1 General Information Overview You can configure the freeGuard 100 to record various types of logs to one or more locations. You can also configure alert emails to notify administrators of specified events. This guide describes the basics of the freeGuard 100 logging configuration. For more information on configuring logging please see the Log &...
VPN. freeGuard 100 CLI Reference Guide Describes how to use the freeGuard 100 CLI and contains a reference to all freeGuard 100 CLI commands. Comments on freedom9 technical documentation Please send information about any errors or omissions in this document, or any freedom9 technical documentation, to support@freedom9.com.
100 Log Message Reference You can also register the freeGuard 100 UTM Firewalls at http://www.freedom9.com and modify your registration information at any time. freedom9 email support is available from the following address: support@freedom9.com When requesting technical support, please provide the following information: •...
2 Logging Configuration Overview You can configure the logging type, the logging severity level, and the logging location for the freeGuard 100 logs. You can also customize alert emails to notify administrators of selected events. This section provides a general overview of configuring logging and alert email. For more information about logging please see the Log &...
7. Repeat steps 2 through 6 to configure other logging locations. 8. Click “Apply”. 2.1.3 Alert email options You can configure the freeGuard 100 to send alert email to up to three recipients when selected events occur. Use the following settings to configure alert email: Authentication: select this option to enable authentication.
For each logging location you enable, you can create a customized log filter based on the log types described in the Log & Report section of the freeGuard 100 Administration Guide (Figure 1). Note: Log locations must be enabled in Log Setting to be available for selection...
Figure 1: Traffic and event log filter settings 2.1.6 Configuring log filters Configure log filters for each location to which you are saving logs. To configure log filters: 1. Go to Log&Report > Log Config > Log Filter.
2.2.1 Viewing log messages You can view and navigate log messages saved to the freeGuard 100 memory buffer (Figure 2). Figure 2: Viewing log messages To view log messages in the freeGuard 100 memory buffer: 1.
Choosing columns You can customize your log messages display using the Column Settings window. The column settings apply only when the formatted (not raw) display is selected. To change the columns in the log message display: 1.
3. If you want to search for log messages in a particular date range, select the From and To dates. 4. Select one of the following options: • all of the following - The message must contain all of the keywords •...
Traffic log messages only. SN = the session number referenced in a traffic log message. 3.1.1 Log types and sub-types The freeGuard 100 log messages are divided into the following types and sub-types which correspond to the settings you selected when configuring the Log Setting. Log type...
(Content Archive) 3.1.2 Logging severity levels The freeGuard 100 logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. Level name...
Critical: Functionality is affected. Critical level log messages include virus detection, out of memory, out of range, and routing problem messages. Error: An error condition exists and functionality is probably affected. Warning: Functionality might be affected. Warning level log messages include packet timer, interface problem, limit, and major configuration change messages.
3.2.1 Traffic log body With traffic logging enabled, the freeGuard 100 records all the traffic to and through the freeGuard 100 interfaces. For information on how to enable traffic logging, see “Enabling traffic logging”. An example traffic log body contains the following information: rule=<value_webtrend>...
tran_disp: The packet is source NAT translated or destination NAT translated. For descriptions of traffic log messages, see “Traffic log messages”. 3.2.2 Event log body Event logs record system activity, IPSec, DHCP, PPP, administration, high availability (HA) and firewall related events.
For descriptions of virus log messages, see “Antivirus log messages”. 3.2.5 Attack log body Attack logs record attacks detected by the freeGuard 100 intrusion prevention and detection systems. Each attack log message records the date and time at which the attack was made, the type of attack, and the source and destination IP addresses of the attack.
4 Log messages This section describes the following log messages: • Traffic log messages • Event log messages • Antivirus log messages • Attack log messages • Web filter log messages • Spam filter log messages Note: You can search for a specific message using the message ID, which is the last 5 digits of the log_id from the log message.
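The severity ordering in 3.1.2 and the message-ID rule in the note above can be applied mechanically when triaging exported logs. The following Python is an added example, not code from freedom9 or the freeGuard 100 firmware: it splits a record into its key=value fields (the body format used throughout this section), derives the message ID from the last five digits of log_id, and keeps only the records at or above a configured severity level. The sample records are constructed, and the header field names log_id and pri are assumed because this page does not show the record header.

```python
import re
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Severity levels named on this page, ordered from least to most severe.  The
# unit logs every message at or above the configured level, so selecting
# "error" keeps Error, Critical, Alert and Emergency messages.
SEVERITY_ORDER = ["information", "notification", "warning", "error",
                  "critical", "alert", "emergency"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# key=value pairs; a value is either a double-quoted string (which may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one log record into its key=value fields, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def message_id(record: Dict[str, str]) -> Optional[str]:
    """Message ID as used in section 4: the last five digits of log_id."""
    log_id = record.get("log_id", "")
    if not log_id.isdigit() or len(log_id) < 5:
        return None
    return log_id[-5:]


def is_logged(configured_level: str, record_level: str) -> bool:
    """True when a message at record_level survives a filter set to configured_level."""
    try:
        return SEVERITY_RANK[record_level.lower()] >= SEVERITY_RANK[configured_level.lower()]
    except KeyError as exc:
        # An unknown level name is a configuration error; do not silently drop it.
        raise ValueError(f"unknown severity level: {exc}") from None


def filter_records(lines: Iterable[str], configured_level: str) -> Iterator[Tuple[Optional[str], Dict[str, str]]]:
    """Yield (message_id, fields) for each record at or above configured_level."""
    for line in lines:
        record = parse_record(line)
        if "pri" in record and is_logged(configured_level, record["pri"]):
            yield message_id(record), record


# Constructed sample records, not captured from a real unit.  The header names
# log_id and pri are assumed; the leading digits of log_id are placeholders and
# the message bodies follow the formats described in section 4.
SAMPLE_LINES = [
    'log_id=0020020032 pri=critical msg="Interface wan1 not found in flash"',
    'log_id=0099099502 pri=information src=10.0.0.5 dst=203.0.113.9 '
    'src_int=internal dst_int=wan1 service=http status=passthrough '
    'profile=default cat=42 cat_desc="Web Hosting" url="http://example.com/" msg="monitored"',
    'log_id=0080080004 pri=notification src=10.0.0.6 dst=203.0.113.25 '
    'src_int=internal dst_int=wan1 service=SMTP status=detected '
    'msg="the email contains banned header"',
]

if __name__ == "__main__":
    for mid, rec in filter_records(SAMPLE_LINES, "notification"):
        print(mid, rec["pri"], rec.get("msg"))
```

Quoted values are handled before unquoted ones so that a msg field containing spaces or an embedded key=value string is not split into spurious fields; an unknown severity name raises rather than silently discarding the record, which is the failure mode that matters when a filter is supposed to keep Critical and Emergency messages.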
Message ID: Severity: Information Message: modem: Redial limit exceeded... giving up Meaning: The freeGuard 100 has attempted to redial the ISP from the modem and could not connect. Action: Reset the modem to retry the connection. Message ID: 20002...
Message ID: 20032 Severity: Critical Message: Interface <interface_name> not found in <memory_sector> Meaning: The freeGuard 100 cannot find the specified interface. Action: Check the configuration of the interface and check any physical connections. Message ID: 20033 Severity: Information Message:...
Meaning: The value to be placed in MTU options sent by the router must be either zero or within the specified range for the specified interface. A value of zero indicates that no MTU options are sent. Action: Reconfigure the router according to the range. Message ID: 20039...
Action: As above. Message ID: 20045 Severity: Critical Message: invalid prefix length for <string> Meaning: The prefix length is too long. Action: Adjust the prefix length. Message ID: 20046 Severity: Critical Message: AdvValidLifetime must be greater than AdvPreferredLifetime for <string>...
Severity: Information Message: radvd receive signal=<value_signal>\n Meaning: The IPv6 router advertisement daemon received the specified signal and is going to exit. Action: None. Message ID: 20055 Severity: Critical Message: Can not create query to interface at <string>:<string>:<value>! Meaning: The IPv6 router advertisement daemon cannot create a query to the interface using cmf_query_create().
Message: our AdvCurHopLimit on <interface_name> doesn't agree with <interface_name> Meaning: The AdvCurHopLimit on the specified freeGuard 100 interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). Action: Configure the interfaces with the same AdvCurHopLimit value.
Message: our AdvRetransTimer on <interface_name> doesn't agree with <interface_name> Meaning: The AdvRetransTimer value on the specified freeGuard 100 interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). Action: Configure the interfaces with the same AdvRetransTimer value.
AdvPreferredLifetime on <interface_name> for <value> doesn't agree with <interface_name> Meaning: The AdvPreferredLifetime value on the specified freeGuard 100 interface does not agree with the value on the specified remote interface. Action: Configure the interfaces with the same AdvPreferredLifetime value.
The following log messages are generated by IPSec negotiation events. Message ID: 23001 Severity: Critical Message: freeGuard 100 report: replay packet is detected, <ip_address_source>-><ip_address_dest>, seq=%ld Meaning: The IPsec negotiation daemon has detected a replayed packet (one whose sequence number has already been accepted) from the specified source to the specified destination. Action: Determine whether the replayed packet is legitimate, for example a retransmission caused by packet loss, rather than a replay attack.
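Message 23001 is the output of an anti-replay check on the sequence number carried in every IPsec packet. The following Python is an added example, not the freeGuard 100 implementation: it is the sliding-window algorithm of RFC 4303 Appendix A with a 64-packet window, run over a constructed sequence of packets so that the three verdicts a practitioner meets in practice (accepted, replayed, too old to judge) are all exercised. It assumes 32-bit sequence numbers and that the packet's integrity check has already passed, which is the order the RFC requires.

```python
class AntiReplayWindow:
    """Sliding anti-replay window over 32-bit IPsec sequence numbers (RFC 4303 App. A).

    `last` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (last - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.last = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Classify `seq` and, if accepted, record it in the window.

        Returns "accept", "replay" (already seen, which is what message 23001
        reports), "stale" (older than the window, so it cannot be judged and is
        dropped) or "invalid" (sequence number 0 is never transmitted).
        A real receiver updates the window only after the ICV has verified.
        """
        if seq <= 0:
            return "invalid"
        if seq > self.last:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1          # everything previously seen falls off
            self.last = seq
            return "accept"
        diff = self.last - seq
        if diff >= self.size:
            return "stale"
        bit = 1 << diff
        if self.bitmap & bit:
            return "replay"
        self.bitmap |= bit               # late but inside the window: accept once
        return "accept"


def classify_sequence(seqs, window_size=64):
    """Run one receiver-side window over a list of sequence numbers."""
    win = AntiReplayWindow(window_size)
    return [(seq, win.check(seq)) for seq in seqs]


# Constructed packet sequence (not a capture): in-order delivery, one reorder
# (5 before 4), a duplicate of 3, a large jump, an ancient packet, and a
# duplicate of 100.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 100, 2, 99, 100]

if __name__ == "__main__":
    for seq, verdict in classify_sequence(SAMPLE_SEQS):
        print(f"seq={seq:<4} {verdict}")
```

The seq value in message 23001 is the duplicated number; a burst of "replay" verdicts whose numbers are far behind the receiver's high-water mark is the signature of captured traffic being played back, whereas isolated duplicates just behind the current position are usually retransmissions. Links with heavy reordering need a window larger than 64 or legitimate late packets will be dropped as "stale".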
Message: dhcp_msg={Discover | Offer | Request | Ack | Release} dir={<sent> | <received>} mac=<mac_address> ip=<ip_address> lease=<lease_time> msg={A client broadcasts a DHCPDISCOVER message | Server responds with offer of configuration parameters | Client requests IP address/configuration...
Critical Message: vfid-<vdom_id> is bigger than the table-<value>\n Meaning: The returned ID of the virtual domain is invalid. Action: Ensure the virtual domain of that name is configured in the freeGuard 100. Message ID: 29021 Severity: Information Message: pptp of domain-<domain_name> is not configured Meaning: PPTP for the specified domain is not configured.
Message ID: 29022 Severity: Warning Message: All IP address of pptp in domain-<domain_name> are assigned Meaning: There are no more available IP addresses for the specified domain. Action: Reassign IP addresses or increase the range.
The specified user has failed to log in after three attempts from either a network address or via a console connection. After five failed login attempts, the freedom9 device automatically terminates the connection. Action: Ensure administrators and users have the correct login information.
Message: user=<user_name> ui={GUI | CLI | console | LCD} name=<user_name> status={enable | disable} msg="User <user_name> added a local user from {GUI | CLI | console | LCD}" Meaning: The user added a new local user. Action: None.
| CLI | console | LCD} action=reboot msg="User <user_name> rebooted the device from {GUI | CLI | console | LCD}" Meaning: The user rebooted the freeGuard 100. The user shut down the freeGuard 100. Action: None. Message ID:...
HA master became slave | HA move to standby state | Detected HA member dead | Detected new joined HA member Meaning: As described in the message. Action: None Message ID: 35001 Severity: Warning Message: ip=<ip_address> ha-prio=%d msg=<string> Meaning: HA monitor port report, as described in the message.
Severity: Warning Message: File <file name> is infected. Meaning: The specified file is infected with a virus detected by the freeGuard 100. Action: Ensure the virus is cleaned and that alerts are issued. 4.4 Attack log messages 4.4.1 Signature The following log message is generated when an attack signature is found.
A rating error occurred and the policy allows URLs when a rating error occurs. Action: None Message ID: 93006 Severity: Critical Message: hostname=<url> msg="gethostbyname() failed: <hostname>” Meaning: Cannot resolve the name of the freeGuard 100 server; the gethostbyname() lookup for <hostname> failed. Action: Check the DNS and server settings. Message ID: 93007 Severity: Critical...
Delete logs to free some memory. Message ID: 93009 Severity: Critical Message: hostname=<url> msg="gethostbyname() failed: <hostname>” Meaning: Cannot resolve the name of the freeGuard 100 server; the gethostbyname() lookup for <hostname> failed. Action: Check the DNS and server settings. Message ID: 93013 Severity: Critical Message: Category block is enabled but no rating server is enabled.
Action: None Message ID: 99502 Severity: Information Message: src=<ip_address> dst=<ip_address> src_int=<interface_name> dst_int=<interface_name> service=http status=<string> profile=<prot_profile> cat=<category_num> cat_desc=<string> url=<url> msg=<string> Meaning: A Web site was monitored by the Web category filtering service. The client and server addresses, the protection profile applied, and the category and URL that was monitored are listed in the log message.
Meaning: The email message from the specified source was blocked because the source email address is marked as spam by the email address list. Action: None Message ID: 80004 Severity: Notification Message: src=<ip_address> dst=<ip_address> src_int=<interface_name> dst_int=<interface_name> service=SMTP status=detected msg="the email contains banned header"...
Meaning: The email message from the specified source was blocked because the source IP address is on a DNSBL or an ORDBL. Action: None Message ID: 83002 Severity: Notification Message: src=<ip_address> dst=<ip_address> src_int=<interface_name> dst_int=<interface_name> service=POP3 status=detected msg="smtphelo/ehlo domain name DNS check failed."...
Message ID: 86000 Severity: Notification Message: src=<ip_address> dst=<ip_address> src_int=<interface_name> dst_int=<interface_name> service=POP3 status=detected msg="from ip is in ip blacklist" Meaning: The email message from the specified source was blocked because the source IP address is marked as spam by the IP address list. Action: None Message ID:
The email message from the specified source was blocked because it contains a word from the banned word list. Action: None 4.7 Content archive messages The freeGuard 100 archives content meta-data for web and email traffic content. 4.7.1 HTTP The following message is generated when archiving HTTP meta-data. Message ID: 06250...
4.7.4 POP3 The following message is generated when archiving POP3 meta-data. Message ID: 06280 Severity: Information Message: <ContLogVersionNo>:<SessionNo>:<clientIP><-><serverIP>:<infectionStatus>:<SizeSent>:f/t=<from/to>:<attachment (1=yes, 0=no)> Action: None 4.7.5 IMAP The following message is generated when archiving IMAP meta-data. Message ID: 06290 Severity: Information Message: <ContLogVersionNo>:<SessionNo>:<clientIP><-><serverIP>:<infectionStatus>:<SizeSent>:f/t=<from/to>:<attachment (1=yes, 0=no)>
10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100 Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps. And the newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.
ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP’s routers must support L2TP. Internet Protocol Security (IPSec): A set of protocols that support secure exchange of packets at the IP layer.
IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.
6 Certifications This equipment has been tested and found to comply with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference. (2) This device must accept any interference received, including interference that may cause undesired operation.