D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
Preface
Audience
The target audience for this reference guide consists of:
• Administrators that are responsible for configuring and managing a NetDefendOS installation.
• Administrators that are responsible for troubleshooting a NetDefendOS installation.
This guide assumes that the reader is familiar with NetDefendOS and understands the fundamentals of IP network security.
The following abbreviations are used throughout this reference guide:
Table 1. Abbreviations
Abbreviation, Full name
Application Layer Gateway
Address Resolution Protocol
DHCP: Dynamic Host Configuration Protocol
Domain Name System
Encapsulating Security Payload
File Transfer Protocol
High Availability
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
Intrusion Detection System...
Chapter 1. Introduction
• Log Message Structure
• Context Parameters
• Severity levels
This guide is a reference for all log messages generated by NetDefendOS. It is designed to be a valuable information source for both management and troubleshooting.
1.1.
1.1. Log Message Structure
is never actually included in the log message.
Explanation: A detailed explanation of the event. Note that this information is only featured in this reference guide, and is never actually included in the log message.
Gateway Action: A short string, 1-3 words separated by _, of what action NetDefendOS will take.
1.2. Context Parameters
In many cases, information regarding a certain object is featured in the log message. This can be information about, for example, a connection. In this case, the log message should, besides all the normal log message attributes, also include information about which protocol is used, source and destination IP addresses and ports (if applicable), and so on.
ipproto: The IP Protocol.
ipdatalen: The IP data length.
[srcport]: The source port. Valid if the protocol is TCP or UDP.
[destport]: The destination port. Valid if the protocol is TCP or UDP.
[tcphdrlen]: The TCP header length.
connection is closing or closed.
Specifies the name and a description of the signature that triggered this event.
Note: For IDP log messages an additional log receiver, an SMTP log receiver, can be configured. This information is only sent to log receivers of that kind, and not included in the Syslog format.
timedout, disallowed_login, accounting and unknown.
username: The name of the user that triggered this event.
srcip: The source IP address of the user that triggered this event.
OSPF: Additional information about OSPF.
logsection: The OSPF section. Possible values: packet, hello, ddesc, exchange, lsa, spf, route and unknown.
1.3. Severity levels
An event has a default severity level, based on how serious the event is. The following eight severity levels are possible, as defined by the Syslog protocol:
0 - Emergency: Emergency conditions, which most likely led to the system being unusable.
Chapter 2. Log Message Reference
ALGs or try to free up some RAM depending on the situation.
Revision

2.1.5. invalid_client_http_header_received (ID: 00200100)
Default Severity: WARNING
Log Message: HTTPALG: Invalid HTTP header was received from the client. Closing Connection.
2.1.8. suspicious_data_received (ID: 00200106)
specified that no such data should be sent.
Gateway Action: closing_connecion
Recommended Action: Research the source of this, and try to find out why the client is sending an invalid request.
Revision
Parameters: algname...
2.1.10. invalid_server_http_header_received (ID: 00200108)
Default Severity: WARNING
Log Message: HTTPALG: An invalid HTTP header was received from the server. Closing connection. ALG name: <algname>.
Explanation: An invalid HTTP header was received from the server.
Gateway Action: closing_connecion
Recommended Action...
Gateway Action: close
Recommended Action: If the maximum number of HTTP sessions is too low, increase it.
Revision
Parameters: max_sessions
Context Parameters: ALG Module Name

2.1.13. failed_create_new_session (ID: 00200111)
Default Severity: CRITICAL
Log Message: HTTPALG: Failed to create new HTTPALG session (out of memory)
2.1.16. wcf_override_full (ID: 00200114)
Explanation: The filetype of the file does not match the actual content type. As there is a content type mismatch, data is discarded.
Gateway Action: block_data
Recommended Action: None.
Revision
Parameters: filename, filetype, contenttype...
2.1.19. blocked_filetype (ID: 00200117)
Explanation: The data received from the server exceeds the maximum allowed download file size; the request is rejected and the connection is closed.
Gateway Action: close
Recommended Action: If the configurable maximum download size is too low, increase it.
Revision
Parameters: filename...
2.1.22. wcf_srv_connection_error (ID: 00200120)
Default Severity: CRITICAL
Log Message: HTTPALG: Failed to connect to web content servers
Explanation: Web Content Filtering was unable to connect to the Web Content Filtering servers. Verify that the unit has been configured with Internet access.
Recommended Action: None.
Revision
Parameters: failedserver
Context Parameters: ALG Module Name

2.1.30. wcf_server_bad_reply (ID: 00200128)
Default Severity: ERROR
Log Message: HTTPALG: Failed to parse WCF server response
Explanation: The WCF service could not parse the server response. The WCF transmission queue is reset and a new server connection will be established.
2.1.33. wcf_bad_sync (ID: 00200131)
Default Severity: CRITICAL
Log Message: HTTPALG: Failed to allocate memory
Explanation: The unit does not have enough available RAM.
Gateway Action: none
Recommended Action: Try to free up some RAM by changing configuration parameters.
Revision
Context Parameters: ALG Module Name...
2.1.40. url_reclassification_request (ID: 00200139)
Restricted Site Notice was applied.
Gateway Action: allow
Recommended Action: Disable the RESTRICTED_SITE_NOTICE mode of parameter CATEGORIES for this ALG.
Revision
Parameters: user, algname
Context Parameters: Connection, Connection, ALG Module Name, ALG Session ID
2.1.40.
Revision
Context Parameters: ALG Module Name

