM profile. This field always contains enabled.
msg User <admin_name> added antispam email black/white entry <email_address> from <ui(<ip_address>)>
Message ID 32157
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an email address to the email address black/white list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action This field always contains fortitoken-synchronize.
serialno The serial number of the FortiToken device.
status The status of the synchronization process.
msg User <admin_name> resynchronized FortiToken <serialno> with result: <status>
Message ID 32158
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a word from within a web content filter list.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
word The web filter word that was deleted from within the list.
lang The type of language that was chosen. For example, Western.
pattern_type The type of pattern that was chosen, for example, Regular Expression.
status The status of the word within the list before it was deleted. This field always contains enabled.
msg User <admin_name> deleted webfilter banned word entry <word> from <ui(<ip_address>)>
Message ID 32161
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the specified sensor.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg User <admin_name> changed sensor <ips_sensor_name>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level.
Message ID 32162
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator changed the specified sensor.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg User <admin_name> changed sensor <dos_sensor_name>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level.
Message ID 32168
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator failed to add a new entry because the VDOM property limit has been reached.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
msg Adding new entry failed: vdom property limit has been reached when user <user_name> adds <vdom> from <ui>
Message ID 32170
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator added a new multicast firewall policy.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that occurred. This field can contain config-add.
status The status of the action. This field contains success.
reason The reason for taking the action. This field contains none.
msg User <admin_name> added multicast firewall policy <policy_number> from <ui(<ip_address>)>
new_id The new firewall policy identification number for the new multicast firewall policy.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
new_srcintf The new source interface that was applied to the new multicast firewall policy.
new_dintf The new destination interface that was applied to the new multicast firewall policy.
new_saddr The new source address that was applied to the policy.
new_daddr The new destination IP address that was applied to the policy.
new_nat_addr The new NAT IP address that was applied to the policy.
new_dnat_addr The new DNAT IP address that was applied to the policy.
new_action The type of action that was applied.
new_proto The type of protocol that was applied.
new_start_port The new start port number. For example port 1.
new_end_port The new end port number. For example, port 655535
Message ID 32170
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An alarm was triggered.
Fields Field Description
action The type of action that occurred. This field always contains alarm.
alarmid The alarm’s identification number.
groupid The group identification number.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 32171
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator modified a multicast firewall policy.
Fields Field Description
user The name of the administrator creating the traffic.
ui The location of the point of entry that the user used to access the FortiGate unit to change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). In that case, this field contains GUI(10.10.20.5).
action The type of action that occurred. This field can contain config-edit.
status The status of the action. This field contains success.
reason The reason for taking the action. This field contains none.
msg User <admin_name> changed multicast firewall policy <policy_number> from <ui(<ip_address>)>
pol_id The multicast firewall policy identification number.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
old_srcintf The previous source interface.
old_dintf The previous destination interface.
old_saddr The previous source IP address.
old_daddr The previous destination IP address.
old_action The previous type of action that was applied.
old_start_port The previous start port number.
old_end_port The previous end port number.
new_srcintf The new source interface that was applied to the new multicast firewall policy.
new_dintf The new destination interface that was applied to the new multicast firewall policy.
new_saddr The new source address that was applied to the policy.
new_daddr The new destination IP address that was applied to the policy.
new_nat_addr The new NAT IP address that was applied to the policy.
new_dnat_addr The new DNAT IP address that was applied to the policy.
new_action The type of action that was applied.
new_proto The type of protocol that was applied.
new_start_port The new start port number. For example, port 1.
new_end_port The new end port number. For example, port 655535.
Message ID 32171
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An alarm was triggered.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action The type of action that occurred. This field always contains alarm-ack.
alarmid The alarm’s identification number.
groupid The group identification number.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 32172
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator deleted a multicast firewall policy.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field can contain config-delete.
status The status of the action. This field contains success.
reason The reason for taking the action. This field contains none.
msg User <admin_name> removed multicast firewall policy <policy_number> from <ui(<ip_address>)>
old_id The multicast firewall policy identification number.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
old_srcintf The previous source interface.
old_dintf The previous destination interface.
old_saddr The previous source IP address.
old_daddr The previous destination IP address.
old_action The previous type of action that was applied.
old_start_port The previous start port number.
old_end_port The previous end port number.
Message ID 32180
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator failed to back up the configuration from the management station, or the FortiGate unit’s automatic backup to the management station failed. The meaning can also be that a backup of the configuration file failed after the system upgraded.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field contains backup.
status The status of the action. This field contains failure.
msg This field contains any one of the following:
• User <admin_name> failed to backup the configuration from <ui> to management station.
• Automatic configuration backup to Management Station failed.
• Failed to backup configuration after system upgrading: <string>
Message ID 32200
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator uploaded the new web filter list specified in the “upload” field.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
upload This field contains any one of the following:
• url-exempt-list
• url-block-list
• word-block-list
num The num value information.
msg User <administrator_name> uploaded <upload_type> from <ui>
Message ID 32301
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added a virtual domain.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field contains add-vdom.
msg Virtual domain <vd_name> is added.
Message ID 32302
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator deleted a virtual domain.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field always contains del-vdom.
msg Virtual domain <vd_name> is deleted.
Message ID 32400
Log Subtype Admin
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The configuration changed.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg Configuraiton is changed in the admin session.
Message ID 32401
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator added an application control list.
Fields
Field Description
user The administrator who is creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field contains add.
msg Administrator <admin_name> added an application control list <app_crtl_list_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the application control list.
Message ID 32401
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The administrator modified settings within an application control list.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field always contains edit.
msg Administrator <admin_name> edited an application control list <default_app_name> from <ui(<ip_address>)>
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
pri The priority level. This field always contains notice.
name The name of the application control list.
Message ID 32545
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The system was restarted because it was scheduled to.
Fields
Field Description
user The name of the administrator creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action This field always contains reboot.
msg System will reboot due to scheduled daily restart.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
Message ID 32546
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The archive log files are being uploaded to the FortiAnalyzer unit.
Fields
Field Description
action This field always contains upload_request.
msg Content Archive data has been uploaded to FortiAnalyzer.
Message ID 32547
Log Subtype Admin
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The content archive file failed to upload.
Fields
Field Description
action This field always contains upload_request.
msg Content Archive data failed to upload to <string>.
Message ID 32548
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The upload of memory logs to a remote server failed because it reached the maximum capacity.
Fields
Field Description
action This field always contains upload_request.
msg Uploading memory logs to remote logging server(s) because it reached <percentage> percent full
Message ID 32549
Log Subtype Admin
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The upload of memory logs to a remote server occurred as scheduled.
Fields
Field Description
action This field always contains upload_request.
msg Uploading memory logs to remote logging server(s) as scheduled
Event-System
Event-System log messages record events that occur in the FortiGate system, such as administrators logging in and out, or events occurring on the interfaces.
Message ID 20001
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The routing information has changed because of the gateway’s status, up or down.
Fields
Field Description
interface This field contains any one of the following:
• internal
• external
• dmz
• other
status This field contains either up or down.
msg Ping server is {up | down}
Message ID 20001
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• There is a problem contacting the modem. Verify the modem connection and settings.
• The FortiGate unit has attempted to redial the ISP from the modem and could not connect after the set number of redial attempts. You must reset the modem to attempt the connection.
• The wireless user has been disconnected.
• A client was accepted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg This field contains any one of the following:
• Problem contacting the modem
• modem: Redial limit exceeded… giving up
• Client <wireless_user> is disassociated.
• Accepted associated from <client_name>
Message ID 20001
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• Client <client_name> does 1X – The client does 1X.
• Client <client_name> does WPA – The client does WPA.
Fields
Field Description
msg This field contains any one of the following:
• Client <client_name> does 1X
• Client <client_name> does WPA
Message ID 20001
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Routing information is changed because the gateway is up/down.
Fields
Field Description
interface The name of the interface.
status The status information.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 20001
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning A gateway’s status.
Fields
Field Description
interface The name of the interface.
gw_group The gateway group information.
status The status information.
gw_status The gateway status.
msg The status of <gateway> for gateway group <gw_group> is <information>
Message ID 20002
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The domain name configured for an alert email recipient cannot be resolved. Verify the email address to ensure that it is correct.
Fields
Field Description
user This field always contains system.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action The type of action taken by the FortiGate unit.
status This field always contains failure.
msg Can’t resolve the IP address of <email_address>
Message ID 20003
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Failed to send an alert email. You can verify the email addresses configured for alert emails and see if that solves the problem.
Fields
Field Description
user This field always contains system.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
action The type of action taken by the FortiGate unit. This field always contains alert-email.
status This field always contains failure.
count The number of times the same event was detected within a short period of time.
msg Failed to send alert email from <ip_address> to <ip_address>.
Message ID 20004
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The policy is too big for the system to handle.
Fields
Field Description
user This field always contains system.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
status This field always contains failure.
msg Policy <policy_id> is too big for system, it’s installed partially.
Message ID 20007
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The socket is exhausted.
Fields
Field Description
service The type of service. This field always contains kernel.
status This field always contains failure.
proto The protocol information.
src The source IP address.
src_port The source port number.
nat The NAT information.
dst The destination IP address.
dst_port The destination port number.
msg NAT port is exhausted.
Message ID 20010
Log Subtype System
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS IPC error.
Fields
Field Description
msg Unable to initialize RADIUS IPS (<value>)
Message ID 20031
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit’s flash memory is full in the specified sector. You can delete logs stored to the local disk, and perform other maintenance to free memory space.
Fields
Field Description
msg Interface <interface_name> Out of memory in <memory_sector>.
Message ID 20032
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit cannot find the specified interface by name. You can check configuration of the interface and check any physical connections to solve the problem.
Fields
Field Description
msg Interface <interface_name> not found in <memory_sector>.
Message ID 20033
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An interface uses Mobile IPv6 extensions.
Fields
Field Description
msg Using Mobile IPv6 extensions.
Message ID 20034
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.
Fields
Field Description
msg MinRtrAdvInterval for <interface> must be between <start_range_seconds> and <end_range_seconds>
Message ID 20034
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.
Fields
Field Description
msg MinRtrAdvInterval for <interface_name> must be between <start_range_seconds> and <end_range_seconds>
Message ID 20035
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MinRtrAdvInterval to solve this problem.
Fields
Field Description
msg MinRtrAdvInterval must be between <start_range_seconds> and <end_range_seconds> for <interface_name>
Message ID 20036
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface, using Mobile IPv6 extensions, must be configured within the specified range. The range is specified in seconds.
Fields
Field Description
msg MaxRtrAdvInterval for <interface_name> must be between <start_range_seconds> and <end_range_seconds>
Message ID 20037
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MaxRtrAdvInterval to solve this problem.
Fields
Field Description
msg MaxRtrAdvInterval must be between <start_range_seconds> and <end_range_seconds> for <interface_name>
Message ID 20038
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The value placed in MTU options sent by the router must be either zero or between the specified range for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.
Fields
Field Description
msg AdvLinkMTU must be zero or between <start_range_bytes> and <end_range_bytes> for <interface_name>
Message ID 20039
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The value placed in MTU options sent by the router must be either zero or greater than the specified value for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.
Fields
Field Description
msg AdvLinkMTU must be zero or greater than <value_bytes> for <interface_name>
Message ID 20040
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The value to be placed in the Reachable Time field in the Router Advertisement message sent by the router must be less than the specified value for the specified interface. A value of zero means unspecified by this router. You can reconfigure the router according to the specified value to solve this problem.
Fields
Field Description
msg AdvReachableTime must be less than <value> for <interface_name>
Message ID 20041
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The default value to be placed in the CurHopLimit field in the Router Advertisements message sent by the router must not be greater than the specified value for the specified interface. You can reconfigure the router according to the specified value to solve this problem.
Fields
Field Description
msg AdvCurHopLimit must not be greater than <value_hop_limit> for <interface_name>
Message ID 20042
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The value to be placed in the Router Lifetime field of Router Advertisements sent from the interface in seconds, must be either zero or between the specified range. A value of zero indicates that the router is not to be used as a default router. You can reconfigure the router according to the specified range to solve this problem.
Fields
Field Description
msg AdvDefaultLifetime for <interface_name> must be zero or between <start_range_seconds> and <end_range_seconds>
Message ID 20043
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning HomeAgentLifetime in Router Advertisement packet is out of range. You can reconfigure the router according to the specified range to solve this problem.
Fields
Field Description
msg HomeAgentLifetime must be between <value> and <value> for <interface_name>
Message ID 20044
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning AdvHomeAgentFlag and HomeAgentLifetime in Router Advertisement packet must be set with HomeAgentInfo. You can reconfigure the router according to the specified range to solve this problem.
Fields
Field Description
msg AdvHomeAgentFlag must be set with HomeAgentInfo
Message ID 20045
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Prefix length is too long. You can adjust packet prefix length to solve this problem.
Fields
Field Description
msg Invalid prefix length for <string>
Message ID 20046
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The value to be placed in the Valid Lifetime in the Prefix Information option, in seconds, must be greater than the AdvPreferredLifetime. You can adjust packet prefix length to solve this problem.
Fields
Field Description
msg AdvValidLifetime must be greater than AdvPreferredLifetime for <string>
Message ID 20047
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to create an IPv6 socket.
Fields
Field Description
msg Can’t create socket (AF_INET6): <string>
Message ID 20048
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set IPV6_PKTINFO option.
Fields
Field Description
msg Setsockopt(IPv6_PKTINFO): <string>
Message ID 20049
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set IPV6_CHECKSUM option.
Fields
Field Description
msg Setsockopt(IPV6_CHECKSUM): <string>
Message ID 20050
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set IPV6_UNICAST_HOPS option.
Fields
Field Description
msg Setsockopt(IPV6_UNICAST_HOPS): <string>
Message ID 20051
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set IPV6_MULTICAST_HOPS option.
Fields
Field Description
msg Setsockopt(IPV6_MULTICAST_HOPS): <string>
Message ID 20052
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set IPV6_HOPLIMIT option.
Fields
Field Description
msg Setsockopt (IPV6_HOPLIMIT): <string>
Message ID 20053
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to set ICMPV6_FILTER option.
Fields
Field Description
msg Setsockopt(ICMPV6_FILTER): <string>
Message ID 20054
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received the specified signal and is going to exit.
Fields
Field Description
msg radvd receive signal=<value_signal>\n
Message ID 20055
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon cannot create query to interface by using cmf_query_create().
Fields
Field Description
msg Can not create query to interface at <string>:<string>:<value>!
Message ID 20056
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon encounters an internal error when it uses cmf_query_for_each().
Fields
Field Description
msg Interfal error in cmf_query_for_each()!
Message ID 20057
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon failed to find a virtual interface by interface index.
Fields
Field Description
msg Interface <string>:<value> not found in the list!
Message ID 20058
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon reloaded or unloaded the specified interface.
Fields
Field Description
msg This field contains any one of the following:
• Interface <string>: <value> reloaded!
• Interface <string>:<value> unloaded!
Message ID 20059
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received a packet with no pkt_info.
Fields
Field Description
msg Received packet with no pkt_info!
Message ID 20060
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 packet with invalid length.
Fields
Field Description
msg Received icmpv6 packet with invalid length: <value_bytes>
Message ID 20061
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an unwanted type of ICMPv6 packet.
Fields
Field Description
msg icmpv6 filter failed
Message ID 20062
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 RA packet with invalid length.
Fields
Field Description
msg Received icmpv6 RA packet with invalid length. <value_bytes>
Message ID 20063
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 RA packet with a non-linklocal source address.
Fields
Field Description
msg Received icmpv6 RA packet with non-linklocal source address
Message ID 20064
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 RS packet with invalid length.
Fields
Field Description
msg Received icmpv6 RS packet with invalid length: <value_bytes>
Message ID 20065
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 RS/RA packet with invalid code.
Fields
Field Description
msg Received icmpv6 RS/RA packet with invalid code: <value_code>
Message ID 20066
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received an ICMPv6 RS/RA packet with wrong hoplimit.
Fields
Field Description
msg Received RS or RA with invalid hoplimit <value_hops> from <interface_name>
Message ID 20067
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvCurHopLimit on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. You should configure the interfaces with the same AdvCurHopLimit value to correct the problem.
Fields Field Description
msg Our AdvCurHopLimit on <interface_name> doesn’t agree with <interface_name>
Message ID 20068
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvManagerFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interface with the same AdvManagerFlag value.
Fields Field Description
msg Our AdvManagerFlag on <interface_name> doesn’t agree with <interface_name>
Message ID 20069
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvOtherConfigFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvOtherConfigFlag value.
Fields Field Description
msg Our AdvOtherConfigFlag on <interface_name> doesn’t agree with <interface_name>
Message ID 20070
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvReachableTime configured on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. The value must be no greater than 3,600,000 seconds or 1 hour. You should configure the interfaces with the same AdvReachableTime value.
Fields Field Description
msg Our AdvReachableTime on <interface_name> doesn’t agree with <interface_name>
Message ID 20071
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvRetransTimer value on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). You should configure the interfaces with the same AdvRetransTimer value.
Fields Field Description
msg our AdvRetransTimer on <interface_name> doesn’t agree with <interface_name>
Message ID 20072
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon found extra data in an RA packet from the specified source.
Fields Field Description
msg trailing garbage in RA on <interface_name> from <interface_name>
Message ID 20073
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon found an RA packet with no option data from the specified source.
Fields Field Description
msg zero length option in RA on <interface_name> from <interface_name>
Message ID 20074
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The option length is greater than the total length in an RA packet from the specified source.
Fields Field Description
msg option length greater than total length in RA on <interface_name> from <interface_name>
Message ID 20075
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvLinkMTU value on the specified FortiGate interface does not agree with the specified remote interface. A value of zero indicates that no MTU options are sent. You should configure the interfaces with the same AdvLinkMTU value.
Fields Field Description
msg our AdvLinkMTU on <interface_name> doesn’t agree with <interface_name>
Message ID 20076
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvValidLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvValidLifetime value.
Fields Field Description
msg our AdvValidLifetime on <interface_name> for <value> doesn’t agree with <interface_name>
Message ID 20077
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The AdvPreferredLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvPreferredLifetime value.
Fields Field Description
msg our AdvPreferredLifetime on <interface_name> for <value> doesn’t agree with <interface_name>
Message ID 20078
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon found the specified invalid option in an RA packet from the specified source from a remote site.
Fields Field Description
msg Invalid option <value_option> in RA on <interface_name> from <location>
Message ID 20079
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon is ready to serve.
Fields Field Description
msg radvd started\n
Message ID 20080
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Recvmsg() in the IPv6 router advertisement daemon failed.
Fields Field Description
msg recvmsg: <string>
Message ID 20081
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The IPv6 router advertisement daemon received a packet with a wrong IPV6_HOPLIMIT.
Fields Field Description
msg received a bogus IPV6_HOPLIMIT from the kernel! len=<value_bytes>, data=<value>
Message ID 20082
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The IPv6 router advertisement daemon received a packet with a wrong IPV6_PKINFO.
• The IPv6 router advertisement daemon failed to check whether it has joined the all-routers multicast group.
Fields Field Description
msg This field contains any one of the following:
• received a bogus IPV6_PKINFO from the kernel! len=<value_bytes>, index=<value_index>
• Problem checking all-routers membership on <interface_name>
Message ID 20083
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The routing advertisement failed to check whether it joined the all-routers membership group.
Fields Field Description
msg problem checking all-routers membership on <interface_name>
Message ID 20084
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• Sendmsg() in the IPv6 router advertisement daemon failed.
• Sendmsg() in radvd failed.
Fields Field Description
msg sendmsg: <string>
Message ID 20090
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The interface link status has changed.
Fields Field Description
intf The name of the interface.
status The status of the interface.
msg interface <interface_name> link status is <status_type>
Message ID 20099
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The interface link status has changed.
Fields Field Description
action This field is always interface-stat-change.
status This field contains either DOWN or UP.
msg This field contains any one of the following:
• Link monitor: Interface <interface_name> was turned down
• Link monitor: Interface <interface_name> was turned up
Message ID 20099
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning FortiGuard Web Filtering category has been updated.
Fields Field Description
msg The FortiGuard Web Filtering category list has been updated. Please verify the protection profile settings are still correct.
Message ID 20101
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Status of the file upload.
Fields Field Description
action This field always contains upload.
status The status of the upload.
hash The hash information.
file The name of the file that was uploaded.
user The name of the user creating the traffic.
server The name of the server.
port The number of the port.
msg <file_name> upload reached the <string> state \n
Message ID 20101
Log Subtype System
Severity Variable
Firmware version FortiOS 4.0 MR3
Meaning File upload error.
Fields Field Description
action This field always contains upload.
status The status of the upload.
file The name of the file that was uploaded.
user The name of the user creating the traffic.
server The name of the server.
port The number of the port.
Message ID 20101
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning FortiGuard license is expired. You need to renew the FortiGuard license.
Fields Field Description
msg FortiGuard license is expired.
Message ID 20101
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Status of the uploaded file.
Fields Field Description
action The type of upload being performed.
status The status of the upload.
file The name of the file that was uploaded.
user The name of the user creating the traffic.
server The IP address of the server.
port The name of the port.
msg <file_name> upload reached the <server_ip_address> state <status_name>
Message ID 20101
Log Subtype System
Severity Variable
Firmware version FortiOS 4.0 MR3
Meaning File upload error.
Fields Field Description
action This field always contains upload.
error The type of error that occurred during the file’s uploading process.
file The name of the file that was uploaded.
user The name of the user creating the traffic.
server The IP address of the server.
port The name of the port.
msg <file_name> upload error\ \n
Message ID 20110
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An hp_api log message.
Fields Field Description
msg hp_api: Connection to ESPd has been initialized.
Message ID 20111
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An hp_api log message.
Fields Field Description
msg hp_api: Connection to ESPd has been reset, exiting.
Message ID 20200
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator initiated a self-test type from a specific location.
Fields Field Description
user The name of the user creating the traffic. In this log message, it is the administrator that is creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action This field always contains self-test.
test The type of test that was taken.
msg Administrator <administrator_name> initiates the <test_type> self-test from <ui>
Message ID 20201
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator initiated all self-tests from a specified location.
Fields Field Description
user The name of the user creating the traffic. In this log message, it is the administrator that is creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action This field always contains self-test.
test This field always contains all.
msg Administrator <administrator_name> initiates all self-tests from <ui>
Message ID 20202
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The daemon started.
Fields Field Description
action This field always contains daemon-startup.
daemon The type of daemon used.
pid The PID number.
msg Daemon <daemon_type> started.
Message ID 20202
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning There was an error when either partitioning the disk or formatting the disk.
Fields Field Description
msg Partitioning or formatting error (<string>) partition=<partition> format=<format> label=<label>
Message ID 20203
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The daemon was shut down.
Fields Field Description
action This field always contains daemon-shutdown.
daemon The type of daemon used.
pid The PID number.
msg Daemon <daemon_type> shutdown.
Message ID 22000
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• Packet lengths do not match.
• The packet length does not match what is specified in the request header.
Fields Field Description
msg This field contains any one of the following:
• Packet length does not match that specified in the request header.
• lengths of packets does not match
Message ID 22001
Log Subtype System
Severity Warning/Information
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The specified version of the URL agent is not supported.
• The specified version of the protocol is not supported.
• An administrator started to convert the current SQL format.
Fields Field Description
action The action that was taken.
admin The name of the administrator.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
status This field always contains started.
msg This field contains any one of the following:
• version <agent_version_num> is not supported.
• Protocol version <version_number> is not supported.
• Administrator <administrator_name> started to convert existing logs to SQL format from <ui>
Message ID 22002
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• Only HTTP is supported.
• Requests other than HTTP, HTTPS, FTP, MAIL, and AV are not supported.
• Requests other than HTTP, HTTPS, FTP, MAIL, and AV are not supported.
• The conversion of the existing SQL logs failed.
• The administrator failed to convert the existing logs into SQL format.
Fields Field Description
action The action that was taken.
status This field always contains failed.
reason This field contains either sql-db-not-running or cannot-send-request.
msg This field contains any one of the following:
• Other request <request_type> than http is not supported.
• Other requests <string> than http & ftp is not supported.
• Request type <type> is not supported
• Conversion of existing logs to SQL format failed to start because SQL DB is not running.
• Conversion of existing logs to SQL format failed to start because request cannot be sent.
Message ID 22003
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Failed to set up a signal handler.
Fields Field Description
msg sigaction(<signal_handler>)failed: <string>
Message ID 22004
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Depending on what the msg field contains, the meaning can be any one of the following:
• The system failed to create a socket or failed to create a socket.
• The system failed to create a socket or failed to create an HA socket.
Fields Field Description
msg This field contains any one of the following:
• Socket () failed: <string>
• Socket () failed: <string>
Message ID 22005
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The system failed to create a UDP socket to receive URL requests.
Fields Field Description
msg This field contains any one of the following:
• Failed to create a udp socket to relay URL requests: <string>
• failed to create a <value>/udp socket to receive URL request
Message ID 22006
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The system failed to register for cmdb events.
Fields Field Description
msg Failed to register for cmdb events.
Message ID 22009
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Could not find antivirus profile by using ID.
Fields Field Description
name The name of the antivirus profile.
status This field always contains failure.
msg failed to find its AV protection profile
Message ID 22010
Log Subtype System
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The URL filter has failed to send the rating result back to the HTTP proxy.
• The HTTP proxy has crashed.
• The sendto() failed.
Fields Field Description
process The type of process that is being performed by the FortiGate unit.
reason The reason for the trigger.
msg This field contains any one of the following:
• <string> failed to send rating result
• failed to send urlfilter packet
• failed to send urlfilter packet because queue was full
• failed to send urlfilter packet <sent_number> times
Message ID 22011
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The conversion of existing log files to SQL log files in the specified VDOM started.
Fields Field Description
action The action that was taken.
status This field always contains started.
files The names of the log files that are being converted.
msg Conversion of existing logs to SQL format for vdom <vdom_name> started.
Message ID 22012
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The SQL log database is full and cannot format any more logs.
• The SQL conversion failed because the log could not be opened.
Fields Field Description
action The action that was taken.
status This field always contains failed.
reason This field contains either sql-log-full or cannot-open-file.
file The name of the log file being converted.
msg This field contains any one of the following:
• Conversion of <log_file_name> to SQL format failed because SQL log is full.
• Conversion of <log_file_name> to SQL format failed because the log file cannto be opened.
Message ID 22013
Log Subtype System
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The conversion process finished and the logs are now in SQL format in the specified VDOM.
Fields Field Description
action The action that was taken.
status This field always contains ended.
converted_files The names of the converted log files.
entry The entry information.
msg Conversion of existing logs to SQL format for vdom <vdom_name> has been finished.
Message ID 22100
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Quarantine has dropped a FortiAnalyzer transfer job due to limited memory.
Fields Field Description
file The name of the file.
size The size of the file.
limit The number of the set limit.
avail The number for avail.
action This field always contains content-archive.
status This field always contains drop.
reason This field always contains memory-limit.
msg File <file_name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.
Message ID 22100
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Quarantine dropped FortiAnalyzer transfer jobs because there was limited available memory.
Fields Field Description
count The number of times the same event was detected within a short period of time.
duration The duration, or time lapse, in seconds.
limit The number of the set limit.
used The amount used.
action This field always contains content-archive.
status This field always contains drop.
reason This field always contains memory-limit.
msg In the past <seconds> seconds, <value> files were not transferred to FortiAnalyzer due to exceeding memory usage limit.
Message ID 22101
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields Field Description
file The name of the file.
size The size of the file.
limit The number of the set limit.
avail The number for avail.
action This field always contains content-archive.
status This field always contains drop.
reason This field always contains memory-limit.
msg File <file-name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.
Message ID 22101
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields Field Description
file The name of the file.
size The size of the file.
action This field always contains content-archive.
status This field always contains fail.
msg Failed to transfer file <file_name> to FortiAnalyzer <ip_address>
Message ID 22101
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Failed to send a file to the FortiAnalyzer unit.
Fields Field Description
file The name of the file.
size The size of the file.
action The type of action taken by the FortiGate unit.
status This field always contains fail.
msg Failed to transfer file <file_name> to FortiAnalyzer <ip_address>
Message ID 22102
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Erroneous SMART status.
Fields Field Description
msg Log disk failure is imminent, logs should be backed up
Message ID 22103
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard log buffer was reset because of a system overload. Current log data and possibly old log data may be lost. You must reopen FortiGuard log pipe to solve the issue.
Fields Field Description
reason This field always contains buffer-overflow.
msg This field contains any one of the following:
• FortiGuard Log buffer is reset due to a buffer overflow (system overload). Some log data may be lost.
• FortiGuard Analysis Service buffer is reset due to a buffer overflow (system overload). Some log data may be lost.
Message ID 22200
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The specified certificate will automatically update itself after a specified number of days is up.
Fields Field Description
user This field always contains system.
action This field always contains certificate-update.
status This field always contains warning.
cert The name of the certificate.
msg CA certificate <certificate_name> will auto-update in <number_days> days.
Message ID 22201
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The specified certificate will automatically regenerate itself after a specified number of days is up.
Fields Field Description
user This field always contains system.
action This field always contains certificate-regenerate.
status This field always contains warning.
cert The name of the certificate.
msg Local certificate <certificate_name> will auto-regenerate in <number_days> days.
Message ID 22202
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The certificate failed to automatically update.
Fields Field Description
user This field always contains system.
action This field always contains certificate-update.
status This field always contains failure.
cert The name of the certificate.
msg The log message information. This usually contains a sentence and explains the activity and/or action taken.
Message ID 22203
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The specified certificate will automatically regenerate itself after a specified number of days is up.
Fields Field Description
user This field always contains system.
action This field always contains certificate-regenerate.
status This field always contains failure.
cert The name of the certificate.
msg The log message information. This usually contains a sentence and explains the activity and/or action taken.
Message ID 22800
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Scan services entered conserve mode. Note: Not all of the fields may appear with every 22800 log message.
Fields Field Description
service The name of the service.
mode The mode information.
conserve This field always contains on.
total The total information.
free The free information.
entermargin The entermargin information.
exitmargin The exitmargin information.
msg This field contains any one of the following:
• The system has entered conserve mode” conserve=on total=<value> free=<value> entermargin=<value> exitmargin=<value>
• Scan services session fail mode.
• Scan services entered conserve mode.
Message ID 22801
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what is in the msg field, the meaning can be any one of the following:
• The system exited conserve mode.
• The scan services exited conserve mode.
Fields Field Description
service The type of service used.
conserve This field contains either on or exit.
total The total information.
free The free information.
entermargin The enter margin information.
exitmargin The exit margin information.
msg This field can be any one of the following:
• The system exited conserve mode.
• The system has entered conserve mode.
Message ID 22802
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning System services entered conserve mode.
Fields Field Description
service The type of service used.
sysconserve This field always contains on.
total The total information.
free The free information.
entermargin The enter margin information.
exitmargin The exit margin information.
msg The system has entered system conserve mode
Message ID 22803
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning System services exited conserve mode.
Fields Field Description
service The type of service used.
sysconserve This field always contains exit.
total The total information.
free The free information.
entermargin The enter margin information.
exitmargin The exit margin information.
msg The system exited system conserve mode
Message ID 22804
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The status of the license has changed.
Fields Field Description
service This field always contains license.
status The status information of the license.
msg License status changed to <status>
Message ID 22805
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The status of the license could not be validated.
Fields Field Description
service This field always contains license.
status This field always contains warning.
msg License could not be validated for over 4 hours.
Message ID 22806
Log Subtype System
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning There is a duplicate of the license.
Fields Field Description
service This field always contains license.
status This field always contains warning.
msg Detected duplicate license in use.
Message ID 22901
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit is connected to the FortiAnalyzer unit.
Fields Field Description
action This field always contains connect.
status This field always contains success.
reason The reason for the trigger.
msg Connected to FortiAnalyzer <ip_address>
Message ID 22902
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit has been disconnected from the FortiAnalyzer unit.
Fields Field Description
action This field always contains disconnect.
status This field always contains success.
reason The reason for the trigger.
msg Disconnected from FortiAnalyzer <ip_address>
Message ID 22903
Log Subtype System
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit failed to connect to the FortiAnalyzer unit.
Fields Field Description
action This field always contains connect.
status This field always contains failure.
reason The reason for the trigger.
msg Failed to connect to FortiAnalyzer <ip_address>
Message ID 22911
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service server is up.
Fields Field Description
server This field contains either Home or Alter.
action This field always contains up.
msg FortiGuard Analysis Service {Home | Alter} server is up
Message ID 22912
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service server is down.
Fields Field Description
server This field contains either Home or Alter.
action This field always contains down.
msg FortiGuard Analysis Service {Home | Alter} server is down
Message ID 22913
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service server has been disconnected.
Fields Field Description
server This field contains either Home or Alter.
action This field always contains disconnect.
msg FortiGuard Analysis Service {Home | Alter} server is disconnected
Message ID 22914
Log Subtype System
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis Service server was changed to “disable” on the FortiGuard Analysis and Management Service portal web site.
Fields Field Description
server This field contains either Home or Alter.
action This field always contains change.
msg FortiGuard Analysis Service server is changed to {Home | Alter}.
Event-DHCP service
Event-DHCP service log messages record DHCP service events.
26001, 26002
Message ID 26001
Log Subtype DHCP service
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A DHCP service event occurred.
Fields Field Description
dhcp_msg Information about the DHCP server.
dir The direction information.
mac The MAC IP address with 2x.
ip The IP address.
lease The lease information.
hostname The host name information.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 26002
Log Subtype DHCP service
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• No shared network found.
• The IP address range spans multiple subnets.
• The IP address range does not belong to the net.
Fields Field Description
dhcp_msg Information about the DHCP server.
dir The direction information.
mac The MAC IP address with 2x at the end.
ip The IP address.
lease The lease information.
hostname The host name information.
msg This field contains any one of the following:
• No shared network for network <interface_name> (ip_address)
• Address range <ip_address> to <ip_address>, netmask <netmask_address> spans <string>!
• Address range <ip_address> to <ip_address> netmask <netmask_address> not on net <string>!
Event-Firewall authentication
Event-Firewall authentication log messages record authentication events that occur within the FortiGate firewall.
38001, 38002, 38003, 38004, 38005, 38010, 38011, 38012, 38020, 38021, 38022, 38026, 38027
Message ID 38001
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified administrator succeeded in authentication.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains authenticate.
status This field always contains success.
msg User <user_name> succeeded in authentication
Message ID 38001
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified AD group succeeded in authentication.
Fields Field Description
ipproto The IP protocol information.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
adgroup The name of the AD group.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains FSAE-auth.
status This field always contains success.
msg AD group <adgroup_name> user <user_name> succeeded in authentication.
Message ID 38001
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified AD domain group failed in authentication.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
domain The domain name.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains NTML-auth.
status This field always contains failure.
reason The reason that the trigger occurred.
msg AD domain <domain_name> user <user_name> failed in authentication.
Message ID 38002
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified user failed in concurrent check.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains authenticate.
status This field always contains failure.
msg User <user_name> failed in concurrent check.
Message ID 38002
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified user failed in authentication.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains authenticate.
status This field always contains failure.
msg User <user_name> failed in authentication
Message ID 38002
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified user failed in authentication.
Fields Field Description
ipproto The IP protocol information.
src The source IP address.
dst The destination IP address.
policyid The firewall policy identification number.
adgroup The name of the AD group.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains FSAE-auth.
status This field always contains failure.
reason The reason that the trigger occurred.
msg AD group <group_name> user <user_name> failed in authentication.
Message ID 38002
Log Subtype Firewall Authentication
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The user was blacked out for a specified amount of time because of abnormal behavior.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
dst The destination IP address.
action This field always contains authenticate.
status This field always contains blackout.
reason This field always contains abnormal.
msg User from <ip_address> was blacked out for <time_seconds> seconds due to abnormal behavior.
Message ID 38002
Log Subtype Firewall Authentication
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The user failed to authenticate within the allowed time frame.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
user The name of the user creating the traffic.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
action This field always contains authenticate.
status This field always contains timeout.
reason This field always contains timeout.
src The source IP address.
srcname The name of the source. This can be the source’s IP address; however, it can also be N/A.
dst The destination IP address.
dstname The name of the destination. This can be the destination’s IP address; however, it can also be N/A.
msg User failed to authenticate within the allowed period.
Message ID 38003
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The specified administrator failed authentication and is locked out because they tried too many times.
Fields Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains authenticate.
status This field always contains lockout.
msg User at <ip_address> failed authentication too many times.
Message ID 38004
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A successful FSAE log in event.
Fields Field Description
user The name of the user creating the traffic.
src The source IP address.
server The name or IP address of the server.
action This field always contains FSAE-logon.
status This field always contains success.
msg FSAE-logon event from <ip_address>: user <user_name> logged on <ip_address>
Message ID 38004
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A successful FSAE log in event.
Fields Field Description
user The name of the user creating the traffic.
src The source IP address.
server The name or IP address of the server.
action This field always contains FSAE-logoff.
status This field always contains success.
msg FSAE-logoff event from <ip_address>: user <user_name> logged off <ip_address>
Message ID 38005
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The policy authentication of the specified user has timed out.
Fields Field Description
src The source IP address.
user The name of the user creating the traffic.
group The name of the user group creating the traffic.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
action This field always contains authenticate.
status This field always contains timeout.
msg Policy authentication of user <user_name> has timed out.
Message ID 38010
Log Subtype Firewall Authentication
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The specified user failed authentication when creating a FortiGuard Web Filtering override.
Fields Field Description
initiator The initiator information.
status This field always contains failure.
reason This field always contains credentials.
src The source IP address.
dst The destination IP address.
msg User <user_name> failed authentication when creating a FortiGuard Web Filtering overrride from <ip_address>
Message ID 38010
Log Subtype Firewall Authentication
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The encryption for EVP failed.
Fields Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains encryption.
cipher This field always contains aes-128-cbc.
status This field always contains failed.
msg EVP encryption failed.
Message ID 38011
Log Subtype Firewall Authentication
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Web Filtering override table is full and cannot contain any more overrides.
Fields Field Description
initiator The initiator information.
status This field always contains failure.
reason This field always contains table_add_failed.
src The source IP address.
dst The destination IP address.
msg FortiGuard Web Filtering override table is full.
Message ID 38011
Log Subtype Firewall Authentication
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The decryption for EVP failed.
Fields Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains decryption.
cipher This field always contains aes-128-cbc.
status This field always contains failed.
msg EVP decryption failed.
Message ID 38012
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard Web Filtering override was successfully created.
Fields Field Description
initiator The initiator information.
status This field always contains success.
reason This field always contains none.
src The source IP address.
dst The destination IP address.
action This field always contains authentication.
scope The scope information.
scope_data The scope data information.
rule_type The rule type information.
rule_data The rule data information.
offsite The offsite information.
expiry The expiry information.
msg User <user_name> added webfilter override entry <entry_name> from <location>.
Message ID 38020
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiClient checking event occurred.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
dst The destination IP address.
msg Log message information.
Message ID 38020
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiClient checking event occurred.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
msg Log message information.
Message ID 38021
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The quota for per IP shaper was exceeded.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains ip-traffic-shaper.
status This field always contains blocked.
shaper The name of the traffic shaper.
bps The bps information.
giga The Gigabyte number.
mega The mega number.
bytes The number of bytes.
msg Traffic exceed per ip traffic shaper quota, ip: <ip_address>
Message ID 38021
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The quota for per IP shaper was exceeded.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains policy-traffic-shaper.
status This field always contains blocked.
shaper The name of the traffic shaper.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
bps The bps information.
giga The Gigabyte number.
mega The mega number.
bytes The number of bytes.
msg Traffic exceed shared traffic shaper quota, policy id: <firewall_policy_id_number>.
Message ID 38022
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The shared traffic shaper data was logged.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains ip-traffic-shaper.
status This field always contains allowed.
shaper The name of the traffic shaper.
bps The bps information.
giga The Gigabyte number.
mega The mega number.
bytes The number of bytes.
msg Per ip traffic shaper statistic data is logged, ip: <ip_address>
Message ID 38022
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The shared traffic shaper data was logged.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action This field always contains policy-traffic-shaper.
status This field always contains allowed.
shaper The name of the traffic shaper.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
bps The bps information.
giga The Gigabyte number.
mega The mega number.
bytes The number of bytes.
msg Shared traffic shaper statistic data is logged, policy id: <firewall_policy_id_number>
Message ID 38026
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The Endpoint License Distribution has indicated that there are a specified number of keys assigned with a specified IP address.
Fields Field Description
msg Endpoint License Distribution: active license keys left; key <key_number> assigned to endpoint with ip=<ip_address>
Message ID 38027
Log Subtype Firewall Authentication
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An endpoint application was detected.
Fields Field Description
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
dst The destination IP address.
action The action taken by the FortiGate unit.
msg Log message information.
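The firewall authentication tables above show that the message ID alone does not determine the outcome: ID 38001 includes an NTML-auth failure, and ID 38002 covers failure, blackout and timeout. The Python example below is added here and is not Fortinet code; it classifies events by the documented action and status values instead. It assumes events arrive as space-separated key=value pairs with double-quoted values, and its sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: each event is one line of space-separated key=value pairs and
# values that contain spaces are wrapped in double quotes.
_PAIR = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# (action, status) pairs taken from the field tables for IDs 38001 to 38005.
OUTCOMES = {
    ("authenticate", "success"): "success",
    ("FSAE-auth", "success"): "success",
    ("authenticate", "failure"): "failure",
    ("FSAE-auth", "failure"): "failure",
    ("NTML-auth", "failure"): "failure",   # listed under message ID 38001
    ("authenticate", "timeout"): "timeout",
    ("authenticate", "blackout"): "blackout",
    ("authenticate", "lockout"): "lockout",
}
ALERT_OUTCOMES = {"blackout", "lockout"}


def parse_fields(line):
    """Return (fields, repeated_keys). The first value of a repeated key wins."""
    fields, repeated = {}, []
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key in fields:
            # A key that appears twice is never expected; keep the first
            # value and report the record instead of silently overwriting.
            repeated.append(key)
            continue
        fields[key] = value
    return fields, repeated


def classify(fields):
    """Map the documented action/status combination to an outcome label."""
    return OUTCOMES.get((fields.get("action"), fields.get("status")), "unknown")


def summarize(lines, failure_threshold=2):
    """Count outcomes and collect alerts as (line_number, kind, detail)."""
    outcomes = Counter()
    failures_by_user = Counter()
    alerts = []
    for number, line in enumerate(lines, 1):
        fields, repeated = parse_fields(line)
        outcome = classify(fields)
        outcomes[outcome] += 1
        origin = fields.get("src") or fields.get("ui", "?")
        if repeated:
            alerts.append((number, "repeated-key", ",".join(repeated)))
        if outcome == "failure" and "user" in fields:
            user = fields["user"]
            failures_by_user[user] += 1
            if failures_by_user[user] == failure_threshold:
                alerts.append((number, "repeated-failure", user))
        if outcome in ALERT_OUTCOMES:
            alerts.append((number, outcome, origin))
    return outcomes, failures_by_user, alerts


# Constructed sample events that use only field names from the tables above.
SAMPLE_LINES = [
    'policyid=3 user="alice" ui=GUI(10.10.20.5) action=authenticate status=success msg="User alice succeeded in authentication"',
    'policyid=3 user="bob" ui=GUI(10.10.20.7) action=authenticate status=failure msg="User bob failed in authentication"',
    'policyid=3 user="bob" ui=GUI(10.10.20.7) action=authenticate status=failure msg="User bob failed in authentication"',
    'policyid=3 domain="CORP" user="carol" ui=GUI(10.10.20.8) action=NTML-auth status=failure reason="constructed reason" msg="AD domain CORP user carol failed in authentication."',
    'policyid=3 ui=GUI(10.10.20.7) dst=192.0.2.10 action=authenticate status=blackout reason=abnormal msg="User from 10.10.20.7 was blacked out for 60 seconds due to abnormal behavior."',
    'policyid=3 user="bob" ui=GUI(10.10.20.7) action=authenticate status=lockout msg="User at 10.10.20.7 failed authentication too many times."',
    # Malformed record: the status key appears twice.
    'policyid=3 user="dave" ui=GUI(10.10.20.9) action=authenticate status=failure msg="User dave failed in authentication" status=success',
]

if __name__ == "__main__":
    counts, per_user, raised = summarize(SAMPLE_LINES)
    print(dict(counts))
    print(dict(per_user))
    for alert in raised:
        print(alert)
```

The repeated-key check matters because the last record would read as a success if a later status value were allowed to overwrite the first.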
Event-Wireless
Event-Wireless log messages record wireless events that occur with FortiGate units that have WiFi capabilities.
43520, 43521, 43522, 43524, 43525, 43526
Message ID 43520
Log Subtype Wireless
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A wireless system activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domain exists, this field always contains root.
action The information about the action that was taken.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43521
Log Subtype Wireless
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A wireless rogue AP activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domain exists, this field always contains root.
ssid The service set identifier.
bssid The basic service set identifier.
rate The data rate number.
radio-band The radio band information.
channel The channel number.
action The information about the action that was taken.
manuf The name of the manufacturer.
security-mode The type of security mode.
nssi The NSSI number.
noise The noise number.
live The live number.
age The age number.
on-wire This is either no or yes.
detection-method The type of detection method being used. This can be any one of the following:
• N/A
• sta
• mac adjancency
sta-mac The station MAC information.
ap-scan The WTP that scanned the station.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43522
Log Subtype Wireless
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A physical AP activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
sn The physical AP unit’s serial number.
ap The name of the physical AP.
ap_profile The name of the AP profile.
ip The IP address of the AP unit.
action The information about the action that was taken.
reason The reason for taking the specified action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43524
Log Subtype Wireless
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A wireless client activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
sn The physical AP unit’s serial number.
ap The physical AP name.
vap The virtual AP name.
ssid The service set identifier.
mac The client wireless MAC address.
security This field contains any one of the following:
• open
• wep64
• wep128
• wpa-psk
• wpa-radius
• wpa
• wpa2
• wpa2-auto
action The information about the action that was taken.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43525
Log Subtype Wireless
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A wireless rogue AP activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domain exists, this field always contains root.
ssid The service set identifier.
bssid The basic service set identifier.
rate The data rate number.
radio-band The radio band information.
channel The channel number.
action The information about the action that was taken.
manuf The name of the manufacturer.
security-mode The information about the security mode.
nssi The NSSI number.
noise The noise number.
live The live number.
age The age number.
on-wire This is either no or yes.
detection-method The type of detection method being used. This can be any one of the following:
• N/A
• sta
• mac adjancency
sta-mac The station MAC information.
ap-scan The WTP that scanned the station.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43526
Log Subtype Wireless
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A physical AP radio activity occurred.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
sn The physical AP unit’s serial number.
ap The name of the physical AP unit.
ip The IP address of the AP unit.
radio-id The radio identification number.
action The information about the action that was taken.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Event-IPsec negotiation
Event-IPsec negotiation log messages record IPsec activities and events.
37120, 37121, 37122, 37123, 37124, 37125, 37126, 37127, 37129, 37130, 37131, 37132, 37133, 37134, 37135, 37136, 37137, 37138, 37139,
37184, 37185, 37186, 37187, 37188, 37189, 37190, 37191, 37192, 37193, 37194, 37195, 37196, 37197, 37198, 37199, 37200, 37201, 37202,
37203
Message ID 37120
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Notification of an IPsec negotiation of Phase 1.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
xauth_result This field contains either XAUTH authentication successful or XAUTH authentication failed.
Message ID 37121
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Negotiation error of an IPsec Phase 1.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
xauth_result This field contains either XAUTH authentication successful or XAUTH authentication failed.
37122
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Notification of an IPsec negotiation of Phase 2.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
role This field contains either responder or initiator.
esp_transform This field contains any one of the following:
• ESP_NULL • ESP_3DES
• ESP_DES • ESP_AES
esp_auth This field contains any one of the following:
• no authentication • HMAC_MD5
• HMAC_SHA1 • HMAC_SHA256
37123
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Negotiation error of an IPsec Phase 2.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
role This field contains either responder or initiator.
esp_transform This field contains any one of the following:
• ESP_NULL • ESP_3DES
• ESP_DES • ESP_AES
esp_auth This field contains any one of the following:
• no authentication • HMAC_MD5
• HMAC_SHA1 • HMAC_SHA256
37124
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning IPsec Phase 1 error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • not enough key material for tunnel
• invalid SA payload • encapsulated mode mismatch
• probable preshared key mismatch • no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
• peer notification
peer_notif This field, peer notification, can contain any one of the following:
• NOT-APPLICABLE • INVALID-CERTIFICATE
• INVALID-PAYLOAD-TYPE • BAD-CERT-REQUEST-SYNTAX
• DOI-NOT-SUPPORTED • INVALID-CERT-AUTHORITY
• SITUATION-NOT-SUPPORTED • INVALID-HASH-INFORMATION
• INVALID-COOKIE • AUTHENTICATION-FAILED
• INVALID-MAJOR-VERSION • INVALID-SIGNATURE
• INVALID-MINOR-VERSION • ADDRESS-NOTIFICATION
• INVALID-EXCHANGE-TYPE • NOTIFY-SA-LIFETIME
• INVALID-FLAGS • CERTIFICATE-UNAVAILABLE
• INVALID-MESSAGE-ID • UNSUPPORTED-EXCHANGE-TYPE
• INVALID-PROTOCOL-ID • UNEQUAL-PAYLOAD-LENGTHS
• INVALID-SPI • CONNECTED
• INVALID-TRANSFORM-ID • RESPONDER-LIFETIME
• ATTRIBUTES-NOT-SUPPORTED • REPLAY-STATUS
• NO-PROPOSAL-CHOSEN • INTIAL-CONTACT
• BAD-PROPOSAL-SYNTAX • R-U-THERE
• PAYLOAD-MALFORMED • R-U-THERE-ACK
• INVALID-KEY-INFORMATION • HEARTBEAT
• INVALID-ID-INFORMATION • RETRY-LIMIT-REACHED
• INVALID-CERT-ENCODING
37125
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning IPsec Phase 2 error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • not enough key material for tunnel
• invalid SA payload • encapsulated mode mismatch
• probable preshared key mismatch • no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
• peer notification
37126
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning IPsec not state error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • not enough key material for tunnel
• invalid SA payload • encapsulated mode mismatch
• probable preshared key mismatch • no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
• peer notification
37127
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Progress of an IPsec phase 1 notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field can either be local or remote.
mode This field contains any one of the following:
• aggressive • xauth
• main • xauth_client
• quick
dir This field can be either outbound or inbound.
stage The stage number.
role This field contains either responder or initiator.
result This field contains any one of the following:
• ERROR • DONE
• OK • PENDING
37128
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Progress of an IPsec Phase 1 error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field contains either local or remote.
mode This field contains any one of the following:
• aggressive • xauth
• main • xauth_client
• quick
dir The direction of the traffic. This field contains either outbound or inbound.
stage The stage number.
role This field contains either responder or initiator.
result This field contains any one of the following:
• ERROR • DONE
• OK • PENDING
37129
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Progress of an IPsec Phase 2 notification.
Fields
Field Description
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field can either be local or remote.
mode This field contains any one of the following:
• aggressive • xauth
• main • xauth_client
• quick
dir The direction of the traffic. This field contains either outbound or inbound.
stage The stage number.
role This field contains either responder or initiator.
result This field contains any one of the following:
• ERROR • DONE
• OK • PENDING
37130
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The progress status of an IPsec Phase 2 error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg progress IPsec phase 2
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field can either be local or remote.
mode This field contains any one of the following:
• aggressive • xauth
• main • xauth_client
• quick
dir The direction of the traffic. This field contains either outbound or inbound.
stage The stage number.
role This field contains either responder or initiator.
result This field contains any one of the following:
• ERROR • DONE
• OK • PENDING
37131
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A notification of IPsec ESP.
Fields
Field Description
msg IPsec ESP.
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_num This field contains any one of the following:
• Invalid ESP packet detected • Invalid ESP packet detected (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi The spi information.
seq The seq information.
37132
Log Subtype IPsec
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning A notification of IPsec ESP error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec ESP.
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_num This field contains any one of the following:
• Invalid ESP packet detected • Invalid ESP packet detected (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi The spi information.
seq The seq information.
37133
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator installed IPsec SA.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Install IPsec SA
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
role This field contains either responder or initiator.
in_spi The in_spi information.
out_spi The out_spi information.
37134
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator deleted an IPsec Phase 1 SA.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg delete IPsec phase 1 SA.
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
37135
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An administrator deleted an IPsec Phase 1 SA.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg delete IPsec phase 2 SA.
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
enc_spi The enc_spi information.
dec_spi The dec_spi information.
37136
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec DPD failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec DPD failure
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
37137
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec connection failure
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
37138
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection status changed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec connection status change
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the Xauthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnel_ip The tunnel’s IP address.
tunnel_id The tunnel’s identification number.
tunnel_type The type of tunnel. This field always contains IPsec.
duration This represents the value in seconds.
sent The total number of bytes sent.
rcvd The total number of bytes received.
next_stat The next_stat information.
tunnel The tunnel information.
37139
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 2 status changed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec phase 2 status change
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
xauth_user The name of the XAuth user.
xauth_group The name of the XAuthentication group.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2_name The name given to the phase 2 configuration.
37184
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
peer_notif This field, peer notification, can contain any one of the following:
• NOT-APPLICABLE • INVALID-CERTIFICATE
• INVALID-PAYLOAD-TYPE • BAD-CERT-REQUEST-SYNTAX
• DOI-NOT-SUPPORTED • INVALID-CERT-AUTHORITY
• SITUATION-NOT-SUPPORTED
• INVALID-HASH-INFORMATION
• INVALID-COOKIE • AUTHENTICATION-FAILED
• INVALID-MAJOR-VERSION • INVALID-SIGNATURE
• INVALID-MINOR-VERSION • ADDRESS-NOTIFICATION
• INVALID-EXCHANGE-TYPE • NOTIFY-SA-LIFETIME
• INVALID-FLAGS • CERTIFICATE-UNAVAILABLE
• INVALID-MESSAGE-ID • UNSUPPORTED-EXCHANGE-TYPE
• INVALID-PROTOCOL-ID • UNEQUAL-PAYLOAD-LENGTHS
• INVALID-SPI • CONNECTED
• INVALID-TRANSFORM-ID • RESPONDER-LIFETIME
• ATTRIBUTES-NOT-SUPPORTED
• REPLAY-STATUS
• NO-PROPOSAL-CHOSEN • INTIAL-CONTACT
• BAD-PROPOSAL-SYNTAX • R-U-THERE
• PAYLOAD-MALFORMED • R-U-THERE-ACK
• INVALID-KEY INFORMATION
• HEARTBEAT
• INVALID-ID-INFORMATION • RETRY-LIMIT-REACHED
• INVALID-CERT-ENCODING
37185
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
peer_notif This field contains any one of the following:
• NOT APPLICABLE • ATTRIBUTES-NOT-SUPPORTED
• INVALID-PAYLOAD-TYPE • NO-PROPOSAL-CHOSEN
• DOI-NOT-SUPPORTED • BAD-PROPOSAL-SYNTAX
• SITUATION-NOT SUPPORTED • PAYLOAD-MALFORMED
• INVALID-COOKIE • INVALID-KEY-INFORMATION
• INVALID-MAJOR-VERSION • INVALID-ID-INFORMATION
• INVALID-MINOR-VERSION • INVALID-CERT-ENCODING
• INVALID-MINOR-VERSION • INVALID-CERTIIFCATE
• INVALID-EXCHANGE-TYPE • BAD-CERT-REQUEST-SYNTAX
• INVALID-FLAGS • INVALID-CERT-AUTHORITY
• INVALID-MESSAGE-ID • INVALID-HASH-INFORMATION
• INVALID-PROTOCOL-ID • AUTHENTICATION-FAILED
• INVALID-SPI • INVALID-SIGNATURE
• INVALID-TRANSFORM-ID • ADDRESS-NOTIFICATION
• NOTIFY-SA-LIFETIME • RESPONDER-LIFETIME
• CERTIFICATE-UNAVAILABLE • REPLAY-STATUS
• UNSUPPORTED-EXCHANGE-TYPE
• INITIAL-CONTACT
• UNEQUAL-PAYLOAD-LENGTHS • R-U-THERE
• CONNECTED • R-U-THERE-ACK
• HEARTBEAT • RETRY-LIMIT-REACHED
37186
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 2 negotiation notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 2
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
role This field contains either responder or initiator.
esp_transform This field contains any one of the following:
• ESP_NULL • ESP_3DES
• ESP_DES • ESP_AES
esp_auth This field contains any one of the following:
• no authentication • HMAC_MD5
• HMAC_SHA1 • HMAC_SHA256
Message ID 37187
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 2 negotiation notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg negotiate IPsec phase 2
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
role This field contains either responder or initiator.
esp_transform This field contains any one of the following:
• ESP_NULL • ESP_3DES
• ESP_DES • ESP_AES
esp_auth This field contains any one of the following:
• no authentication • HMAC_MD5
• HMAC_SHA1 • HMAC_SHA256
Message ID 37188
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 1 negotiation error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec phase 1 error
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • peer notification
• invalid SA payload • not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
Message ID 37189
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 1 negotiation error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec phase 2 error
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • peer notification
• invalid SA payload • not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
Message ID 37190
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec no state error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec no state error
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_reason This field contains any one of the following:
• invalid certificate • peer notification
• invalid SA payload • not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
Message ID 37191
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 1 progress notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg progress IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field contains either local or remote.
exch This field contains any one of the following:
• SA_INIT • CREATE_CHILD
• AUTH
dir This field contains either outbound or inbound.
role This field contains either responder or initiator.
result This field contains one of the following:
• ERROR • DONE
• OK • PENDING
version The version of the IPsec, which is IKEv2.
Message ID 37192
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 1 progress error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg progress IPsec phase 1
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field contains either local or remote.
exch This field contains any one of the following:
• SA_INIT • CREATE_CHILD
• AUTH
dir The direction of the traffic. This field contains either outbound or inbound.
role This field contains either responder or initiator.
result This field contains one of the following:
• ERROR • DONE
• OK • PENDING
version The version of the IPsec, which is IKEv2.
Message ID 37193
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 2 progress notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg progress IPsec phase 2
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field contains either local or remote.
exch This field contains any one of the following:
• SA_INIT • CREATE_CHILD
• AUTH
dir The direction of the traffic. This field contains either outbound or inbound.
role This field contains either responder or initiator.
result This field contains one of the following:
• ERROR • DONE
• OK • PENDING
version The version of the IPsec, which is IKEv2.
Message ID 37194
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec Phase 2 progress error.
Fields
Field Description
msg progress IPsec phase 2
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
init This field contains either local or remote.
exch This field contains any one of the following:
• SA_INIT • CREATE_CHILD
• AUTH
dir The direction of the traffic. This field contains either outbound or inbound.
role This field contains either responder or initiator.
result This field contains one of the following:
• ERROR • DONE
• OK • PENDING
version The version of the IPsec, which is IKEv2.
Message ID 37195
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec ESP notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec ESP
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_num This field contains any one of the following:
• Invalid ESP packet detected • Invalid ESP packet detected. (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi The spi information.
seq The seq information.
Message ID 37196
Log Subtype IPsec
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning An IPsec ESP error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec ESP
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
error_num This field contains any one of the following:
• Invalid ESP packet detected • Invalid ESP packet detected. (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi The spi information.
seq The seq information.
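One way to use the esp_transform and esp_auth fields (entries 37186 and 37187) and the error_num field (entries 37195 and 37196) for detection, as an added example that is not part of the Fortinet reference. It assumes each log line arrives as space-separated key=value pairs with quoted values, a format this section does not show; the sample lines, tunnel names, triage labels and threshold are constructed.

```python
import shlex
from collections import Counter

# Editor's classification of values listed for esp_transform / esp_auth:
# ESP_NULL gives no confidentiality, DES and HMAC-MD5 are obsolete,
# "no authentication" gives no integrity protection.
WEAK_TRANSFORMS = {"ESP_NULL", "ESP_DES"}
WEAK_AUTH = {"no authentication", "HMAC_MD5"}

# Substrings of the error_num strings listed for 37195/37196, mapped to
# triage labels (the labels are this example's own names).
ESP_ERROR_CLASSES = (
    ("replayed packet", "replay"),
    ("HMAC validation failed", "integrity"),
    ("invalid padding", "malformed"),  # also covers "invalid padding length"
    ("unknown SPI", "unknown_spi"),
)


def parse_kv(line):
    """Split an assumed key=value log line; quoted values may hold spaces."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quote: truncated or corrupted line
        return None
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify_esp_error(error_num):
    """Map an error_num string to a triage label."""
    for needle, label in ESP_ERROR_CLASSES:
        if needle in error_num:
            return label
    return "other"  # e.g. the bare "Invalid ESP packet detected"


def triage(lines, threshold=3):
    """Return (bursts, weak, unparsed).

    bursts:   {(rem_ip, vpn_tunnel, label): count} for ESP errors seen at
              least `threshold` times from one peer on one tunnel
    weak:     sorted (vpn_tunnel, field, value) tuples for weak proposals
    unparsed: number of lines that could not be tokenised
    """
    counts = Counter()
    weak = set()
    unparsed = 0
    for line in lines:
        fields = parse_kv(line)
        if fields is None:
            unparsed += 1
            continue
        tunnel = fields.get("vpn_tunnel", "?")
        if "error_num" in fields:
            label = classify_esp_error(fields["error_num"])
            counts[(fields.get("rem_ip", "?"), tunnel, label)] += 1
        if fields.get("esp_transform") in WEAK_TRANSFORMS:
            weak.add((tunnel, "esp_transform", fields["esp_transform"]))
        if fields.get("esp_auth") in WEAK_AUTH:
            weak.add((tunnel, "esp_auth", fields["esp_auth"]))
    bursts = {key: n for key, n in counts.items() if n >= threshold}
    return bursts, sorted(weak), unparsed


# Constructed sample lines (documentation address ranges, made-up tunnels).
_ESP = ('vd="root" msg="IPsec ESP" action="error" rem_ip={ip} loc_ip=192.0.2.1 '
        'vpn_tunnel="{tun}" status=esp_error error_num="{err}" spi={spi} seq={seq}')

SAMPLE = [
    _ESP.format(ip="203.0.113.7", tun="branch1", spi="0a1b2c3d", seq=n,
                err="Invalid ESP packet detected (replayed packet)")
    for n in (16, 17, 18)
] + [
    _ESP.format(ip="198.51.100.9", tun="branch2", spi="5e6f7a8b", seq=4,
                err="Invalid ESP packet detected (HMAC validation failed)"),
    'vd="root" msg="negotiate IPsec phase 2" action="negotiate" '
    'rem_ip=198.51.100.9 vpn_tunnel="branch2" status=success role=responder '
    'esp_transform=ESP_DES esp_auth=HMAC_MD5',
    'vd="root" msg="negotiate IPsec phase 2" action="negotiate" '
    'rem_ip=203.0.113.7 vpn_tunnel="branch1" status=success role=initiator '
    'esp_transform=ESP_AES esp_auth=HMAC_SHA256',
    'vd="root" msg="IPsec ESP" action="err',  # truncated line, odd quote count
]

if __name__ == "__main__":
    bursts, weak, unparsed = triage(SAMPLE)
    for (peer, tunnel, label), n in bursts.items():
        print(f"ESP {label} burst: {n} events from {peer} on {tunnel}")
    for tunnel, field, value in weak:
        print(f"weak proposal on {tunnel}: {field}={value}")
    print(f"unparsed lines: {unparsed}")
```

A burst of replay or HMAC failures from one peer is worth correlating with the spi and seq values of the same events before deciding between a misbehaving peer and injected traffic.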
Message ID 37197
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Installation of IPsec SA occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg install IPsec SA
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
role This field contains either responder or initiator.
in_spi The in_spi information.
out_spi The out_spi information.
Message ID 37198
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Removed an IPsec Phase 1 SA.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg delete IPsec phase 1SA
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
Message ID 37199
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Removed an IPsec Phase 2 SA.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg delete IPsec phase 2 SA
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
Message ID 37200
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec DPD failure occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec DPD failure
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
Message ID 37201
Log Subtype IPsec
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection failure occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec connection failure
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status This field contains any one of the following:
• success • esp_error
• failure • dpd_failure
• negotiate_error
Message ID 37202
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec connection status changed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec connection status change
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnel_ip The VPN tunnel’s IP address.
tunnel_id The VPN tunnel’s identification number.
tunnel_type The type of VPN tunnel. This field contains IPsec.
duration This represents the value in seconds.
sent The total number of bytes sent.
rcvd The total number of bytes received.
next_stat The next_stat information.
tunnel The tunnel information.
Message ID 37203
Log Subtype IPsec
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IPsec phase 2 status change.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg IPsec phase 2 status change
action This field contains any one of the following:
• negotiate • tunnel-up
• error • tunnel-down
• install_sa • tunnel-stats
• delete_phase1_sa • phase2-up
• delete_IPsec_sa • phase2-down
• dpd
rem_ip The remote IP address.
loc_ip The local IP address.
rem_port The remote port number.
loc_port The local port number.
out_intf The interface that is outbound.
cookies The cookies for that IPsec session.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vpn_tunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2_name The name of the Phase 2 configuration.
Event-L2TP/PPP/PPPoE
Event-L2TP/PPP/PPPoE log messages record events and activities that occur with the Internet and modem protocols, L2TP, PPP, and PPPoE.
29001, 29002, 29003, 29004, 29009, 29015, 29016, 29022, 29024, 30004, 30005, 30006, 30007, 30008, 30009, 31004, 31005, 31006, 31007, 31008, 31009
Message ID 29001
Log Subtype L2TP/PPTP/PPPoE
Severity Variable
Firmware version FortiOS 4.0 MR3
Meaning PPPd log message.
Fields
Field Description
user The name of the user creating the traffic.
local The local IP address.
remote The remote IP address.
assigned The assigned IP address.
stat The stat information.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 29002
Log Subtype L2TP/PPTP/PPPoE
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning PPPd authentication message.
Fields
Field Description
user The name of the user creating the traffic.
local The local IP address.
remote The remote IP address.
assigned The assigned IP address.
action This field always contains auth_success.
msg User <user_name> using <auth> with authentication protocol <protocol_information>
Message ID 29003
Log Subtype L2TP/PPTP/PPPoE
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The user failed authentication when trying to connect.
Fields
Field Description
local The local IP address.
remote The remote IP address.
assigned The assigned IP address.
action This field always contains auth_failed.
msg <user_name> is trying to connect using <auth> with authentication protocol <protocol_information>, failed.
Message ID 29004
Log Subtype L2TP/PPTP/PPPoE
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The maximum number of PPTP connections has been reached.
Fields
Field Description
status This field always contains failure.
action This field always contains connect.
msg PPTP: the maximum number of connections has been reached. No more clients can connect.
Message ID 29009
Log Subtype L2TP/PPTP/PPPoE
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A PPPoE status report.
Fields
Field Description
gateway_ip The gateway IP address.
assigned_IP The assigned IP address.
mtu The MTU information.
msg PPPoE status report.
Message ID 29015
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning PPP has received bad options.
Fields
Field Description
msg Peer IP is the same as an interface IP <interface>. IP(<interface_ip_address>).
Message ID 29016
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning PPP has received bad options.
Fields
Field Description
msg Local IP is the same as an interface IP <interface>. IP(<interface_ip_address>)
Message ID 29022
Log Subtype L2TP/PPTP/PPPoE
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning No IP address is currently available.
Fields
Field Description
status This field always contains failure.
action This field always contains connect.
msg PPTP: No IP addresses left to assign in virtual domain: <virtual_domain_name>
Message ID 29024
Log Subtype L2TP/PPTP/PPPoE
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning Not enough memory available.
Fields
Field Description
status This field always contains failure.
action This field always contains start.
msg failed to expand pptp config list due to not enough memory.
Message ID 30004
Log Subtype L2TP/PPTP/PPPoE
Severity Variable
Firmware version FortiOS 4.0 MR3
Meaning Depending on the msg field, the meaning can be any one of the following:
• The PPTPD successfully started.
• A PPTP log message.
Fields
Field Description
action This field always contains start.
status This field always contains success.
msg This field contains any one of the following:
• PPTPD: started successfully
• The log message information, which is usually a sentence explaining the activity and/or action taken.
Message ID 30005
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The PPTPD failed to start.
Fields
Field Description
action This field always contains start.
status This field always contains failure.
reason failed to create socket
msg PPTPD failed to start because failed to create socket.
Message ID 30006
Log Subtype L2TP/PPTP/PPPoE
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The PPTPD successfully exited.
Fields
Field Description
action This field always contains exit.
status This field always contains success.
msg PPTPD exited successfully.
Message ID 30007
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning All PPTPD connections were closed because the PPTP setting changed.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
reason PPTP setting is changed.
msg PPTPD closed all client connections in vdom <vdom_name> because PPTP setting was changed.
Message ID 30007
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The PPTPD disconnected.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
reason failed to find the interface by device index
msg PPTPD closed all client connections in vdom <vdom_name> because failed to find the interface by device index.
Message ID 30008
Log Subtype L2TP/PPTP/PPPoE
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning PPTPD client connection.
Fields
Field Description
action This field always contains connect.
status This field always contains success.
msg Client <ip_address> control connection started.
Message ID 30009
Log Subtype L2TP/PPTP/PPPoE
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning PPTPD client disconnected.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
msg Client <client_name> control connection finished.
Message ID 31004
Log Subtype L2TP/PPTP/PPPoE
Severity Variable
Firmware version FortiOS 4.0 MR3
Meaning An L2TP log message.
Fields
Field Description
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 31005
Log Subtype L2TP/PPTP/PPPoE
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning L2TP exited successfully.
Fields
Field Description
action This field always contains exit.
status This field always contains success.
msg L2TPD exited successfully.
Message ID 31006
Log Subtype L2TP/PPTP/PPPoE
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning L2TP closed all client connections in a specified VDOM because L2TP setting was changed.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
reason L2TP setting changed.
msg L2TPD closed all client connections in vdom <vdom_name> because L2TP setting was changed.
Message ID 31006
Log Subtype L2TP/PPTP/PPPoE
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning L2TP closed all client connections in a specified VDOM because failed to find interface by device index.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
reason interface not found
msg L2TPD closed all client connections in vdom <vdom_name> because failed to find interface by device index.
Message ID 31007
Log Subtype L2TP/PPTP/PPPoE
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An L2TP client connection. There are no more available IP addresses to assign in the specified VDOM.
Fields
Field Description
action This field always contains connect.
status This field always contains failure.
reason no ip available
msg No IP addresses left to assign in virtual domain: <vdom_name>
Message ID 31008
Log Subtype L2TP/PPTP/PPPoE
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An L2TP connection started.
Fields
Field Description
action This field always contains connect.
status This field always contains success.
msg Client <client_name> control connection started (id<ip_address>), assigned ip <ip_address>.
Message ID 31009
Log Subtype L2TP/PPTP/PPPoE
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An L2TP connection has finished.
Fields
Field Description
action This field always contains disconnect.
status This field always contains success.
msg Client <client_name> control connection(id<ip_address>) finished.
Event-SSL VPN
Event SSL-VPN log messages record SSL-VPN user, administration and session events.
39424, 39425, 39426, 41984, 41985, 41986, 41987, 41988, 39936, 39937, 39939, 39940, 39941, 39942, 39944, 39945, 39946, 39947, 39948, 39949, 39950, 39951
ortiGate Log Message Reference1-430-112804-20111121 237ttp://docs.fortinet.com/ • Feedback
Event-SSL VPN
39424
Message ID 39424
Log Sub-type sslvpn-user
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN web access user has logged into the system successfully.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates that the SSL VPN tunnel is currently up and running.
tunnel_type The type of SSL VPN tunnel. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL tunnel established.
Message ID 39425
Log Sub-type sslvpn-user
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN tunnel was shut down.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-down, which indicates that the SSL VPN tunnel is currently down, or not running.
tunnel_type The type of SSL VPN tunnel that was accessed. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
duration This represents the value in seconds.
sent The total number of bytes sent.
rcvd The total number of bytes received.
msg SSL tunnel shutdown.
Message ID 39426
Log Type sslvpn-user
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN user has failed to log in.
Fields Field Description
action The action of an SSL VPN user. This field contains ssl-login-fail, which indicates that a user tried to log in using the SSL VPN tunnel but failed.
tunnel_type The type of SSL VPN tunnel that was accessed. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL user failed to logged in.
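The following added example (not part of the Fortinet reference) shows how the fields documented for messages 39426 and 39424 can drive a detection: a burst of ssl-login-fail events from one remote_ip, and a tunnel-up on an ssl-web tunnel from that same address right after such a burst. The key=value line layout, the date and time keys, the threshold and window, and every sample value are assumptions constructed for the example.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The key=value layout and the date/time keys are
# assumptions; action, tunnel_type, vd, remote_ip, user and msg are the fields
# this reference lists for messages 39424 (tunnel-up) and 39426 (ssl-login-fail).
SAMPLE_LOG = """\
date=2011-11-21 time=09:00:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.55 user="erin" msg="SSL user failed to logged in"
date=2011-11-21 time=09:00:01 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=203.0.113.7 user="alice" msg="SSL user failed to logged in"
date=2011-11-21 time=09:00:20 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=203.0.113.7 user="bob" msg="SSL user failed to logged in"
date=2011-11-21 time=09:00:41 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=203.0.113.7 user="carol" msg="SSL user failed to logged in"
date=2011-11-21 time=09:01:05 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=203.0.113.7 user="alice" msg="SSL user failed to logged in"
date=2011-11-21 time=09:01:30 vd=root action=tunnel-up tunnel_type=ssl-web remote_ip=203.0.113.7 user="alice" msg="SSL tunnel established"
date=2011-11-21 time=09:02:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=198.51.100.20 user="dave" msg="SSL user failed to logged in"
date=2011-11-21 time=09:02:30 vd=root action=tunnel-up tunnel_type=ssl-web remote_ip=198.51.100.20 user="dave" msg="SSL tunnel established"
date=2011-11-21 time=09:03:00 vd=root action=ssl-login-fail remote_ip=203.0.113.9 user="unterminated
date=2011-11-21 time=09:04:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.55 user="erin" msg="SSL user failed to logged in"
date=2011-11-21 time=09:10:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.55 user="erin" msg="SSL user failed to logged in"
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if the line is unusable."""
    try:
        tokens = shlex.split(line)  # keeps quoted values such as msg="..." whole
    except ValueError:              # unbalanced quote: truncated or corrupt line
        return None
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    try:
        fields["_ts"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):  # no usable timestamp (assumed keys missing)
        return None
    return fields


def make_finding(kind, event, fails):
    """Summarise the failures still inside the window for one remote_ip."""
    return {
        "kind": kind,
        "remote_ip": event["remote_ip"],
        "time": event["_ts"],
        "failures": len(fails),
        "users_tried": sorted({user for _, user in fails}),
        "login_user": event.get("user") if kind == "success-after-failures" else None,
    }


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag failure bursts per remote_ip and web logins that follow a burst.

    Lines are expected in chronological order, as a log file is written.
    """
    recent = defaultdict(deque)  # remote_ip -> (timestamp, user) of recent failures
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or "remote_ip" not in ev:
            continue
        fails = recent[ev["remote_ip"]]
        # Drop failures that have aged out of the sliding window.
        while fails and ev["_ts"] - fails[0][0] > window:
            fails.popleft()
        action = ev.get("action")
        if action == "ssl-login-fail":
            fails.append((ev["_ts"], ev.get("user", "")))
            if len(fails) == threshold:  # report once, when the threshold is crossed
                findings.append(make_finding("failure-burst", ev, fails))
        elif action == "tunnel-up" and ev.get("tunnel_type") == "ssl-web":
            if len(fails) >= threshold:
                findings.append(make_finding("success-after-failures", ev, fails))
            fails.clear()  # a successful login resets the counter for this address
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["time"], f["kind"], f["remote_ip"], f["failures"], f["users_tried"])
```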
Message ID 41984
Log Type sslvpn-admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN admin user successfully uploaded a certificate.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains info.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg A certificate is loaded.
cert-type This field contains any one of the following:
• CA
• CRL
• Local
• Remote
Message ID 41985
Log Type sslvpn-admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN admin removed a certificate.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains info.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg A certificate is removed.
cert-type This field contains any one of the following:
• CA
• CRL
• Local
• Remote
Message ID 41986
Log Type sslvpn-admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN admin regenerated a certificate.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains info.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg A certificate is regenerated.
cert-type This field contains any one of the following:
• CA
• CRL
• Local
• Remote
status This field contains success.
Message ID 41987
Log Type sslvpn-admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN admin updated a certificate.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains info.
cert-type This field contains any one of the following:
• CA
• CRL
• Local
• Remote
status This field contains success.
name The name of the certificate.
method The method information.
msg A certificate is updated.
Message ID 41988
Log Type sslvpn-admin
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL-VPN admin changed a setting.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains info.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
msg User changed SSL setting.
Message ID 39936
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SSL VPN web tunnel statistics.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
next_stats The information of the next statistics.
duration This represents the value in seconds.
sent The number of bytes sent.
rcvd The number of bytes received.
reason The reason that the trigger occurred.
msg SSL web tunnel statistics.
Message ID 39937
Log Type sslvpn-session
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN web application was blocked.
Fields Field Description
action This field contains ssl-web-deny.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-web-deny. This indicates that the SSL VPN was blocked and users were denied access.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
app-type The type of application that triggered the action within the control list.
msg SSL web application blocked.
Message ID 39938
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN web application was activated.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-web-pass.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is for web access.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
app-type The type of application that triggered the action within the control list.
msg SSL web application timeout.
Message ID 39939
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN web application timed out.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-web-timeout, which indicates that the web application timed out.
tunnel_type The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
app-type The type of application that triggered the action within the control list.
msg SSL web application timeout.
Message ID 39940
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN web application was closed.
Fields Field Description
action The status of the SSL VPN web application. This field contains ssl-web-close, which indicates that the application closed.
tunnel_type The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
app-type The type of application that triggered the action within the control list.
msg SSL web application closed.
Message ID 39941
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The SSL VPN system is busy.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-sys-busy.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is an SSL VPN tunnel with web access.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL system busy.
Message ID 39942
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A new SSL VPN certification was successfully verified.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-cert.
tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL new SSL certificate verification success.
Message ID 39943
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A new connection was made.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-new-con, which indicates a new SSL VPN tunnel connection was created.
tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL new connection.
Message ID 39944
Log Type sslvpn-session
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning SSL alerts
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-alert.
tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that this is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
alert The alert information.
desc The description information.
msg SSL alerts
Message ID 39945
Log Type Session
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN exit failed.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-exit-fail.
tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL exit fail.
Message ID 39946
Log Type sslvpn-session
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN exit error.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-exit-error.
tunnel_type The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL exit error
Message ID 39947
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SSL VPN tunnel was established.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates that the current SSL VPN tunnel is up and running.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL tunnel established.
Message ID 39948
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The SSL VPN tunnel was shut down.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-down, which indicates that the SSL VPN is no longer connected or running.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host Destination host.
duration This represents the value in seconds.
sent The total number of bytes that were sent.
rcvd The total number of bytes that were received.
reason The reason that the trigger occurred.
msg SSL tunnel shutdown.
Message ID 39949
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SSL tunnel statistics.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
next_stats The next statistical number.
duration This represents the value in seconds.
sent The total number of bytes that were sent.
rcvd The total number of bytes that were received.
reason The reason that the trigger occurred.
msg SSL tunnel statistics
Message ID 39950
Log Type sslvpn-session
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SSL VPN tunnel unknown tag.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-tunnel-unknown-tag.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL tunnel unknown tag
Message ID 39951
Log Type sslvpn-session
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL tunnel error.
Fields Field Description
action The status of the SSL VPN tunnel. This field contains ssl-tunnel-error.
tunnel_type The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id The tunnel identification number.
remote_ip The remote IP address.
tunnel_ip The tunnel IP address.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dst_host The destination host information.
reason The reason that the trigger occurred.
msg SSL tunnel error.
Event-VIP SSL
Event-VIP SSL log messages record VIP activities.
Message ID 45001
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL received an incorrect handshake message.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains received.
expected This field contains any one of the following:
• HelloRequest
• ClientHello
• ServerHello
• NewsSessionTicket
• Certificate
• ServerKeyExchange
• CertificateRequest
• ServerHelloDone
• CertificateVerify
• ClientKeyExchange
• Finished
received This field contains any one of the following, especially if the record is corrupted:
• HelloRequest
• ClientHello
• ServerHello
• NewsSessionTicket
• Certificate
• ServerKeyExchange
• CertificateRequest
• ServerHelloDone
• CertificateVerify
• ClientKeyExchange
• Finished
msg Incorrect SSL handshake message.
Message ID 45003
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL handshake message has a bad length.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
handshake The handshake information.
msg Bad length in SSL handshake.
Message ID 45005
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An RSA verification of Diffie-Hellman parameters failed.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg RSA verification of Diffie-Hellman parameters failed.
Message ID 45007
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A hash in the SSL Finished message does not match the calculated hash. Each hash value in the local and remote log fields is hex encoded.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
local The local information.
remote The remote information.
action This field always contains close.
msg Hash in SSL Finished does not match calculated hash
Message ID 45009
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL decryption failed.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
reason This field contains any one of the following:
• status_bad_pad_len=1 – indicates that the received SSL Record did not comply with RFC 4346 section 6.2.3.2 on padding_length
• status_bad_pad_value=2 – indicates that the received SSL Record did not comply with RFC 4346 section 6.2.3.2 on padding
• status_bad_mac=3 – indicates that the MAC in the received SSL Record did not match the MAC calculated by the FortiGate unit for that SSL Record.
• status_internal_error=4 – indicates that there was an internal error
msg SSL decryption failure
Message ID 45011
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL minor version is below the configured minimum value.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
min-minor The min-minor information.
recv-minor The recv-minor information.
msg SSL minor below minimum configured value.
Message ID 45012
Log Subtype VIP SSL
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The SSL maximum connection limit was reached.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg SSL maximum connections reached.
Message ID 45013
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning None of the offered SSL CipherSuites are supported.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg None of the offered CipherSuites are supported
Message ID 45015
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL handshake has an invalid length.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
len The length information.
msg Incorrect SSL handshake length
Message ID 45017
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL handshake was too long.
Fields Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
handshake The handshake information.
len The length information.
max The maximum length information.
msg SSL Handshake too long
Message ID 45019
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL alert message was sent.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains send.
level The level information.
desc This field contains any one of the following:
• fts_alert_desc_close_notify=0 – notifies the recipient that the sender will not send any more messages on this connection
• fts_alert_desc_unexpected_message=10 – an inappropriate message was received; this is usually fatal and should be observed closely
• fts_alert_desc_bad_record_mac=20 – is returned if a record is received with an incorrect MAC
• fts_alert_desc_decryption_failed=21 – may be returned if a TLSCiphertext decrypted in an invalid way; either it was not an even multiple of the block length or its padding values, when checked, were not correct (always fatal)
• fts_alert_desc_record_overflow=22 – a TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes (always fatal)
• fts_alert_desc_handshake_failure=40 – indicates the sender was unable to negotiate an acceptable set of security parameters given the options available (fatal error)
• fts_alert_desc_no_certificate=41 – indicates there is no available certificate
• fts_alert_desc_illegal_parameter=47 – a field in the handshake was out of range or inconsistent with other fields (always fatal)
• fts_alert_desc_decord_error=50 – a message could not be decoded because some field was out of the specified range or the length of the message was incorrect (always fatal)
• fts_alert_desc_decrypt_error=51 – a handshake cryptographic operation failed, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message
• fts_alert_desc_protocol_version=70 – the protocol version the client has attempted to negotiate is recognized but not supported (always fatal)
• fts_alert_desc_internal_error=80 – an internal error unrelated to the peer or correctness of the protocol (always fatal)
msg SSL Alert sent
Message ID 45023
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL alert was received.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
level The level information.
desc The description information.
msg SSL Alert received
Message ID 45027
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An invalid SSL ContentType occurred.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
type The type information.
msg Invalid SSL ContentType
Message ID 45029
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL ChangeCipherSpec has a bad length.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg Bad length in SSL ChangeCipherSpec
Message ID 45031
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL ChangeCipherSpec has a bad length.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
humin This field always contains close.
max The maximum information.
received The received information.
action This field always contains close.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 45032
Log Subtype VIP SSL
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A certificate’s public key is too big for SSL off-loading.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip The virtual IP address.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
hulen This field is always close.
max The maximum information.
action This field always contains close.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Event-DNS
Event-DNS log messages record DNS response activity.
44288
Message ID 44288
Log Subtype Event-DNS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A DNS response log message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
src The source IP address.
dst The destination IP address.
src_int The name of the source interface.
dst_int The name of the destination interface.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
dns_name The name of the DNS server.
dns_ip The IP address of the DNS server.
Event-config
Event-config log messages record configuration changes that an administrator or user makes to the FortiOS configuration.
44544 44545 44546 44547
Message ID 44544
Log Sub-type Event-config
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A configuration path log message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user changing the configuration setting.
ui The user interface.
action This can be any one of the following:
• add • edit
• delete • clear
• move • rename
• clone • abort
cfg_tid The configuration transaction identification number.
cfg_path The configuration path.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 44545
Log Sub-type Event-config
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A configuration object log message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user changing the configuration setting.
ui The user interface.
action This can be any one of the following:
• add • edit
• delete • clear
• move • rename
• clone • abort
cfg_tid The configuration transaction identification number.
cfg_path The configuration path.
cfg_obj The configuration object.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 44546
Log Sub-type Event-config
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A configuration attributes log message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user changing the configuration setting.
ui The user interface.
action This can be any one of the following:
• add • edit
• delete • clear
• move • rename
• clone • abort
cfg_tid The configuration transaction identification number.
cfg_path The configuration path.
cfg_attr The configuration attributes.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 44547
Log Sub-type Event-config
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A configuration object attributes log message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user changing the configuration setting.
ui The user interface.
action This can be any one of the following:
• add • edit
• delete • clear
• move • rename
• clone • abort
cfg_tid The configuration transaction identification number.
cfg_path The configuration path.
conf_obj The configuration object.
cfg_attr The configuration attributes.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Event-auth
Event-auth log messages record authentication activity, including FSAE activity and NTLM authentication.
43008 43009 43010 43011 43012 43013 43014 43015 43016 43017 43018 43019 43020 43021 43022
43023 43024 43025 43025 43026 43027 43028 43029 43030
Message ID 43008
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication was successful.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43009
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication session failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43010
Log Subtype auth
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The authentication locked out.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
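
Added example (not part of the Fortinet reference): a batch triage over Event-auth records that uses only the src, user and status fields and the status values listed in the tables above. The key=value line layout, the sample lines and both thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ASSUMPTION: each record is one line of key=value pairs, and values that
# contain spaces are wrapped in double quotes. The reference documents the
# fields, not the line layout.
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Split one log line into a {field: value} dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def triage(lines, fail_threshold=3, spray_threshold=3):
    """Summarise one batch of Event-auth records per source address.

    Returns (src, finding, users) tuples. Records without a status field
    (for example FSAE logon/logoff records) are skipped, and timed_out is
    not counted as a failed attempt.
    """
    per_src = defaultdict(lambda: {"fails": 0, "failed_users": set(),
                                   "locked": set(), "late_success": set()})
    for line in lines:
        rec = parse_line(line)
        src, status = rec.get("src"), rec.get("status")
        if not src or not status:
            continue
        user = rec.get("user", "")
        stats = per_src[src]
        if status == "failure":
            stats["fails"] += 1
            stats["failed_users"].add(user)
        elif status == "locked_out":
            stats["locked"].add(user)
        elif status == "success" and user in stats["failed_users"]:
            # a success that follows failures for the same user and source
            stats["late_success"].add(user)

    findings = []
    for src in sorted(per_src):
        stats = per_src[src]
        if stats["locked"]:
            findings.append((src, "lockout", sorted(stats["locked"])))
        if len(stats["failed_users"]) >= spray_threshold:
            # one source failing against many different accounts
            findings.append((src, "many-users", sorted(stats["failed_users"])))
        elif stats["fails"] >= fail_threshold:
            findings.append((src, "repeated-failure", sorted(stats["failed_users"])))
        if stats["late_success"]:
            findings.append((src, "success-after-failure", sorted(stats["late_success"])))
    return findings


# Constructed sample records (documentation address ranges, invented users).
SAMPLE = [
    'vd=root src=203.0.113.7 dst=192.0.2.10 policyid=3 user="alice" action=authentication status=failure msg="constructed sample"',
    'vd=root src=203.0.113.7 dst=192.0.2.10 policyid=3 user="alice" action=authentication status=failure msg="constructed sample"',
    'vd=root src=203.0.113.7 dst=192.0.2.10 policyid=3 user="alice" action=authentication status=failure msg="constructed sample"',
    'vd=root src=203.0.113.7 dst=192.0.2.10 policyid=3 user="alice" action=authentication status=locked_out msg="constructed sample"',
    'vd=root src=198.51.100.23 dst=192.0.2.10 policyid=3 user="bob" action=NTLM-auth status=failure msg="constructed sample"',
    'vd=root src=198.51.100.23 dst=192.0.2.10 policyid=3 user="carol" action=NTLM-auth status=failure msg="constructed sample"',
    'vd=root src=198.51.100.23 dst=192.0.2.10 policyid=3 user="dave" action=NTLM-auth status=failure msg="constructed sample"',
    'vd=root src=198.51.100.23 dst=192.0.2.10 policyid=3 user="carol" action=NTLM-auth status=success msg="constructed sample"',
    'vd=root src=192.0.2.50 dst=192.0.2.10 policyid=3 user="erin" action=authentication status=success msg="constructed sample"',
    'vd=root src=192.0.2.60 user="frank" server=192.0.2.5 action=FSAE-logon msg="constructed sample"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The batch is treated as a single time window; in production the same counters would be kept per window using the timestamp that accompanies each record.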
Message ID 43011
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication timed out.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43012
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning FSAE authentication was successful.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
adgroup The name of the active directory group.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43013
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FSAE authentication failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
adgroup The name of the active directory group.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43014
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FSAE user logged on.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
user The name of the FSAE user who is logging on.
server The IP address of the FSAE server.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43015
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FSAE user logged off.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
user The name of the FSAE user who is logging on.
server The IP address of the FSAE server.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43016
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The NTLM authentication was successful.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
adgroup The name of the active directory group.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43017
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The NTLM authentication failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
adgroup The name of the active directory group.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43018
Log Subtype auth
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard override failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
initiator The initiator information.
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43019
Log Subtype auth
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard override failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
initiator The initiator information.
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43020
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard override was successful.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
initator The initiator information.
status This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason that the activity or action occurred.
scope This can be any one of the following:
• user • user_group
• ip • profile
• unhandled
scope_data The scope data information.
rule_type This can be any one of the following:
• directory • domain
• rating • unhandled
rule_data The rule data information.
offsite This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.
expiry The expiry information.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43021
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Endpoint checking event.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dst The destination IP address.
ui The user interface.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43022
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Endpoint license distribution.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dst The destination IP address.
ui The user interface.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43023
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Endpoint detection.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dst The destination IP address.
ui The user interface.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43024
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Endpoint detection.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dst The destination IP address.
ui The user interface.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43025
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication was successful.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43026
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication failed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43027
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication session timed out.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43028
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The authentication session failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
ui The user interface.
action The action that was taken. This can be any one of the following:
• authentication • FSAE-auth
• FSAE-logon • FSAE-logoff
• NTLM-auth
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43029
Log Subtype auth
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard override was successful.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
initator The initiator information.
status This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason the activity or action occurred.
scope This can be any one of the following:
• user • user_group
• ip • profile
• unhandled
scope_data The scope data information.
rule_type This can be any one of the following:
• directory • domain
• rating • unhandled
rule_data The rule data information.
offsite This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.
expiry The expiry information.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 43030
Log Subtype auth
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard override failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
dst The destination IP address.
initiator The initiator information.
status The status of the authentication session. This can be any one of the following:
• success • failure
• timed_out • locked_out
reason The reason for recording the activity.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Event-wad
Event-wad log messages record WAN optimization events, such as a user adding a WAN optimization rule, as well as web proxy events.
40960, 48001, 48003, 48005, 48007, 48009, 48011, 48012, 48013, 48015, 48017, 48019, 48023, 48027, 48029, 48031, 48032, 48100, 48101, 48102, 48123, 48124, 48124, 48127, 48129, 48131, 48132, 48200, 48201, 48205, 48300, 48301
Message ID 40960
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web proxy forward server error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
fwserver_name The name of the web proxy server.
addr_type The type of address used, for example FQDN. This field contains either IP or FQDN.
ip The IP address.
fqdn The FQDN address.
port The port number.
msg The log message is any one of the following:
• Failed to connection to forward server.
• Successfully connected to forward server.
Message ID 48001
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL received an incorrect handshake message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
expected The expected information.
received The received information.
msg Incorrect SSL handshake message.
Message ID 48003
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL handshake message contains a bad length.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
handshake The handshake information.
msg Bad length in SSL handshake.
Message ID 48005
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The RSA verification of Diffie-Hellman parameters failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg RSA verification of Diffie-Hellman parameters failed.
Message ID 48007
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The hash in SSL Finished does not match the calculated hash.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
local The local information.
remote The remote information.
action This field always contains close.
msg Hash in SSL Finished does not match calculated hash.
Message ID 48009
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL decryption failure occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
reason The reason that the trigger occurred.
msg SSL decryption failure.
Message ID 48011
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL minor version is less than the configured minimum value.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
min-minor The min-minor information.
recv-minor The recv-minor information.
msg SSL minor below minimum configured value.
Message ID 48012
Log Subtype wad
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The maximum limit of SSL connections was reached.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg SSL maximum connections reached.
Message ID 48013
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning There is no support for the offered CipherSuites.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg None of the offered CipherSuites are supported.
Message ID 48015
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL handshake does not have a valid length.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
len The length information.
msg Incorrect SSL handshake length.
Message ID 48017
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The SSL handshake is too long.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
handshake The handshake information.
len The length information.
max The maximum length information.
msg SSL Handshake too long
Message ID 48019
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL alert message was sent.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains send.
level The level information.
desc The description information.
msg SSL Alert sent
Message ID 48023
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL alert message was received.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
level The level information.
desc The description information.
msg SSL Alert received.
Message ID 48027
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An invalid SSL content type was received.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains receive.
type The type information.
msg Invalid SSL ContentType.
Message ID 48029
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL ChangeCipherSpec has bad length.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
action This field always contains close.
msg Bad length in SSL ChangeCipherSpec.
Message ID 48031
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning An SSL ChangeCipherSpec has bad length.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
min The minimum information.
max The maximum information.
received The received information.
action This field always contains close.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 48032
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning The certificate’s public key is too big for SSL offloading to handle.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
len The length information.
max The maximum length information.
action This field always contains close.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 48100
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Cert authentication has failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
msg authentication failed: cert authentication failed.
Message ID 48101
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Authentication failed because of an incorrect private shared key.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
authgrp The authentication group information.
host The host information.
msg authentication failed: incorrect psk.
Message ID 48102
Log Subtype wad
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning Authentication failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
authgrp The authentication group information.
peer The peer information.
msg authentication failed: <reason>
Message ID 48123
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A WAN optimization rule was changed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
msg A wan-opt rule has changed.
Message ID 48124
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A WAN optimization rule was added.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
msg A wan-opt rule is added.
Message ID 48124
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A WAN optimization rule was removed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
id The identification information.
msg User <user_name> deleted a wad rule <rule_name> from <ui>
Message ID 48127
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web cache name was entered or a host name was entered.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
msg This field contains one of the following:
• user <user_name> set web proxy name.
• user <user_name> set wan acceleration host-id
Message ID 48129
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The specified user set the WAN-opt storage.
• The specified user deleted the WAN-opt storage entry.
• The specified user set the byte cache storage.
• The specified user set the web cache storage.
• The specified user deleted the disk storage entry.
• The ISCSI target is set.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
action The action information. This field does not appear for all 48129 log messages.
name The name information.
msg This field contains one of the following:
• user <user_name> set wanopt storage <storage> size=<size_amount>
• Administrator <user_name> disk storage <disk_storage> from <ui>
• user <user_name> delete disk storage entry
Message ID 48131
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user added a WAN accelerator SSL server.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
name The name information.
msg User <user_name> added a wan accelerator ssl server setting <ssl_server_setting> from <ui>.
Message ID 48132
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user removed a WAN accelerator SSL server.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
name The name information.
msg User <user_name> deleted a wan accelerator ssl server setting <ssl_server_setting> from <ui>
Message ID 48200
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user added a network peer.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
name The name information.
msg User <user_name> added network accelerator peer <peer_name> from <ui>
Message ID 48201
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user deleted a peer.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
name The name information.
msg User <user_name> deleted a network accelerator peer entry <peer_name> from <ui>
Message ID 48205
Log Subtype wad
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A user deleted an authentication group entry.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
auth-group The authentication group information.
msg User <user_name> deleted a network accelerator auth-group entry <auth_group_name> from <ui>
Message ID 48300
Log Subtype wad
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The server side, FortiGate, is not properly configured.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
rule-id The identification number of the rule.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
msg auto detection failed: server side ftg is not properly configured.
Message ID 48301
Log Subtype wad
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning An unexpected application type was detected.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial The serial number of the firewall session on which the event happened.
policy The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
rule-id The identification number of the rule.
app-type The type of application that triggered the action within the control list.
src The source IP address.
src-port The source port number.
dst The destination IP address.
dst-port The destination port number.
msg unexpected application type. Please report.
Event-LDB-monitor
Event-LDB-monitor log messages record VIP activities.
46000, 46001, 46002, 46003, 46004, 46005, 46100, 46101
Message ID 46000
Log Subtype ldb-monitor
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server was enabled.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains enable.
msg ldb server enabled.
Message ID 46001
Log Subtype ldb-monitor
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server was disabled.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains disable.
msg ldb server disabled.
Message ID 46002
Log Subtype ldb-monitor
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server is now up.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains up.
msg ldb server up.
Message ID 46003
Log Subtype ldb-monitor
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server is down.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains down.
msg ldb server down
Message ID 46004
Log Subtype ldb-monitor
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server has started a hold down period.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains holddown.
msg ldb server entered holddown period
interval The hold-down interval period in seconds.
Message ID 46000
Log Subtype ldb-monitor
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning The VIP real server failed during the hold down period.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
vip The name of the virtual IP list used.
server The IP address of the server.
port The port number.
status The status information.
action This field always contains holddown
msg ldb server health checking failed during holddown period.
Message ID 46100
Log Subtype ldb-monitor
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A load balance server monitor was added.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name The name information.
msg User <user_name> added load balance monitor <load_balance_monitor_name> from <ui>
Message ID 46100
Log Subtype ldb-monitor
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A load balance server monitor was added.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name The name information.
msg User <user_name> deleted a load balance server monitor <load_balance_monitor_name> from <ui>
Event-nac-quarantine
Event-nac-quarantine log messages record quarantine events, such as when banned users are quarantined.
43776
Log Sub-type nac-quarantine
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A NAC quarantine event was recorded.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The banned IP address.
dst The destination IP address.
src_int The banned interface.
dst_int The destination interface.
src_port The source port number.
dst_port The destination port number.
proto The protocol number that applies to the session or packet, that is, the number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
action This field contains any one of the following:
• ban-ip
• ban-src-dst-ip (banned all traffic from source IP to destination IP by NAC quarantine)
• ban-interface
user The name of the user creating the traffic.
group The name of the group creating the traffic.
policid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
banned_src The banned source. This field contains any one of the following:
• ips
• dlp-compound
• dos
• av
• dlp-rule
banned_rule The banned rule or reason that was detected.
sensor The name of the DLP sensor that was used to detect and take action.
Event-his-performance
Event-his-performance log messages record the FortiGate unit’s performance statistics.
40704
Message ID 40704
Log Sub-type his-performance
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning Performance statistics for the FortiGate unit.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
action This field contains perf-stats.
cpu The CPU usage in percent.
mem The memory usage in percent.
total_session The total number of sessions.
msg Performance statistics.
Event-HA
Event-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe changes in cluster unit status. These changes in status occur if a cluster unit fails or starts up, or if a link fails or is restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use the serial number to determine which cluster unit’s status has changed.
37888, 37889, 37890, 37891, 37892, 37893, 37894, 37895, 37896, 37897, 37898, 37899, 37900, 37901
Message ID 37888
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A specified HA group was deleted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg HA group is deleted.
ha_group The number of the HA group.
Message ID 37889
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A specified virtual cluster was deleted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster is deleted.
vcluster The number of the virtual cluster.
Message ID 37890
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A specific VDOM in a virtual cluster was moved.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster’s vdom is moved.
from_vcluster The number of the virtual cluster that the VDOM is being moved from.
to_vcluster The number of the virtual cluster that the VDOM is being moved to.
vdname The name of the virtual domain where the VDOM has been moved to.
Message ID 37891
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A VDOM was added to the specified virtual cluster.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster’s vdom is added.
to_vcluster The number of the virtual cluster that the VDOM was added to.
vdname The name of the virtual domain where the new VDOM was added in.
Message ID 37892
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A virtual cluster moved a member’s status.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster’s member state moved
ha_role The role of the unit within the cluster, for example, subordinate. This field contains either slave or master. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
vcluster The number of the virtual cluster that the VDOM was added to.
vcluster_state The state the virtual cluster is in. This field contains any one of the following:
• init
• work
• helo
• standby
vcluster_member The number of the member of the virtual cluster.
hostname The host name.
sn The serial number of the log message.
Message ID 37893
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A virtual cluster member was detected as not functioning.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster detected memeber dead.
vcluster The number of the virtual cluster.
ha_group The number of the HA group.
Message ID 37894
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A virtual cluster member was detected as having joined the virtual cluster.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster detected member join
vcluster The number of the virtual cluster.
ha_group The number of the HA group.
Message ID 37895
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGate unit in HA mode was added to the virtual cluster. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster add HA device
vcluster The number of the virtual cluster.
devintfname The name of the unit’s interface.
Message ID 37896
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGate unit in HA mode was deleted from the virtual cluster. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Virtual cluster delete HA device(interface)
vcluster The number of the virtual cluster.
devintfname The name of the unit’s interface.
Message ID 37897
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGate unit in HA mode is ready. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg HA device(interface) ready
ha_role The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname The name of the unit’s interface.
Message ID 37898
Log Subtype HA
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A FortiGate unit in HA mode failed. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg HA device(interface) fail
ha_role The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname The name of the interface of the device.
Message ID 37899
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGate unit in HA mode with peer information. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg HA device(interface) peerinfo
ha_role The type of role the unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname The name of the unit’s interface.
Message ID 37900
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The HA heartbeat was deleted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Heartbeat device(interface) delete
devintfname The name of the interface on the FortiGate unit.
Message ID 37901
Log Subtype HA
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit in HA mode is not functioning properly. The unit’s name is not given, only its internal interface name.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Heartbeat device(interface) down
ha_role The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
hbdn_reason The reason why the heartbeat is currently down. This field contains either linkfail or neighbor-info-lost.
devintfname The name of the interface on the FortiGate unit.
Message ID 37902
Log Subtype HA
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The HA heartbeat is up.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Heartbeat device(interface) up
ha_role The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a “slave” role (which is often referred to as subordinate), or “master” role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname The name of the interface on the FortiGate unit.
Message ID 37903
Log Subtype HA
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The primary unit’s synchronization status.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg The sync status with the master
sync_type The type of synchronization being performed. This field contains either configurations or external-files.
synt_status The status of the synchronization. This field contains either out-of-sync or in-sync.
Message ID 37904
Log Subtype HA
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The HA activity report
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg HA activity report
vd The name of the virtual domain where the information for the report was gathered from.
ip The IP address of the unit.
ha-prio The priority number of the unit.
activity The HA activity message.
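The following Python example is added here and is not part of the Fortinet reference. It triages Event-HA records using the msg texts, severities and field values listed in the entries above; the space-separated key=value line layout and the device_id field name (standing in for the reporting unit's serial number) are assumptions, and the sample lines are constructed.

```python
import re

# Assumed wire format: space-separated key=value pairs, values optionally
# double-quoted. msg, ha_role, hbdn_reason, devintfname, sync_type and
# synt_status are field names from this reference; device_id is an assumed
# name for the field carrying the reporting unit's serial number.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

# msg text -> (message ID, severity), copied from the Event-HA entries.
HA_MESSAGES = {
    "HA device(interface) fail": ("37898", "Warning"),
    "Heartbeat device(interface) down": ("37901", "Critical"),
    "Heartbeat device(interface) up": ("37902", "Information"),
    "The sync status with the master": ("37903", "Information"),
}
HBDN_REASONS = {"linkfail", "neighbor-info-lost"}  # documented values only


def parse_kv(line):
    """Return the key=value pairs of one log line as a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def triage_ha(lines):
    """Return (alerts, still_down) for a chronological list of log lines.

    alerts     -- list of (device_id, message_id, severity, detail)
    still_down -- {(device_id, interface): reason} for heartbeat links whose
                  latest event is "down" with no later "up"
    """
    alerts, still_down = [], {}
    for line in lines:
        rec = parse_kv(line)
        known = HA_MESSAGES.get(rec.get("msg", ""))
        if known is None:
            continue  # not one of the HA messages tracked here
        msg_id, severity = known
        unit = rec.get("device_id", "unknown")
        link = (unit, rec.get("devintfname", "unknown"))
        role = rec.get("ha_role")

        if msg_id == "37901":
            reason = rec.get("hbdn_reason", "")
            if reason not in HBDN_REASONS:
                # Outside the documented set: parser drift or a malformed record.
                reason = "undocumented:" + reason
            still_down[link] = reason
            alerts.append((unit, msg_id, severity, f"{link[1]} {reason} role={role}"))
        elif msg_id == "37902":
            still_down.pop(link, None)  # heartbeat restored on this link
        elif msg_id == "37898":
            alerts.append((unit, msg_id, severity, f"{link[1]} failed role={role}"))
        elif msg_id == "37903" and rec.get("synt_status") == "out-of-sync":
            # Information severity, but surfaced because cluster units may
            # differ in configuration while out of sync.
            alerts.append((unit, msg_id, severity, f"{rec.get('sync_type')} out-of-sync"))
    return alerts, still_down


# Constructed sample lines (not captured from a real device).
SAMPLE = [
    'device_id=FGT-EXAMPLE-A vd=root msg="Heartbeat device(interface) down" '
    'ha_role=master hbdn_reason=linkfail devintfname=port3',
    'device_id=FGT-EXAMPLE-A vd=root msg="Heartbeat device(interface) down" '
    'ha_role=master hbdn_reason=neighbor-info-lost devintfname=port4',
    'device_id=FGT-EXAMPLE-A vd=root msg="Heartbeat device(interface) up" '
    'ha_role=master devintfname=port3',
    'device_id=FGT-EXAMPLE-B vd=root msg="HA device(interface) fail" '
    'ha_role=slave devintfname=port1',
    'device_id=FGT-EXAMPLE-B vd=root msg="The sync status with the master" '
    'sync_type=configurations synt_status=out-of-sync',
    'device_id=FGT-EXAMPLE-B vd=root msg="The sync status with the master" '
    'sync_type=external-files synt_status=in-sync',
    'device_id=FGT-EXAMPLE-A vd=root msg="Heartbeat device(interface) down" '
    'ha_role=master hbdn_reason=timeout devintfname=port5',
    'device_id=FGT-EXAMPLE-A vd=root action=perf-stats cpu=12 mem=40 '
    'msg="Performance statistics."',
]

if __name__ == "__main__":
    found, down = triage_ha(SAMPLE)
    for alert in found:
        print(alert)
    print("heartbeat links still down:", down)
```

Matching on the msg text keeps the example independent of how the message ID is encoded in a raw log line, which this section does not show.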
Event-pattern
Event-pattern logs are recorded whenever an administrator updates virus, IPS, and antispam databases from the FortiGuard network.
41000, 41001
Message ID 41000
Log Subtype pattern
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The specified administrator updated the IPS database from the web-based manager.
• The specified administrator failed to update the virus database from the web-based manager.
• The specified administrator successfully updated the AntiSpam database from the web-based manager.
• The specified administrator successfully updated the IPS database from the web-based manager.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action This field is always update.
status This field contains either success or failure.
msg This field contains any one of the following:
• VCM plugin has been updated successfully by user <user_name> via GUI(<ip_address>)
• Virus database has been updated successfully by user <user_name> via GUI(<ip_address>)
• Antispam database has been updated successfully by user <user_name> via GUI (<ip_address>)
• IPS database has been updated successfully by user <user_name> via GUI (<ip_address>)
Message ID 41001
Log Subtype pattern
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Depending on what appears in the msg field, the meaning can be any one of the following:
• The specified administrator failed to update the IPS database from the web-based manager.
• The specified administrator failed to update the virus database from the web-based manager.
• The specified administrator failed to update the AntiSpam database from the web-based manager.
• The specified administrator failed to update the IPS database from the web-based manager.
Fields
Field Description
user The name of the user creating the traffic.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action This field is always update.
status This field contains either success or failure.
msg This field contains any one of the following:
• Update VCM plugin failed by user <user_name> via GUI (<ip_address>)
• Update virus database failed by user <user_name> via GUI(<ip_address>)
• Update AntiSpam database failed by user <user_name> via GUI(<ip_address>)
• Update IPS database failed by user <user_name> via GUI(<ip_address>)
Event-RADIUS
Event-RADIUS log messages record RADIUS server events.
38656, 38657, 38658, 38659, 38660, 38661, 38662, 38663, 38664, 38665, 38666, 38667
Message ID 38656
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS protocol error report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38657
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS profile error report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38658
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS context error report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38659
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS missing stop packet report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38660
Log Sub-type RADIUS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS accounting event report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38661
Log Sub-type RADIUS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS other dynamic profile report.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38662
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning RADIUS protocol errors occurred.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
acc_stat The accounting state. This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason The reason that the trigger occurred.
Message ID 38663
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS start or interim-update packet received with missing or invalid profile specified.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason The reason that the trigger occurred.
Message ID 38664
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning RADIUS context not found for user.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 38665
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS stop packet was missed.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat The accounting state. This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason The reason that the trigger occurred.
Message ID 38666
Log Sub-type RADIUS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS account event.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason The reason that the trigger occurred.
Message ID 38667
Log Sub-type RADIUS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A RADIUS other dynamic profile event.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip The IP address.
profile The name of the profile that was used to detect and take action.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason The reason that the trigger occurred.
Event-notification
Event-notification log messages record sent email notification alerts.
38400, 38401, 38402
Message ID 38400
Log Subtype Notification
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The system successfully sent an email notification message.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
from The sender’s email address.
to The recipient’s email address.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following:
• mm1 • mm4
• mm3 • mm7
dst The destination IP address.
dport The destination port number.
nf_type The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following:
• bword • file_block
• carrier_ep_bwl • flood
• dupe • alert
• mms_checksum • virus
virus The name of the virus that was found.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile used.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg Successfully sent a notification message.
38401
Message ID 38401
Log Subtype Notification
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The system failed to send an email notification message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
from The sender’s email address.
to The recipient’s email address.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following:
• mm1 • mm4
• mm3 • mm7
dst The destination IP address.
dport The destination port number.
nf_type The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following:
• bword • file_block
• carrier_ep_bwl • flood
• dupe • alert
• mms_checksum • virus
virus The name of the virus that was found.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile used.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.
count The number of times the same event was detected within a short period of time.
duration This represents the value in seconds.
msg Unable to send notification message.
sess_duration The session duration number.
38402
Message ID 38402
Log Subtype Notification
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The system was unable to resolve an MMSC hostname.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
service The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile used.
profile_vd The virtual domain that the profile is from.
msg Unable to resolve hostname.
Event-amc-intf-bypass
Event-amc-intf-bypass log messages record the AMC disks’ bypass mode activity.
47201
47202
Message ID 47201
Log Sub-type amc-intf-bypass
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning AMC card entered bypass mode.
Fields
Field Description
msg The AMC card in slot <slot_number> has entered bypass mode due to <reason>.
Message ID 47202
Log Sub-type amc-intf-bypass
Severity Emergency
Firmware version FortiOS 4.0 MR3
Meaning AMC card exited bypass mode.
Fields
Field Description
msg The AMC card in slot <slot_number> has exited bypass mode due to <reason>.
Event-GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiOS Carrier firmware.
41216
41217
41218
41219
41220
41221
41222
41216
Message ID 41216
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning GTP forward
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field can contain any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
msg-type The number of the message type.
carrier_ep The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
from The source IP address.
to The destination IP address.
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
c-gsn The GSN IP address for signaling.
u-gsn The GSN IP address for user traffic.
nsapi The NSAPI number.
linked-nsapi The linked-NSAPI number.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41217
Message ID 41217
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning GTP deny
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field can contain any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
msg-type The number of the message type.
carrier_ep The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
from The source IP address.
to The destination IP address.
deny-cause Explains why the message is prohibited. This field contains any one of the following:
• packet-sanity • invalid-reserved-field
• reserved-msg • out-state-msg
• reserved-ie • out-state-ie
• invalid-msg-length • invalid-ie-length
• miss-mandatory-ie • ip-policy
• non-ip-policy • sgsn-not-authorized
• sgsn-no-handover • ggsn-not-authorized
• invalid-seq-num • msg-filter
• apn-filter • imsi-filter
• adv-policy-filter
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
c-gsn The IP address.
u-gsn The IP address.
nsapi The number of NSAPI.
linked-nsapi The number of linked-NSAPI.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41218
Message ID 41218
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning GTP rate limit.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field can contain any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
msg-type The number of the message type.
carrier_ep The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
from The source IP address.
to The destination IP address.
imsi The identification number of the IMSI.
msisdn The identification number of the MSISDN.
apn The identification number for APN.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
c-gsn The IP address.
u-gsn The IP address.
nsapi The NSAPI number.
linked-nsapi The linked-NSAPI number.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41219
Message ID 41219
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning GTP state invalid
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field always contains state-invalid. This means the message is blocked because the FortiGate unit found no valid state. For example, a response message comes in and the FortiGate unit detects no corresponding request message.
version The version number.
msg-type The number of the message type.
carrier_ep The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
from The source IP address.
to The destination IP address.
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
c-gsn The IP address.
u-gsn The IP address.
nsapi The number of NSAPI.
linked-nsapi The number of linked-NSAPI.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41220
Message ID 41220
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning Tunnel limit GTP message. These messages occur only when the maximum number of GTP tunnels is reached. No new tunnels are created when the maximum number is reached.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field contains any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
msg-type The number of the message type.
carrier_ep The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
from The source IP address.
to The destination IP address.
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
c-gsn The IP address.
u-gsn The IP address.
nsapi The number of NSAPI.
linked-nsapi The number of linked-NSAPI.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41221
Message ID 41221
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning Statistic summary information when the GTP tunnel is being torn down.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field contains any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
c-sgsn The SGSN IP address for signaling.
c-ggsn The GGSN IP address for signaling.
u-sgsn The SGSN IP address for user traffic.
u-ggsn The GGSN IP address for user traffic.
c-sgsn-teid The identification number.
c-ggsn-teid The identification number.
u-sgsn-teid The identification number.
u-ggsn-teid The identification number.
tunnel-idx The tunnel’s identity index number.
duration The duration of the GTP tunnel’s existence. The duration is in seconds.
c-pkts The number of GTP-c packets.
c-bytes The number of bytes for GTP-c signaling traffic.
u-pkts The number of GTP-u packets.
u-bytes The number of bytes for GTP-u user traffic.
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
selection This field contains any one of the following:
• apns-vrf • ms-apn-no-vrf
• net-apn-no-vrf
nsapi The NSAPI information.
linked-nsapi The linked-NSAPI information.
imei-sv The IMEI-SV information.
rat-type This field contains any one of the following:
• utran • gan
• geran • hspa
• wlan
rai The RAI information.
uli The ULI information.
end-user-address The end-user’s IP address.
41222
Message ID 41222
Log Subtype GTP
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning GTP user data
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
profile The name of the VoIP profile that was used to detect and take action.
status This field contains any one of the following:
• forwarded • prohibited
• rate-limited • state-invalid
• tunnel-limited • traffic-count
• user-data
version The version number.
tunnel-idx The tunnel’s identity index number.
from The source IP address.
to The destination IP address.
end-user-address The end-user’s IP address.
imsi The IMSI information.
msisdn The MSISDN information.
apn The APN information.
user_data The actual user traffic content, represented in hexadecimal form.
Event-MMS-Stats
Event-MMS log messages record MMS activity. These log messages are recorded only when running FortiOS Carrier firmware.
43264
Message ID 43264
Log Sub-type MMS
Severity Information
Firmware version FortiOS Carrier 4.0 MR3
Meaning MMS statistics.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
proto The MMS protocol that was used. This field can be any one of the following:
• mm1 • mm3
• mm4 • mm7
infected The number of infected messages.
suspicious The number of suspicious messages.
scanned The number of scanned messages.
intercepted The number of intercepted messages.
blocked The number of blocked messages.
checksum The number of content checksum blocked messages.
duration The length of the interval that these counts cover.
Event-VoIP
Event-VoIP log messages record VoIP activities that include the SIP and SCCP protocols.
44032
44033
44034
44035
44036
44037
44038
44032
Message ID 44032
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A SIP log.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
src_port The source port number.
dst The destination IP address.
dst_port The destination port number.
proto The transport protocol number.
src_int The source interface.
dst_int The destination interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the SIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type The type of profile used.
voip_proto The VoIP application protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
duration This represents the value in seconds.
dir The direction of the traffic. This field contains either inbound or outbound.
from The source name.
to The destination name.
44033
Message ID 44033
Log Subtype VoIP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning SIP was blocked.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
src_port The source port number.
dst The destination IP address.
dst_port The destination port number.
proto The transport protocol number.
src_int The source interface.
dst_int The destination interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the SIP activity.
profile_group The name of the profile group. This is for FortiOS Carrier only.
profile_type The type of profile that was used.
voip_proto The VoIP application protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
reason This field contains any one of the following:
• rate-limit • dialog-limit
• long-header • unrecognized-form
• unknown • block-request
• phone • session-close
• new-register • invalid-ip
• exceed-rate
duration This represents the value in seconds.
dir The direction of the traffic. This field contains either inbound or outbound.
message_type The type of message. This field contains either request or response.
request_name The name of the request.
count The number of times the same event was detected within a short period of time.
from The source name.
to The destination name.
44034
Message ID 44034
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SIP fuzzing occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s identification serial number.
src The source IP address.
src_port The source port number.
dst The destination IP address.
dst_port The destination port number.
proto The transport protocol number.
src_int The source interface.
dst_int The destination interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the SIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type The type of profile used.
voip_proto The VoIP application protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
duration This represents the value in seconds.
dir The direction of the traffic. This field contains either inbound or outbound.
message_type The type of message. This field contains either request or response.
request_name The request name.
malform_desc The description of the syntax error. This field contains any one of the following:
• unexpected-character • invalid-quoting-character
• trailing-bytes • header-line-oversize
• msg-body-oversize • domain-name-oversize
• domain-name-oversize • domain-label-oversize
• syntax-malformed • duplicated-sip-header
• space-violation • invalid-ip4-address
• invalid-ipv6-address • invalid-port
• invalid-fqdn • no-matching-double-quote
• empty-quoted-string • invalid<userinfo>
• invalid-escape-encoding-in<userinfor>
• invalid-escape-encoding-in-uri-paramter
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in<reason-phrase>
• port-expected • port-not-allowed
• domain-name-invalid • <gen-value>-expected
• invalid-<gen-value> • invalid-<quoted-string>-in-<gen-value>
• ipv4-address-expected • ipv6-address-expected
• uri-expected • invalid-transport-uri-parameter
• invalid-user-uri-parameter • invalid-method-uri-parameter
• invalid-ttl-uri-parameter • invalid-uri-parameter-pname
• invalid-uri-parameter-value • uri-parameter-repeat
• invalid-uri-header-name • invalid-uri-header-value
• invalid-uri-header-name-value-pair
• invalid-quoted-string-in-display-name
• left-angle-bracket-is-mandatory • right-angle-bracket-not-found
• invalid-status-code • no-METHOD-on-request-line
• uri-parameters-not-allowed-by-RFC
• unknown-scheme
• whitespace-expected • LWS-expected
• invalid-<SIP-Version>-on-request-line
• invalid-<protocol-name>
• invalid-<protocol-version> • invalid-<transport>
• no-SLASH-after-<protocol-name>
• no-SLASH-after-<protocol-version>
• header-parameter-expected • invalid-ttl-parameter
• invalid-madddr-parameter • invalid-received-parameter
• invalid-branch-parameter • invalid-rport-parameter
• via-parameter-repeat • <seq>-number-expected
• <method>-expected • <method>-does-not-match-the-request-line
• <response-num>-expected • <CSeq-num>-expected
• <Method>-expected-after-<CSeq-num>
• expires-header-repeated
• <delta-seconds>expected • invalid-max-forwards
• token-expected • invalid-expires-parameter
• invalid-q-parameter • <generic-param>-with-invalid<gen-value>
• <m-type>-expected • SLASH-expected-after-<m-type>
• <m-subtype>expected • <m-attribute>-expected-after-SEMI
• boundary-parameter-appears-more-than-once
• EQUAL-expected-after-<m-attribute>
• invalid-<quoted-string>-in-<m-value>
• invalid-<m-value>
• multipart-Content-Type-has-no-boundary
• digits-expected
• IN-expected • IP-expected
• IP4-or-IP6-expected • IPv4-or-IPv6-address-expected
• line-order-error • z-line-not-allowed-on-media-level
• <time>-expected • <typed-time>-expected
• r-line-not-allowed-on-media-level
• <repeat-interval>-expected
• <bwtype>-expected • colon-expected
• <bandwidth>-expected • t-liine-not-allowed-on-media-level
• invalid-<start-time> • invalid<stop-time>
• too-many-i-lines • <text>-expected
• too-many-c-lines • too-many-v-line
• v-line-not-allowed-on-media-level
• too-many-o-lines
• o-line-not-allowed-on-media-level
• <username>-expected
• <sess-id>-expected • <sess-version>-expected
• too-many-s-lines • s-line-not-allowed-on-media-level
• too-many-m-lines • <media>-expected
• <integer>-expected • <proto>-expected
• <token>-expected-in-<proto>-after-slash
• <fmt>-expected
• <att-field>-expected • <att-value>-expected
• <payload-type>-expected-in-rtpmap
• <encoding-name>-expected-in-rtpmap
• slash-expected-after-<encoding-name>-in-rtpmap
• invalid-<clock-rate>-in-rtpmap
• invalid-<encoding-parameters>-in-rtpmap
• invalid-candidate-line
• sdp-candidate-line-before-m-line
• sip-Yahoo-candidate-invalid-protocol
• invalid-port-after-ip-address-in-candidate-line
• too-many-candidate-lines
• sdp-invalid-alt-line • sdp-alt-line-before-m-line
• invalid-port-after-ip-address-in-alt-line
• sdp-rtcp-line-before-m-line
• invalid-port-in-rtcp-lines • too-many-rtcp-lines
• <callid>-expected • <word>-expected
• invalid-tag-parameter • no-tag-parameter
• sdp-v-o-s-t-lines-are-mandatory • unknown-header
• end-of-line-error • sip-udp-message-truncated
• missing-mandatory-field
madlform_data The number of the malform data.
line The line information.
column The column number.
44035
Message ID 44035
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SCCP registration
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
proto The transport protocol number.
src_int The source interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the SIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type The type of profile used.
voip_proto The VoIP protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
phone The phone information.
44036
Message ID 44036
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SCCP unregister
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
proto The transport protocol number.
src_int The source interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the VoIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type The type of profile used.
voip_proto The VoIP protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
reason This field contains any one of the following:
• rate-limit • block-request
• dialog-limit • phone
• long-header • session-close
• unrecognized-form • new-register
• unknown • invalid-ip
• exceed-rate
phone The phone information.
44037
Message ID 44037
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SCCP call block
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
proto The transport protocol number.
src_int The source interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the VoIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type The type of profile used.
voip_proto The VoIP protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
reason This field contains any one of the following:
• rate-limit • block-request
• dialog-limit • phone
• long-header • session-close
• unrecognized-form • new-register
• unknown • invalid-ip
• exceed-rate
phone The phone information.
44038
Message ID 44038
Log Subtype VoIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning SCCP call info
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
session_id The session identification number.
epoch The user session identification number.
event_id The event’s serial identification number.
src The source IP address.
src_port The source port number.
dst The destination IP address.
dst_port The destination port number.
proto The transport protocol number.
src_int The source interface.
dst_int The destination interface.
policy_id The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
endpoint The endpoint information.
profile The name of the VoIP profile that was used to detect the VoIP activity.
profile_group The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type The type of profile used.
voip_proto The VoIP protocol that was detected. This field contains either sip or sccp.
kind This field contains any one of the following:
• register • call-info
• unregister • call-block
• call
action This field contains any one of the following:
• permit • cm-reject
• block • exempt
• monitor • ban
• kickout • ban-user
• encrypt-kickout • log-only
status This field contains any one of the following:
• start • succeeded
• end • failed
• timeout • authentication-required
• blocked
duration This represents the value in seconds.
phone The phone information.
Data Leak Prevention
Data Leak Protection (DLP) log messages record data leaks. These logs provide additional information to help administrators better analyze and detect data leaks. In FortiOS 4.0 MR3 and higher, DLP log messages are located in the UTM log file. They can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
24576, 24577, 24578, 24579
24576
Message ID 24576
Log Subtype DLP
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A data leak was detected by a specified DLP sensor rule.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains one of the following:
• http • mm4
• https • mm7
• smtp • nntp
• pop3 • im
• imap • smtps
• ftp • pop3s
• mm1 • imaps
• mm3 • ftp (ftp-over-http)
status The action the FortiGate unit took. This field contains any of the following:
• detected • blocked
• success • error
filefilter The type of file filter. This field contains any one of the following:
• none • file pattern
• file type
filetype The type of file, for example, a zip file. This field contains any one of the following:
• arj • cab
• tzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
sent The total number of bytes sent.
rcvd The total number of bytes received.
hostname The home page of the web site. For example, www.example.com.
url The URL address of the web page that the user was viewing.
from The sender’s email address.
to The receiver’s email address.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
rulename The name of the DLP rule within the DLP sensor.
compoundname The name of the compound rule used.
filtername The name of the filter.
file The file information.
action The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains any one of the following:
• log-only • ban sender
• block • quarantine ip
• exempt • quarantine interface
• ban
severity The level of severity for that specific rule.
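The following added example, which is not part of the Fortinet reference, checks DLP records against the status and action values listed for message 24576 and counts detections whose rule action did not block the transfer. It assumes records arrive as key=value pairs with quoted values, a layout this page does not show; the sample lines and the treatment of log-only and exempt as non-enforcing are constructed for illustration.

```python
import re
from collections import Counter

# Enumerations copied from the status and action rows of the field table above.
STATUS = {"detected", "blocked", "success", "error"}
ACTION = {"log-only", "block", "exempt", "ban", "ban sender",
          "quarantine ip", "quarantine interface"}
# Assumption: these two rule actions let the matched data through.
NON_ENFORCING = {"log-only", "exempt"}
LEAK = "leak detected but not blocked"

# Assumption: a record is a run of key=value pairs; values containing spaces
# (for example "quarantine ip") are wrapped in double quotes.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_line(line):
    """Split one record into a dict of field name -> string value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def source_port(fields):
    """The table documents sport and src_port identically; accept either."""
    return fields.get("src_port") or fields.get("sport")


def check(fields):
    """Return findings for one parsed record: schema drift and unblocked leaks."""
    findings = []
    for name, allowed in (("status", STATUS), ("action", ACTION)):
        value = fields.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value not in allowed:
            findings.append(f"unexpected {name}={value!r}")
    if fields.get("status") == "detected" and fields.get("action") in NON_ENFORCING:
        findings.append(LEAK)
    return findings


def triage(lines):
    """Count unblocked detections per (vd, src, rulename); collect other findings."""
    hits = Counter()
    problems = []
    for number, line in enumerate(lines, 1):
        fields = parse_line(line)
        for finding in check(fields):
            if finding == LEAK:
                key = (fields.get("vd"), fields.get("src"), fields.get("rulename"))
                hits[key] += 1
            else:
                problems.append((number, finding))
    return hits, problems


# Constructed sample records (documentation address ranges, invented rule names).
SAMPLE = [
    'vd=root policyid=3 serial=1001 user="alice" src=192.0.2.10 sport=51512 '
    'dst=198.51.100.7 dport=25 service=smtp status=detected '
    'rulename="card-numbers" action=log-only',
    'vd=root policyid=3 serial=1002 user="alice" src=192.0.2.10 src_port=51513 '
    'dst=198.51.100.7 dst_port=25 service=smtp status=detected '
    'rulename="card-numbers" action=log-only',
    'vd=root policyid=5 serial=1003 src=192.0.2.22 sport=40000 '
    'dst=198.51.100.9 dport=80 service=http status=blocked '
    'rulename="source-code" action="quarantine ip"',
    'vd=root policyid=5 serial=1004 src=192.0.2.22 status=passed '
    'rulename="source-code" action=block',
]

if __name__ == "__main__":
    hits, problems = triage(SAMPLE)
    for (vd, src, rule), count in hits.most_common():
        print(f"{count} unblocked detection(s): vd={vd} src={src} rule={rule}")
    for number, finding in problems:
        print(f"record {number}: {finding}")
```

Records with values outside the documented lists are reported separately, which surfaces firmware or parser drift instead of silently miscounting.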
24577
Message ID 24577
Log Subtype DLP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A data leak was detected by a specified DLP sensor rule.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains one of the following:
• http • mm4
• https • mm7
• smtp • nntp
• pop3 • im
• imap • smtps
• ftp • pop3s
• mm1 • imaps
• mm3 • ftp (ftp-over-http)
status The action the FortiGate unit took. This field contains any one of the following:
• detected • blocked
• success • error
filefilter The type of file filter. This field contains any one of the following:
• none • file pattern
• file type
filetype The type of file, for example, a zip file. This field contains any one of the following:
• arj • cab
• tzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
sent The total number of bytes sent.
rcvd The total number of bytes received.
hostname The home page of the web site. For example, www.example.com.
url The URL address of the web page that the user was viewing.
from This field contains N/A.
to This field contains N/A.
msg data leak detected(Data Leak Prevention Rule matched)
rulename The name of the DLP rule that was used.
compoundname The name of the compound rule used.
filtername The name of the filter.
file The file information.
action The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains one of the following:
• log-only • ban sender
• block • quarantine ip
• exempt • quarantine interface
• ban
severity The level of severity for that specific rule.
24578
24579
Message ID 24578
Log Subtype DLP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A DLP fingerprint document source notice.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
status The action the FortiGate unit took. This field contains any one of the following:
• detected • blocked
• success • error
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
sensitivity The document source.
docsource The document source.
errorstr The error information, if there was an error in scanning the document source.
Message ID 24579
Log Subtype DLP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A DLP fingerprint document source error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
status The action the FortiGate unit took. This field contains any one of the following:
• detected • blocked
• success • error
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
sensitivity The document source.
docsource The document source.
errorstr The error information, if there was an error in scanning the document source.
Application Control
Application Control log messages record application control protocols and events. In FortiOS 4.0 MR3 and higher, application control log messages are located in the UTM log file. They can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
28672, 28673, 28674, 28675, 28676, 28677, 28678, 28688, 28689, 28690, 28704, 28705
28672
Message ID 28672
Log Subtype app-crtl-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An application control IM-basic log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
28673
Message ID 28673
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
status This field can be any one of the following:
• request • cancel
• accept • fail
• download • stop
• start • end
• timeout • blocked
• succeeded • failed
• authentication-required • pass
• block
28674
Message ID 28674
Log Subtype app-crtl-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (chat message count) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
28675
Message ID 28675
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (file) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
status This field can be any one of the following:
• request • cancel
• accept • fail
• download • stop
• start • end
• timeout • blocked
• succeeded • failed
• authentication-required • pass
• block
filename The name of the file.
filesize The size of the file.
message The log information. This is usually a sentence and explains the activity and/or action taken.
28676
Message ID 28676
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (chat) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app The type of application that triggered the action within the control list.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
content The content information.
28677
Message ID 28677
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (chat blocked) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
reason This field contains any one of the following:
• meter-overload-drop • meter-overload-refuse
• rate-limit • dialog-limit
• long-header • unrecognized-form
• unknown • block-request
• invalid-ip • exceed-rate
req The request information.
28678
Message ID 28678
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (blocked) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
28688
Message ID 28688
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (VoIP basic) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
status This field can be any one of the following:
• request • cancel
• accept • fail
• download • stop
• start • end
• timeout • blocked
• succeeded • failed
• authentication-required • pass
• block
28689
Message ID 28689
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (SCCP call blocked) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
status This field can be any one of the following:
• request • cancel
• accept • fail
• download • stop
• start • end
• timeout • blocked
• succeeded • failed
• authentication-required • pass
• block
phone The phone information.
reason This field contains any one of the following:
• meter-overload-drop • meter-overload-refuse
• rate-limit • dialog-limit
• long-header • unrecognized-form
• unknown • block-request
• invalid-ip • exceed-rate
28690
Message ID 28690
Log Subtype app-crtl-all
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (SIP block) log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind This field can be any one of the following:
• login • chat
• file • photo
• audio • call
• regist • unregister
• call-block • request
• response • video
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
dir This field can be any one of the following:
• incoming • outgoing
• N/A
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
reason This field contains any one of the following:
• meter-overload-drop • meter-overload-refuse
• rate-limit • dialog-limit
• long-header • unrecognized-form
• unknown • block-request
• invalid-ip • exceed-rate
req The request information.
28704
Message ID 28704
Log Subtype app-crtl-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (IPS) log message (pass).
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
attack_id The identification number of the IM (IPS) log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
28705
Message ID 28705
Log Subtype app-crtl-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An application control IM (IPS) log message (pass).
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
attack_id The identification number of the IM (IPS) log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
src_port The source port number.
src_int The source interface name. For example, internal.
dst The destination IP address.
dst_port The destination port number.
dst_int The destination interface name. For example, wan1.
src_name The source name. This can be a name or an IP address.
dst_name The destination name. This can be a name or an IP address.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
app_list The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The action that was taken by the application control engine. This field can be any one of the following:
• pass • block
• monitor • kickout
• encrypt-kickout • reject
count The number of times the same event was detected within a short period of time.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Antivirus
Antivirus log messages record actual viruses that are contained in an email as well as anything that appears to be similar to a virus or suspicious, such as in a file or in an email. In FortiOS 4.0 MR3 and higher, antivirus log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
8192, 8193, 8194, 8195, 8196, 8197, 8198, 8199, 8448, 8449, 8450, 8451, 8452, 8453, 8454, 8455, 8456,
8704, 8704, 8705, 8706, 8707, 8960, 8961, 8962, 8963, 8964, 8965, 8966, 8967, 8968, 8969, 8970, 8971,
8972, 8973
8192
Message ID 8192
Log Subtype Infected
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An infected file was detected by the FortiGate unit and blocked.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is infected
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP
• GET file pattern block • No quarantine for oversized files.
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8193
Message ID 8193
Log Subtype Infected
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An infected file was detected by the FortiGate unit and it passed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is infected
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP
• GET file pattern block • No quarantine for oversized files.
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8194
Message ID 8194
Log Subtype Infected
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A MIME header was detected to have a virus and was blocked.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is infected
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP
• GET file pattern block • No quarantine for oversized files.
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
to The sender’s email address.
8195
Message ID 8195
Log Subtype Infected
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A MIME header is infected and passed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is infected
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files.
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
to The sender’s email address.
8196
Message ID 8196
Log Subtype Infected
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit detected a computer worm and blocked it.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Worm detected.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
virus The name of the virus that was detected.
dtype The dtype information.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
8197
Message ID 8197
Log Subtype Infected
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit detected a computer worm and monitored it.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Worm deteceted.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
virus The name of the virus that was detected.
dtype The dtype information.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
8198
Message ID 8198
Log Subtype Infected
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit detected a computer worm (MIME) and blocked it.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Worm detected.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
virus The name of the virus that was detected.
dtype The dtype information.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
8199
Message ID 8199
Log Subtype Infected
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit detected a computer worm (MIME) and monitored it.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Worm detected.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
virus The name of the virus that was detected.
dtype The dtype information.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8457
Message ID 8457
Log Subtype Infected
Severity Warning
Firmware version FortiOS Carrier 4.0 MR3
Meaning An MMS content checksum blocked an infected file.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Blocked by MMS content checksum
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8458
Message ID 8458
Log Subtype Infected
Severity Notification
Firmware version FortiOS Carrier 4.0 MR3
Meaning An MMS content checksum was matched.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Matched by MMS content checksum.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8448
Message ID 8448
Log Subtype Filename
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit blocked a file because it contains a virus.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is blocked
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8449
Message ID 8449
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit blocked a file because it contains a virus.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is blocked
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8450
Message ID 8450
Log Subtype Filename
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit blocked a file because it contains a virus (MIME).
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is blocked.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8451
Message ID 8451
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit blocked a file because it contains a virus (MIME).
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File is blocked.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8452
Message ID 8452
Log Subtype Filename
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit blocked a virus command.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Command blocked.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
url The URL address of where the file was acquired.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
command The command information.
8453
Message ID 8453
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit intercepted a file containing a virus.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg The file is intercepted.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8454
Message ID 8454
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The FortiGate unit intercepted a file (MIME).
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg The file is intercepted.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
from The sender’s email address.
to The recipient’s email address.
8455
Message ID 8455
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A file was exempted.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File has been exempted.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8456
Message ID 8456
Log Subtype Filename
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A file was exempted.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File has been exempted.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
filefilter This field contains any one of the following:
• none • file pattern
• file type
filetype This field contains any one of the following:
• arj • cab
• lzh • rar
• tar • zip
• bzip • gzip
• bzip2 • bat
• msc • uue
• mime • base64
• binhex • com
• elf • exe
• hta • html
• jad • class
• cod • javascript
• msoffice • fsg
• upx • petite
• aspack • prc
• sis • hlp
• activemime • jpeg
• gif • tiff
• png • bmp
• ignored • unknown
• N/A
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8704
Message ID 8704
Log Subtype Oversize
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The defined file size limit was exceeded.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Size limit is exceeded.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
8705
Message ID 8705
Log Subtype Oversize
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file size limit was exceeded.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Size limit is exceeded.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
8706
Message ID 8706
Log Subtype Oversize
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The file (MIME) size exceeds the defined size limit.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Size limit is exceeded.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8707
Message ID 8707
Log Subtype Oversize
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file (MIME) size exceeds the defined size limit.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Size limit is exceeded.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
file The name of the file.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The name of the profile that was used to detect and take action.
profilegroup The type of profile that was used, for example, Antivirus_Profile.
profile The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
from The sender’s email address.
to The recipient’s email address.
8960
Message ID 8960
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file reached the uncompressed nested limit.
Fields Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg File reached uncompressed nested limit.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8961
Message ID 8961
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file reached the uncompressed size limit.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg File reached uncompressed size limit.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • nntp
• im • smtps
• https • pop3s
• imaps • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8962
Message ID 8962
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The archived file is encrypted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Encrypted archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8963
Message ID 8963
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The archived file is encrypted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Encrypted archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8964
Message ID 8964
Log Subtype Scanerror
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The archived file is corrupted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Corrupted archive
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8965
Message ID 8962
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The archived file is corrupted.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Corrupted archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8966
Message ID 8966
Log Subtype Scanerror
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The file is a multipart archive or contains multiple files within the archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Multipart archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8967
Message ID 8967
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file is a multipart archive or contains multiple files within the archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Encrypted archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8968
Message ID 8968
Log Subtype Scanerror
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The file is a nested archived file.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Nested archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8969
Message ID 8969
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The file is a nested archived file.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg Nested archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8970
Message ID 8970
Log Subtype Scanerror
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The archived file is oversized.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Oversize archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8971
Message ID 8971
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The archived file is oversized.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Nested archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8972
Message ID 8969
Log Subtype Scanerror
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A type of unhandled archived file.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Unhandled archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
8973
Message ID 8973
Log Subtype Scanerror
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A type of unhandled archived file.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg Unhandled archive.
status The decision of the antivirus engine on how to treat the file. This field contains any one of the following:
• blocked • passthrough
• monitored
service The type of protocol that was used to send and receive the traffic. This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s • http (ftp-over-http)
src The source IP address.
dst The destination IP address.
sport The source port number.
src_port The source port number.
dport The destination port number.
dst_port The destination port number.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
dir This field contains any one of the following:
• N/A • tx
• rx
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip This field contains any one of the following:
• No skip • No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus The name of the virus that was detected.
dtype The dtype information.
ref The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url The URL address of where the file was acquired.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s email address.
to The recipient’s email address.
Attack
Attack log messages are recorded when attacks are made against your network. These log messages provide details about the attack, such as the severity level of the attack and a reference URL link to find more information about the specified attack in the Fortinet Attack Encyclopedia. In FortiOS 4.0 MR3 and higher, attack log messages are located in the UTM log file. These log messages are also viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
16384
16385
16386
18432
18433
18434
16384
Message ID 16384
Log Subtype Signature
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack signature using UDP/TCP.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service of where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
src_port The source port number. This number is either a TCP or UDP port number.
dst_port The destination port number. This number is either a TCP or UDP port number.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
incident_serialno The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
16385
Message ID 16385
Log Subtype Signature
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack signature using ICMP.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service of where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
icmp_id The ICMP source port number.
icmp_type The ICMP destination port number.
icmp_code The ICMP destination port number.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
incident_serialno The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
16386
Message ID 16386
Log Subtype Signature
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack signature using others.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service of where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
incident_serialno The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
18432
Message ID 18432
Log Subtype Anomaly
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack anomaly using UDP/TCP.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service The service of where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
src_port The source port number. This number is either a TCP or UDP port number.
dst_port The destination port number. This number is either a TCP or UDP port number.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
18433
Message ID 18433
Log Subtype Anomaly
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack anomaly using ICMP.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
icmp_id The ICMP source port number.
icmp_type The ICMP destination port number.
icmp_code The ICMP destination port number.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
incident_serialno The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
18434
Message ID 18434
Log Subtype Anomaly
Severity Alert
Firmware version FortiOS 4.0 MR3
Meaning An attack anomaly using others.
Fields
Field Description
severity The specified severity level of the attack. This field contains any one of the following:
• info • low
• medium • high
• critical
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
src The source IP address.
dst The destination IP address.
src_int The source interface. For example, internal.
dst_int The destination interface. For example, wan1.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial The serial number of the firewall session on which the event happened.
status The type of action the FortiGate unit took, for example detecting the attack. This field contains any one of the following:
• detected • dropped
• reset
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred. For example, 139/tcp.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
attack_name The name of the attack.
attack_id The identification number of the attack log message.
sensor The name of the DLP sensor that was used to detect and take action.
ref The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet’s FortiGuard Center Encyclopedia.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
incident_serialno The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
Email filter
Email filter log messages record the email protocols SMTP, POP3 and IMAP. In FortiOS 4.0 MR3 and higher, email filtering log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
20480, 20481, 20482, 20483, 20484, 20491, 20485, 20486, 20487, 20488, 20489, 20490, 20492, 20493, 20494, 20495,
20496, 20497, 20498, 20499, 20500, 20501, 20503, 20504, 20505
20480
Message ID 20480
Log Subtype SMTP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An SMTP warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20481
Message ID 20481
Log Subtype SMTP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An SMTP warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
banword The banned word that was detected.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20482
Message ID 20482
Log Subtype POP3
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A POP3 warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20483
Message ID 20483
Log Subtype POP3
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A POP3 notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
banword The banned word that was detected.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20484
Message ID 20484
Log Subtype IMAP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IMAP notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20491
Message ID 20491
Log Subtype IMAP
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An IMAP banned word notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
banword The banned word that was detected.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
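An added example, not part of the Fortinet reference: triage of the SMTP, POP3 and IMAP email filter entries above (message IDs 20480 to 20484 and 20491) using the status, from and banword fields they document. The raw line layout (space-separated key=value pairs with optional double quotes) and the log_id key name are assumptions, and every sample line is constructed.

```python
import re
from collections import Counter

# Message ID -> log subtype, taken from the SMTP/POP3/IMAP entries on this page.
EMAIL_FILTER_IDS = {20480: "SMTP", 20481: "SMTP", 20482: "POP3",
                    20483: "POP3", 20484: "IMAP", 20491: "IMAP"}
# Values the page lists for the email filter "status" field.
EMAIL_STATUSES = {"exempted", "blocked", "detected"}

# ASSUMPTION: a raw log line is a run of key=value pairs; a value is either a
# double-quoted string (which may contain spaces and '=') or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_line(line):
    """Split one log line into a dict of field name -> value."""
    fields = {}
    for match in PAIR_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(lines):
    """Summarise email filter events and collect lines that do not fit."""
    by_subtype_status = Counter()   # (subtype, status) -> events
    banwords = Counter()            # banned word (lower-cased) -> hits
    blocked_senders = Counter()     # "from" address -> blocked messages
    rejected = []                   # (line number, reason)
    for number, line in enumerate(lines, 1):
        fields = parse_line(line)
        try:
            message_id = int(fields.get("log_id", ""))  # key name is assumed
        except ValueError:
            rejected.append((number, "no numeric message ID"))
            continue
        subtype = EMAIL_FILTER_IDS.get(message_id)
        if subtype is None:
            continue  # some other log type, e.g. an attack anomaly entry
        status = fields.get("status")
        if status not in EMAIL_STATUSES:
            # e.g. "reset" is listed for attack logs, not for email filter logs
            rejected.append((number, "status %r not valid here" % status))
            continue
        by_subtype_status[(subtype, status)] += 1
        if fields.get("banword"):
            banwords[fields["banword"].lower()] += 1
        if status == "blocked" and fields.get("from"):
            blocked_senders[fields["from"].lower()] += 1
    return {"by_subtype_status": by_subtype_status, "banwords": banwords,
            "blocked_senders": blocked_senders, "rejected": rejected}


# Constructed sample lines (documentation addresses and domains only).
SAMPLE_LINES = [
    'log_id=20480 status=blocked service=smtp src=192.0.2.10 vd=root '
    'from="bulk@example.com" to="alice@example.net" tracker="constructed" '
    'msg="constructed sample: spam rule matched"',
    'log_id=20481 status=blocked service=smtp src=192.0.2.10 vd=root '
    'from="bulk@example.com" to="bob@example.net" banword="Lottery" '
    'msg="constructed sample: text with status=exempted inside quotes"',
    'log_id=20483 status=detected service=pop3 src=192.0.2.44 vd=root '
    'from="news@example.org" to="alice@example.net" banword="lottery" '
    'msg="constructed sample"',
    'log_id=20491 status=exempted service=imap src=192.0.2.45 vd=root '
    'from="partner@example.org" to="bob@example.net" banword="invoice" '
    'msg="constructed sample"',
    'log_id=18434 status=dropped src=192.0.2.99 dst=198.51.100.7 count=12 '
    'attack_name="constructed" msg="constructed sample"',
    'log_id=20484 status=reset service=imap src=192.0.2.46 vd=root '
    'from="x@example.org" to="y@example.net" msg="constructed sample"',
    'truncated line without identifiers',
]


def run_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    result = run_sample()
    for name, value in result.items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Lines that fail validation are reported with their line number instead of being dropped silently, so a truncated or mislabelled record stays visible during review.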
20485
Message ID 20485
Log Subtype Carrier Endpoint Filter
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An endpoint filter warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20486
Message ID 20486
Log Subtype Carrier Endpoint Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An endpoint filter notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20487
Message ID 20487
Log Subtype Carrier Endpoint Filter
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM7 warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20488
Message ID 20488
Log Subtype Carrier Endpoint Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM7 notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20489
Message ID 20489
Log Subtype Carrier Endpoint Filter
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM1 warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20490
Message ID 20490
Log Subtype Carrier Endpoint Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM1 notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20492
Message ID 20492
Log Subtype Mass-MMS
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM1 flood detection warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20493
Message ID 20493
Log Subtype Mass-MMS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM1 flood detection notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20494
Message ID 20494
Log Subtype Mass-MMS
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM4 flood detection warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20495
Message ID 20495
Log Subtype Mass-MMS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM4 flood detection notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20496
Message ID 20496
Log Subtype Mass-MMS
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM1 duplicate detection warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20497
Message ID 20497
Log Subtype Mass-MMS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM1 duplicate detection notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following:
• exempted
• blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering), this field displays.
dir This field contains either tx or rx.
agent This is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20498
Message ID 20498
Log Subtype Mass-MMS
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An MM4 duplicate detection warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20499
Message ID 20499
Log Subtype Mass-MMS
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An MM4 duplicate detection notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
20500
Message ID 20500
Log Subtype msn-hotmail
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An MSN Hotmail email message.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
subject The subject line of the email message.
size The email message’s size.
attachment Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.
20501
Message ID 20501
Log Subtype yahoo-hotmail
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A Yahoo! email message.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
subject The subject line of the email message.
size The email message’s size.
attachment Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.
20503
Message ID 20503
Log Subtype smtp
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An SMTP warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
subject The subject line of the email message.
size The email message’s size.
attachment Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.
20504
Message ID 20504
Log Subtype POP3
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A POP3 warning.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
subject The subject line of the email message.
size The email message’s size.
attachment Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.
20505
Message ID 20505
Log Subtype IMAP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IMAP notice.
Fields
Field Description
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The serial number of the firewall session on which the event happened.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • smtp
• pop3 • imap
• ftp • mm1
• mm3 • mm4
• mm7 • im
• nntp • https
• smtps • imaps
• pop3s
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
status The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following:
• exempted • blocked
• detected
from The sender’s email address.
to The recipient’s email address.
tracker The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
subject The subject line of the email message.
size The email message’s size.
attachment Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.
Webfilter
Web filter log messages record URL activity as well as filter actions, such as a URL that was blocked because it was found in the URL black list. In FortiOS 4.0 MR3 and higher, web filtering log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
12288, 12289, 12290, 12291, 12544, 12545, 12546, 12547, 12548, 12549, 12550, 12551, 12552, 12553, 12554, 12555, 12556, 12557,
12558, 13056, 13056, 13312, 13313, 13314, 12800, 12801, 13568, 13601, 13602, 13573, 13584, 13315, 13316, 12802
12288
Message ID 12288
Log Subtype Content
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A web content banned word was found.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s information.
to The recipient’s information.
banword The banned word that was detected.
msg URL was blocked because it contained banned word(s).
12289
Message ID 12289
Log Subtype Content
Severity Warning
Firmware version FortiOS Carrier 4.0 MR2
Meaning A web content MMS banned word was found.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
dir This field contains any one of the following:
• n/a • TX
• RX
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s information.
to The recipient’s information.
banword The banned word that was detected.
msg Message was blocked because it contained a banned word.
12290
Message ID 12290
Log Subtype Content
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web content exempt word was found.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s information.
to The recipient’s information.
banword The banned word that was detected.
msg URL was exempted because it contained exempt word(s).
12291
Message ID 12291
Log Subtype Content
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web content MMS exempt word was found.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
url The URL address.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
dir This field contains any one of the following:
• n/a • TX
• RX
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s information.
to The recipient’s information.
banword The banned word that was detected.
msg Message was exempted because it contained an exempt word.
12305
Message ID 12305
Log Subtype Content
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web content MMS banned word.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
url The URL address.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
dir This field contains any one of the following:
• n/a • TX
• RX
agent This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from The sender’s information.
to The recipient’s information.
banword The banned word that was detected.
msg Message was logged because it contained a banned word.
12544
Message ID 12544
Log Subtype URL Filter
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning The URL address was blocked because it was found in the URL filter list.
Fields
Field Description
urlfilter_idx The index number that identifies the URL filter in the URL filter list.
urlfilter_list The name of the URL filter list.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
url The URL address.
msg URL was blocked because it is in the URL filter list.
12545
Message ID 12545
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The URL address was exempted because it was found in the URL filter list.
Fields
Field Description
urlfilter_idx The index number that identifies the URL filter in the URL filter list.
urlfilter_list The name of the URL filter list.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
url The URL address.
msg URL was exempted because it is in the URL filter list.
12546
Message ID 12546
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The URL address was allowed because it was found in the URL filter list.
Fields
Field Description
urlfilter_idx The index number that identifies the URL filter in the URL filter list.
urlfilter_list The name of the URL filter list.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
url The URL address.
msg URL was allowed because it is in the URL filter list.
12547
Message ID 12547
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The request contained an invalid domain name.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
msg The HTTP request contained an invalid domain name.
12548
Message ID 12548
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning An HTTP certificate request contained an invalid domain name.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
msg The certificate for the HTTPS session contained an invalid domain name.
12549
Message ID 12549
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An HTTP request contained an invalid name, so the session has been filtered by IP only.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
msg The HTTP request contained an invalid domain name. The session has been filtered by IP only.
12550
Message ID 12550
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An HTTPS request contained an invalid name, so the session has been filtered by IP only.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually
msg The certificate for the HTTPS session contained an invalid domain name. The session has been filtered by IP only.
12551
Message ID 12551
Log Subtype URL Filter
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning There are insufficient resources.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
error The webfilter error information.
msg Insufficient resources.
12552
Message ID 12552
Log Subtype URL Filter
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning Getting the host name failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
hostname The name of the website that was accessed.
error The webfilter error information.
msg gethostbyname() failed.
12553
Message ID 12553
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A server certificate validation failed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
msg The server certificate validation failed.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
12554
Message ID 12554
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The SSL session was blocked because its identification number was not known.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
msg The SSL session was blocked because the session ID was unknown.
12555
Message ID 12555
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The SSL session was blocked, either because the server certificate was missing or because the server certificate was invalid.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
msg The SSL session was blocked because the server certificate was missing or invalid.
12556
Message ID 12556
Log Subtype URL Filter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The SSL session was ignored, either because the server certificate was missing, or the server certificate was invalid.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
msg The SSL session was blocked because the server certificate was missing or invalid.
12557
Message ID 12557
Log Subtype URL Filter
Severity Critical
Firmware version FortiOS 4.0 MR3
Meaning The FortiGuard Analysis and Management Service is not active. You must enable this service, after subscribing to the service, in System > Maintenance > FortiGuard.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg FortiGate is enabled in the protection profile but the FortiGuard service is not enabled.
12558
Message ID 12558
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A rating error occurred.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user The name of the user creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
url_type This field contains any one of the following:
• http • https
• ftp • telnet
hostname The name of the website that was accessed.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
error The webfilter error information.
url The URL address.
msg Policy allows URLs when a rating error occurs.
12559
Message ID 12559
Log Subtype URL Filter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A URL was passed because it was in the URL filter list.
Fields
Field Description
urlfilter_idx The index number that identifies the URL filter in the URL filter list.
urlfilter_list The name of the URL filter list.
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg URL was passed because it is in the URL filter list.
13056
Message ID 13056
Log Subtype ftgd_blk
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The URL belongs to a blocked category within the firewall policy.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg URL belongs to a denied category in policy.
method This field contains either ip or domain.
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
13312
Message ID 13312
Log Subtype ftgd_allow
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The URL belongs to an allowed category within the firewall policy.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg URL belongs to an allowed category in policy.
method This field contains either ip or domain.
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
13313
Message ID 13313
Log Subtype ftgd_allow
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The URL belongs to an override rule.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg URL belongs to an override rule.
method This field contains either ip or domain.
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
mode This field contains rule.
rule_type This field contains any one of the following:
• directory • domain
• rating
rule_data The rule data information.
ovrd_tbl The override table information.
ovrd_id The override identification number.
13314
Message ID 13314
Log Subtype ftgd_allow
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The URL belongs to an override rule.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg URL belongs to an override rule.
method This field contains either ip or domain.
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
mode This field contains offsite.
rule_type This field contains any one of the following:
• directory • domain
• rating
rule_data The rule data information.
ovrd_tbl The override table information.
ovrd_id The override identification number.
12800
Message ID 12800
Log Subtype ftgd_err
Severity Error
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard Web Filter error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
sent The total number of bytes sent.
rcvd The total number of bytes received.
msg A rating error occurs.
error The web filter error information.
12801
Message ID 12801
Log Subtype ftgd_err
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard Web Filter error.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
sent The total number of bytes sent.
rcvd The total number of bytes received.
msg A rating error occurs.
error The web filter error information.
13601
Message ID 13601
Log Subtype cookiefilter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard web filter cookie log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
sent The total number of bytes sent.
rcvd The total number of bytes received.
msg The cookie was removed entirely.
count The number of times the same event was detected within a short period of time.
filter_type The script filter type. This field contains any one of the following:
• n/a • jscript
• javascript • vbscript
• unknown
13602
Message ID 13602
Log Subtype cookiefilter
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A web reference filter log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
sent The total number of bytes sent.
rcvd The total number of bytes received.
msg Reference was removed from request.
count The number of times the same event was detected within a short period of time.
filter_type The script filter type. This field contains any one of the following:
• n/a • jscript
• javascript • vbscript
• unknown
13568
Message ID 13568
Log Subtype activexfilter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An ActiveX script was removed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg activex script was removed
count The number of times the same event was detected within a short period of time.
13573
Message ID 13573
Log Subtype cookiefilter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A cookie was removed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg cookie was removed
13584
Message ID 13584
Log Subtype appletfilter
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A Java applet was removed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg java applet was removed
count The number of times the same event was detected within a short period of time.
13315
Message ID 13315
Log Subtype ftgd_quota_counting
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard web filter category quota counting log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftp-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg Webfilter wuota has begun counting
method This field contains either ip or domain
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
quota_used The number of times the quota was used by the user, in seconds.
qutoa_max The maximum number of times quota time was allowed, in seconds.
13316
Message ID 13316
Log Subtype ftgd_quota_expired
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning A FortiGuard web filter category quota expired log message.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
serial The session number identification.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
src The source IP address.
sport The source port number.
src_port The source port number.
src_int The source interface. For example, internal.
dst The destination IP address.
dport The destination port number.
dst_port The destination port number.
dst_int The destination interface. For example, wan1.
service This field contains any one of the following:
• http • https
• smtp • pop3
• imap • ftp
• mm1 • mm3
• mm4 • mm7
• nntp • im
• smtps • pop3s
• imaps • ftp (ftps-over-http)
hostname The name of the website that was accessed.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
status This field contains any one of the following:
• blocked • exempted
• allowed • passthrough
• filtered • DLP
req_type The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL address manually.
url The URL address.
msg Webfilter quota for category has expired
method This field contains either ip or domain
class The class the URL belongs to.
class_desc The class description that the URL belongs to.
cat The category that the URL belongs to.
cat_desc The category description that the URL belongs to.
quota_used The number of times the quota was used by the user, in seconds.
qutoa_max The maximum number of times quota time was allowed, in seconds.
12802
Message ID 12802
Log Subtype ftgd_quota
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The daily FortiGuard quota status.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
quota Indicates whether the quota was exceeded or not. This field contains either no or yes.
quota_used The quota time used, in seconds.
quota_max The maximum quota time that is allowed, in seconds.
cat_desc The category description.
user The name of the user.
profile The name of the profile that was used to detect and take action.
Netscan logs
Netscan logs record network scanning activities that were performed by the FortiGate unit.
4096, 4097, 4098, 4099, 4100, 4101, 4102, 4103, 4104, 4105
4096
4097
Message ID 4096
Log Subtype Vulnerability
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan was performed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
start The GMT start time, indicating when the scan began.
end The GMT end time, indicating when the scan stopped.
status The status of the scan. This field contains any one of the following:
• start • stop
• pause • resume
• complete
engine The version number of the netscan engine
plugin The version number of the netscan plugin.
Message ID 4097
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan was performed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
start The GMT start time, indicating when the scan began.
end The GMT end time, indicating when the scan stopped.
engine The version number of the netscan engine
plugin The version number of the netscan plugin.
4098
Message ID 4098
Log Subtype Vulnerability
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan vulnerability was detected.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host IP address.
vuln The name of the detected vulnerability.
vuln_cat The category of the detected vulnerability.
vuln_id The identification number of the detected vulnerability.
vuln_ref The link that redirects you to the vulnerability listed in FortiGuard.
severity The severity level of the detected vulnerability. This field contains any one of the following:
• critical • high
• medium • low
• info
proto The protocol that was used, which is either TCP or UDP.
port The port number.
4099
Message ID 4099
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan was performed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host’s IP address.
os The name of the operating system.
os_family The name of the operating system’s family.
os_gen The operating system’s generation.
os_vender The name of the vendor for that operating system. For example, Microsoft.
4100
4101
Message ID 4100
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan was performed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host’s IP address.
service The name of the detected service.
proto This field can be either tcp or udp, depending on the protocol that was used.
port The port number.
Message ID 4101
Log Subtype Vulnerability
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan notification.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
msg The log message information. This is usually a sentence and explains the activity and/or action taken.
4102
4103
Message ID 4102
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A network scan was performed.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
message The log message information. This is usually a sentence and explains the activity and/or action taken.
Message ID 4103
Log Subtype Vulnerability
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning The number of vulnerabilities that netscan detected.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host’s IP address.
vuln_count The total number of vulnerabilities.
4104
Message ID 4104
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A netscan host was detected.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host’s IP address.
method The discovery method that was used. This field contains any one of the following:
• ARP • ICMP
• TCP • UDP
asset_id The asset definition for this host.
asset_name The asset definition name for this host.
vuln_count The total number of vulnerabilities.
4105
Message ID 4105
Log Subtype Discovery
Severity Notification
Firmware version FortiOS 4.0 MR3
Meaning A netscan port was detected.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field contains root.
action This field contains any one of the following:
• scan • host-detection
• vuln-detection • service-detection
• os-scan • port-detection
• vuln-count
ip The host’s IP address.
proto This field can be either tcp or udp, depending on the protocol that was used.
port The port number.
DLP archives
DLP archive log messages are log messages that are sent to the FortiAnalyzer unit, FortiGate hard disk, or FortiGuard Analysis server. These log messages include email, FTP activities, IM events, VoIP events, and web filter events. You can configure your FortiGate unit to send archives to a FortiGuard Analysis server if you have subscribed to the FortiGuard Analysis and Management Service.
32768, 32776, 32770, 32772, 32774, 32769, 32782, 32783, 32784, 32785, 32786, 32787, 32788, 32789, 32790, 32791, 32792, 32793, 32777, 32794, 32795, 32796, 32797, 32798, 32800, 32778, 32779, 32780, 32781, 32771, 32773, 32775
32768
Message ID 32768
Log Subtype HTTP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The HTTP log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
method The HTTP/HTTPS command.
hostname The HTTP/HTTPS host name.
url The HTTP/HTTPS URL address.
cat The HTTP/HTTPS category.
cat_desc The HTTP/HTTPS description of the category.
32776
Message ID 32776
Log Subtype FTP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The FTP log archive
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
ftpcmd This field contains any one of the following:
• NONE • USER
• PASS • ACCT
• STOR • RETR
• QUIT
file The name of the file that was uploaded to the server.
32770
Message ID 32770
Log Subtype SMTP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The SMTP log archive
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address.
from The sender’s email address.
subject The subject line of the email message.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
32772
Message ID 32772
Log Subtype POP3
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The POP3 log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address.
from The sender’s email address.
subject The subject line of the email message.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
32774
Message ID 32774
Log Subtype IMAP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The IMAP content archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address.
from The sender’s email address.
subject The subject line of the email.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
32769
Message ID 32769
Log Subtype HTTPS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The HTTPS log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
method The HTTP/HTTPS command.
hostname The HTTP/HTTPS host name.
url The HTTP/HTTPS URL address.
cat The HTTP/HTTPS category.
cat_desc The HTTP/HTTPS description of the category.
32782
Message ID 32782
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The IM chat summary log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
messages The number of chat messages.
start-date The local start date.
end-date The local end date.
32783
Message ID 32783
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning The IM chat message log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are available only in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
messages The number of chat messages.
content The content of the IM chat message.
32784
Message ID 32784
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM file transfer log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
status The IM status.
filename The name of the file that was transferred.
filesize The size of the file that was transferred.
message The number of chat messages.
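A triage sketch for the IM records documented in this chapter, as an added example that is not part of the Fortinet reference. It assumes records arrive as space-separated key=value pairs with optionally double-quoted values and that the message ID sits in a field named `msg_id` (both are assumptions, and the sample lines are constructed).

```python
import re

# Message IDs and meanings as listed in this chapter of the reference.
DLP_ARCHIVE_IDS = {
    "32772": "POP3 log archive",
    "32774": "IMAP content archive",
    "32769": "HTTPS log archive",
    "32782": "IM chat summary log archive",
    "32783": "IM chat message log archive",
    "32784": "IM file transfer log archive",
    "32785": "IM photo sharing log archive",
    "32786": "IM photo transfer log archive",
    "32787": "IM voice chat log archive",
    "32788": "IM virus log archive",
}

# Values the reference documents for the enumerated IM fields.
DOCUMENTED = {
    "action": {"permit", "block", "monitor", "kickout", "encrypt-kickout",
               "cm-reject", "exempt", "ban", "ban-im-user", "log-only"},
    "dir": {"outbound", "inbound"},
    "kind": {"summary", "chat", "file", "photo", "photo-xref", "audio",
             "oversize", "fileblock", "fileexempt", "virus", "dlp",
             "call-block", "call-info", "call", "register", "unregister",
             "video"},
}

# Analyst's choice (not from the reference): actions treated here as
# "the transfer was not stopped".
NOT_STOPPED = {"permit", "monitor", "log-only"}

# Assumed wire format: key=value, value optionally wrapped in double quotes.
# Keys may contain hyphens (start-date, conn-mode).
PAIR = re.compile(r'(?<!\S)([A-Za-z_][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_record(line):
    """Return the fields of one record; quoted values are kept whole."""
    fields = {}
    for m in PAIR.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # Keep the first occurrence so a later repeat cannot overwrite it.
        fields.setdefault(m.group(1), value)
    return fields


def triage(fields):
    """Return a list of findings for one parsed record."""
    findings = []
    msg_id = fields.get("msg_id")  # hypothetical key name for the message ID
    if msg_id not in DLP_ARCHIVE_IDS:
        findings.append("unknown-message-id")
    for name, allowed in DOCUMENTED.items():
        if name in fields and fields[name] not in allowed:
            findings.append("undocumented-%s" % name)
    if (msg_id == "32784" and fields.get("dir") == "outbound"
            and fields.get("action") in NOT_STOPPED):
        findings.append("outbound-file-transfer-not-blocked")
    return findings


# Constructed sample records (not captured from a device).
SAMPLES = [
    'msg_id=32784 vd=root kind=file action=permit dir=outbound '
    'local="alice" remote="bob" filename="q3 forecast.xls" filesize=48213',
    # Chat text that looks like fields must stay inside the content value.
    'msg_id=32783 vd=root kind=chat action=block dir=outbound '
    'local="alice" remote="bob" content="set action=permit dir=inbound"',
    'msg_id=32784 vd=root kind=file action=allow dir=outbound filename="a.txt"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_record(line)
        print(DLP_ARCHIVE_IDS.get(rec.get("msg_id")), triage(rec))
```

The second sample shows why the `content` value has to be parsed as one quoted unit: splitting on spaces would read the chat text as a second `action` and `dir`.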
32785
Message ID 32785
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM photo sharing log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
status The IM status.
32786
Message ID 32786
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM photo transfer log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
dir The direction of the traffic. This field contains either outbound or inbound.
conn-mode The mode information.
32787
Message ID 32787
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM voice chat log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
status The IM status.
32788
Message ID 32788
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM virus log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
virus The name of the virus detected.
heuristic The information regarding heuristics.
32789
Message ID 32789
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM file oversize log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
32790
Message ID 32790
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM file block log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
32791
Message ID 32791
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM file exempt log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
32792
Message ID 32792
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM DLP information log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example, Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
filesize The size of the file that was transferred.
32793
Message ID 32793
Log Subtype im-all
Severity Warning
Firmware version FortiOS 4.0 MR3
Meaning An IM DLP warning log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile The name of the profile that was used to detect and take action.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype The type of profile that was used, for example Antivirus_Profile.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
filename The name of the file that was transferred.
filesize The size of the file that was transferred.
32777
Message ID 32777
Log Subtype NNTP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An NNTP log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection The type of infection. This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
32794
Message ID 32794
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VoIP SIP log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile applied to the firewall policy and used during the detection process.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The carrier endpoint identification number. This field contains N/A unless FortiOS Carrier is running on the unit.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
src The source IP address.
dst The destination IP address.
src_port The source port number.
dst_port The destination port number.
dir The direction of the traffic. This field contains either outbound or inbound.
duration This represents the value in seconds.
from The sender’s email address.
to The recipient’s email address.
32795
Message ID 32795
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VOIP SCCP register log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile applied to the firewall policy and used during the detection process.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
phone The phone number.
src The source IP address.
from The sender’s information.
to The receiver’s information.
32796
Message ID 32796
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VOIP SCCP unregister log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile applied to the firewall policy and used during the detection process.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example, Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
phone The phone information.
src The source IP address.
reason The information about why the trigger occurred.
32797
Message ID 32797
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VOIP SCCP call block log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
phone The phone information.
src The source IP address.
reason The reason as to why the trigger occurred.
from The sender’s information.
to The receiver’s information.
32798
Message ID 32798
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VOIP SCCP call information log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
phone The phone information.
src The source IP address.
dst The destination IP address.
src_port The source port number.
dst_port The destination port number.
duration This represents the value in seconds.
from The sender’s information.
to The recipient’s information.
32800
Message ID 32800
Log Subtype VOIP
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A VOIP SIP fuzzing log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
status The IM status.
src The source IP address.
dst The destination IP address.
src_port The source port number.
dst_port The destination port number.
dir The direction of the traffic. This field contains either outbound or inbound.
duration This represents the value in seconds.
message_type This field contains either request or response.
request_name The request name.
malform_desc The description of the malformed header. This field contains any one of the following:
• unexpected-character • invalid-quoting-character
• trailing-bytes • header-line-oversize
• msg-body-oversize • domain-name-oversize
• domain-label-oversize • syntax-malformed
• duplicated-sip-header • space-violation
• invalid-ipv4-address • invalid-ipv6-address
• invalid-port • invalid-fqdn
• no-matching-double-quote • empty-quoted-string
• invalid-<user_info> • invalid-escape-encoding-in-<userinfo>
• invalid-escape-encoding-in-uri-parameter
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in-<reason-phrase>
• port-expected
• port-not-allowed • domain-name-invalid
• <gen-value>-expected • invalid-<gen-value>
• invalid-<quoted-string>-in-<gen-value>
• ip4-address-expected
• ipv6-address-expected • uri-expected
• invalid-transport-uri-parameter • invalid-user-uri-parameter
• invalid-method-uri-parameter • invalid-ttl-uri-parameter
• invalid-uri-parameter-pname • invalid-uri-parameter-value
• uri-parameter-repeat • invalid-uri-header-name
• invalid-uri-header-value • invalid-uri-header-name-value-pair
• invalid-quoted-string-in-display-name
• left-angle-braket-is-mandatory
• right-angle-bracket-not-found • invalid-status-code
• no-METHOD-on-request-time • uri-parameters-not-allowed-by-RFC
• unknown-scheme • whitespace-expected
• LWS-expected • invalid-<SIP-Version>-on-request-line
• invalid-<protocol-name> • invalid-<protocol-version>
• invalid-<transport> • no-SLASH-after-<protocol_name>
• no-SLASH-after-<protocol-version> • header-parameter-expected
• invalid-ttl-parameter • invalid-maddr-parameter
• invalid-received-parameter • invalid-branch-parameter
• invalid-rport-parameter • via-parameter-repeat
• <seq>-number-expected • <method>-expected
• <method>-does-not-match-the-request-line
• <response-num>-expected
• <CSeq-num>-expected • <Method>-expected-after-<CSeq-num>
• expires-header-repeated • <delta-seconds>-expected
• invalid-max-forwards • token-expected
• invalid-expires-parameter • invalid-q-parameter
• <generic-param>-with-invalid-<gen-value>
• <m-type>-expected
• SLASH-expected-after-<m-type> • <m-subtype>-expected
• <m-attribute>-expected-after-SEMI • boundary-parameter-appears-more-than-once
• EQUAL-expected-after-<m-attribute>
• invalid-<quoted-string>-in-<m-value>
• invalid-<m-value> • multipart-Content-Type-has-no-boundary
• digits-expected • IN-expected
• IP-expected • IP4-or-IP6-expected
• IPv4-or-IPv6-address-expected • line-order-error
• z-line-not-allowed-on-media-level • <time>-expected
• <typed-time>-expected • r-line-not-allowed-on-media-level
• <repeat-interval>-expected • <bwtype>-expected
• colon-expected • <bandwidth>-expected
• t-line-not-allowed-on-media-level • invalid-<start-time>
• invalid-<stop-time> • too-many-i-lines
• <text>-expected • too-many-c-lines
• too-many-v-line • v-line-not-allowed-on-media-level
• too-many-o-lines • o-line-not-allowed-on-media-level
• <username>-expected • <sess-id>-expected
• <sess-version>-expected • too-many-s-lines
• s-line-not-allowed-on-media-level • too-many-m-lines
• <media>-expected • <integer>-expected
• <proto>-expected • <token>-expected-in-<proto>-after-slash
• <fmt>-expected • <att-field>-expected
• <att-value>-expected • <payload-type>-expected-in-rtpmap
• <encording-name>-expected-in-rtpmap
• slash-expected-after-<encoding-name>-in-rtpmap
• invalid-<clock-rate>-in-rtpmap • invalid-<encoding--parameters>-in-rtpmap
• invalid-candidate-line • sdp-candidtae-line-before-m-line
• sip-Yahoo-candidate-invalid-protocol
• invalid-port-after-ip-address-in-candidate-line
• too-many-candidate-lines • sdp-invalid-alt-line
• sdp-alt-line-before-m-line • invalid-port-after-ip-address-in-alt-line
• sdp-rtcp-line-before-m-line • invalid-port-in-rtcp-line
• too-many-rtcp-lines • <callid>-expected
• <word>-expected • invalid-tag-parameter
• no-tag-parameter • sdp-v-o-s-t-lines-are-madatory
• unknown-header • end-of-line-error
• sip-udp-message-truncated • missing-mandatory-field
malform_data The malformed data number.
line The line information.
column The column number.
from The sender’s information.
to The recipient’s information.
328001
Message ID 328001
Log Subtype im-all
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IM video chat log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
SN The session number of the log message.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile that was used, for example Antivirus_Profile.
profilegroup The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind This field contains any one of the following:
• summary • chat
• file • photo
• photo-xref • audio
• oversize • fileblock
• fileexempt • virus
• dlp • call-block
• call-info • call
• register • unregister
• video
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action This field contains any one of the following:
• permit • block
• monitor • kickout
• encrypt-kickout • cm-reject
• exempt • ban
• ban-im-user • log-only
dir The direction of the traffic. This field contains either outbound or inbound.
status The IM status.
32778
Message ID 32778
Log Subtype MM1
Severity Information
Firmware version FortiOS Carrier 4.0 MR2
Meaning An MM1 log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection The type of infection. This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
to The recipient’s email address or MSISDN.
from The recipient’s email address or MSISDN.
subject The subject line of the email address.
direction This field contains any one of the following:
• n/a • TX
• RX
32779
Message ID 32779
Log Subtype MM3
Severity Information
Firmware version FortiOS Carrier 4.0 MR2
Meaning An MM3 log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address or MSISDN.
from The recipient’s email address or MSISDN.
subject The subject line of the email address.
32780
Message ID 32780
Log Subtype MM4
Severity Information
Firmware version FortiOS Carrier 4.0 MR2
Meaning An MM4 log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address or MSISDN.
from The recipient’s email address or MSISDN.
subject The subject line of the email message.
32781
Message ID 32781
Log Subtype MM7
Severity Information
Firmware version FortiOS Carrier 4.0 MR2
Meaning An MM7 log archive.
Fields
Field Description
vd The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
to The recipient’s email address or MSISDN.
from The recipient’s email address or MSISDN.
subject The subject line of the email message.
32771
Message ID 32771
Log Subtype SMTPS
Severity Information
Firmware version FortiOS 4.0 MR2
Meaning An SMTPS log archive
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address.
from The recipient’s email address.
subject The subject line of the email message.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
32773
Message ID 32773
Log Subtype POP3S
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning A POP3S log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The recipient’s email address.
from The recipient’s email address.
subject The subject line of the email message.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
32775
Message ID 32775
Log Subtype IMAPS
Severity Information
Firmware version FortiOS 4.0 MR3
Meaning An IMAPS log archive.
Fields
Field Description
vd The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver The content log version number.
epoch The time period in seconds.
eventid The event identification number or serial number.
cstatus The status of the content log. This field contains any one of the following:
• clean • infected
• heuristic • banned_word
• blocked • exempt
• oversize • carrier_endpoint_filter
• mass_mms • dlp
• fragmented • spam
• im_summary • im_message
• im_file_request • im_file_accept
• im_file_cancel • im_video
• im_photo_share_request • im_voice
• im_photo_share_cancel • im_photo_share_accept
• im_photo_xref • im_photo_share_stop
• error • voip
infection This field contains any one of the following:
• block • fileexempt
• file intercept • mms block
• carrier end point filter • mms flood
• mms duplicate • virus
• virusrm • heuristic
• html script • script filter
• banned word • exempt word
• oversize • virus
• heuristic • worm
• mime block • fragmented
• exempt • ip blacklist
• dnsbl • FortiGuard - Antispam ip blacklist
• helo • emailblacklist
• mimeheader • dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist • emailwhitelist
• fewhitelist • headerwhitelist
• dlp • dlpban
• pass • mms content checksum
virus The name of the virus that was detected.
SN The session number of the log message.
user The name of the user creating the traffic.
group The name of the group creating the traffic.
carrier_ep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype The type of profile that was used, for example Antivirus_Profile.
profile The name of the profile that was used to detect and take action.
profilegroup The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client The internal IP address of the FortiGate unit.
server The IP address of the server.
rcvd The total number of bytes transferred on server side.
sent The total number of bytes transferred on client side.
dlp_sensor The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to The sender’s email address.
from The recipient’s email address.
subject The subject line of the email message.
attachment The number of attachments that are present within the email. If there are no attachments, zero displays.
Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
  • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  • Device or virtual device - allows multiple FortiGate units in this address space (VDOMs).
  • Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet
  • 001 - 099 - physical address ports, and non-virtual interfaces
  • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage based addresses, this part is determined by what the device is doing
  • The following gives 16 reserved, 140 users, and 100 servers in the subnet.
  • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  • 010 - 099 - DHCP range - users
  • 100 - 109 - FortiGate devices - typically only use 100
  • 110 - 199 - servers in general (see later for details)
  • 200 - 249 - static range - users
  • 250 - 255 - reserved (255 is broadcast, 000 not used)
• The D segment servers can be further broken down into:
  • 110 - 119 - Email servers
  • 120 - 129 - Web servers
  • 130 - 139 - Syslog servers
  • 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
  • 150 - 159 - VoIP / SIP servers / managers
  • 160 - 169 - FortiAnalyzers
  • 170 - 179 - FortiManagers
  • 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
  • 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
  • Fortinet products, non-FortiGate, are found from 160 - 189.
The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used.
Table 1: Examples of the IP numbering
Location and device | Internal | Dmz | External
Head Office, one FortiGate | 10.011.101.100 | 10.011.201.100 | 172.20.120.191
Head Office, second FortiGate | 10.012.101.100 | 10.012.201.100 | 172.20.120.192
Branch Office, one FortiGate | 10.021.101.100 | 10.021.201.100 | 172.20.120.193
Office 7, one FortiGate with 9 VDOMs | 10.079.101.100 | 10.079.101.100 | 172.20.120.194
Office 3, one FortiGate, web server | n/a | 10.031.201.110 | n/a
Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate | 10.0.11.101.200 | n/a | n/a
Router outside the FortiGate | n/a | n/a | 172.20.120.195
Example Network configuration
The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.
Figure 1: Example network configuration
Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation
Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.
Convention: CLI input
Example:
    config system dns
    set primary <address_ipv4>
    end
Convention: CLI output
Example:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat
Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.
Convention: File content
Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><H4>You must authenticate to use this service.</H4>
Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.
Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).
Convention: Publication
Example: For details, see the FortiOS Handbook.

CLI command syntax conventions
This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.
Table 3: Command syntax notation
Convention: Square brackets [ ]
Description: A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying option, such as:
    verbose 3
Convention: Angle brackets < >
Description: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:
    <retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
• <xxx_email>: An email address, such as [email protected].
• <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet./com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
• <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.
Convention: Curly braces { }
Description: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
Convention: Options delimited by vertical bars |
Description: Mutually exclusive options. For example:
    {enable | disable}
indicates that you must enter either enable or disable, but must not enter both.
Convention: Options delimited by spaces
Description: Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
    ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
    ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Entering FortiOS 4.0 MR3 configuration data
The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiOS 4.0 MR3 configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)
Text strings are used to name entities in the configuration. For example, the name of a firewall address, administrative user, and so on. You can enter any character in a FortiGate configuration text string except that, to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters:
" (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)
You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the web-based manager you are limited to entering 64 characters in the firewall address name field. From the CLI you can do the following to confirm that the firewall address name field allows 64 characters.
    config firewall address
    tree
    -- [address] --*name (64)
                   |- subnet
                   |- type
                   |- start-ip
                   |- end-ip
                   |- fqdn (256)
                   |- cache-ttl (0,86400)
                   |- wildcard
                   |- comment (64 xss)
                   |- associated-interface (16)
                   +- color (0,32)
Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters.
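The naming rule and the tree length annotations described above can be checked before a name is ever sent to the unit. The following is an added example, not Fortinet code: it reads the character limits out of the tree output shown on this page and checks candidate values against them and against the five excluded characters. The function names, the parsing pattern, and the reading of every single-number annotation as a character limit (the page confirms this only for name and fqdn) are assumptions.

```python
import re

# Characters the page says FortiGate configuration names cannot include.
FORBIDDEN = set("\"&'<>")

# The tree output for "config firewall address" as printed on this page.
TREE_OUTPUT = """\
-- [address] --*name (64)
               |- subnet
               |- type
               |- start-ip
               |- end-ip
               |- fqdn (256)
               |- cache-ttl (0,86400)
               |- wildcard
               |- comment (64 xss)
               |- associated-interface (16)
               +- color (0,32)
"""

# A field name follows "*", "|- " or "+- "; an optional "(N...)" annotation may follow it.
_FIELD = re.compile(
    r"(?:\*|\|- |\+- )(?P<field>[\w-]+)(?: \((?P<limit>\d+)(?P<rest>[^)]*)\))?"
)


def parse_char_limits(tree_text):
    """Return {field: max_chars} for fields whose annotation starts with one number.

    Two-number annotations such as (0,86400) are skipped: they are treated here
    as numeric ranges, not character counts (assumption). An annotation such as
    (64 xss) keeps its leading number; the page does not explain the xss marker.
    """
    limits = {}
    for line in tree_text.splitlines():
        m = _FIELD.search(line)
        if not m or m.group("limit") is None:
            continue
        if m.group("rest").startswith(","):
            continue
        limits[m.group("field")] = int(m.group("limit"))
    return limits


def check_name(name, max_chars):
    """Return a list of problems with a configuration name; empty means acceptable."""
    problems = []
    if len(name) > max_chars:
        problems.append(f"too long: {len(name)} > {max_chars}")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def check_object(fields, limits):
    """Check one object's fields: name gets both checks, other limited fields length only."""
    report = {}
    for field, value in fields.items():
        if field not in limits:
            continue
        if field == "name":
            problems = check_name(value, limits[field])
        elif len(value) > limits[field]:
            problems = [f"too long: {len(value)} > {limits[field]}"]
        else:
            problems = []
        if problems:
            report[field] = problems
    return report
```
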
Entering numeric values
Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or as in the case of MAC or IPv6 addresses separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers.
Most web-based manager numeric value configuration fields limit the number of numeric digits that you can add or contain extra information to make it easier to add the acceptable number of digits and to add numbers in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.

Selecting options from a list
If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

Enabling or disabling options
If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.

Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.
Training
Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email [email protected].

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.