This document contains a reference of log messages for Check Point Embedded NGX, listing the log message ID, message text, and brief comments explaining the meaning or cause of each message. There are over 60 different log messages covering topics like network connections, DHCP services, wireless clients, policy updates, VPN connections, and more. The log messages provide information on system events and errors to help administrators monitor and troubleshoot the network gateway.
Log Messages

| ID | Log message | Comments |
|---|---|---|
| 10001 | Error - too many established connections | The web filtering service connection table is full. |
| 10011 | DHCP server got unknown message type | The DHCP server received an invalid (<MessageType>) DHCP request. |
| 10012 | DHCP server found no free IP addresses | There are no free IP addresses. Consider increasing the size of the DHCP address range. |
| 10013 | DHCP server can't add more leases | The DHCP server has reached the maximum amount of supported DHCP leases. |
| 10014 | Gateway started up | The gateway has been powered up or restarted. |
| 10015 | Assigned <IP> to <MAC Address> via DHCP | An IP address has been assigned to a host. |
| 10016 | Detected static IP | A host is assigned a static IP. |
| 10019 | Failed to lease reserved IP <IP Address>, IP already used | A DHCP client tried to request an IP address that is already in use. |
| 10020 | An IP conflict was detected: The IP <IP Address> is in use by a device with MAC address <MAC Address> | Two devices on the network are configured to use the same IP address. |
| 10021 | A MAC address conflict was detected: The MAC address <MAC Address> is in use by another device | Two devices on the network are using the same MAC address. |
| 10022 | WAN received DHCP IP overlaps the LAN\DMZ network | The WAN IP address must not belong to one of the internal networks. |
| 10023 | WAN received DHCP network that intersects with internal network | The WAN IP subnet mask must not intersect with an internal network. |
| 10024 | WAN received bad DHCP IP | Your ISP assigned an invalid IP address to this gateway. |
| 10026 | WLAN client: <MAC Address>, connected to network | A wireless station has connected to the network. |
| 10027 | WLAN client: <MAC Address>, disconnected from network | A wireless station has disconnected from the network. |
| 10028 | WLAN client: <MAC Address>, failed to authenticate to network | A wireless station has failed to authenticate to the network. |
| 10029 | WLAN client: <MAC Address>, associated to network | A wireless station has associated with the network. |
| 10030 | WLAN client: <MAC Address>, disassociated from network | A wireless station has disassociated from the network. |
| 10031 | WLAN client: <MAC Address>, re-associated to network | A wireless station has re-associated with the network. |
| 10032 | DHCP relay: server on <Network Name> network failed over from <IP Address> to <IP Address> | The main DHCP relay server is not responding; the secondary DHCP relay server was used instead. |
| 30001 | Policy error - trap <id> called with too many arguments | May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version. |
| 30004 | Kernel hook failed | May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version. |
| 30005 | <Operation Type> operation on table <table id> failed | May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version. |
| 30009 | Table <table id> not found | May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version. |
| 30011 | Failed to install updated security policy | The security policy installation has failed. This may indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version. |
| 30012 | Failed to install policy - invalid policy file | The security policy received from the service center is corrupt. |
| 30013 | Policy version is incompatible with the appliance firmware. | The security policy received from the service center is incompatible with the current firmware version. |
| 30015 | Policy is incompatible with appliance type | The security policy received from the service center is incompatible with the current appliance type. |
| 30016 | Wrong update version in policy. | The security policy received from the service center is incompatible with the current firmware version. |
| 30021 | Failed to install updated user interface | The downloaded GUI update file is invalid or incompatible with this firmware version. |
| 30024 | Failed to install updated firmware | The downloaded firmware update file is corrupt or not compatible with the current hardware type. |
| 30025 | Failed to install policy | Failed to install an updated INSPECT security policy. |
| 30026 | Failed to install updated configuration-set file | The configuration-set received from the service center is invalid. |
| 30027 | Failed to install configuration-set file | Failed to install an updated configuration-set file. |
| 30028 | Downloaded <n> dynamic objects. Only the first <n> are installed. | Too many dynamic objects were received from the service center. |
| 40015 | Failed to install config item | The configuration-set received from the service center is invalid. |
| 60000 | Packet logged | A packet was logged or dropped. See also the Connection Log Reasons table below. |
| 60001 | Password changed | The user has changed the password. |
| 60002 | Security level changed from <x> to <y> (<change requested by>) | The firewall security level has been changed. |
| 60003 | URL filtering mode changed <mode> | Web filtering was enabled or disabled. |
| 60004 | Mail filtering mode changed <mode> | Mail filtering was enabled or disabled. |
| 60005 | User interface updated | The firewall GUI has been updated. |
| 60009 | Firmware changed | The appliance firmware has been updated. |
| 60011 | Update now command was issued | The user requested an immediate update of settings from the service center. |
| 60020 | VPN site <operation>: <name> | A VPN site was created or modified. |
| 60021 | Failed to establish VPN Tunnel with <server>: <error> | Failed to establish a phase-1 or phase-2 IKE SA, due to the specified reason. |
| 60022 | You are exceeding your node limit (Node Limit <count>, Used Nodes <count>) | You are exceeding the node count allowed by your license. Please contact your Check Point reseller for a license upgrade. |
| 60024 | VPN mode changed <site> | The VPN mode has changed for the specified site. |
| 60025 | URL filtering override | The user requested to temporarily override web filtering. |
| 60026 | User <name> <operation> | A user was created or modified in the local user database. |
| 60028 | VPN Server <mode> | VPN server enabled/disabled. |
| 60031 | User database changed. | A user has logged in to the appliance. |
| 60032 | Updated configuration from Service Center | A new configuration was received from the service center. |
| 60033 | Software Updates mode changed to <mode> | The software updates service was enabled or disabled. |
| 60034 | Automatic updates interval (seconds) changed to <interval> | The automatic updates interval was modified. |
| 60035 | Mail Filtering override | Mail filtering was temporarily overridden by the user. |
| 60037 | Closed VPN Tunnel with <peer> OR: VPN Tunnel established with <peer> | A VPN tunnel was shut down or established. |
| 60038 | Internet connection terminated after <time> OR: Internet connection established, IP <IP Address> was assigned | An Internet connection was shut down or established. |
| 60040 | Logging was disabled OR: Logging was set: Syslog IP Address is <IP Address> and Syslog Port is <port> | Syslog logging was configured by the administrator. |
| 60041 | Management protocol mode changed | HTTPS, SSH, or SNMP configuration was changed. |
| 60042 | RADIUS server mode changed | RADIUS configuration was modified. |
| 60043 | Warning; Topology overlapping | The VPN topology conflicts with one of the internal networks. |
| 60044 | Dialup Modem configuration changed | The dialup modem configuration was changed. |
| 60045 | Topology overlapping: Range <range> overlaps with internal/DMZ IP | The VPN topology conflicts with one of the internal networks. |
| 60046 | PPP Connection failed | A PPP connection has failed. |
| 60047 | Network settings updated | The settings for an internal network were modified. |
| 60048 | PFS mismatch: Peer <IP Address> configured without PFS support | Perfect Forward Secrecy is enabled, but the VPN peer does not support it. |
| 60052 | Point to point connection failed to connect <reason> | A PPP error has been detected on the connection. |
| 60054 | QoS Classes were reset to defaults | The Traffic Shaper QoS Classes were reset to defaults. |
| 60055 | RADIUS permissions saved | RADIUS permissions were modified. |
| 60057 | Internal Error | An internal error has occurred. |
| 60058 | Firmware changed from version <version> to version <version> | The firmware was updated. |
| 60059 | The reserved IP <IP Address> is used with the wrong MAC <MAC Address> | An IP address with a MAC reservation has been used by a different MAC. |
| 60060 | A security certificate was generated for subject: <subject> | A new certificate was created. |
| 60061 | Printer: <type>, S/N:<serial>, connected and attached to port <port number> | A new printer was attached to the print server, and a TCP port has been allocated. |
| 60062 | Printer: <type>, S/N:<serial>, was disconnected | A printer was disconnected from the print server. |
| 60063 | Printer: <type>, S/N:<serial>, starting print job from <IP Address> | A print job was sent to the print server. |
| 60064 | Printer: <type>, S/N:<serial>, failed print job from <IP Address>, <reason> | A print job has failed. |
| 60065 | Printer: <type>, S/N:<serial>, <message> | A printer has encountered a technical error. |
| 60067 | New configuration was saved to High Availability module. | The HA configuration was updated. |
| 60068 | High Availability module changed state from <state> to <state> | The HA module state has changed. |
| 60069 | Gateway changed status from <status> to <status> | HA failed over to the secondary gateway, or back to the primary gateway. |
| 60070 | Printer: <type>, S/N:<serial> finished print job from <IP Address>, size <size> Kbyte | A print job was successfully completed. |
| 60071 | Printer: <type>, S/N:<serial>, reattached to port <port number> | A known printer has reconnected to the USB port. |
| 60072 | Can't attach port to printer: <type>, S/N:<serial>, only 4 printers are supported | You attempted to connect more than four printers to the print server at the same time. |
| 60073 | Successfully authenticated user <username> connecting from IP <IP Address> | The specified user has logged in to the VPN server. |
| 60074 | Printer: <type>, S/N:<serial>, is ready | The printer is ready to accept print jobs. |
| 60075 | IKE Phase1: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode> | IKE phase 1 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode. |
| 60076 | IKE Phase2: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode> | IKE phase 2 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode. |
| 60077 | IKE Phase1: The VPN Peer <peer> is behind a NAT device: NAT-T mode enabled | NAT Traversal (NAT-T) has been automatically enabled, since the peer gateway is behind NAT. |
| 60078 | IKE Phase1: This VPN gateway is behind a NAT device: NAT-T mode enabled for VPN peer <peer> | NAT Traversal (NAT-T) has been automatically enabled, since this gateway is behind NAT. |
| 60079 | Disconnected from Service Center | The gateway has disconnected from the service center. |
| 60080 | New configuration was saved to WLAN module. | The wireless LAN configuration was updated. |
| 60081 | Printer: <name>, S/N:<serial>, was reset, all running print jobs were terminated | A printer was reset, and all the remaining print jobs in the print server for this printer were terminated. |
| 60082 | Resolved peer IP for <peer> is: <IP Address> | VPN interface resolving has resolved the specified IP as the reachable interface of a VPN peer. |
| 60083 | Warning: Your certificate is about to expire. Expiry date is <date> | This is a reminder that the currently installed security certificate of this gateway is nearly expired. |
| 60084 | Warning: Your CA certificate is about to expire. Expiry date is <date> | This is a reminder that the currently installed CA (Certificate Authority) security certificate is nearly expired. |
| 60085 | Swapped user rules at indexes <n> and <n> | The specified firewall rule has been reordered in the local security policy. |
| 60086 | Internet connection probing status change | Internet probing has detected that a specified Internet connection is in non-operational or operational status. |
| 60087 | Firmware check failed: unrecognized image | Attempted to install an invalid firmware image. |
| 60088 | Firmware check failed: firmware version is not compatible with the hardware revision of this gateway | Attempted to install a firmware version incompatible with the hardware revision of this gateway. |
| 60089 | Mail AntiSpam mode changed <mode> | Email AntiSpam mode has changed to enabled or disabled. |
| 60090 | New configuration was saved to HotSpot module. | The HotSpot configuration has been updated. |
| 60091 | HotSpot user <username> <action> <source> | A user has logged in or logged out from a Secure HotSpot enabled network. |
| 60092 | HotSpot user <username> <action> <source> | A user has logged in or logged out from a Secure HotSpot enabled network that does not require user authentication. |
| 60093 | NTP updated time by <n> seconds | Synchronization of time with the NTP (Network Time Protocol) server has caused the time to be updated. |
| 60094 | Received invalid SofaWare specific RADIUS attribute | The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute". |
| 60095 | Received invalid SofaWare specific RADIUS value (<name>) for <name> attribute | The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute". |
| 60096 | Received invalid SofaWare specific RADIUS attribute type: <name> | The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute". |
| 60097 | Internet connection probe status changed | The status of the specified Internet connection probing IP address has changed. |
| 60098 | Swapped antivirus rules at indexes <index> and <index> | The specified antivirus rule has been reordered in the local AV policy. |
| 60099 | Start sniffing <n> network | The packet capture tool was started by the user. |
| 60100 | Failed to start sniffer | An internal error occurred; packet capture cannot be performed. |
| 60101 | Sniffer was stopped, <n> packets were captured | The packet capturing session has been stopped by the user. |
| 60102 | Sniffer was cancelled | The packet capturing session has been cancelled by the user. |
| 60103 | Connection blocked by VStream | A connection has been blocked by VStream antivirus. |
| 60104 | VStream antivirus <new status> | VStream antivirus scanning has been enabled or disabled. |
| 60105 | Warning: No signatures database is installed. VStream antivirus scanning will not be performed. | No antivirus signatures database is installed; therefore antivirus scanning will not be performed. |
| 60106 | Your certificate has expired. Expiry date is <date> | The currently installed certificate is no longer valid. It should be renewed. |
| 60107 | Your CA certificate has expired. Expiry date is <date> | The currently installed CA certificate is no longer valid. It should be renewed. |
| 60108 | Sniffer buffer is full, <n> packets were captured | The packet capture has been stopped, since the capture buffer is full. |
| 60109 | Sniffer stopped | The packet capture has been stopped by the user. |
| 60110 | Failed to load VStream signatures databases | An invalid signatures database was received from the service center. |
| 60117 | VStream Error: <message> | An error has occurred in VStream Antivirus processing. |
| 60118 | Low free memory (User:<n> Kb, Kernel:<n> Kb, FW:<n> Kb) | The gateway is low on memory resources. If this warning message appears frequently, please contact support. |
| 60119 | VStream database was installed successfully | The antivirus signatures database has been updated. |
| 60120 | Warning: Some of the QoS settings are invalid, therefore QoS is temporarily disabled | Invalid QoS settings were received from the service center. |
Connection Log Reasons
| ID | Log message | Comments |
|---|---|---|
| 0 | Policy rule | A connection has been logged by an INSPECT firewall policy rule on your gateway. This may be the default security policy shipped with your appliance, or a customized policy downloaded from your service center. |
| 1 | Custom rule | A connection has been logged by a custom firewall rule defined locally on your gateway. To view your custom policy, connect to the "My Firewall" web interface, and click Security > Rules. |
| 2 | Short fragment | SmartDefense: An IP fragment is too short. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. This log message indicates that a fragment was found that is too short to be valid according to the IP protocol specifications. |
| 3 | Long fragment | SmartDefense: An IP fragment is too long. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. This log message indicates that a fragment was found that is too long to be valid according to the IP protocol specifications. |
| 4 | Ping of Death | SmartDefense: Ping of Death detected. PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. The "Ping of Death" is a malformed PING request that some operating systems are unable to correctly process. The attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB), causing vulnerable systems to crash. |
| 5 | LAND Attack | SmartDefense: LAND Attack detected. Some implementations of TCP/IP are vulnerable to SYN packets in which the source address and port are the same as the destination, i.e., spoofed. LAND is a widely available attack tool that exploits this vulnerability. |
| 6 | Overlapping Fragment | SmartDefense: Overlapping Fragments detected. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. |
| 7 | Teardrop | SmartDefense: Teardrop Attack detected. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. TearDrop is a widely available attack tool that exploits this vulnerability. Because proper reassembly is required for normal network operation, SmartDefense blocks attacks based on overlapping IP fragments even if the checkbox is deselected. By default, blocked attacks will be logged as "Overlapping fragment". |
| 8 | Spoofed IP | SmartDefense: IP Spoofing detected. IP address spoofing is a technique by which an intruder attempts to gain unauthorized access by altering a packet's source IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on an external network may be disguised as a local packet. If undetected, this packet will be processed by the rule base as having originated inside the firewall (i.e., possibly circumventing access controls). As such, it is important to verify where the packets originated. Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface. A Check Point enforcement point will block an illegal address. For example, an IP address from an external interface should not have a source address of an internal network. Legal addresses that are allowed to enter a Check Point enforcement point interface are determined by the topology of the network. |
| 10 | HotSpot | Secure HotSpot authentication is required. Secure HotSpot facilitates the creation of managed guest access networks (either wireless or wired) with configurable Web-based authentication, temporary user accounts and RADIUS integration. A connection was blocked since Secure HotSpot mode is enabled for the selected network. |
| 11 | TCP out of state | SmartDefense: TCP connection without corresponding SYN. Strict TCP controls the way the firewall handles all out-of-state TCP packets. Out-of-state packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. If you wish to have an extra strict policy, set the Strict TCP action to 'block'. |
| 12 | SYN attack | SmartDefense: A suspected SYN attack was detected. A TCP denial of service attack, which occurs when an attacker sends many SYN packets without finishing the TCP 3-way handshake. A successful SYN attack will cause the attacked host to be unable to accept new connections. |
| 13 | Duplicate fragments | SmartDefense: Too many duplicate fragments were detected. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of a large amount of duplicate IP fragments. When SmartDefense detects an excessive amount of duplicate IP fragments, it logs this event as "Duplicate Fragments". |
| 14 | Too many incomplete packets | SmartDefense: Virtual Defragmentation: Too many incomplete fragmented packets. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. the TTL is the same for all fragments), so that security checks can be run against the complete packet contents. An attacker may try to overload the defragmentation system by sending a large amount of incomplete packets. Such attempts are detected by SmartDefense and logged as "Too many incomplete packets". |
| 15 | Incomplete packet | SmartDefense: A packet was dropped since not all the fragments were received. When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. the TTL is the same for all fragments), so that security checks can be run against the complete packet contents. If some of the fragments of a certain fragmented packet are lost in transit, the packet is blocked by the firewall, and logged as an "Incomplete packet". |
| 16 | Ping too big | SmartDefense: A Ping packet is too large. PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker might echo the client with a large amount of data, for example, causing a buffer overflow. |
| 17 | Null payload | SmartDefense: Null payload ping attack. PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. Some worms, such as Sasser, use ICMP echo request packets with a null payload to detect potentially vulnerable hosts. When this protection is enabled, SmartDefense will identify and drop the null payload ping packets. |
| 18 | Welchia | SmartDefense: Welchia DoS attack detected. The Welchia worm uses the Microsoft DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity. |
| 19 | Christmas packet | SmartDefense: Christmas packet attack detected. A Christmas packet is an IP packet with every single option set. Christmas Tree packets can be used as a method of collecting intelligence on a specific TCP/IP stack, by sending Christmas packets and performing analysis on the response. This can allow an attacker to detect the specific operating system in use. If a Christmas packet is detected by SmartDefense, it is automatically blocked and logged. |
| 20 | Cisco IOS DoS | SmartDefense: Cisco IOS denial of service attack. Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A specially-crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast, PIM), which is handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface. |
| 21 | Fragmented packet | SmartDefense: Policy forbids fragmented packets. An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, by default, Embedded NGX reassembles all fragments prior to inspecting the packets. However, if you set "Forbid IP Fragments" to "True" in the SmartDefense > IP Fragments tab, all IP fragments will be forbidden and blocked. |
| 22 | Network Quota | SmartDefense: Network Quota exceeded. Network Quota enforces a limit upon the number of connections that are allowed from the same source IP address, to protect against Denial of Service (DoS) attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source, or track the event. |
| 23 | Stateless ICMP | SmartDefense: ICMP response with no ICMP request. ICMP allows one network node to ping, or send an echo request to, other network nodes to determine their operational status. This capability can be used to perpetrate a "Smurf" DoS attack. The Smurf attack is possible because standard ICMP does not match requests to responses. Therefore, an attacker can send a ping with a spoofed source IP address to an IP broadcast address. The IP broadcast address reaches all IP addresses in a given network. All machines within the pinged network send echo replies to the spoofed, and innocent, IP source. Too many pings and responses can flood the spoofed network and deny access for legitimate traffic. This type of attack can be blocked by dropping replies that don't match requests, as performed by Check Point's Stateful ICMP. These packets are logged as "Stateless ICMP". |
| 24 | FTP Bounce | SmartDefense: FTP bounce attack. When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine. |
| 25 | FTP port overflow | SmartDefense: FTP port overflow attack. FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas. Block Port Overflow rejects PORT commands that contain a number greater than 255. |
| 26 | FTP known port | SmartDefense: FTP known port attack. When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine. By enabling the "FTP Known Port" protection, you can specify whether to allow the FTP server to connect to well-known ports. This provides a second protection against certain FTP bounce attacks. The server will not let the bounce connect to any port running a known service. |
| 27 | FTP Illegal command | SmartDefense: Blocked FTP Command. Using the "Blocked FTP Commands" SmartDefense protection, you can select which FTP commands are allowed to pass through the firewall. This log message indicates that SmartDefense detected an attempt to use an FTP command that was not in the list of allowed FTP commands configured by the user. |
| 28 | Non TCP flooding | SmartDefense: Non TCP flooding attack. Hackers directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a State table. The State table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic, in an effort to fill up a firewall State table. This prevents the firewall from accepting new connections and results in a Denial of Service (DoS). SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of an enforcement point's state table. This eliminates the possibility of this type of attack. |
| 29 | Small PMTU | SmartDefense: Small PMTU DoS attack. Small PMTU is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server. |
| 30 | KaZaa | SmartDefense: KaZaa blocked/logged due to user policy. SmartDefense can block or log Kazaa. Kazaa is a popular Peer to Peer file sharing protocol, running over TCP port 1214 or over HTTP. |
| 31 | Skype | SmartDefense: Skype blocked/logged due to user policy. SmartDefense can block or log Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher, or HTTP, for peer to peer telephony. |
| 32 | BitTorrent | SmartDefense: BitTorrent blocked/logged due to user policy. SmartDefense can block or log BitTorrent, a file distribution network using Peer to Peer connections. BitTorrent uses ports from within the TCP port 6881 - TCP port 6889 range for file transfer. |
| 33 | eMule | SmartDefense: eMule blocked/logged due to user policy. SmartDefense can block or log eMule, a popular Peer to Peer protocol, used by various Peer to Peer clients, such as eMule, iMesh and others. |
| 34 | Gnutella | SmartDefense: Gnutella blocked/logged due to user policy. SmartDefense can block or log Gnutella, one of the most popular Peer to Peer protocols, used by applications such as Gnutella, BearShare, Shareaza, Morpheus and iMesh. |
| 35 | ICQ | SmartDefense: ICQ blocked/logged due to user policy. SmartDefense can block or log ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320. |
| 36 | Yahoo! Messenger | SmartDefense: Yahoo Messenger blocked/logged due to user policy. SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer. |
| 37 | Packet too small | SmartDefense: IP packet is too small. The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected an IP packet that is too small to be valid. |
| 38 | Length mismatch | SmartDefense: IP packet validation failed due to wrong length. The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a corrupt or invalid IP packet with an invalid length field. |
| 39 | Port 0 | SmartDefense: Connection to Port 0. Port 0 is not a legitimate destination port for TCP and UDP packets. If SmartDefense detects a packet with the destination port of 0, the packet is dropped and logged as "Port 0". |
40 Small TCP offset SmartDefense: Invalid TCP packet.
SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field. 41 Large TCP offset SmartDefense: Invalid TCP packet. SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field. 42 Bad source IP SmartDefense: Invalid source IP address. SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a packet with an invalid source IP address, such as a multicast address, a broadcast address, or a loopback address. 43 Corrupt TCP options SmartDefense: TCP options are invalid. SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid set of TCP options. 44 Short IGMP packet SmartDefense: IGMP packet is truncated.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates the detection of an IGMP packet that it too short to be valid. 45 IGMP TTL is not 1 SmartDefense: IGMP Time To Live must be 1.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates an IGMP packet that had a TTL (Time to Live) value other than 1. 46 IGMP to unicast IP SmartDefense: IGMP to Unicast IP addresses in invalid.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates that an IGMP packet was sent to a unicast IP address. 47 Encryption mismatch VPN: A cleartext packet was received from an IP address in the encryption domain. This log message indicates that a packet was received in clear text, when it was expected to be encrypted. This may either indicate an unauthorized attempt to access your VPN network, or a problem in your VPN setup which caused the two peers in a VPN link to disagree on which packets should be encrypted. 48 CIFS password buffer overrun SmartDefense: Microsoft File Sharing attack.
A worm is a self-replicating malware malicious software
that propagates by actively sending itself to new machines. CIFS, The Common Internet File System sometimes called SMB is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation. 58 Host port scan SmartDefense: Host Port Scan detected.
This log message indicates that a Host Port Scan was
detected. A host port scan is directed at a specific host or network. A scan can determine which services a host offers. For example, a host port scan could discover that a certain host has TCP ports 23, 25, and 110 open, meaning it offers the Telnet, SMTP, and POP3 services, respectively. 59 IP sweep scan SmartDefense: IP Sweep scanning detected. This log message indicates that an IP address sweep Scan was detected. An IP Sweep Scan looks for a specific open port and determines which hosts are listening in on that port. For example, IP Sweep Scans are used by network worms trying to find machines that they can propagate themselves. For example, the Blaster worm looks for the RPC service—searching the entire network looking for that single open service. 60 CIFS Worm SmartDefense: A worm is trying to spread via Microsoft File Sharing.
A worm is a self-replicating malware malicious software
that propagates by actively sending itself to new machines. CIFS, The Common Internet File System sometimes called SMB is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation. 63 HTTP Worm Catcher SmartDefense: A worm is trying to spread via HTTP.
A worm is a self-replicating malware [malicious software]
that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol. This SmartDefense protection allows you to detect and block worms based on pre-defined patterns.
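As an added illustration of the packet sanity and IGMP checks behind log IDs 37 to 46 above, the following Python re-implements them over raw IPv4 packets. This is example code written for this reference, not Check Point code; the exact conditions (the minimum sizes, the split between "small" and "large" TCP offset, and the address classes treated as a bad source) are assumptions, and the sample packets are constructed for the demonstration.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst

def sanity_check(pkt: bytes) -> list:
    """Return the names of the packet-sanity log messages a raw IPv4 packet would trigger."""
    findings = []
    if len(pkt) < 20:                              # shorter than a minimal IPv4 header
        return ["Packet too small"]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:                 # header length field points past the packet
        return ["Packet too small"]
    if total_len != len(pkt):                      # IP length field disagrees with the wire length
        findings.append("Length mismatch")
    src_ip = ipaddress.IPv4Address(src)
    if src_ip.is_multicast or src_ip.is_loopback or src_ip == ipaddress.IPv4Address("255.255.255.255"):
        findings.append("Bad source IP")
    payload = pkt[ihl:]
    if proto in (6, 17):                           # TCP or UDP: ports occupy the first 4 bytes
        if len(payload) < 4:
            findings.append("Packet too small")
        elif 0 in struct.unpack("!HH", payload[:4]):
            findings.append("Port 0")
        if proto == 6 and len(payload) >= 13:      # TCP data offset is the high nibble of byte 12
            offset = (payload[12] >> 4) * 4
            if offset < 20:                        # assumed: offset below the 20-byte minimum header
                findings.append("Small TCP offset")
            elif offset > len(payload):            # assumed: offset beyond the end of the segment
                findings.append("Large TCP offset")
    elif proto == 2:                               # IGMP
        if len(payload) < 8:
            findings.append("Short IGMP packet")
        if ttl != 1:
            findings.append("IGMP TTL is not 1")
        if not ipaddress.IPv4Address(dst).is_multicast:
            findings.append("IGMP to unicast IP")
    return findings

def build(proto, src, dst, payload, ttl=64, total_len=None):
    """Assemble a constructed IPv4 packet for testing (checksum left at 0)."""
    length = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack(IPV4_FMT, 0x45, 0, length, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed samples: a clean TCP SYN and the same segment aimed at destination port 0.
CLEAN = build(6, "10.0.0.5", "10.0.0.1", struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0))
PORT_ZERO = build(6, "10.0.0.5", "10.0.0.1", struct.pack("!HHIIBBHHH", 40000, 0, 1, 0, 0x50, 0x02, 8192, 0, 0))
```

Feeding a capture through sanity_check and counting the returned names gives a quick way to compare what a sensor would flag against the gateway's own log IDs.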