2.1.42. max_smtp_sessions_reached (ID: 00200150)
Default Severity: WARNING
Log Message: SMTPALG: Maximum number of SMTP sessions (<max_sessions>) for service reached. Closing connection
Explanation: The maximum number of concurrent SMTP sessions has been reached for this service.
Gateway Action: close
Recommended Action: Decrease the maximum allowed SMTPALG sessions, or try to free some of the RAM used.
Revision
Context Parameters: ALG Module Name

2.1.45. failed_connect_smtp_server (ID: 00200153)
Default Severity: ERROR
Log Message: SMTPALG: Failed to connect to the SMTP Server.
2.1.48. sender_email_id_mismatched (ID: 00200157)
Recommended Action: Disable the Verify E-Mail Sender ID setting if you experience that valid e-mails are being wrongly tagged.
Revision
Parameters: sender_email_address, recipient_email_addresses, data_sender_address
Context Parameters: ALG Module Name, ALG Session ID
2.1.48.
2.1.51. some_recipient_email_ids_are_in_blocklist (ID: 00200160)
Default Severity: WARNING
Log Message: SMTPALG: Recipient e-mail address is in Black List
Explanation: Since "RCPT TO:" e-mail address is in Black List, SMTP ALG rejected the client request.
Gateway Action: reject
Recommended Action: None.
2.1.56. max_email_size_reached (ID: 00200170)
Default Severity: WARNING
Log Message: SMTPALG: Content type mismatch in file <filename>. Identified filetype <filetype>
Explanation: The filetype of the file does not match the actual content type. As there is a content type mismatch, data is discarded.
Gateway Action: block_data
Recommended Action...
Recommended Action: Content type should be matched.
Revision
Parameters: filename, filetype, sender_email_address, recipient_email_addresses
Context Parameters: ALG Module Name, ALG Session ID

2.1.58. all_recipient_email_ids_are_in_blocklist (ID: 00200172)
Default Severity: WARNING
Log Message: SMTPALG: All recipients e-mail addresses are in Black List
Explanation: Since "RCPT TO:"...
2.1.61. dnsbl_init_error (ID: 00200177)
Log Message: SMTPALG: Invalid end of mail "\\n.\\n" received.
Explanation: The client is sending invalid end of mail. Transaction will be terminated.
Gateway Action: block
Recommended Action: Research how the client is sending invalid end of mail.
Revision
Parameters: sender_email_address...
2.1.70. illegal_data_direction (ID: 00200202)
Log Message: SMTPALG: Whitelist override DNSBL result for Email.
Explanation: Email was marked as SPAM by DNSBL. As Email Id was matched in whitelist, this mark is removed.
Gateway Action: none
Recommended Action: None.
2.1.78. illegal_command (ID: 00200215)
Default Severity: WARNING
Log Message: FTPALG: PORT command not allowed from <peer>. Rejecting command
Explanation: The client tried to issue a "PORT" command, which is not valid since the client is not allowed to do active FTP. The command will be rejected.
Recommended Action: The FTP client could be compromised, and should not be trusted.
Revision
Parameters: peer, ip4addr, string
Context Parameters: ALG Module Name, ALG Session ID, Connection

2.1.80. illegal_port_number (ID: 00200217)
Default Severity: CRITICAL
Log Message...
ALG Session ID, Connection

2.1.82. illegal_command (ID: 00200219)
Default Severity: WARNING
Log Message: FTPALG: SITE EXEC from <peer> not allowed, rejecting command
Explanation: The client tried to issue a "SITE EXEC" command, which is not valid since the client is not allowed to do this.
string
Context Parameters: ALG Module Name, ALG Session ID, Connection

2.1.92. illegal_reply (ID: 00200231)
Default Severity: WARNING
Log Message: FTPALG: Unsolicted 227 (passive mode) response from <peer>. String=<string>. Closing connection.
Explanation: An illegal response was received from the server, and the connection is closed.
2.1.95. bad_ip (ID: 00200234)
Log Message: FTPALG: Bad port <port> from <peer>, should be within the range (<range>). String=<string>. Closing connection.
Explanation: An illegal "PORT" command was received from the server. It requests that the client should connect to a port which is out of range. This is not allowed, and the connection will be closed.
2.1.103. failure_connect_ftp_server (ID: 00200243)

