
Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections:
SonicOS Log Event Messages Overview
Configuring SonicOS Log > View
Referencing the SonicOS Log > View Field Display
Index of Log Event Messages
Index of Syslog Tag Field Description

SonicOS Log Event Messages Overview


During the operation of a SonicWALL security appliance, SonicOS software sends log event messages to the Log > View page in the SonicWALL management interface. In Figure 1, the Log > View page is displayed.

Figure 1: SonicOS Enhanced Log > View page

Event logging automatically begins when the SonicWALL security appliance is powered on and configured. SonicOS supports a traffic log containing entries with multiple fields. Log event messages provide operational and debugging information to help you diagnose problems with communication lines, internal hardware, or your firmware configuration.

Note: For the SonicOS CLI console display, use the show log command to display log events. Refer to the SonicOS CLI Reference Guide located on the SonicWALL Web site: <http://www.sonicwall.com/support/documentation.html>

SONICOS LOG EVENT REFERENCE GUIDE

Note: Not all log event messages indicate operational issues with your SonicWALL security appliance.

SonicOS Log Entries


Each log entry contains the date and time of the event and a brief message describing the event. The SonicWALL manages log events in the following manner:

TCP, UDP, or ICMP packets dropped: When IP packets are dropped by the SonicWALL security appliance, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log event messages usually include the name of the service in quotation marks.

Web, FTP, Gopher, or Newsgroup blocked: When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that is denied access by the SonicWALL security appliance. The computer's IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List categories are shown below.
1. Violence
2. Intimate Apparel/Swimsuit
3. Nudism
4. Adult/Mature Content/Pornography
5. Weapons
6. Hate/Racism
7. Cult
8. Drugs/Illegal Drugs
9. Criminal Skills/Illegal Skills
10. Sex Education
11. Gambling
12. Alcohol & Tobacco

ActiveX, Java, Cookie or Code Archive blocked: When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.

Ping of Death, IP Spoof, and SYN Flood Attacks: The IP addresses of the machine under attack and of the source of the attack are displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

SonicOS Log View Settings


The Log View Settings section of the Log > View page provides controls for filtering log event messages based on your configured log filter logic. It also contains the following log management buttons:
Refresh: Renews the Log View table with current log event messages.
Clear Log: Empties the entries in the Log View table.
E-mail Log: E-mails log event messages to your configured SMTP server or list of e-mail addresses.
Export Log: Exports the log into a plain .txt or .csv file format.


SonicOS Log View Display Format


The Log > View page displays log event messages in the following format for alert notification:
Time: Displays the hour and minute the event occurred.
Priority: Displays the level of urgency for the event.
Category: Displays the event type.
Message: Displays a description of the event.
Source: Displays the source IP address of the incoming IP packet.
Destination: Displays the destination IP address of the incoming IP packet.
Note: Displays additional information specific to a particular event occurrence.
Rule: Displays the source and destination zones for the access rule. This field provides a link to the access rule defined in the Firewall > Access Rules page.

The display fields for a log event message provide you with data to verify your configurations, troubleshoot your security appliance, and track IP traffic.

Configuring SonicOS Log > View


The Log > View page in the Web-based SonicWALL management interface allows you to export log reports, e-mail log reports, and monitor real-time Syslog data. As soon as you power on your SonicWALL security appliance, SonicOS software sends Syslog data to your log. In the SonicWALL management interface, you can navigate through the subcategories of the Log setting for reporting and customizing log reports. In Figure 2, the Log > View page is displayed.

Setting the Log Filter Logic


By default, the SonicOS filter logic is set to Priority && Category && Source && Destination. The double ampersand symbols (&&) indicate the Boolean operator AND. The default SonicOS filter logic displays all log events.

Figure 2: SonicOS Log View Settings


Applying Custom Log Event Message Filters


This section provides examples of using the Log View Settings to filter the log event messages displayed in the Log View page.

Configuration Example: Filtering Log Event Messages by Priority Value


To set the log filter logic to display only log event messages with a priority level of Emergency:
1. Select Emergency from the filter-Priority Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Category Value


To set the log filter logic to display only log event messages with a category event type of Attacks:
1. Select Attacks from the filter-Category Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Source Value


To set the log filter logic to display only log event messages associated with a source IP address:
1. Enter the source IP address or select an interface from the filter-Source Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Destination Value


To set the log filter logic to display only log event messages associated with a destination IP address:
1. Enter the destination IP address or select an interface from the filter-Source Value pull-down menu.
2. Click on the Apply Filters button.

Using Group Filters


Use Group filters to change the default SonicOS filter logic (Priority && Category && Source && Destination) from double ampersand symbols (&&) to double pipe symbols (||), which indicate the Boolean operator OR. When using group filters, select two or more Group Filters checkboxes.

Note: If you select only one Group Filter checkbox, the filter logic will remain the same. Selecting only the Priority-Group Filter checkbox provides you with the following filter logic:

(Priority) && Category && Source && Destination

Configuration Example: Using the Priority Group Filter and Category Group Filter
To set the log filter logic to display log event messages with a priority level of Emergency or a category event type of Attack:
1. Select the Priority group filter checkbox.
2. Select the Category group filter checkbox.
3. Select Emergency from the filter-Priority Value pull-down menu.
4. Select Attacks from the filter-Category Value pull-down menu.

Figure 3 illustrates the SonicOS filter logic updated as follows:

(Priority || Category) && Source && Destination

Figure 3: SonicOS Log Group Filters

Filter logic using the Boolean operator || is less restrictive than the default filter logic using the Boolean operator &&. With ||, log event messages are displayed if they match either filter value. With &&, log event messages are displayed only if they match both filter values.
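
The filter logic above can be reproduced offline, for example over rows from an exported log. The following Python is an added example, not part of the SonicWALL guide or of SonicOS; the LogEvent fields, the function names, the sample rows, and the treatment of an unset filter value as matching every event are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

# The four filter terms, in the order the Log View Settings logic lists them.
FIELDS = ("priority", "category", "source", "destination")


@dataclass(frozen=True)
class LogEvent:
    """One Log > View row (hypothetical structure, e.g. parsed from a CSV export)."""
    priority: str
    category: str
    source: str
    destination: str
    message: str


def _split(grouped: Iterable[str]):
    """Return (grouped terms, remaining terms), both kept in FIELDS order."""
    chosen = set(grouped)
    unknown = chosen - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    group = [f for f in FIELDS if f in chosen]
    rest = [f for f in FIELDS if f not in chosen]
    return group, rest


def filter_logic(grouped: Iterable[str] = ()) -> str:
    """Render the filter logic string for the ticked Group Filter checkboxes.

    Matches the guide's strings for the default, Priority-only and
    Priority+Category cases; the layout for other combinations is an assumption.
    """
    group, rest = _split(grouped)
    terms = [f.capitalize() for f in rest]
    if group:
        terms.insert(0, "(" + " || ".join(f.capitalize() for f in group) + ")")
    return " && ".join(terms)


def _matches(event: LogEvent, field: str, value: Optional[str]) -> bool:
    # Assumption: a filter with no value selected matches every event,
    # consistent with the default logic displaying all log events.
    return value is None or getattr(event, field) == value


def apply_filters(events: Iterable[LogEvent],
                  values: Mapping[str, Optional[str]],
                  grouped: Iterable[str] = ()) -> List[LogEvent]:
    """Return the events displayed for the given filter values and group boxes.

    Grouped terms are OR-ed together; the result is AND-ed with every
    ungrouped term. A single grouped term therefore changes nothing.
    """
    unknown = set(values) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    group, rest = _split(grouped)
    shown = []
    for event in events:
        in_group = any(_matches(event, f, values.get(f)) for f in group) if group else True
        in_rest = all(_matches(event, f, values.get(f)) for f in rest)
        if in_group and in_rest:
            shown.append(event)
    return shown


# Constructed sample rows: priorities, categories and addresses are illustrative
# (documentation address ranges) and are not taken from the index of messages.
SAMPLE_EVENTS = [
    LogEvent("Emergency", "Maintenance", "192.0.2.10", "198.51.100.1", "emergency maintenance"),
    LogEvent("Alert", "Attacks", "203.0.113.7", "192.0.2.10", "alert attack"),
    LogEvent("Emergency", "Attacks", "203.0.113.7", "198.51.100.1", "emergency attack"),
    LogEvent("Info", "User Activity", "192.0.2.10", "198.51.100.1", "info user activity"),
]

if __name__ == "__main__":
    chosen_values = {"priority": "Emergency", "category": "Attacks"}
    for boxes in ((), ("priority",), ("priority", "category")):
        shown = apply_filters(SAMPLE_EVENTS, chosen_values, boxes)
        print(f"{filter_logic(boxes):50s} -> {[e.message for e in shown]}")
```

Running it prints the three filter logic strings from this section next to the rows each one displays, which makes the widening effect of || visible before the same filters are applied on an appliance.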

Exporting the Logs to a File


This section provides instructions to export your log to a file. To export the log to a file:
1. Click on the Export Log button. You will be prompted to select an export file format type as illustrated in Figure 4.

Figure 4: SonicOS Export Log

2. Select a file format:
Plain text format used in log and alert e-mail: Saves the log file as plain text, which can be used for alert e-mails.
Comma-Separated Value (CSV) format: Saves the log file for importing into Microsoft Excel or other presentation development application.
3. Click on the Export button.
4. Save the exported log file to a location on your personal computer's hard drive.

Note: You can export a log to a file with applied filter settings.

Referencing the SonicOS Log > View Field Display


SonicOS 2.5 Enhanced and Standard releases and greater provide the SonicOS Log > View field display as illustrated in Figure 5.

Figure 5: SonicOS Log > View Field Display

Referencing the SonicWALL Firmware Log > View Log Field Display
SonicWALL Firmware 6.6.0.0 release and greater provide the SonicWALL Firmware Log > View Log field display.

Index of Log Event Messages


This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser's Find function to search for a command.

Log Event Message Symbols Key

Log Event Message: %s Ethernet Port Down
Symbol Description: Represents a character string.
Context: [WAN | LAN | DMZ] Ethernet Port Down

Log Event Message: The cache is full; %u open connections; some will be dropped
Symbol Description: Represents a numerical string.
Context: The cache is full; [40,000] open connections; some will be dropped

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:
SonicOS Category: Displays the SonicOS Software category event type.
Legacy Category: Displays the SonicWALL Firmware Software category event type.
Priority Level: Displays the level of urgency of the log event message.
Log Message ID Number: Displays the ID number of the log event message.
SNMP Trap Type: Displays the SNMP Trap ID number of the log event message.

Log Event Messages | SonicOS Category | Legacy Category | Priority Level | Log Message ID Number | SNMP Trap Type | Log Event Type
"As per Diagnostic Auto-restart configuration request, restarting system" | Firewall Event | --- | Info | 1047 | --- | Simple
#Web site hit | Network Traffic | Connection Traffic | Info | 97 | --- | Standard HTTP Traffic Report


%s Auto-dial failed: Current Connection Model is configured as Ethernet Only %s Ethernet Port Down %s Ethernet Port Up Dumped to email at *** Alert from SonicWALL *** SonicWALL Registration Update Needed: Restore your existing security service subscriptions by clicking here. 802.11b Management A prior version of preferences was loaded because the most recent preferences file was inaccessible A SonicOS Standard to Enhanced Upgrade was performed Access attempt from host out of compliance with GSC policy Access attempt from host without Anti-Virus agent installed Access attempt from host without GSC installed Access rule added Access rule deleted Access rule modified Access rules restored to defaults Access to proxy server denied Active Backup detects Active Primary: Backup going Idle ActiveX access denied ActiveX or Java archive access denied AD Connector %s response timed-out; applying caching policy Add an attack message

PPP Dial Up

System Error Alert

1028

---

Simple Message String

Firewall Event System Error Error Firewall Event System Error Warning None None Security Services ----Maintenance Debug Debug Warning

333 332 1 3 496

641 640 -------

Simple Message String Simple Message String Unused Unused Simple

Wireless

80211bmgmt Info

518 572

--648

Firewall Event System Error Warning

Simple Destination Simple

Firewall Event Maintenance

Info

611

---

Simple

Security Services Security Services Security Services Firewall Rule Firewall Rule Firewall Rule Firewall Rule Network Access High Availability Network Access Network Access Microsoft Active Directory Firewall Event

Maintenance

Info

761

---

Standard

Maintenance

Info

123

---

Standard

Maintenance User Activity User Activity User Activity User Activity

Info Info Info Info Info

763 440 442 441 443 60 154

8627 --------705 ---

Standard Simple Rule Simple Rule String Simple Rule Unused Standard Note Blocked Unused

Blocked Sites Notice Maintenance Info

Blocked Code Notice Blocked Code Notice --Error

18 20 769

-------

Standard Note Blocked Standard Note Blocked Standard Message String Simple String

Attack

Error

143

525


Dynamic Address Objects Adding dynamic entry for Network bound MAC address Adding L2TP IP pool L2TP Server address object Failed. Adding to multicast policy Multicast list , interface : %s Adding to Multicast policy Multicast list , VPN SPI : %s Administrator logged out Authentication Access Administrator logged out - Authentication inactivity timer expired Access Administrator login Authentication allowed Access Authentication Administrator login denied due to bad Access credentials Administrator login Authentication denied from %s; logins Access disabled from this interface Administrator name Authentication changed Access Agent returned no user CIA name All DDNS associations DDNS have been deleted All preference values Firewall Event have been set to factory default values Allowed LDAP server RADIUS certificate with wrong host name Anti-Spyware detection Intrusion alert: %s Detection Anti-Spyware prevention Intrusion alert: %s Detection Anti-Spyware service Security expired Services Anti-Virus agent out-of- Security date on host Services Anti-Virus licenses Security exceeded Services Intrusion Application Filter Detection detection Alert: %s Application filters block Intrusion alert: %s Detection Application firewall alert: Network %s Access

Added host entry to dynamic address object

Maintenance

Info

911

---

Standard Destination Standard Note Ethernet Network Simple Standard Message String Standard Message String Standard Note String Standard Standard String Service Standard String Service Standard Message String

---

Info

813 603 697 699 261 262 29 30

--661 ----------560

System Error Error ----User Activity User Activity User Activity Attack Debug Debug Info Info Info Alert

Attack

Alert

35

506

Maintenance User Activity Maintenance

Info Warning Info

328 1008 783 574

------650

Standard Standard String Service Simple Simple

System Error Warning

User Activity

Warning

752

---

Standard Note String Standard As Message String Standard As Message String Simple Standard Standard Standard Message String Standard Message String Standard Application Firewall Message String

Attack Attack Maintenance Maintenance Maintenance Attack Attack User Activity

Alert Alert Warning Info Info Alert Alert Alert

795 794 796 124 408 650 649 793

6438 6437 8631 --------7241


ARP request packet Network received ARP request packet sent Network ARP response packet received ARP response packet sent ARP timeout ARP unused/spare ARS unused/spare ARS unused/spare ARS unused/spare ARS unused/spare Association Flood from WLAN station Authentication timeout during Remotely Triggered Dial-out session AV unused/spare Back orifice attack dropped Backup active Network Network Network Network Unused Unused Unused Unused WLAN IDS

--------Debug ----------WLAN IDs

Info Info Info Info Debug Debug Debug Debug Debug Debug Alert Info

717 715 716 718 45 816 843 844 845 846 548 821

--------------------903 ---

Authentication User Activity Access

Standard Note Ethernet Network Standard Note Ethernet Network Standard Note Ethernet Network Standard Note Ethernet Network Standard Unused Unused Unused Unused Unused Simple Destination Simple

Unused Intrusion Detection High Availability Backup firewall being High preempted by Primary Availability Backup firewall has High transitioned to Active Availability Backup firewall has High transitioned to Idle Availability Backup firewall rebooting High Availability itself as it transitioned from Active to Idle while Preempt Backup going active in High preempt mode after Availability reboot Backup missed High heartbeats from Primary Availability Backup received error High signal from Primary Availability Backup received High heartbeat from wrong Availability source Backup received reboot High signal from Primary Availability Backup shut down High because license is Availability expired Backup WAN link down, High Primary going Active Availability Backup will be shut down High in %s minutes Availability

--Attack

Debug Alert

126 73 825 152 145 147 1059

--512 --619 -------

Unused Standard Simple Simple Simple Simple Simple

System Error Info System Error Error Maintenance Maintenance --Info Info Info

System Error Error

170

622

Simple

System Error Error System Error Error Maintenance Info

149 151 161

616 618 ---

Simple Simple Unused

System Error Error System Error Error

672 824

666 ---

Simple Simple

System Error Error System Error Error

219 823

633 ---

Unused Simple Message String


Bad CRL format Bind to LDAP server failed Blocked Quick Mode for Client using Default Key ID BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table BOOTP reply relayed to local device BOOTP Request received from remote device BOOTP server response relayed to remote device Broadcast packet dropped Cannot connect to the CRL server Cannot Validate Issuer Path Category: Certificate on Revoked list(CRL) CFL auto-download disabled, time problem detected Chat %s Chat completed Chat failed: %s Chat started Chat started by '%s' Chat wrote '%s' CLI administrator logged out CLI administrator login allowed CLI administrator login denied due to bad credentials Code: Computed hash does not match hash received from peer; preshared key mismatch

VPN PKI RADIUS VPN Client

User Activity

Alert

277 1009 505

----660

System Error Error System Error Error

Simple Destination Simple Note String Standard

BOOTP

Maintenance

Info

619

---

Standard Destination

BOOTP BOOTP

Maintenance Debug

Info Debug

620 621

-----

Standard Destination Standard Destination Standard Destination Standard Note Protocol Simple Destination Simple Destination Unused Simple Destination Simple

BOOTP Network Access VPN PKI VPN PKI None VPN PKI Security Services PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up

Debug Debug User Activity User Activity --User Activity Maintenance

Debug Debug Alert Alert Debug Alert Info

618 46 274 878 485 279 268

---------------

User Activity User Activity User Activity User Activity User Activity User Activity

Info Info Info Info Info Info Info Info Warning

1022 1020 1023 1019 1032 1021 520 199 200

-------------------

Authentication User Activity Access Authentication User Activity Access Authentication User Activity Access None VPN IKE --User Activity

Standard Message String Standard Message String Standard Message String Standard Message String Standard Message String Standard Message String Simple Standard Note String Standard Note String Unused Standard Destination

Debug Warning

54 410

-----


Configuration mode administration session ended Configuration mode administration session started Connection closed Connection opened Connection timed out

Authentication User Activity Access Authentication User Activity Access Network Traffic Connection Traffic Network Traffic Connection VPN PKI User Activity

Info

995

---

Standard Note String Standard Note String Standard Traffic Report Standard Note Protocol Simple Destination Unused Standard String Service Simple Destination Simple Destination Simple Destination Simple Destination Simple Simple Simple Simple Standard Simple Simple Simple Simple Simple Simple Simple Simple Simple Message String Simple Message String Simple Message String Simple Message String Simple Message String

Info

994

---

Info Info Alert

537 98 273 197 21 874 270 876 877 360 361 367 369 610 366 368 362 363 370 364 1060 365 781 780 779 784 785

------631 -----------------------------------------------

Content filter subscription Security expired. Services Cookie removed Network Access CRL has expired VPN PKI CRL loaded from CRL missing - Issuer requires CRL checking. CRL validation failure for Root Certificate Crypto DES test failed Crypto DH test failed Crypto hardware 3DES test failed Crypto hardware 3DES with SHA test failed Crypto hardware AES test failed Crypto hardware DES test failed Crypto hardware DES with SHA test failed Crypto Hmac-MD5 fest failed Crypto Hmac-Sha1 test failed Crypto MD5 test failed Crypto RSA test failed Crypto SHA1 based DRNG KAT test failed Crypto Sha1 test failed DDNS association %s disabled DDNS association %s enabled DDNS association %s added DDNS association %s deactivated DDNS association %s deleted VPN PKI VPN PKI VPN PKI Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test DDNS DDNS DDNS DDNS DDNS

System Error Error Blocked Code Notice User Activity User Activity User Activity User Activity Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance --Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Alert Info Alert Alert Error Error Error Error Error Error Error Error Error Error Error Error Error Info Info Info Info Info


DDNS Association %s put on line DDNS association %s taken Offline locally DDNS failure: provider %s DDNS failure: Provider %s DDNS failure: Provider %s DDNS update success for domain %s DDNS warning: Provider %s Deleting from Multicast policy list, interface: %s Deleting from multicast policy list, VPN SPI: %s Deleting IPsec SA Deleting IPsec SA for destination Destination IP address connection status: %s Destination: DHCP client enabled but not ready DHCP Client did not get DHCP ACK. DHCP Client failed to verify and lease has expired. Go to INIT state. DHCP Client failed to verify and lease is still valid. Go to BOUND state. DHCP Client got a new IP address lease. DHCP Client got ACK from server. DHCP Client got NACK. DHCP Client is declining address offered by the server. DHCP Client sending REQUEST and going to REBIND state. DHCP Client sending REQUEST and going to RENEW state. DHCP DECLINE received from remote device

DDNS DDNS DDNS DDNS DDNS DDNS DDNS Multicast Multicast VPN IKE VPN IKE

Maintenance Maintenance

Info Info

782 778 774 775 773 776 777 698 700 92 91 735 57 504 109 119

---------------------------------

System Error Error System Error Error System Error Error Maintenance Info

System Error Warning ----User Activity User Activity Debug Debug Info Info Info Debug Info Info Info

Simple Message String Simple Message String Simple Message String Simple Message String Simple Message String Standard Message String Simple Message String Standard Message String Standard Message String Standard Note SPI Unused Standard Message String Unused Simple Standard Standard

Firewall Event --None DHCP Client DHCP Client DHCP Client --Maintenance Maintenance Maintenance

DHCP Client

Maintenance

Info

120

---

Unused

DHCP Client DHCP Client DHCP Client DHCP Client

Maintenance Maintenance Maintenance Maintenance

Info Info Info Info

121 111 110 112

---------

Standard Destination Standard Destination Standard Standard Destination Standard Destination Standard Destination Unused

DHCP Client

Maintenance

Info

113

---

DHCP Client

Maintenance

Info

114

---

DHCP Relay

Debug

Info

475

---


DHCP DISCOVER received from local device DHCP DISCOVER received from remote device DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP DHCP lease file in the flash is corrupted; read failed DHCP lease relayed to local device DHCP lease relayed to remote device DHCP lease to LAN device conflicts with remote device, deleting remote IP entry DHCP leases written to flash DHCP NACK received from server DHCP OFFER received from server DHCP Ranges altered automatically due to change in network settings for interface %s DHCP RELEASE received from remote device DHCP RELEASE relayed to Central Gateway DHCP REQUEST received from local device DHCP REQUEST received from remote device DHCP Server not available. Did not get any DHCP OFFER. DHCP Server: IP conflict detected DHCP Server: Received DHCP decline from client Diagnostic Auto-restart canceled

DHCP Relay

Debug

Info

479

---

Unused

DHCP Relay

Debug

Info

474

---

Standard Destination Standard Destination

DHCP Relay

Maintenance

Warning

228

---

DHCP Relay

Maintenance

Warning

484

---

Standard Destination

Firewall Event System Error Warning

833

---

Simple

DHCP Relay DHCP Relay DHCP Relay

Maintenance Debug Maintenance

Info Info Info

223 225 226

-------

Standard Destination Standard Destination Standard Destination

Firewall Event Maintenance DHCP Relay DHCP Relay Debug Debug

Info Info Info Info

835 477 476 832

---------

Simple Standard Destination Standard Destination Simple Message String

Firewall Event ---

DHCP Relay

Debug

Info

224

---

Standard Destination Standard Destination Unused

DHCP Relay DHCP Relay

Maintenance Debug

Info Info

222 480

-----

DHCP Relay

Debug

Info

473

---

Standard Destination Standard

DHCP Client

Maintenance

Info

106

---

Firewall Event --Firewall Event --Firewall Event ---

Alert Alert Info

1040 1041 1046

-------

Standard Destination Standard Destination Simple


Diagnostic Auto-restart Firewall Event scheduled for %s minutes from now Diagnostic Code A Firewall Hardware Diagnostic Code B Firewall Hardware Diagnostic Code C Firewall Hardware Diagnostic Code D Firewall Hardware Diagnostic Code E VPN IPsec Firewall Hardware Diagnostic Code G Firewall Hardware Diagnostic Code H Firewall Hardware Diagnostic Code I Firewall Hardware Diagnostic Code J Firewall Hardware Dial-up: Session initiated PPP Dial Up by data packet Dial-up: Traffic generated PPP Dial Up by '%s' Disconnecting L2TP L2TP Client Tunnel due to traffic timeout Disconnecting PPPoE PPPoE due to traffic timeout Disconnecting PPTP PPTP Tunnel due to traffic timeout Discovered HA %s High Firewall Availability Discovered HA Backup High Firewall Availability DNS packet allowed Network Access Drop WLAN traffic from Intrusion non-SonicPoint devices Detection Duplicate packet dropped Network Access Dynamic IPsec client VPN IPsec connected EIGRP packet dropped Network Access E-Mail fragment dropped Intrusion Detection Entering FIPS ERROR Crypto Test state Entering FIPS Error Crypto Test State. Diagnostic Code F

---

Info

1045

---

Simple Message String Simple Note String Simple Note String Simple Note String Standard Note Code Standard Note Code Simple Note String Simple Note String Simple Note String Simple Note String Simple Note String Standard Service Standard Message String Simple

System Error Error System Error Error System Error Error System Error Error System Error Error System Error Error System Error Error System Error Error System Error Error System Error Error ----Maintenance Info Info Info

93 94 95 64 61 164 599 600 601 1025 1039 1038 215

611 612 613 61--609 621 655 656 657 5423 -------

Maintenance Maintenance

Info Info

168 389

-----

Simple Simple

--Maintenance Debug Attack Debug User Activity Debug Attack Maintenance

Info Info Info Error Debug Info Notice Error Error

1044 156 602 662 51 62 714 437 359 497

------6434 ------550 --659

Simple Message String Simple Standard Policy Standard Unused Standard Destination Standard Note String Standard Unused Unused

System Error Error


Error initializing Hardware acceleration for VPN Error Rebooting HA Peer Firewall Error setting the IP address of the backup, please manually set to backup LAN IP Error synchronizing HA peer firewall (%s) Error updating HA peer configuration ERROR: DHCP over VPN policy is not defined. Cannot start IKE. Exceeded Max multicast address limit Failed payload validation

Firewall Hardware High Availability High Availability

Maintenance

Error

374 669 191

--663 629

Simple Simple Simple

System Error Error System Error Error

High Availability High Availability DHCP Relay

System Error Error System Error Error Maintenance Info

158 192 478

662 630 ---

Simple Message String Unused Unused

Multicast VPN IKE

--User Activity User Activity

Warning Warning Warning

703 405 404

-------

Standard Standard Note String Standard Note String

VPN IKE Failed payload verification after decryption; possible preshared key mismatch Failed to find certificate VPN PKI Failed to get CRL from Failed to Process CRL from Failed to resolve name Failed to synchronize license information with Licensing Server. Please see HTTP:// help.mySonicWALL.com/ licsyncfail.html (code: %s) Failed to synchronize Relay IP Table Failed to write DHCP leases to flash Failure to add data channel Failure to reach Interface %s probe Fan Failure VPN PKI VPN PKI Network Security Services

User Activity User Activity User Activity Maintenance Maintenance

Alert Alert Alert Info Warning

875 271 276 84 766

--------8628

Simple Destination Simple Destination Simple Destination Simple Destination Simple Message String

DHCP Relay

System Error Warning

234 834 49 675 576 902 901 248

632 ----6234 102 ----534

Standard Simple Standard Simple Message String Simple Simple Message String Simple Message String Standard Destination

Firewall Event System Error Warning Unused Debug Debug

High Availability Firewall Hardware FIN Flood Blacklist on IF Intrusion %s continues Detection FIN-Flooding machine Intrusion %s blacklisted Detection Forbidden E-Mail Intrusion attachment deleted Detection

System Error Error System Environment Debug Debug Attack Alert Warning Alert Error


Forbidden E-Mail attachment disabled Found Rogue Access Point Found Rogue Access Point Fragmented packet dropped Fraudulent Microsoft certificate found; access denied FTP: Data connection from non default port dropped FTP: PASV response bounce attack dropped. FTP: PASV response spoof attack dropped FTP: PORT bounce attack dropped. Gateway Anti-Virus Alert: %s Gateway Anti-Virus Service expired Global VPN Client connection is not allowed. Appliance is not registered. Global VPN Client License Exceeded: Connection denied. Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 Got DHCP OFFER. Selecting. GSC policy out-of-date on host Guest account '%s' created Guest account '%s' deleted Guest account '%s' disabled Guest account '%s' pruned Guest account '%s' reenabled Guest account '%s' regenerated

Intrusion Detection WLAN IDS WLAN IDS Network Intrusion Detection Network Access Intrusion Detection Intrusion Detection Intrusion Detection Security Services Security Services VPN Client

Attack WLAN IDs WLAN IDs TCP | UDP | ICMP Attack

Alert Alert Alert Notice Error

165 546 556 28 193

Standard Destination 901 Simple Destination 10804 Simple Destination --Standard Note Protocol 532 Standard

527

Attack

Alert

538

557

Standard

Attack Attack Attack Attack Maintenance

Alert Error Alert Alert Warning

528 446 527 809 810 529

556 551 555 8632 8633 643

Standard Note String Standard Standard Note String Standard Message String Simple Standard

System Error Info

VPN Client

System Error Info

494

658

Standard

VPN Client

User Activity

Info

604

---

Standard Destination

DHCP Client Security Services Authentication Access Authentication Access Authentication Access Authentication Access Authentication Access Authentication Access

Maintenance Maintenance User Activity User Activity User Activity User Activity User Activity User Activity

Info Info Info Info Info Info Info Info

107 762 558 559 560 562 561 563

-----------------

Standard Destination Standard Standard Message String Standard Message String Standard Message String Standard Message String Standard Message String Standard Message String


Guest login denied. Guest '%s' is already logged in. Please try again later. GUI administration session ended H.323/H.225 Connect H.323/H.225 Setup H.323/H.245 Address H.323/H.245 End Session H.323/RAS Admission Confirm H.323/RAS Admission Reject H.323/RAS Admission Request H.323/RAS Bandwidth Reject H.323/RAS Disengage Confirm H.323/RAS Disengage Reject H.323/RAS Gatekeeper Reject H.323/RAS Location Confirm H.323/RAS Location Reject H.323/RAS Registration Reject H.323/RAS Unknown Message Response H.323/RAS Unregistration Reject HA packet processing error HA Peer Firewall Rebooted HA Peer Firewall Synchronized Hardware Failover settings were not upgraded. Header verification failed Heartbeat received from incompatible source HTTP management port has changed HTTP method detected; examining stream for host header

Authentication User Activity Access

Info

557

---

Standard Message String

Authentication User Activity Access VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP High Availability High Availability High Availability Firewall Event VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP VOIP Maintenance Maintenance Maintenance Maintenance

Info Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Info Info Info Info

998 634 633 635 636 625 624 626 627 628 641 629 630 631 632 640 642 162 668 157 743

-------------------------------------------

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Simple Simple Simple Simple

VPN IKE User Activity High Maintenance Availability Firewall Event Maintenance Network Access TCP

Warning Info Info Debug

587 163 340 882

---------

Standard Unused Simple Note String Standard Policy


HTTPS management port Firewall Event has changed ICMP checksum error Network Access ICMP packet allowed Network Access ICMP packet dropped Network due to policy Access ICMP packet dropped no Network match Access ICMP packet from LAN Network allowed Access ICMP packet from LAN Network dropped Access Firewall If not already enabled, Hardware enabling NTP is recommended IGMP packet dropped, Multicast wrong checksum received on interface %s Multicast IGMP Leave group message Received on interface %s IGMP packet dropped, Multicast decoding error IGMP Packet Not Multicast handled. Packet type : %s IGMP querier Router Multicast detected on interface %s IGMP querier Router Multicast detected on VPN tunnel , SPI %S Multicast IGMP state table entry time out, deleting interface : %s for multicast address : %s Multicast IGMP state table entry time out, deleting VPN SPI :%s for Multicast address : %s IGMP V2 client joined Multicast multicast Group : %s IGMP V2 Membership Multicast report received from interface %s IGMP V3 client joined Multicast multicast Group : %s IGMP V3 Membership Multicast report received from interface %s IGMP V3 packet Multicast dropped, unsupported Record type : %s

Maintenance UDP Debug ICMP ICMP Debug

Info Notice Info Notice Notice Info

341 886 597 38 523 598 175 540

--------------645

Simple Note String Standard Standard Policy Standard Policy Standard ICMP Service Standard ICMP Service Standard ICMP Service Simple

LAN ICMP | Notice LAN TCP System Error Warning

---

Notice

683

---

Standard Message String Standard Message String Standard Standard Message String Standard Message String Standard Message String Standard Message String

---

Info

682

---

-----

Notice Notice

686 687

-----

-----

Debug Debug

701 702

-----

---

Debug

692

---

---

Debug

693

---

Standard Message String

-----

Info Debug

676 679

-----

Standard Message String Standard Message String Standard Message String Standard Message String Standard Message String

-----

Info Debug

677 678

-----

---

Notice

688

---


IGMP V3 record type : Multicast %s not Handled VPN IKE IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope IKE Initiator: Accepting VPN IKE IPsec proposal (Phase 2) IKE Initiator: Accepting VPN IKE peer lifetime. (Phase 1) IKE Initiator: Aggressive VPN IKE Mode complete (Phase 1). IKE Initiator: IKE proposal VPN IKE does not match (Phase 1) IKE Initiator: Main Mode VPN IKE complete (Phase 1) IKE Initiator: Proposed VPN IKE IKE ID mismatch IKE Initiator: Remote VPN IKE party timeout Retransmitting IKE request. VPN IKE IKE Initiator: Start Aggressive Mode negotiation (Phase 1) IKE Initiator: Start Main VPN IKE Mode negotiation (Phase 1) IKE Initiator: Start Quick VPN IKE Mode (Phase 2). IKE Initiator: Using VPN IKE secondary gateway to negotiate IKE negotiation aborted VPN IKE due to timeout IKE negotiation complete. VPN IKE Adding IPsec SA. (Phase 2) VPN IKE IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope VPN Client IKE Responder: %s policy does not allow static IP for Virtual Adapter. IKE Responder: VPN IKE Accepting IPsec proposal (Phase 2) IKE Responder: VPN IKE Aggressive Mode complete (Phase 1)

--User Activity

Debug Info

689 544

-----

Standard Message String Standard

User Activity User Activity User Activity

Info Info Info

372 445 354

-------

Standard Note String Standard Destination Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

User Activity User Activity User Activity User Activity

Warning Info Warning Info

937 353 933 930

---------

User Activity

Info

358

---

Standard Note String Standard Note String Standard Note String Standard Destination Standard Note String Standard Note String Standard

User Activity

Info

351

---

User Activity User Activity

Info Info

346 543

0 ---

User Activity User Activity

Info Info

403 89

-----

User Activity

Info

545

---

System Error Error

660

---

Standard Message String

User Activity

Info

87

---

Standard Note String Standard Note String

User Activity

Info

373

---


IKE Responder: AH authentication algorithm does not match IKE Responder: AH authentication key length does not match IKE Responder: AH authentication key rounds does not match IKE Responder: AH Perfect Forward Secrecy mismatch IKE Responder: Algorithms and/or keys do not match IKE Responder: Client Policy has no VPN Access Networks assigned. Check Configuration. IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route IKE Responder: ESP authentication algorithm does not match IKE Responder: ESP authentication key length does not match IKE Responder: ESP authentication key rounds does not match IKE Responder: ESP encryption algorithm does not match IKE Responder: ESP encryption key length does not match IKE Responder: ESP encryption key rounds does not match IKE Responder: ESP Perfect Forward Secrecy mismatch IKE Responder: IKE Phase 1 exchange does not match

VPN IKE

User Activity

Warning

920

---

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE

User Activity

Warning

923

---

VPN IKE

User Activity

Warning

926

---

VPN IKE

User Activity

Warning

258

544

VPN IKE

User Activity

Warning

260

546

VPN IKE

System Error Error

965

---

VPN IKE

Attack

Error

516

553

Standard Note String

VPN IKE

User Activity

Warning

253

539

Standard Note String

VPN IKE

User Activity

Warning

922

---

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE

User Activity

Warning

925

---

VPN IKE

User Activity

Warning

928

---

VPN IKE

User Activity

Warning

921

---

VPN IKE

User Activity

Warning

924

---

VPN IKE

User Activity

Warning

927

---

VPN IKE

User Activity

Warning

259

545

VPN IKE

User Activity

Error

1036

---


IKE Responder: IKE VPN IKE proposal does not match (Phase 1) IKE Responder: IP VPN Client Address already exists in the DHCP relay table. Client traffic not allowed. IKE Responder: IP VPN IKE Compression algorithm does not match IKE Responder: IPsec VPN IKE proposal does not match (Phase 2) IKE Responder: IPsec VPN IKE protocol mismatch IKE Responder: Main VPN IKE Mode complete (Phase 1) IKE Responder: Mode VPN IKE %d - not transport mode. Xauth is required but not supported by peer. IKE Responder: Mode VPN IKE %d - not tunnel mode VPN IKE IKE Responder: No match for proposed remote network address VPN IKE IKE Responder: No matching Phase 1 ID found for proposed remote network VPN IKE IKE Responder: Peer's destination network does not match VPN policy's <b>Local Network</b> VPN IKE IKE Responder: Peer's local network does not match VPN policy's <b>Destination Network</b> IKE Responder: Phase 1 VPN IKE Authentication Method does not match IKE Responder: Phase 1 VPN IKE DH Group does not match IKE Responder: Phase 1 VPN IKE encryption algorithm does not match IKE Responder: Phase 1 VPN IKE encryption algorithm key length does not match IKE Responder: Phase 1 VPN IKE hash algorithm does not match

User Activity

Warning

402

---

Standard Note String Standard Note String

System Error Error

659

---

User Activity

Warning

929

---

Standard Note String Standard Note String Standard Note String Standard Note String Standard Message Number

User Activity

Warning

88

523

User Activity User Activity Debug

Warning Info Warning

932 357 342

-------

User Activity User Activity

Warning Warning

249 252

535 538

Standard Message Number Standard Note String Standard Note String

User Activity

Warning

250

536

User Activity

Warning

935

---

Standard Note String

User Activity

Warning

934

---

Standard Note String

User Activity

Warning

913

---

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

User Activity

Warning

919

---

User Activity

Warning

914

---

User Activity

Warning

915

---

User Activity

Warning

916

---


IKE Responder: Phase 1 XAUTH required but policy has no user name IKE Responder: Phase 1 XAUTH required but policy has no user password IKE Responder: Proposed IKE ID mismatch IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route IKE Responder: Received Aggressive Mode request (Phase 1) IKE Responder: Received Main Mode request (Phase 1) IKE Responder: Received Quick Mode Request (Phase 2) IKE Responder: Remote party timeout Retransmitting IKE request. IKE Responder: Route table overrides VPN policy IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address

VPN IKE

User Activity

Warning

917

---

Standard Note String Standard Note String

VPN IKE

User Activity

Warning

918

---

VPN IKE

System Error Warning

658

---

Standard Note String Standard Note String

VPN IKE

User Activity

Warning

418

549

VPN IKE

User Activity

Warning

251

537

Standard Note String

VPN IKE

User Activity

Info

356

---

Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE

User Activity

Info

355

---

VPN IKE

User Activity

Info

352

---

VPN IKE

User Activity

Info

931

---

VPN IKE

User Activity

Warning

936

---

Standard Note String Standard Note String

VPN IKE

User Activity

Warning

255

541

VPN IKE

User Activity

Warning

256

542

Standard Note String

VPN IKE

User Activity

Warning

257

543

Standard Note String

VPN IKE

User Activity

Warning

254

540

Standard Note String


IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address IKE SA lifetime expired. IKEv2 Accept IKE SA Proposal IKEv2 Accept IPsec SA Proposal IKEv2 Authentication successful IKEv2 Decrypt packet failed IKEv2 Function sendto() failed to transmit packet. IKEv2 IKE attribute not found IKEv2 IKE proposal does not match IKEv2 Initiator: Negotiations failed. Extra payloads present. IKEv2 Initiator: Negotiations failed. Invalid input state. IKEv2 Initiator: Negotiations failed. Invalid output state. IKEv2 Initiator: Negotiations failed. Missing required payloads. IKEv2 Initiator: Proposed IKE ID mismatch IKEv2 Initiator: Received CREATE CHILD SA response IKEv2 Initiator: Received IKE AUTH response IKEv2 Initiator: Received IKE SA INT response IKEv2 Initiator: Remote party timeout Retransmitting IKEv2 request. IKEv2 Initiator: Send CREATE CHILD SA request IKEv2 Initiator: Send IKE AUTH request IKEv2 Initiator: Send IKE SA INIT request

VPN IKE

User Activity

Warning

345

548

Standard Note String

VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE

User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity

Info Info Info Info Warning Error Warning Warning Warning

350 943 944 942 960 979 970 981 954

-------------------

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE

User Activity

Warning

956

---

VPN IKE

User Activity

Warning

957

---

VPN IKE

User Activity

Warning

955

---

VPN IKE VPN IKE

User Activity User Activity

Warning Info

980 975

-----

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE VPN IKE VPN IKE

User Activity User Activity User Activity

Info Info Info

974 973 972

-------

VPN IKE

User Activity

Info

945

---

Standard Note String Standard Note String Standard Note String

VPN IKE VPN IKE

User Activity User Activity

Info Info

940 938

-----


IKEv2 Invalid SPI size IKEv2 Invalid state IKEv2 IPsec attribute not found IKEv2 IPsec proposal does not match IKEv2 NAT device detected between negotiating peers IKEv2 negotiation complete IKEv2 No NAT device detected between negotiating peers IKEv2 Out of memory IKEv2 Payload processing error IKEv2 Payload validation failed. IKEv2 Peer is not responding. Negotiation aborted. IKEv2 Process Message queue failed IKEv2 Received delete IKE SA request IKEv2 Received delete IKE SA response IKEv2 Received delete IPsec SA request IKEv2 Received delete IPsec SA response IKEv2 Received notify error payload IKEv2 Received notify status payload IKEv2 Responder: Peer's destination network does not match VPN policy's <b>Local Network</b> IKEv2 Responder: Peer's local network does not match VPN policy's <b>Destination Network</b> IKEv2 Responder: Policy for remote IKE ID not found IKEv2 Responder: Received CREATE CHILD SA request

VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE

User Activity User Activity User Activity User Activity User Activity

Warning Warning Warning Warning Info

966 964 969 968 985

-----------

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String

VPN IKE VPN IKE

User Activity User Activity

Info Info

978 984

-----

VPN IKE VPN IKE VPN IKE VPN IKE

User Activity User Activity User Activity User Activity

Warning Warning Warning Warning

961 953 958 971

---------

VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE

User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity

Warning Info Info Info Info Warning Info Info

963 948 1015 950 1016 983 982 951

-----------------

VPN IKE

User Activity

Info

952

---

Standard Note String

VPN IKE

User Activity

Error

962

---

Standard Note String Standard Note String

VPN IKE

User Activity

Info

946

---


IKEv2 Responder: Received IKE AUTH request IKEv2 Responder: Received IKE SA INIT request IKEv2 Responder: Send CREATE CHILD SA response IKEv2 Responder: Send IKE AUTH response IKEv2 Responder: Send IKE SA INIT response IKEv2 Send delete IKE SA request IKEv2 Send delete IKE SA response IKEv2 Send delete IPsec SA request IKEv2 Send delete IPsec SA response IKEv2 Unable to find IKE SA IKEv2 VPN Policy not found Illegal IPsec SPI Imported HA hardware ID did not match this firewall Imported VPN SA is invalid - disabled Inbound connection from RBL-listed SMTP server dropped Incoming call received for Remotely Triggered Dialout session Incompatible IPsec Security Association Incorrect authentication received for Remotely Triggered Dial-out Ini Killer attack dropped Interface %s Link Is Down Interface %s Link Is Up

VPN IKE

User Activity

Info

941

---

Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Destination Unused Standard Note String Standard

VPN IKE

User Activity

Info

939

---

VPN IKE

User Activity

Info

1012

---

VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IPsec

User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity

Info Info Info Info Info Info Warning Warning Info Info Warning Notice

977 976 947 1013 949 1014 959 967 65 155 348 798

-------------------------

High Maintenance Availability Firewall Event Maintenance RBL ---

Authentication User Activity Access VPN IPsec User Activity

Info

817

---

Simple

Info Info

69 819

-----

Authentication User Activity Access

Standard Destination Simple

Intrusion Attack Alert Detection Firewall Event System Error Error Firewall Event System Error Warning Info

80 566 565 568

519 647 646 ---

Standard Simple Message String Simple Message String Simple Message String Simple Message String

Interface IP Assignment : Firewall Event Maintenance Binding and initializing %s Interface IP Assignment Firewall Event Maintenance changed: Shutting down %s

Info

567

---


Interface statistics report GMS Internet Access restricted to authorized users. Dropped packet received in the clear. Invalid Product Code Upgrade request received: %s Invalid VLAN packet dropped IP address conflict detected from Ethernet address %s IP Header checksum error IP spoof detected on packet to Central Gateway, packet dropped IP spoof dropped Wireless

--TCP | UDP | ICMP

Info Warning

805 532

-----

Simple Interface Stats Unused

Firewall Event ---

Error

704

---

Standard Message String Standard Note String Standard Message String Standard Standard Note Ethernet Network Standard Note Ethernet Network Standard Message String Standard Standard Note String Standard

Network Network

--Maintenance

Alert Warning

836 847

-----

Network Access DHCP Relay

TCP|UDP Attack

Notice Error

883 229

--533

IP type %s packet dropped IP Comp connection interrupt IP Comp packet dropped IP Comp

Intrusion Detection Network Access IP Comp

Attack LAN UDP | LAN TCP Debug TCP | UDP | ICMP Debug

Alert Notice Debug Notice Debug

23 590 651 652 653

502 ---------

IP Comp packet dropped; IP Comp waiting for pending IP Comp connection IPS Detection Alert: %s Intrusion Detection IPS Detection Alert: %s Intrusion Detection IPS Prevention Alert: %s Intrusion Detection IPS Prevention Alert: %s Intrusion Detection IPsec (AH) packet VPN IPsec dropped IPsec (AH) packet VPN IPsec dropped; waiting for pending IPsec connection IPsec (ESP) packet VPN IPsec dropped IPsec (ESP) packet VPN IPsec dropped; waiting for pending IPsec connection IPsec Authentication Failed IPsec connection interrupt IPsec Decryption Failed VPN IPsec Network Access VPN IPsec

Attack Attack Attack Attack TCP | UDP | ICMP Debug

Alert Alert Alert Alert Notice Debug

608 789 609 790 534 536

569 6435 570 6436 -----

Standard IDP Message String Standard Message String Standard IDP Message String Standard Message String Standard Note String Standard

TCP | UDP | ICMP Debug

Notice Debug

533 535

-----

Standard Note String Standard

Attack Debug Attack

Error Debug Error

67 43 68

508 --509

Standard Destination Standard Standard Destination


Network Access IPsec packet dropped; Network waiting for pending IPsec Access connection IPsec packet from an VPN IPsec illegal host IPsec packet from or to VPN IPsec an illegal host IPsec Replay Detected VPN IPsec IPsec SA lifetime expired. VPN IPsec IPsec Tunnel status changed ISDN Driver Firmware successfully updated Issuer match failed Java access denied L2TP Connect Initiated by the User L2TP Disconnect Initiated by the User L2TP enabled but not ready L2TP LCP Down L2TP LCP Up L2TP Max Retransmission Exceeded L2TP PPP Authentication Failed L2TP PPP Down L2TP PPP link down L2TP PPP Negotiation Started L2TP PPP Session Up L2TP Server: Access from L2TP VPN Client Privilege not enabled for RADIUS Users. L2TP Server : Deleting the L2TP active Session L2TP Server: Deleting the Tunnel L2TP Server: L2TP PPP Session Established. L2TP Server: L2TP Session Established. L2TP Server: L2TP Tunnel Established. L2TP Server : Retransmission Timeout, Deleting the Tunnel VPN

IPsec packet dropped

TCP | UDP | ICMP Debug

Notice Debug

40 42

-----

Standard Standard

Maintenance Attack Attack User Activity

Info Error Alert Info Info Info Alert

247 70 180 349 427 493 278 19 216 214 500 209 213 203

--510 531 --801 -------------------

Standard Destination Standard Destination Standard Note String Unused Simple Simple Simple Destination Standard Note Blocked Unused Unused Simple Unused Unused Simple

VPN Tunnel Status Firewall Event Maintenance VPN PKI Network Access L2TP Client L2TP Client Unused L2TP Client L2TP Client L2TP Client User Activity

Blocked Code Notice Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Info Info Info Info Info Info

L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Server

Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info

212 211 217 208 210 343

-------------

Simple Simple Simple Simple Simple Unused

L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server

Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info

337 336 310 309 308 338

-------------

Standard Destination Standard Destination Unused Standard Destination Standard Destination Standard Destination


L2TP Server: User Name authentication Failure locally. L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server: L2TP Remote terminated the PPP session L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server: Local Authentication Failure L2TP Server: Local Authentication Success. L2TP Server: No IP address available in the Local IP Pool L2TP Server: RADIUS/LDAP Authentication Success L2TP Server: RADIUS/LDAP reports Authentication Failure L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server: Call Disconnect from Remote. L2TP Server: Tunnel Disconnect from Remote. L2TP Session Disconnect from Remote L2TP Session Established L2TP Session Negotiation Started L2TP Tunnel Disconnect from Remote L2TP Tunnel Established L2TP Tunnel Negotiation Started LAN Subnet configurations were not upgraded. Land attack dropped LDAP server does not allow CHAP

L2TP Server

Maintenance

Info

344

---

Standard Destination Unused Unused

L2TP Server L2TP Server

Maintenance Maintenance

Info Info

320 317

-----

L2TP Server

Maintenance

Info

316

---

Unused

L2TP Server

Maintenance

Info

315

---

Unused

L2TP Server L2TP Server L2TP Server

Maintenance Maintenance Maintenance

Info Info Info

312 318 314

-------

Standard Destination Standard Destination Unused

L2TP Server

Maintenance

Info

319

---

Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Simple Simple Simple Simple Simple Simple Simple

L2TP Server

Maintenance

Info

311

---

L2TP Server

Maintenance

Info

313

---

L2TP Server L2TP Server L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client

Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info Info Info Info

334 335 207 206 202 205 204 201 741

-------------------

Firewall Event Maintenance

Intrusion Detection RADIUS

Attack User Activity

Alert Warning

27 758

505 ---

Standard Standard String Service


High Availability None Authentication Access Local user login denied - Authentication user already logged in Access Local user login denied Authentication due to bad credentials Access Authentication Locked-out user logins allowed - lockout period Access expired Locked-out user logins Authentication allowed by administrator Access Log (part None Log Cleared Firewall Logging Log Debug Firewall Event Log file from SonicWALL None Log full; deactivating Firewall SonicWALL Logging Log successfully sent via Firewall email Logging Login screen timed out Authentication Access Network MAC address collides with Static ARP Entry with Bound MAC address; packet dropped Machine %s removed Intrusion from FIN flood blacklist Detection Machine %s removed Intrusion from RST flood blacklist Detection Machine %s removed Intrusion from SYN flood blacklist Detection Malformed or unhandled Network IP packet dropped Access Maximum events per Firewall second threshold Logging exceeded

LDAP using nonadministrative account VPN client user will not be able to change passwords License exceeded: Connection dropped because too many IP addresses are in use on your LAN License of HA pair doesn't match: %s local range: Local user login allowed

RADIUS

System Error Warning

1011

---

Simple Note String

Firewall Event System Error Error

58

608

Standard

System Error Error --User Activity User Activity User Activity User Activity Debug Info Info Info Info

670 85 31 759 32 438

664 -----------

Simple Message String Unused Standard String Service Standard String Service Standard String Service Standard Note String Standard Note String Unused Simple Simple String Unused Unused Simple Standard String Service Standard Note Ethernet Network

User Activity --Maintenance

Info Debug Info

439 0 5 142 2 7 6 34 814

----------601 -------

Debug Error --Debug System Error Error Maintenance User Activity --Info Info Notice

Debug Debug Debug Debug

Alert Alert Alert Alert

903 900 865 522 654

------554 ---

System Error Critical

Simple Message String Simple Message String Simple Message String Standard Destination Simple


Maximum number of Firewall Event Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwidth settings ignored. Maximum sequential PPP Dial Up failed dial attempts (10) to a single dial-up number: %s Maximum syslog data per Firewall second threshold Logging exceeded MTU: None Multicast application %s Multicast not supported Multicast packet dropped, Multicast Invalid src IP received on interface : %s Multicast packet dropped, Multicast wrong MAC address received on interface : %s Multicast TCP packet Multicast dropped Multicast UDP packet Multicast dropped, no state entry Multicast UDP packet Multicast dropped, RTCP stateful failed Multicast UDP packet Multicast dropped, RTP stateful failed NAT could not remap Unused incoming packet NAT device may not VPN IPsec support IPsec AH passthrough NAT Discovery : No NAT/ VPN IKE NAPT device detected between IPsec Security gateways VPN IKE NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device NAT Discovery : Peer VPN IKE IPsec Security Gateway behind a NAT/NAPT Device VPN IKE NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal

Maintenance

Notice

541

---

Unused

Attack

Error

591

566

Standard Message String

System Error Critical

655

---

Simple

-------

Debug Info Alert

189 696 685

-------

Unused Standard Message String Standard Message String Standard Message String Standard Standard Standard

---

Alert

684

---

-------

Notice Notice Warning

691 690 695

-------

---

Warning

694

---

Standard

System Error Error Maintenance Info

44 266

606 ---

Unused Simple

User Activity

Info

241

---

Standard Note String

User Activity

Info

240

---

Standard Note String

User Activity

Info

239

---

Standard Note String

User Activity

Info

242

---

Standard Note String


NAT translated packet Network exceeds size limit, packet dropped Net Spy attack dropped Intrusion Detection NetBIOS settings were Firewall Event not upgraded. Use Network>IP Helper to configure NetBIOS support NetBus attack dropped Intrusion Detection Network for interface %s Firewall Event overlaps with another interface. Network Modem Mode PPP Dial Up Disabled: re-enabling NAT Network Modem Mode PPP Dial Up Enabled: turning off NAT Network Monitor: Host Firewall Event %s is offline Network Monitor: Host Firewall Event %s is online New firmware available. Firewall Event New URL List loaded Security Services Newsgroup access Network allowed Access Newsgroup access Network denied Access No Certificate for VPN PKI No HOST tag found in HTTP request No ICMP redirect sent No new URL List available No response from ISP Disconnecting PPPoE. No response from PPTP server to call requests No response from PPTP server to control connection requests No response from server to Echo Requests, disconnecting PPTP Tunnel No valid DNS server specified for RBL lookups Non-config mode GUI administration session started Network Access Unused Security Services PPPoE PPTP PPTP

Debug

Debug

339

---

Standard

Attack Maintenance

Alert Info

74 740

513 ---

Standard Simple

Attack Maintenance

Alert Info

72 569

511 ---

Standard Simple Message String Simple

Maintenance

Info

531

---

Maintenance Connection Connection Maintenance Maintenance

Info Alert Alert Info Info

530 706 707 198 8 17 15 280 52 47 9 169 431 430

----------704 702 ---------------

Simple Simple Message String Simple Message String Unused Simple Standard Note Blocked Standard Note Blocked Simple Destination Unused Unused Simple Simple Simple Simple

Blocked Sites Notice Blocked Sites Notice User Activity Debug Debug Maintenance Maintenance Maintenance Maintenance Alert Debug Debug Info Info Info Info

PPTP

Maintenance

Info

429

---

Simple

RBL

---

Error Info

800 997

-----

Simple Standard Note String

Authentication User Activity Access


Not all configurations may have been completely upgraded Not enough memory to hold the CRL Obtained Relay IP Table from Remote Gateway OCSP Failed to Resolve Domain Name. OCSP Internal error handling received response. OCSP received response error. OCSP received response. OCSP Resolved Domain Name. OCSP send request message failed. OCSP sending request. OCSP unused/spare Outbound connection to RBL-listed SMTP server dropped Out-of-order command packet dropped Overriding Product Code Upgrade to: %s Packet destination not in VPN Access list Packet Dropped - IP TTL expired Packet dropped by WLAN guest check Packet dropped by WLAN SSL-VPN enforcement check Packet dropped by WLAN vpn traversal check Packet dropped. No firewall rule associated with VPN policy. Packet dropped; connection limit for this destination IP address has been reached Packet dropped; connection limit for this source IP address has been reached Payload processing failed

Firewall Event Maintenance

Info

612

---

Simple

VPN PKI DHCP Relay VPN PKI VPN PKI

User Activity Maintenance User Activity User Activity

Warning Info Error Error

272 233 853 854

---------

Simple Destination Standard Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Unused Standard

VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI Unused RBL

User Activity User Activity User Activity User Activity User Activity -----

Error Info Info Error Info Debug Notice

851 850 852 849 848 855 797

---------------

Network Debug Access Firewall Event --VPN IPsec Network Wireless Wireless Attack Debug TCP | UDP | ICMP TCP | UDP | ICMP TCP | UDP | ICMP

Debug Error Error Warning Warning Warning

48 705 648 910 488 732

----572 -------

Standard Standard Message String Standard Destination Standard Note String Standard Destination Standard Destination Standard Destination Standard Note String Standard Note String

Wireless

Warning

495

---

VPN

System Error Alert

739

---

Firewall Event System Error Alert

647

5239

Firewall Event System Error Alert

646

5238

Standard Note String

VPN IKE

Debug

Error

616

Standard Note String


PC Card inserted. Rebooting. PC Card removed. Rebooting. PC Card: No device detected Peer firewall rebooting (%s) Physical environment normal Ping of death dropped PKI Error: PKI Failure PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate PKI Failure: Cannot allocate memory PKI Failure: Certificate's ID does not match this SonicWALL PKI Failure: Duplicate local certificate PKI Failure: Duplicate local certificate name PKI Failure: Import failed PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file PKI Failure: Incorrect admin password PKI Failure: Internal error PKI Failure: Loaded but could not verify certificate PKI Failure: Loaded the certificate but could not verify it's chain PKI Failure: No CA certificates yet loaded PKI Failure: Output buffer too small PKI Failure: public-private key mismatch PKI Failure: Reached the limit for local certificates, cant load any more PKI Failure: Temporary memory shortage, try again PKI Failure: The certificate chain has no root

Firewall Hardware Firewall Hardware Firewall Hardware High Availability Firewall Hardware Intrusion Detection VPN PKI VPN PKI VPN PKI

----------Attack Maintenance Maintenance Maintenance

Alert Alert Alert Info Info Alert Error Error Error

1054 1053 1056 1057 1042 22 417 447 453

5419 5418 ----5424 501 -------

Simple Message String Simple Message String Simple Message String Simple Message String Simple Standard Unused Unused Simple

VPN PKI VPN PKI

Maintenance Maintenance

Error Error

449 455

-----

Simple Simple

VPN PKI VPN PKI VPN PKI VPN PKI

Maintenance Maintenance Maintenance Maintenance

Error Error Error Error

458 457 451 454

---------

Simple Simple Simple Simple

VPN PKI VPN PKI VPN PKI VPN PKI

Maintenance Maintenance Maintenance Maintenance

Error Error Error Error

452 460 469 470

---------

Simple Simple Simple Simple

VPN PKI VPN PKI VPN PKI VPN PKI

Maintenance Maintenance Maintenance Maintenance

Error Error Error Error

459 448 456 450

---------

Simple Simple Simple Simple

VPN PKI

Maintenance

Error

461

---

Simple

VPN PKI

Maintenance

Error

464

---

Simple


PKI Failure: The VPN PKI certificate chain is circular PKI Failure: The certificate chain is incomplete PKI Failure: The certificate or a certificate in the chain has a bad signature PKI Failure: The certificate or a certificate in the chain has a validity period in the future PKI Failure: The certificate or a certificate in the chain has expired PKI Failure: The certificate or a certificate in the chain is corrupt Please connect interface %s to another network to function properly Please manually check all system configurations for correctness of Upgrade Port configured to receive IPsec protocol ONLY; drop packet received in the clear Possible FIN Flood on IF %s Possible FIN Flood on IF %s continues Possible FIN Flood on IF %s has ceased Possible port scan detected Possible RST Flood on IF %s Possible RST Flood on IF %s continues Possible RST Flood on IF %s has ceased Possible SYN flood attack detected Possible SYN flood detected on WAN IF %s switching to connectionproxy mode Possible SYN Flood on IF %s Possible SYN Flood on IF %s continues VPN PKI

Maintenance

Error

462

---

Simple

Maintenance

Error

463

---

Simple

VPN PKI

Maintenance

Error

468

---

Simple

VPN PKI

Maintenance

Error

466

---

Simple

VPN PKI

Maintenance

Error

465

---

Simple

VPN PKI

Maintenance

Error

467

---

Simple

Firewall Event Maintenance

Info

570

---

Simple Message String Simple

Firewall Event Maintenance

Info

613

---

Network Access

TCP | UDP | ICMP

Warning

347

---

Standard Destination

Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection

Debug Debug Debug Attack Debug Debug Debug Attack Debug

Alert Warning Alert Alert Alert Warning Alert Warning Alert

905 909 907 82 904 908 906 25 859

------521 ------503 ---

Simple Message String Simple Message String Simple Message String Standard Note String Simple Message String Simple Message String Simple Message String Standard Simple Message String

Intrusion Detection Intrusion Detection



Debug Debug

Alert Warning

860 866

-----

Simple Message String Simple Message String


Possible SYN Flood on IF %s has ceased Power supply without redundancy PPP Dial-Up: Connect request canceled PPP Dial-Up: Connected at %s bps - starting PPP PPP Dial-Up: Connection disconnected as scheduled. PPP Dial-Up: Dial initiated by %s PPP Dial-Up: Dialed number did not answer PPP Dial-Up: Dialed number is busy PPP Dial-Up: Dialing not allowed by schedule. %s PPP Dial-Up: Dialing: %s PPP Dial-Up: Failed to get IP address PPP Dial-Up: Idle time limit exceeded disconnecting PPP Dial-Up: Initialization : %s PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings PPP Dial-Up: Link carrier lost PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP Dial-Up: No dialtone detected - check phoneline connection PPP Dial-Up: No link carrier detected - check phone number PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same PPP Dial-Up: PPP link down

Intrusion Detection Firewall Hardware PPP Dial Up PPP Dial Up PPP Dial Up

Debug --User Activity User Activity ---

Alert Error Info Info Info

867 1043 306 286 666

--5425 -------

Simple Message String Simple Simple Simple Message String Standard

PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up

Maintenance User Activity User Activity --User Activity User Activity User Activity

Info Info Info Info Info Info Info

324 285 284 665 281 298 297

---------------

Standard Message String Simple Simple Standard Message String Simple Message String Unused Simple

PPP Dial Up PPP Dial Up

User Activity Maintenance

Info Info

303 811

-----

Simple Message String Simple

PPP Dial Up PPP Dial Up

User Activity User Activity

Info Info

288 321

-----

Simple Simple

PPP Dial Up

User Activity

Info

327

---

Simple

PPP Dial Up

User Activity

Info

282

---

Simple

PPP Dial Up

User Activity

Info

283

---

Simple

PPP Dial Up

Maintenance

Info

481

---

Simple

PPP Dial Up

User Activity

Info

301

---

Simple


PPP Dial-Up: PPP link established PPP Dial-Up: PPP negotiation failed disconnecting PPP Dial-Up: Previous session was connected for %s PPP Dial-Up: Received new IP address PPP Dial-Up: Shutting down link PPP Dial-Up: Starting PPP PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial-Up: The profile in use disabled VPN networking. PPP Dial-Up: Trying to failover but Alternate Profile is manual PPP Dial-Up: Trying to failover but Primary Profile is manual PPP Dial-Up: Unknown dialing failure PPP Dial-Up: User requested connect PPP Dial-Up: User requested disconnect PPP Dial-Up: VPN networking restored. PPP message: %s PPP: Authentication successful PPP: CHAP authentication failed check username / password PPP: MS-CHAP authentication failed check username / password PPP: PAP authentication failed - check username / password PPP: Starting CHAP authentication PPP: Starting MS-CHAP authentication

PPP Dial Up PPP Dial Up

User Activity User Activity

Info Info

300 296

-----

Simple Unused

PPP Dial Up

User Activity

Info

542

---

Simple Message String Standard Simple Simple Message String Unused

PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up

User Activity User Activity --User Activity

Info Info Info Info

299 302 1037 323

---------

PPP Dial Up

Maintenance

Info

330

---

Simple

WAN Failover

User Activity

Info

434

---

Simple

PPP Dial Up

User Activity

Info

322

---

Simple

PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP PPP PPP

User Activity User Activity User Activity Maintenance System Environment User Activity User Activity

Info Info Info Info Info Info Info

287 305 304 331 1018 289 291

---------------

Simple Simple Simple Simple Standard Message String Simple Simple

PPP

User Activity

Info

292

---

Simple

PPP

User Activity

Info

290

---

Simple

PPP PPP

User Activity User Activity

Info Info

294 293

-----

Simple Simple


PPP: Starting PAP authentication PPPoE terminated PPPoE CHAP authentication failed PPPoE Client: Previous session was connected for %s PPPoE discovery process complete PPPoE enabled but not ready PPPoE LCP link down PPPoE LCP link up PPPoE network connected PPPoE network disconnected PPPoE PAP authentication Failed PPPoE PAP authentication Failed. Please verify PPPoE username and password PPPoE PAP authentication success. PPPoE password changed by administrator PPPoE starting CHAP authentication PPPoE starting PAP authentication PPPoE user name changed by Administrator PPTP enabled but not ready PPTP CHAP authentication failed. Please verify PPTP username and password PPTP connect initiated by the User PPTP control connection Established PPTP control connection negotiation started PPTP decode failure PPTP disconnect initiated by the user PPTP LCP down PPTP LCP up PPTP Max Retransmission Exceeded

PPP PPPoE PPPoE PPPoE

User Activity Maintenance Maintenance Maintenance

Info Info Info Info

295 130 136 738

---------

Simple Simple Unused Simple Message String Simple Simple Simple Simple Simple Simple Unused Unused

PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE

Maintenance Maintenance

Info Info

133 499 129 128 131 132 137 167

-----------------

Maintenance Info Maintenance Info Maintenance Info Maintenance Maintenance Maintenance Info Info Info

PPPoE

Maintenance

Info Info Info Info Info Info Info

166 515 134 135 514 501 394

---------------

Unused Unused Simple Unused Unused Simple Unused

Authentication User Activity Access PPPoE Maintenance PPPoE Maintenance

Authentication User Activity Access PPTP Maintenance PPTP Maintenance

PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP

Maintenance Maintenance Maintenance Debug Maintenance Maintenance Maintenance Maintenance

Info Info Info Debug Info Info Info Info

390 378 375 596 388 383 387 377

-----------------

Standard Destination Simple Simple Standard Standard Destination Unused Unused Unused


Network Access PPTP PAP authentication PPTP failed PPTP PAP authentication PPTP failed. Please verify PPTP username and password PPTP PAP authentication PPTP success. PPTP PPP authentication PPTP failed PPTP PPP down PPTP PPTP PPP link down PPTP PPTP PPP link down PPTP PPTP PPP link finished PPTP PPTP PPP link up PPTP PPTP PPP negotiation PPTP started PPTP PPP session up PPTP PPTP PPTP server is not responding, check if the server is UP and running. PPTP server rejected PPTP control connection PPTP server rejected the PPTP call request PPTP session disconnect PPTP from Remote PPTP session PPTP established PPTP session negotiation PPTP started PPTP starting CHAP PPTP authentication PPTP starting PAP PPTP authentication PPTP tunnel disconnect PPTP from Remote Primary firewall has High transitioned to Active Availability Primary firewall has High transitioned to Idle Availability Primary firewall High preempting backup Availability Primary firewall rebooting High Availability itself as it transitioned from active to idle while preempt Primary missed High heartbeats from Backup Availability Primary received error High signal from Backup Availability

PPTP packet dropped

TCP | UDP | ICMP Maintenance Maintenance

Notice Info Info

39 395 397

-------

Unused Unused Unused

Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info Info Info Info Info

396 386 385 391 399 400 398 382 384 444

---------------------

Simple Unused Simple Unused Simple Simple Simple Simple Simple Simple

Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info Info Info Info

432 433 381 380 376 392 393 379 144 146 153 1058

------------------614 620 ---

Simple Simple Simple Simple Simple Simple Simple Simple Simple Simple Simple Simple

System Error Error System Error Error --Info

System Error Error System Error Error

148 150

615 617

Simple Simple


Primary received heartbeat from wrong source Primary received reboot signal from Backup Primary WAN link down, Backup going Active Primary WAN link down, Primary going Idle Primary WAN link up, preempting Backup Priority attack dropped Probable port scan detected Probable TCP FIN scan detected Probable TCP NULL scan detected Probable TCP XMAS scan detected Probing failure on %s Probing succeeded on %s Problem loading the URL list; Appliance not registered. Problem loading the URL list; check Filter settings Problem loading the URL list; check your DNS server Problem loading the URL list; Flash write failure. Problem loading the URL list; Retrying later. Problem loading the URL list; Subscription expired. Problem loading the URL list; Try loading it again. Problem occurred during user group membership retrieval Problem sending log email; check log settings Protocol: Read-only mode GUI administration session started Real time clock battery failure Time values may be incorrect RealAudio decode failure

High Availability High Availability High Availability High Availability High Availability Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection WAN Failover WAN Failover Security Services Security Services Security Services Security Services Security Services Security Services

Maintenance

Info

160

---

Unused

System Error Error System Error Error Maintenance Maintenance Attack Attack Attack Attack Attack Info Info Alert Alert Alert Alert Alert

671 220 218 221 79 83 177 179 178 326 436 183

665 634 ----518 522 528 530 529 637 638 623

Simple Unused Unused Unused Standard Standard Note String Standard Note String Standard Note String Standard Note String Standard Message String Standard Message String Simple

System Error Alert System Error Alert System Error Error

System Error Error System Error Error

10 11

602 603

Standard Note Code Simple

System Error Error System Error Error System Error Error

187 186 184

627 626 624

Simple Standard Standard

Security System Error Error Services Authentication User Activity Warning Access Firewall System Error Warning Logging None --Debug Authentication User Activity Info Access Firewall Hardware Unused System Error Warning

185 1033

625 ---

Simple Standard Note String Simple Unused Standard Note String Simple

12 525 996

604 -----

539

644

Debug

Debug

50

---

Unused


Security Services Received AV Alert: Your Security SonicWALL Network Services Anti-Virus subscription has expired. %s Received AV Alert: Your Security SonicWALL Network Services Anti-Virus subscription will expire in 7 days. %s Received CFS Alert: Your Security SonicWALL content Services filtering subscription has expired. Received CFS Alert: Your Security SonicWALL content Services filtering subscription will expire in 7 days. Received DHCP offer DHCP Client packet has errors Security Received E-Mail filter alert: Your SonicWALL E- Services Mail filtering subscription has expired. Security Received E-Mail filter alert: Your SonicWALL E- Services Mail filtering subscription will expire in 7 days. Received fragmented Network packet or fragmentation needed Received IKE SA delete VPN IKE request Received IPS alert: Your Security SonicWALL Intrusion Services Prevention (IDP) subscription has expired. Received IPsec SA VPN IKE delete request Received ISAKMP packet VPN IKE destined to port %s Received LCP Echo PPPoE Reply

Received a path MTU ICMP message from router/gateway Received a path MTU ICMP message from router/gateway Received Application Firewall alert: Your SonicWALL Application Firewall (AF) subscription has expired. Received AV Alert: %s

Network

User Activity

Info

182

---

Standard Note SPI Standard Note Mtu Simple

Network

User Activity

Info

188

---

Security Services

Maintenance

Warning

1034

8635

Maintenance Maintenance

Warning Warning

125 159

524 526

Simple Message String Simple Message String

Maintenance

Warning

482

552

Simple Message String

Maintenance

Warning

490

563

Simple

Maintenance

Warning

489

562

Simple

Maintenance Maintenance

Info Warning

588 492

--565

Standard Destination Simple

Maintenance

Warning

491

564

Simple

Debug

Debug

63

---

Standard

User Activity Maintenance

Info Warning

413 614

--571

Standard Note String Simple

User Activity

Info

412 607 723

-------

Debug | UDP Info Maintenance Info

Standard Destination Standard Message String Simple


Received LCP Echo PPPoE Request Received notify. NO VPN IKE PROPOSAL CHOSEN Received notify: INVALID VPN IKE COOKIES Received notify: INVALID VPN IPsec ID INFO Received notify: INVALID VPN IKE PAYLOAD Received notify: INVALID VPN IKE SPI Received notify: ISAKMP VPN IKE AUTH FAILED Received notify: VPN IKE PAYLOAD MALFORMED Received notify: VPN IKE RESPONDER LIFETIME Received packet VPN IKE retransmission. Drop duplicate packet Received PPPoE active PPPoE discovery Offer Received PPPoE active PPPoE discovery session confirmation Received response DHCP Client packet for DHCP request has errors Received unencrypted VPN IKE packet in crypto active state Regulatory requirements PPP Dial Up prohibit %s from being redialed for 30 minutes remote range: None Remotely triggered dial- Authentication out session ended. Valid Access WAN bound data found. Normal dial-up sequence will commence Remotely triggered dial- Authentication Access out session started. Requesting authentication Removed host entry from Dynamic dynamic address object Address Objects Request for relay IP table DHCP Relay from central gateway Requesting CRL from VPN PKI

Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity

Info Warning Info Warning Error Info Warning Warning Info Warning

721 401 414 483 661 416 409 411 415 406

---------------------

Simple Standard Note String Standard Destination Standard Note String Standard Note String Standard Destination Standard Destination Standard Destination Standard Destination Standard Note String Simple Simple

Maintenance Maintenance

Info Info

593 594

-----

Maintenance

Info

589

---

Standard Destination Standard Note String Standard Message String Unused Simple

User Activity

Warning

605

---

Attack

Error

592

567

--User Activity

Debug Info

86 822

-----

User Activity

Info

818

---

Simple

Maintenance

Info

912

---

Standard Destination Standard

Maintenance

Info

230

---

User Activity

Info

269

---

Simple Destination


Requesting relay IP table DHCP Relay from remote gateway Restarting SonicWALL; dumping log to email Retransmitting DHCP discover Retransmitting DHCP request (Rebinding). Retransmitting DHCP request (Rebooting). Retransmitting DHCP request (Renewing). Retransmitting DHCP request (Requesting). Retransmitting DHCP request (Verifying). RIP Broadcasts for LAN Network %s are being broadcast over Dial Upconnection RIP disabled on DMZ interface RIP disabled on interface %s RIP disabled on WAN interface Ripper attack dropped RIPv1 enabled on DMZ interface RIPv1 enabled on interface %s RIPv1 enabled on WAN interface RIPv2 compatibility (broadcast) mode enabled on DMZ interface RIPv2 compatibility (broadcast) mode enabled on interface %s RIPv2 compatibility (broadcast) mode enabled on WAN interface RIPv2 enabled on DMZ interface RIPv2 enabled on interface %s RIPv2 enabled on WAN interface Router IGMP General query received on interface %s

Maintenance

Info

231

---

Standard

Firewall Event Maintenance DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client Rip Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance

Info Info Info Info Info Info Info Info

13 99 102 103 101 100 104 571

-----------------

Unused Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Unused

Rip Rip Rip Intrusion Detection Rip Rip Rip Rip

Maintenance Maintenance Maintenance Attack Maintenance Maintenance Maintenance Maintenance

Info Info Info Alert Info Info Info Info

423 419 552 76 424 420 553 426

------515 ---------

Unused Simple Message String Unused Standard Unused Simple Message String Unused Unused

Rip

Maintenance

Info

422

---

Simple Message String Unused

Rip

Maintenance

Info

555

---

Rip Rip Rip Multicast

Maintenance Maintenance Maintenance ---

Info Info Info Debug

425 421 554 680

---------

Unused Simple Message String Unused Standard Message String


Router IGMP membership query received on interface %s RST flood blacklist on IF %s continues RST-flooding machine %s blacklisted Rule SA is disabled. Check VPN SA settings Sending DHCP discover. Sending DHCP request Sending DHCP request (Rebinding). Sending DHCP request (Rebooting). Sending DHCP request (Renewing). Sending DHCP request (Verifying). Sending DHCP request Sending LCP echo reply Sending LCP echo request Sending PPPoE Active Discovery Request Senna Spy attack dropped Sent relay IP Table to central gateway Settings Import: %s SIP register expiration exceeds configured Signaling inactivity time out SIP request SIP response SMTP authentication problem:%s SMTP POP-BeforeSMTP authentication failed SMTP server found on RBL blacklist Smurf amplification attack dropped SonicPoint Provision SonicPoint statistics report

Multicast

---

Debug

681

---

Standard Message String Simple Message String Simple Message String Unused Unused Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Standard Destination Simple Simple Simple Standard Standard Simple Message String Standard Note String

Intrusion Detection Intrusion Detection None VPN IKE DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client PPPoE PPPoE PPPoE Intrusion Detection DHCP Relay

Debug Debug --User Activity Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Attack Maintenance

Warning Alert Debug Info Info Info Info Info Info Info Info Info Info Info Alert Info Info Warning

899 898 59 407 105 122 116 117 115 118 108 722 720 595 78 232 1049 645

----------------------------517 -------

Firewall Event --VOIP VOIP

VOIP VOIP Firewall Logging Firewall Logging RBL Intrusion Detection SonicPoint GMS

VOIP VOIP

Debug Debug

643 644 737 656

---------

System Error Warning System Error Warning

Standard Note String Standard Note String Standard Message String Simple

--Attack SonicPoint ---

Notice Alert Info Info

799 81 727 806



--520 -----

Standard Note String Standard Simple Destination Simple SonicPoint Stats


SonicPoint Status SonicWALL activated SonicWALL initializing SonicWALL SSO agent returned domain name too long SonicWALL SSO agent returned user name too long Source IP address connection status: %s Source routed IP packet dropped Source: Spank attack multicast packet dropped SPI: SSL Control: Certificate chain not complete SSL Control: Certificate with invalid date SSL Control: Failed to decode Server Hello SSL Control: HTTPS via SSL2 SSL Control: Self-signed certificate SSL Control: Untrusted CA SSL Control: Weak cipher being used SSL Control: Website found in blacklist SSL Control: Website found in whitelist SSL-VPN enforcement Starting IKE negotiation

SonicPoint

SonicPoint

Info Alert Info Warning

667 4 521 993

---------

Firewall Event Maintenance Firewall Event Maintenance CIA User Activity

Simple Destination Simple Simple Standard Note String Standard Note String Standard Message String Standard Unused Standard Unused Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Standard Note String Simple Destination Standard Note String Simple Simple GMS Status Standard Standard Simple Message String Simple

CIA

User Activity

Warning

992

---

Firewall Event --Intrusion Detection None Intrusion Detection None Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Wireless VPN IKE Debug --Attack

Info Warning Debug Alert

734 428 56 606 71 1006 1002 1007 1001 1003 1005 1004 999 1000 733 90

------568 ----------------------------516 514 -----

--Debug Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Blocked Sites Info Maintenance User Activity Maintenance Maintenance Attack Attack Info Info

Starting PPPoE discovery PPPoE Status GMS Intrusion Detection Sub seven attack Intrusion dropped Detection Success to reach High Interface %s probe Availability Successful authentication Authentication received for Remotely Access Triggered Dial-out SYN flood blacklist on IF Intrusion %s continues Detection SYN flood blacklisting Intrusion disabled by user Detection

StrIKEr attack dropped

Info 127 Emergency 96 Alert 77 Alert 75 674 820

System Error Info User Activity Info

Debug Debug

Warning Warning

868 863

-----

Simple Message String Standard


SYN flood blacklisting enabled by user SYN flood ceased or flooding machines blacklisted - connection proxy disabled SYN Flood Mode changed by user to: Always proxy WAN connections SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack SYN Flood Mode changed by user to: Watch and report possible SYN floods SYN unused/spare SYN unused/spare Synchronizing preferences to HA Peer Firewall SYN-Flooding machine %s blacklisted Syslog Server cannot be reached System clock manually updated TCP checksum error

Intrusion Detection Intrusion Detection

Debug Debug

Warning Alert

862 861

-----

Standard Standard

Intrusion Detection

Debug

Warning

858

---

Standard

Intrusion Detection

Debug

Warning

857

---

Standard

Intrusion Detection

Debug

Warning

856

---

Standard

Unused Unused High Availability Intrusion Detection Network Firewall Logging Network Access Network

----Maintenance

Debug Debug Info

870 871 673

-------

Unused Unused Simple

Debug Maintenance --TCP Debug

Alert Info Notice Notice Debug

864 657 881 884 713

-----------

Simple Message String Standard Simple Note String Standard Standard Note String Standard Policy Standard Service Standard Note String Standard Standard Note String Standard Note String Standard Note String

TCP connection abort received; TCP connection dropped TCP connection dropped Network Access TCP connection from Network LAN denied Access TCP connection reject Network received; TCP connection dropped TCP FIN packet dropped Network TCP handshake violation Network detected; TCP Access connection dropped TCP packet received on a Network closing connection; TCP packet dropped TCP packet received on Network non-existent/closed connection; TCP packet dropped

TCP LAN TCP Debug

Notice Notice Debug

36 173 712

-------

Debug ---

Debug Notice

181 760

-----

Debug

Debug

891

---

Debug

Debug

888

---


TCP packet received with invalid ACK number; TCP packet dropped TCP packet received with invalid header length; TCP packet dropped TCP packet received with invalid MSS option length; TCP packet dropped TCP packet received with invalid option length; TCP packet dropped TCP packet received with invalid SACK option length; TCP packet dropped TCP packet received with invalid SEQ number; TCP packet dropped TCP packet received with invalid source port; TCP packet dropped TCP packet received with invalid SYN Flood cookie; TCP packet dropped TCP packet received with invalid window scale option length; TCP packet dropped TCP packet received with invalid window scale option value; TCP packet dropped TCP packet received with non-permitted option; TCP packet dropped TCP packet received with SYN flag on an existing connection; TCP packet dropped TCP packet received without mandatory ACK flag; TCP packet dropped TCP packet received without mandatory SYN flag; TCP packet dropped TCP stateful inspection: Bad header; TCP packet dropped TCP stateful inspection: Invalid flag; TCP packet dropped TCP SYN received

Network

Debug

Debug

709

---

Standard Note String Standard Note String Standard Note String

Network

Debug

Debug

887

---

Network

Debug

Debug

894

---

Network

Debug

Debug

895

---

Standard Note String Standard Note String

Network

Debug

Debug

893

---

Network

Debug

Debug

708

---

Standard Note String Standard Note String Standard Note String Standard Note String

Network

Debug

Debug

896

---

Network

Debug

Info

897

---

Network

Debug

Debug

1030

---

Network

Debug

Debug

1031

---

Standard Note String

Network

Debug

Debug

1029

---

Standard Note String Standard Note String

Network

Debug

Info

892

---

Network

Debug

Debug

890

---

Standard Note String Standard Note String Unused

Network

Debug

Debug

889

---

Network

Debug

Debug

711

---

Network

Debug

Info

710

---

Unused

Intrusion Detection

Debug

Debug

869

---

Standard


TCP Syn/Fin packet Network dropped Access TCP Xmas Tree dropped Intrusion Detection The cache is full; %u Firewall Event open connections; some will be dropped The current WAN Firewall Event interface is not ready to route packets. The loaded content URL Security List has expired. Services The network connection WAN Failover in use is %s The preferences file is too Firewall Event large to be saved in available flash memory Thermal Red Firewall Hardware Thermal Red Timer Firewall Exceeded Hardware Thermal Yellow Firewall Hardware Time of day settings for Firewall Event firewall policies were not upgraded. Too many gratuitous Network ARPs detected Type: None UDP checksum error Network Access UDP packet dropped Network Access UDP packet from LAN Network dropped Access Unable to download IPS/ Unused GAV/Anti-Spyware Signature database. Firewall must first be restarted to free memory used by downloaded firmware. Unable to resolve Dynamic dynamic address object Address Objects Unable to send message PPP Dial Up to dial-up task Unknown IPsec SPI VPN IPsec Unknown protocol Network dropped Access Unknown reason VPN PKI User logged out

Attack Attack

Alert Alert

580 267 53

558 547 607

Standard Note String Standard Standard Message Number Unused

System Error Error

System Error Error

325

635

System Error Error System Error Warning System Error Warning

190 307 573

628 639 649

Simple Standard Message String Simple

System Environment System Environment System Environment Maintenance

Alert Alert Alert Info

578 579 577 742

104 105 103 ---

Simple Simple Simple Simple

----UDP UDP LAN UDP | LAN TCP ---

Warning Debug Notice Notice Notice Warning

815 55 885 37 174 873

-------------

Simple Unused Standard Standard Policy Standard Service Simple

Maintenance

Info

880

---

Standard Destination Simple Message String Unused Standard Note String Simple Destination Standard String Service

System Error Error Attack Debug User Activity Error Notice Error Info

1024 66 41 275 263

--507 -------

Authentication User Activity Access


User logged out inactivity timer expired User logged out - max session time exceeded User logged out - user disconnect detected (heartbeat timer expired) User login denied insufficient access on LDAP server User login denied - invalid credentials on LDAP server User login denied - LDAP authentication failure User login denied - LDAP communication problem User login denied - LDAP directory mismatch User login denied - LDAP schema mismatch User login denied - LDAP server certificate not valid User login denied - LDAP server down or misconfigured User login denied - LDAP server name resolution failed User login denied - LDAP server timeout User login denied - not allowed by policy rule User login denied - not found locally User login denied password doesn't meet constraints User login denied password expired User login denied RADIUS authentication failure User login denied RADIUS communication problem User login denied RADIUS configuration error User login denied RADIUS server name resolution failed User login denied RADIUS server timeout

Authentication User Activity Access Authentication User Activity Access Authentication User Activity Access RADIUS User Activity

Info Info Info

265 264 24

-------

Standard Note String Standard Note String Standard Note String Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard Note String Standard Note String Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service Standard String Service

Warning

750

---

RADIUS

User Activity

Warning

749

---

RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS

User Activity User Activity User Activity User Activity User Activity User Activity

Info Warning Warning Warning Warning Warning

745 748 757 751 755 747

-------------

RADIUS

User Activity

Warning

753

---

RADIUS

User Activity

Warning Warning Warning Warning

746 986 987 1048

---------

Authentication User Activity Access Authentication User Activity Access Authentication 0 Access Authentication User Activity Access RADIUS User Activity

Warning Info

1035 243

-----

RADIUS

User Activity

Warning

744

---

RADIUS

User Activity

Info

245

---

RADIUS

User Activity

Warning

754

---

RADIUS

User Activity

Info

244

---


User login denied SonicWALL SSO agent communication problem User login denied SonicWALL SSO agent configuration error User login denied SonicWALL SSO agent name resolution failed User login denied SonicWALL SSO agent timeout User login denied - TLS or local certificate problem User login denied - User has no privileges for login from that location User login denied - User has no privileges for WLAN guest service User login denied due to bad credentials User login disabled from %s User login failed - Guest service limit reached User login failure rate exceeded - logins from user IP address denied Using LDAP without TLS highly insecure Virtual access point is disabled Virtual access point is enabled VLAN unused/spare VLAN unused/spare VLAN unused/spare VOIP %s endpoint added VOIP %s endpoint not added - configured 'public' endpoint limit reached VOIP %s endpoint removed VOIP call connected VOIP call disconnected

CIA

User Activity

Warning

990

---

Standard Service

CIA

User Activity

Warning

989

---

Standard Service

CIA

User Activity

Warning

991

---

Standard Service

CIA

User Activity

Warning

988

---

Standard Service

RADIUS

User Activity

Warning

756

---

Standard String Service Standard String Service Standard Destination Standard String Service Standard Message String Standard Note String Standard Destination Simple

Authentication User Activity Access Authentication User Activity Access Authentication Access Authentication Access Authentication Access Authentication Access RADIUS User Activity Attack User Activity Attack

Info

246

---

Info

486

---

Info Error Info Error

33 583 549 329

--559 --561

System Error Alert

1010

---

SonicPoint SonicPoint Unused Unused Unused VOIP VOIP

80211bmgmt Info 80211bmgmt Info ------VOIP VOIP Debug Debug Debug Debug Warning

731 730 837 838 839 637 639

---------------

Simple Destination Simple Destination Unused Unused Unused Simple Message String Simple Message String

VOIP VOIP VOIP

VOIP VOIP VOIP System Environment

Debug Info Info Error

638 622 623 575

------101

Voltages out of tolerance Firewall Hardware

Simple Message String Standard Note String Standard Note String Simple


VPN Cleanup: Dynamic network settings change VPN client policy provisioning VPN disabled by administrator VPN disabled for active dial up VPN enabled by administrator VPN log debug VPN policy added VPN policy count received exceeds the limit; %s VPN Policy Deleted VPN Policy Modified VPN TCP FIN VPN TCP PSH VPN TCP SYN VPN zone administrator login allowed VPN zone remote user login allowed WAN Interface not setup Wan IP Changed WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN WAN not ready WAN zone administrator login allowed WAN zone remote user login allowed WARNING: Central gateway does not have a relay IP Address. DHCP message dropped. WARNING: DHCP lease relayed from central gateway conflicts with IP in Static devices list Web access request dropped Web management request allowed Web site access allowed

VPN VPN Client

User Activity User Activity

Info Info Info Info Info Info Info

471 371 506 503 507 172 1050 719

-----------------

Standard Standard Destination Simple Simple Simple Standard Message String Standard Note String Simple Message String Standard Note String Standard Note String Unused Unused Unused Standard String Service Standard String Service Simple Standard Standard

Authentication Maintenance Access Unused Maintenance Authentication Maintenance Access VPN IKE Debug VPN VPN ---

System Error Error

VPN VPN VPN VPN VPN Authentication Access Authentication Access Firewall Event Firewall Event Firewall Event

----VPN Stat VPN Stat VPN Stat User Activity User Activity

Info Info Info Info Info Info Info

1051 1052 195 196 194 235 237 498 138 812

----------------636 ---

Maintenance Info System Error Warning System Error Error

Firewall Event Authentication Access Authentication Access DHCP Relay

Maintenance User Activity User Activity Maintenance

Info Info Info Info

502 236 238 472

---------

Simple Standard String Service Standard String Service Unused

DHCP Relay

Maintenance

Info

227

---

Standard Destination

Network Access Network Access Network Access

TCP User Activity

Notice Notice

524 526 16

----703

Standard Policy Standard Service Standard Note Blocked

Blocked Sites Notice


Web site access denied WiFiSec enforcement disabled by administrator WiFiSec enforcement enabled by administrator Wireless MAC filter list disabled by administrator Wireless MAC filter list enabled by administrator WLAN client null probing WLAN disabled by administrator WLAN disabled by schedule WLAN drop traffic to deny network WLAN enabled by administrator WLAN enabled by schedule WLAN firmware image has been updated WLAN guest session timeout WLAN guest session timeout WLAN guest session timeout WLAN max concurrent users reached already WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN WLAN pass traffic to access allow network WLAN radio frequency threat detected WLAN reboot

Network Access Authentication Access Authentication Access Authentication Access Authentication Access WLAN IDS Authentication Access Authentication Access Network Access Authentication Access Authentication Access Wireless Authentication Access Authentication Access Authentication Access Network Access Wireless

Blocked Sites Error Maintenance Maintenance Maintenance Maintenance WLAN IDs Maintenance Maintenance --Maintenance Maintenance Maintenance User Activity User Activity User Activity --Maintenance Info Info Info Info Warning Info Info Info Info Info Info Info Info Info Info Info

14 510 511 513 512 615 508 728 724 509 729 487 551 564 550 726 617

701 --------904 -----------------------

Standard Note Blocked Unused Unused Simple Simple Standard Destination Simple Simple Standard Note String Simple Simple Simple String Standard Note String Standard Note String Standard Note String Standard Note String Simple

Network Access RF Management Firewall Hardware WLAN recovery Wireless WLAN sequence number WLAN IDS out of order WLB fail back initiated by WAN Failover %s WLB failover in progress WAN Failover WLB resource failed WAN Failover WLB resource is now WAN Failover available WLB Spill-over started, WAN Failover configured threshold exceeded WLB Spill-over stopped WAN Failover

-----

Info Warning

725 879 517 519 547 435 584 586 585 581

----642 --902 652 651 654 653 ---

Standard Note String Simple Destination

System Error Error Maintenance WLAN IDs Info Warning

System Error Alert System Error Alert System Error Alert System Error Alert Maintenance Warning

Simple String Simple Destination Standard Message String Standard Standard Standard Simple

Maintenance

Warning

582

---

Simple


WPA MIC Failure WPA RADIUS Server Timeout WWAN %s %s device detected WWAN Dial-up: %s.

Wireless Wireless Firewall Hardware PPP Dial Up

80211bmgmt Warning 80211bmgmt Info System Environment User Activity User Activity Info Alert Alert

663 664 1017 1026 1027

--------7643

WWAN Dial-up: data PPP Dial Up usage limit reached for the '%s' billing cycle. Disconnecting the WWAN session. WWAN: No SIM detected Firewall Hardware XAUTH failed with VPN VPN Client client, Authentication failure XAUTH failed with VPN VPN Client client, Cannot Contact RADIUS Server XAUTH succeeded with VPN Client VPN client

Simple Destination Simple Destination Simple Message String Simple Message String Simple Message String

--User Activity

Alert Error

1055 140

-----

Simple Message String Standard Destination Standard Destination Standard Destination

User Activity

Info

141

---

User Activity

Info

139

---


Index of Syslog Tag Field Description


This section provides an alphabetical listing of Syslog tags and the associated field description.

Tag | Field | Description
--- | --- | ---
<ddd> | Syslog message prefix | The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1)
arg | URL | Used to render a URL: arg represents the URL path name part.
bcastRx | Interface statistics report | Displays the broadcast packets received
bcastTx | Interface statistics report | Displays the broadcast packets transmitted
bytesRx | Interface statistics report | Displays the bytes received
bytesTx | Interface statistics report | Displays the bytes transmitted
c | Message category (legacy only) | Indicates the legacy category number (Note: We are not currently sending new category information.)
change | Configuration change webpage | Displays the basename of the firewall web page that performed the last configuration change
code | Blocking code | Indicates the CFS block code category
code | ICMP type and code | Indicates the ICMP code
conns | Firewall status report | Indicates the number of connections in use
cpuUtil | Firewall status report | Displays the CPU utilization (not in use)
dst | Destination | Destination IP address, and optionally, port, network interface, and resolved name.
dstname | Destination URL | Displays the URL of web site hit and other legacy destination strings
dstname | URL | Used to render a URL: dstname represents the URL host part
dyn | Firewall status report | Displays the HA and dialup connection state (rendered as h.d where h is n (not enabled), b (backup), or p (primary) and d is 1 (enabled) or 0 (disabled))
fw | Firewall WAN IP | Indicates the WAN IP Address
fwlan | Firewall status report | Indicates the LAN zone IP address
goodRxBytes | SonicPoint statistics report | Indicates the well formed bytes received
goodTxBytes | SonicPoint statistics report | Indicates the well formed bytes transmitted
i | Firewall status report | Displays the GMS message interval in seconds
id=firewall | Webtrends prefix | Syntactic sugar for WebTrends (and GMS by habit)
if | Interface statistics report | Displays the interface on which statistics are reported
ipscat | IPS message | Displays the IPS category
ipspri | IPS message | Displays the IPS priority
lic | Firewall status report | Indicates the number of licenses for firewalls with limited modes
m | Message ID | Provides the message ID number
mac | MAC address | Provides the MAC address
msg | Static message | Displays the event message (from spreadsheet)
msg | Dynamically-defined message | Displays a dynamically defined message string
msg | Static message with dynamic string | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Static message with dynamic number | Displays a message using the predefined string containing a %s and a dynamic numeric argument.
msg | IPS message | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Anti-Spyware message | Displays the event message (from spreadsheet)
n | Message count | Indicates the number of times event occurs
op | HTTP OP code | Displays the HTTP operation (GET, POST, etc.) of web site hit
pri | Message priority | Displays the event priority level (0=emergency..7=debug)
proto | IP protocol | Indicates the IP protocol and detail information
proto | Protocol and service | Displays the protocol information (rendered as proto/service)
proto | Protocol and service | Displays the protocol information (rendered as proto/service)
pt | Firewall status report | Displays the HTTP/HTTPS management port (rendered as hhh.sss)
radio | SonicPoint statistics report | Displays the SonicPoint radio on which event occurred
ramUtil | Firewall status report | Displays the RAM utilization (not in use)
rcvd | Bytes received | Indicates the number of bytes received within connection
result | HTTP Result code | Displays the HTTP result code (200, 403, etc.) of web site hit
rule | Rule ID | Displays the Access Rule number causing packet drop
sent | Bytes sent | Displays the number of bytes sent within connection
sid | IPS message | Provides the IPS signature ID
sid | Anti-Spyware message | Provides the AntiSpyware signature ID
sn | Firewall serial number | Indicates the device serial number
spycat | Anti-Spyware message | Displays the antiSpyware category
spypri | Anti-Spyware message | Displays the AntiSpyware priority
src | Source | Indicates the source IP address, and optionally, port, network interface, and resolved name.
station | SonicPoint statistics report | Displays the client (station) on which event occurred
time | Time | Reports the time of event
type | ICMP type and code | Indicates the ICMP type
ucastRx | Interface statistics report | Displays the unicast packets received
ucastTx | Interface statistics report | Displays the unicast packets transmitted
unsynched | Firewall status report | Reports the time since last local change in seconds
usesstandbysa | Firewall status report | Displays whether standby SA is in use (1 or 0) for GMS management
usr (or user) | User | Displays the user name (user is the tag used by WebTrends)
vpnpolicy | VPN policy name | Displays the VPN policy name of event
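
How a log collector might turn these tags back into structured fields, shown as an added example that is not part of the original guide: it decodes the <ddd> prefix and expands the composite tags (src/dst, proto, dyn, pt). The sample lines are constructed, and the ':' separator inside src/dst and the HTTP-then-HTTPS order of pt are assumptions the table does not spell out.

```python
import re

# Constructed sample lines, not captured from a real appliance.
SAMPLE_EVENT = ('<129>id=firewall sn=0006B1000000 time="2010-05-01 10:15:02" '
                'fw=203.0.113.10 pri=1 m=267 msg="TCP Xmas Tree dropped" n=1 '
                'src=192.0.2.44:4431:X1 dst=203.0.113.10:80:X1 proto=tcp/http')
SAMPLE_STATUS = ('<134>id=firewall sn=0006B1000000 time="2010-05-01 10:20:00" '
                 'fw=203.0.113.10 pri=6 i=60 conns=12 dyn=p.0 pt=80.443')

# pri tag: 0=emergency .. 7=debug
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "info", "debug"]
HA_STATE = {"n": "not enabled", "b": "backup", "p": "primary"}

# tag=value, where the value is "double quoted" or a bare token without spaces.
# Matching quoted values as a unit keeps text inside msg="..." from being read
# as extra tags.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def split_endpoint(value):
    """src/dst: IP address, then optional port, interface and resolved name.
    Assumption: the parts are ':'-separated (IPv4 only)."""
    ip, port, iface, name = (value.split(":", 3) + [None] * 3)[:4]
    return {"ip": ip, "port": int(port) if port and port.isdigit() else None,
            "interface": iface or None, "name": name or None}


def parse_sonicos_syslog(line):
    """Decode the <ddd> prefix, collect raw tags, and expand composite tags."""
    prefix = re.match(r"<(\d{1,3})>", line)
    if prefix is None:
        raise ValueError("no <ddd> syslog prefix")
    prival = int(prefix.group(1))
    tags = {}
    for key, quoted, bare in PAIR.findall(line[prefix.end():]):
        tags.setdefault(key, quoted or bare)  # first occurrence wins
    # <ddd> = facility * 8 + severity
    event = {"facility": prival >> 3, "severity": SEVERITY[prival & 7],
             "tags": tags}
    if tags.get("pri", "") in set("01234567"):
        event["pri"] = SEVERITY[int(tags["pri"])]
    if tags.get("m", "").isdigit():
        event["message_id"] = int(tags["m"])  # key into the message index
    for side in ("src", "dst"):
        if side in tags:
            event[side] = split_endpoint(tags[side])
    if "proto" in tags:  # rendered as proto/service
        proto, _, service = tags["proto"].partition("/")
        event["protocol"], event["service"] = proto, service or None
    if re.fullmatch(r"[nbp]\.[01]", tags.get("dyn", "")):  # rendered as h.d
        event["ha"] = HA_STATE[tags["dyn"][0]]
        event["dialup_enabled"] = tags["dyn"][2] == "1"
    if re.fullmatch(r"\d+\.\d+", tags.get("pt", "")):  # rendered as hhh.sss
        http, https = tags["pt"].split(".")  # assumption: HTTP first, then HTTPS
        event["mgmt_ports"] = {"http": int(http), "https": int(https)}
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT, SAMPLE_STATUS):
        print(parse_sonicos_syslog(sample))
```

Values of tags such as msg, dstname and arg carry text taken from network traffic, so a collector should treat them as untrusted data when forwarding them.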