2.1.102. failed_create_new_session (ID: 00200242)
Default Severity: ERROR
Log Message: FTPALG: Failed to create new FTPALG session (out of memory)
Explanation: An attempt to create a new FTPALG session failed, because the unit is out of memory.
2.1.105. failed_to_send_command (ID: 00200251)
Default Severity: NOTICE
Log Message: FTPALG:Failed to send the command.
Explanation: The command sent by the ALG to the server could not be sent.
Gateway Action: none
Recommended Action: None.
2.1.114. encode_failed (ID: 00200303)
Default Severity: WARNING
Log Message: H323ALG: Decoding of message from peer failed. Closing session
Explanation: The H.225 parser failed to decode the H.225 message. The ALG session will be closed.
Gateway Action: close
Recommended Action: None.
2.1.119. max_tcp_data_connections_exceeded (ID: 00200308)
Explanation: The H.245 encoder failed to encode the message. The ALG session will be closed.
Gateway Action: close
Recommended Action: None.
Revision
Parameters: peer
Context Parameters: ALG Module Name, ALG Session ID, Connection
2.1.119.
Context Parameters: ALG Module Name, ALG Session ID, Connection

2.1.121. ignoring_channel (ID: 00200310)
Default Severity: WARNING
Log Message: H323ALG: Ignoring mediaChannel info in openLogicalChannel
Explanation: Media channel information in the openLogicalChannel message is not handled.
have been released.
Gateway Action: close
Recommended Action: If the maximum number of H.323 session is too low, increase it.
Revision
Parameters: max_sessions
Context Parameters: ALG Module Name

2.1.124. failed_create_new_session (ID: 00200313)
Default Severity: WARNING
Log Message...
2.1.127. failure_connect_h323_server (ID: 00200316)
Explanation: Could not create a new H.323 gatekeeper session due to lack of memory. No more sessions can be created unless the system increases the amount of free memory.
Gateway Action: close
Recommended Action: None.
Context Parameters: ALG Module Name

2.1.143. failed_create_new_session (ID: 00200365)
Default Severity: ERROR
Log Message: TFTPALG: Failed to create new TFTPALG session (out of memory)
Explanation: An attempt to create a new TFTPALG session failed, because the unit is out of memory.
2.1.149. options_removed (ID: 00200371)
Log Message: TFTPALG: Received bytes <received> exceeding allowed max value <maxvalue>
Explanation: Transferred bytes exceeding allowed value. Closing connection.
Gateway Action: close
Recommended Action: If the connection should be allowed, modify the filetransfersize option of the TFTP ALG configuration.
2.1.152. invalid_error_message_received (ID: 00200374)
Default Severity: ERROR
Log Message: TFTPALG: Failed create listening connection,internal error(<error_code>). Closing session
Explanation: The unit failed to create listening connection, resulting in that the ALG session could not be successfully opened.
Gateway Action: close
Recommended Action...
Context Parameters: ALG Module Name

2.1.154. failed_create_new_session (ID: 00200381)
Default Severity: WARNING
Log Message: POP3ALG: Failed to create new POP3ALG session (out of memory)
Explanation: An attempt to create a new POP3ALG session failed, because the unit is out of memory.
2.1.157. blocked_filetype (ID: 00200384)
Default Severity: NOTICE
Log Message: POP3ALG: Requested file:<filename> is blocked as this file is identified as type <filetype>, which is in block list.
Explanation: The file is present in the block list. It will be blocked as per configuration.
Revision
Parameters: filename, filetype, sender_email_address
Context Parameters: ALG Module Name, ALG Session ID

2.1.160. possible_invalid_mail_end (ID: 00200387)
Default Severity: WARNING
Log Message: POP3ALG: Possible invalid end of mail "\\n.\\n" received.
Explanation: The client is sending possible invalid end of mail.
2.1.163. content_type_mismatch (ID: 00200390)
Explanation: The server is sending response with invalid response length. The response will be blocked.
Gateway Action: block
Recommended Action: None.
Revision
Parameters: command"
Context Parameters: ALG Module Name, ALG Session ID
2.1.163.
Recommended Action: If the command is to be allowed, change the ALG configuration.
Revision
Parameters: command"
Context Parameters: ALG Module Name, ALG Session ID

2.1.168. unexpected_mail_end (ID: 00200396)
Default Severity: WARNING
Log Message: POP3ALG: Unexpected end of mail received while parsing mail content.
2.1.174. tls_alert_received (ID: 00200453)
Log Message: TLSALG: Failed to connect to the HTTP Server. Closing connection. ALG name: <algname>.
Explanation: The unit failed to connect to the HTTP Server, resulting in that the ALG session could not be successfully opened.
Gateway Action: close
Recommended Action...
2.1.176. tls_alert_sent (ID: 00200455)
Default Severity: ERROR
Log Message: TLSALG: Sent TLS <alert> alert to peer.
Explanation: A TLS error has occurred that caused an alert to be sent to the peer. The TLS ALG session will be closed.
Recommended Action: None.
Revision
Parameters: algname
Context Parameters: ALG Module Name, ALG Session ID

2.1.179. tls_disallowed_key_exchange (ID: 00200458)
Default Severity: WARNING
Log Message: TLSALG: Disallowed key exchange.
Explanation: The TLS ALG session will be closed because there are not enough resources to process any TLS key exchanges at the moment.
2.1.182. tls_no_shared_cipher_suites (ID: 00200461)
Default Severity: ERROR
Log Message: TLSALG: Bad TLS handshake message order.
Explanation: A TLS handshake message of a type that is not expected in the current state of the handshake was received. The TLS ALG session will be closed.
ALG Session ID

2.1.184. tls_failed_to_verify_finished (ID: 00200463)
Default Severity: ERROR
Log Message: TLSALG: Failed to verify finished message.
Explanation: The unit failed to verify the TLS finished message. The finished message is used to verify that the key exchange and authentication processes were successful.
2.1.192. sip_signal_timeout (ID: 00200507)
Default Severity: ALERT
Log Message: Registration hijack attempt detected
Explanation: The number of registration attempts [reg_hijack_count] has been exceeded.
Gateway Action: drop
Recommended Action: Check with the user, why he is using false authentication to register.
Revision
Parameters: reg_hijack_count...
Revision
Parameters: transaction_state, from_uri, to_uri, srcip, srcport, destip, destport
Context Parameters: ALG Module Name

2.1.208. no_route_found (ID: 00200526)
Default Severity: ERROR
Log Message: SIPALG: Failed to find route for given host
Explanation: No route information found for the given host.
to_uri, srcip, srcport, destip, destport
Context Parameters: ALG Module Name

2.1.215. failed_to_modify_from (ID: 00200533)
Default Severity: ERROR
Log Message: SIPALG: Failed to modify FROM tag in message
Explanation: Failed to modify the FROM tag in message for [method] request.
Gateway Action: drop
Recommended Action...
2.1.226. failed_to_modify_contact (ID: 00200547)
Log Message: Failed to do dns resolve
Explanation: An attempt to resolve dns failed. Reason: [reason].
Gateway Action: drop
Recommended Action: Check if the dns servers are configured.
Revision
Parameters: reason
Context Parameters: ALG Module Name
2.1.226.
Context Parameters: ALG Module Name

2.1.240. failed_to_modify_sat_request (ID: 00200561)
Default Severity: ERROR
Log Message: SIPALG: Failed to modify the SAT request
Explanation: Failed to modify request IP to SAT destination IP in the [method] request.
Gateway Action: close
Recommended Action: Decrease the maximum allowed PPTPALG sessions, or try to free some of the RAM used.
Revision
Context Parameters: ALG Module Name

2.1.243. failed_connect_pptp_server (ID: 00200603)
Default Severity: ERROR
Log Message: PPTPALG: Failed to connect to the PPTP Server.
Recommended Action: None.
Revision
Context Parameters: ALG Session ID, ALG Module Name

2.1.246. pptp_tunnel_removed_server (ID: 00200606)
Default Severity: NOTICE
Log Message: PPTPALG: PPTP tunnel between server and security gateway removed
Explanation: A PPTP tunnel has been removed between the PPTP server and the PPTP-ALG.
Context Parameters: ALG Session ID, ALG Module Name

2.1.249. pptp_malformed_packet (ID: 00200609)
Default Severity: WARNING
Log Message: Malformed packet received from <remotegw> on <iface>
Explanation: A malformed packet was received by the PPTP-ALG.
Gateway Action: drop
Recommended Action...
Revision
Parameters: type, algname, ipaddr

2.2.4. dnsbl_ipcache_remove (ID: 05900811)
Default Severity: NOTICE
Log Message: IP <ipaddr> removed from IP Cache for <algname> due to timeout
Explanation: An IP address was removed from the IP Cache due to timeout.
Gateway Action: none
Recommended Action...
Parameters: type, algname, ipaddr

2.2.7. dnsbl_ipcache_add (ID: 05900814)
Default Severity: NOTICE
Log Message: Session for IP <ipaddr> for <algname> is done with result <result>
Explanation: An IP address was added to the IP Cache.
Gateway Action: none
Recommended Action...
algname, ipaddr

2.2.13. dnsbl_record_truncated (ID: 05900820)
Default Severity: WARNING
Log Message: DNSBL name not fit buffer for Session with IP <ipaddr> for <algname>
Explanation: DNSBL name will not fit the string buffer and will be truncated.
Gateway Action: none
Recommended Action...
2.3. ANTIVIRUS
These log messages refer to the ANTIVIRUS (Anti-virus related events) category.

2.3.1. virus_found (ID: 05800001)
Default Severity: WARNING
Log Message: Virus found in file <filename>. Virus Name: <virusname>. Signature: <virussig>. Advisory ID: <advisoryid>.
Explanation: A virus has been detected in a data stream.
2.3.3. excluded_file (ID: 05800003)
Default Severity: NOTICE
Log Message: File <filename> is excluded from scanning. Identified filetype: <filetype>.
Explanation: The named file will be excluded from anti-virus scanning. The filetype is present in the anti-virus scan exclusion list.
Gateway Action: allow_data_without_scan
Recommended Action...
2.3.6. compression_ratio_violation (ID: 05800006)
Explanation: The file could not be scanned by the anti-virus module since the decompression of the compressed file failed. Since anti-virus is running in audit mode, the data transfer will be allowed to continue.
Gateway Action: allow_data
Recommended Action...
Context Parameters: ALG Module Name, ALG Session ID, Connection

2.3.10. out_of_memory (ID: 05800010)
Default Severity: ERROR
Log Message: Out of memory
Explanation: Memory allocation failed. Since anti-virus is running in protect mode, the data transfer will be aborted in order to protect the receiver.
2.3.13. no_valid_license (ID: 05800015)
Log Message: Anti-virus scan engine failed for the file: <filename>
Explanation: An error occurred in the anti-virus scan engine. Since anti-virus is running in audit mode, the data transfer will be allowed to continue.
Gateway Action: allow_data
Recommended Action...
2.3.16. out_of_memory (ID: 05800018)
Default Severity: CRITICAL
Log Message: AVSE: Virus scanning aborted. General error occured during initialization.
Explanation: Anti-virus scanning is aborted since the scan engine returned a general error during initialization.
Gateway Action: av_scanning_aborted
Recommended Action: Try to restart the unit in order to solve this issue.
ALG Session ID, Connection

2.3.18. decompression_failed_encrypted_file (ID: 05800025)
Default Severity: WARNING
Log Message: Decompression failed for file <filename>. The file is encrypted.
Explanation: The file could not be scanned by the anti-virus module since the compressed file is encrypted with password protection.
2.3.21. unknown_encoding (ID: 05800184)
Default Severity: WARNING
Log Message: SMTPALG: Content transfer encoding is unknown or not present.
Explanation: Antivirus module cannot scan the attachment since the transfer encoding is missing or unknown. Fail Mode is allow so data is allowed without scanning.
2.4. ARP
These log messages refer to the ARP (ARP events) category.

2.4.1. already_exists (ID: 00300001)
Default Severity: NOTICE
Log Message: An entry for this IP address already exists
Explanation: The entry was not added as a previous entry for this IP address already exists in the ARP table.
2.4.4. arp_response_broadcast (ID: 00300004)
Default Severity: NOTICE
Log Message: ARP response is a broadcast address
Explanation: The ARP response has a sender address which is a broadcast address. Allowing.
Gateway Action: allow
Recommended Action: If this is not the desired behaviour, modify the configuration.
2.4.8. hwaddr_change (ID: 00300008)

2.4.7. mismatching_hwaddrs_drop (ID: 00300007)
Default Severity: NOTICE
Log Message: ARP hw sender does not match Ethernet hw sender. Dropping
Explanation: The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address.
2.4.17. hwaddr_change_drop (ID: 00300055)

2.4.16. arp_collides_with_static (ID: 00300054)
Default Severity: WARNING
Log Message: Known entry is <knowntype> <knownip>=<knownhw>. Dropping
Explanation: The hardware sender address does not match the static entry in the ARP table. Static ARP changes are not allowed. Dropping packet.
Gateway Action: drop
Recommended Action...
2.5. AVUPDATE
These log messages refer to the AVUPDATE (Antivirus Signature update) category.

2.5.1. av_db_update_failure (ID: 05000001)
Default Severity: ALERT
Log Message: Update of the Anti-virus database failed, because of <reason>
Explanation: The unit tried to update the anti-virus database, but failed. The reason for this is specified in the "reason"...
2.5.5. av_detects_invalid_system_time (ID: 05000005)
Log Message: Anti-virus database could not be updated, as no valid subscription exist
Explanation: The current license does not allow the anti-virus database to be updated.
Gateway Action: None
Recommended Action: Check the system's time and/or purchase a subscription.
2.6. BLACKLIST
These log messages refer to the BLACKLIST (Blacklist events) category.

2.6.1. failed_to_write_list_of_blocked_hosts_to_media (ID: 04600001)
Default Severity: CRITICAL
Log Message: Failed to write list of blocked hosts to media
Explanation: Failed to write list of blocked hosts to media. The media might be corrupted.
2.6.5. packet_blacklisted (ID: 04600005)
Default Severity: NOTICE
Log Message: Found <blacklisted_host> in blacklist. Triggered rule <rule>, description: <description>. Protocol: <proto>, IP: <ip>, Port: <port>.
Explanation: A blacklist entry was added which matched the IP address of this connection.
2.6.6. packet_blacklisted (ID: 04600006)
Recommended Action: Investigate threshold or IntrusionDetection rules that could have triggered dynamic blacklisting.
Revision
Parameters: rule, description, proto, port...
2.8.7. out_of_connections (ID: 00600011)
Default Severity: WARNING
Log Message: Out of connections. Dropping connection attempt
Explanation: The connection table is currently full, and this new connection attempt will be dropped.
Gateway Action: drop
Recommended Action: None.
Parameters: protocol
Context Parameters: Rule Name, Packet Buffer

2.8.10. no_return_route (ID: 00600014)
Default Severity: WARNING
Log Message: Failed to open a new connection since a return route to the sender address cant be found. Dropping packet
Explanation: There was no return route found to the sender address of the packet.
Recommended Action: None.
Revision
Context Parameters: Rule Name, Packet Buffer

2.8.13. udp_src_port_0_illegal (ID: 00600021)
Default Severity: WARNING
Log Message: UDP source port is set to 0. Dropping
Explanation: The UDP source port was set to 0. This can be used by UDP streams not expecting return traffic.
2.9. DHCP
These log messages refer to the DHCP (DHCP client events) category.

2.9.1. offered_ip_occupied (ID: 00700001)
Default Severity: NOTICE
Log Message: Interface <iface> received a lease with an offered IP that appear to be occupied (<ip4addr>)
Explanation: Received a DHCP lease which appears to be in use by someone else.
2.9.13. ip_collision (ID: 00700014)
Default Severity: WARNING
Log Message: Interface <iface> received a lease where the offered broadcast equals the offered gateway
Explanation: An interface received a lease where the offered broadcast address is equal to the offered gateway address.
Gateway Action: drop
Recommended Action...
2.10. DHCPRELAY
These log messages refer to the DHCPRELAY (DHCP relayer events) category.

2.10.1. unable_to_save_dhcp_relay_list (ID: 00800001)
Default Severity: WARNING
Log Message: Unable to auto save the DHCP relay list to disk
Explanation: Unable to autosave the DHCP relay list to disk.
Context Parameters: Rule Name, Packet Buffer

2.10.14. bad_inform_pkt_with_mismatching_source_ip_and_client_ip (ID: 00800014)
Default Severity: WARNING
Log Message: INFORM packet did not pass through a relayer but the packet source ip and the client ip doesnt match. Dropping
Explanation: Received non relayed INFORM DHCP packet with illegally mismatching source and client IP.
2.10.23. assigned_ip_not_allowed (ID: 00800023)
Default Severity: WARNING
Log Message: Received reply for client <client_hw> on a non security equivalent interface. Dropping
Explanation: Received a reply for a client on a non security equivalent interface.
Gateway Action: drop
Recommended Action: Verify security-equivalent-interface setting.
Context Parameters Rule Name Packet Buffer
2.10.25. ambiguous_host_route (ID: 00800025)
Default Severity WARNING
Log Message A host route for <dest_ip> already exists which points to another interface. Dropping
Explanation An ambiguous host route indicating another interface was detected while trying to set up a dynamic host route for a client.
2.11. DHCPSERVER
These log messages refer to the DHCPSERVER (DHCP server events) category.
2.11.1. unable_to_send_response (ID: 00900001)
Default Severity WARNING
Log Message Failed to get buffer for sending. Unable to reply
Explanation Unable to get a buffer for sending.
Gateway Action None
Recommended Action...
2.12. DYNROUTING
These log messages refer to the DYNROUTING (Dynamic routing) category.
2.12.1. failed_to_export_route_to_ospf_process_failed_to_alloc (ID: 01100001)
Default Severity CRITICAL
Log Message Failed to export route to OSPF process (unable to alloc export node)
Explanation Unable to export route to an OSPF process since the unit is out of memory.
2.13. FRAG
These log messages refer to the FRAG (Fragmentation events) category.
2.13.1. individual_frag_timeout (ID: 02000001)
Default Severity WARNING
Log Message Individual fragment timed out.
Explanation A fragment of an IP packet timed out, and is dropped.
Gateway Action drop
Recommended Action...
2.13.14. frag_offset_plus_length_not_in_range (ID: 02000014) Chapter 2. Log Message Reference
2.13.13. drop_duplicate_frag (ID: 02000013)
Default Severity WARNING
Log Message Dropping duplicate fragment
Explanation A duplicate fragment of an IP packet was received. Dropping the duplicate fragment.
Gateway Action drop
Recommended Action None.
2.13.29. fragments_available_freeing (ID: 02000100) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Dropping fragment of illegal packet
Explanation A fragment of an illegal IP packet is dropped.
Gateway Action drop
Recommended Action None.
Revision
Context Parameters Rule Name Packet Buffer
2.13.29.
2.14. GRE
These log messages refer to the GRE (GRE events) category.
2.14.1. failed_to_setup_gre_tunnel (ID: 02200001)
Default Severity WARNING
Log Message Failed to setup open tunnel from <local_ip> to <remote_ip>
Explanation Unable to set up GRE tunnel with endpoint.
Gateway Action drop
Recommended Action...
2.15. HA
These log messages refer to the HA (High Availability events) category.
2.15.1. peer_gone (ID: 01200001)
Default Severity NOTICE
Log Message Peer firewall disappeared. Going active
Explanation The peer gateway (which was active) is not available anymore. This gateway will now go active instead.
Explanation Both members are active, but the peer has higher local load. This gateway will stay active.
Gateway Action stay_active
Recommended Action None.
Revision
2.15.5. peer_has_lower_local_load (ID: 01200005)
Default Severity NOTICE
Log Message Both active, peer has lower local load;...
2.15.9. peer_has_more_connections (ID: 01200009) Chapter 2. Log Message Reference
Default Severity NOTICE
Log Message Conflict: Both peers are inactive! Resolving...
Explanation A conflict occurred as both peers are inactive at the same time. The conflict will automatically be resolved.
Gateway Action None
Recommended Action None.
Revision
2.15.12. heartbeat_from_unknown (ID: 01200043)
Default Severity WARNING
Log Message Received HA heartbeat from unknown IP. Dropping
Explanation The received HA heartbeat packet was originating from an unknown IP. The packet will be dropped.
Gateway Action drop
Recommended Action...
2.15.16. ha_commit_error (ID: 01200052) Chapter 2. Log Message Reference
2.15.15. merge_failed (ID: 01200051)
Default Severity WARNING
Log Message Failed to merge configuration from HA partner
Explanation The gateway failed to merge the configuration that was received from the peer.
Gateway Action ha_merge_conf
Recommended Action None.
2.15.23. hasync_connection_failed_timeout (ID: 01200202) Chapter 2. Log Message Reference
2.15.22. hasync_connection_disconnected_lifetime_expired (ID: 01200201)
Default Severity NOTICE
Log Message HASync connection lifetime expired. Reconnecting...
Explanation The HA synchronization connection lifetime has expired. A new connection will be established by reconnecting to the peer.
Gateway Action reconnect
Recommended Action...
Gateway Action drop
Recommended Action None.
Revision
Context Parameters Rule Name Packet Buffer
2.15.26. sync_packet_on_nonsync_iface (ID: 01200410)
Default Severity WARNING
Log Message Received state sync packet on non-sync iface. Dropping
Explanation An HA state sync packet was received on a non-sync interface.
Recommended Action None.
Revision
Context Parameters Rule Name Packet Buffer
2.15.29. config_sync_failure (ID: 01200500)
Default Severity CRITICAL
Log Message Tried to synchronize configuration to peer 3 times without success. Giving up.
Explanation The gateway tried to synchronize the configuration to peer three times, but failed.
2.16. HWM
These log messages refer to the HWM (Hardware monitor events) category.
2.16.1. temperature_alarm (ID: 04000011)
Default Severity WARNING
Log Message Temperature monitor <index> (<name>) is outside the specified limit. Current value is <current_temp> <unit>, lower limit is <min_limit>, upper limit is <max_limit>...
2.16.4. voltage_normal (ID: 04000022) Chapter 2. Log Message Reference
Log Message Voltage monitor <index> (<name>) is outside the specified limit. Current value is <current_voltage> <unit>, lower limit is <min_limit>, upper limit is <max_limit>
Explanation The power supply of this unit may be failing.
Gateway Action none
Recommended Action...
Parameters index name unit current_fanrpm min_limit max_limit
2.16.6. fanrpm_normal (ID: 04000032)
Default Severity WARNING
Log Message Fan RPM monitor <index> (<name>) is outside the specified limit. Current value is <current_fanrpm> <unit>, lower limit is <min_limit>, upper limit is <max_limit>...
2.16.9. free_memory_warning_level (ID: 04000101) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Temperature monitor <index> (<name>) is outside the specified limit. Current value is <current_gpio> <unit>, lower limit is <min_limit>, upper limit is <max_limit>
Explanation The sensor reports that the GPIO value is back in the normal range.
Gateway Action None
Recommended Action...
memory consumption.
Revision
Parameters limit_megabyte total_mem free_mem free_percentage severity
2.16.11. free_memory_normal_level (ID: 04000103)
Default Severity NOTICE
Log Message The amount of free memory is in the normal range, free <free_mem> MB of total <total_mem> MB, percentage free <free_percentage>
Explanation The memory usage is in the normal range.
2.17.14. idp_outofmem (ID: 01300014) Chapter 2. Log Message Reference
<destport>. Closing connection.
Explanation The unit failed to scan data. The reason for this is a low amount of memory.
Gateway Action close
Recommended Action Review your configuration.
Revision
Parameters idrule srcip srcport...
Parameters limit
Context Parameters Connection
2.18.7. conn_idp_piped (ID: 06100007)
Default Severity WARNING
Log Message IDP dynamic pipe state found. Throughput limited to <limit>
Explanation A new connection is piped to [limit] kbps since either the source or destination IP is dynamically throttled by IDP dynamic pipe state.
2.19.5. idp_detects_invalid_system_time (ID: 01400005) Chapter 2. Log Message Reference
Default Severity NOTICE
Log Message Intrusion Detection & Prevention database could not be updated, as no valid subscription exist
Explanation The current license does not allow Intrusion Detection & Prevention database to be updated.
Gateway Action None
Recommended Action...
2.19.7. unsynced_databases (ID: 01400009) Chapter 2. Log Message Reference
Explanation The IDP hardware and software databases are not synchronized. A full update is automatically initiated.
Gateway Action downloading_new_database
Recommended Action None.
Revision...
2.21. IPPOOL
These log messages refer to the IPPOOL (IPPool events) category.
2.21.1. no_offer_received (ID: 01900001)
Default Severity ERROR
Log Message No offers were received
Explanation No DHCP offers were received by the IP pool general query.
Gateway Action None
Recommended Action...
2.21.5. lease_disallowed_by_server_filter (ID: 01900005) Chapter 2. Log Message Reference
2.21.4. lease_disallowed_by_lease_filter (ID: 01900004)
Default Severity WARNING
Log Message The lease was rejected due to a lease filter
Explanation A lease was rejected by a lease filter.
Gateway Action lease_rejected
Recommended Action Verify the lease filters.
2.21.8. lease_have_bad_offered_broadcast (ID: 01900008) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message The lease was rejected due to a bad offered netmask address
Explanation A lease was rejected due to a bad offered netmask address.
Gateway Action lease_rejected
Recommended Action Check DHCP server configuration.
2.21.11. lease_ip_is_already_occupied (ID: 01900011) Chapter 2. Log Message Reference
Log Message The lease was rejected due to a bad offered gateway address
Explanation A lease was rejected due to a bad offered gateway address.
Gateway Action lease_rejected
Recommended Action Check DHCP server configuration.
Revision
Parameters gateway_ip...
Explanation A lease was rejected since the offered IP already exists in the pool.
Gateway Action lease_rejected
Recommended Action Check IP pool configuration.
Revision
Parameters client_ip
Context Parameters Rule Name
2.21.14. pool_reached_max_dhcp_clients (ID: 01900014)
Default Severity ERROR
Log Message...
Revision
Parameters client_ip subsystem
Context Parameters Rule Name
2.21.17. ip_returned_to_pool (ID: 01900017)
Default Severity NOTICE
Log Message Subsystem returned an IP to the pool
Explanation A subsystem returned an IP to the pool.
Gateway Action inform
Recommended Action...
Parameters gateway ipsectunnel
2.22.38. failed_to_add_rules (ID: 01800313)
Default Severity ERROR
Log Message Failed to add rules after remote gw: <gateway> have been resolved by DNS for IPsec tunnel: <ipsectunnel>
Explanation Failed to add rules to tunnel after remote gateway has been resolved by DNS.
Explanation Failed to create local authorization object. Configured remote access groups will not be possible to use.
Gateway Action IPsec_disabled
Recommended Action None.
Revision
2.22.48. Failed_to_set_xauth (ID: 01800328)
Default Severity ERROR
Log Message Failed set XAuth for tunnel <tunnel>...
2.22.61. Recieved_plaintext_packet_for_disabled_IPsec_interface (ID: 01800502)
Default Severity WARNING
Log Message IPsec tunnel <ipsec_connection> is disabled. Packet will be dropped
Explanation A packet was dropped due to the IPsec interface being disabled.
Gateway Action packet_will_be_dropped
Recommended Action This is usually a consequence of low memory or a bad configuration.
Parameters remotepeer
2.22.68. sa_write_congestion (ID: 01801337)
Default Severity INFORMATIONAL
Log Message Failed to write SA to Nitrox II due to congestion. <dir> SPI <spi>
Explanation There were not enough free buffers to write the SA to Nitrox II. Every new packet on the SA will trigger a new try.
2.22.72. malformed_packet (ID: 01802003) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message The rule is not in the active configuration. Dropping request for policy
Explanation The rule is not in the active configuration, dropping request.
Gateway Action dropping_request
Recommended Action None.
Explanation No IKE SA negotiations done because of authentication problems.
Gateway Action no_ike_sa
Recommended Action None.
Revision
2.22.78. ike_sa_negotiation_failed (ID: 01802031)
Default Severity WARNING
Log Message Type of the local ID <localid> is not KEY-ID for the mamros-pskeyext negotiation.
protocol.
Gateway Action VPN_tunnel_disabled
Recommended Action Reconfigure_IPsec.
Revision
2.22.91. create_rules_failed (ID: 01802081)
Default Severity ERROR
Log Message Cannot insert this rule, the forced NAT protocol type does not match rule protocol
Explanation Failed to insert rule since forced NAT protocol does not match rule protocol.
2.22.94. invalid_configuration_of_force_open (ID: 01802104)
Default Severity ERROR
Log Message Auto-start rule does not specify single IP address or domain name for its remote peer
Explanation Can not use Auto-start rule (force open) for roaming tunnels.
Gateway Action VPN_tunnel_disabled
Recommended Action...
Parameters tunnel
2.22.108. invalid_tunnel_configuration (ID: 01802210)
Default Severity ERROR
Log Message Both `auto-start' and `dont-initiate' specified for tunnel <tunnel>
Explanation Both `auto-start' and `dont-initiate' can not be specified for a tunnel.
Gateway Action VPN_tunnel_disabled
Recommended Action...
2.22.123. could_not_decode_certificate (ID: 01802600) Chapter 2. Log Message Reference
2.22.122. max_active_quickmode_negotiation_reached (ID: 01802403)
Default Severity NOTICE
Log Message The maximum number of active Quick-Mode negotiations reached
Explanation Maximum number of active Quick-Mode negotiations reached.
Gateway Action quick-mode_not_done
Recommended Action None.
Revision
2.22.123.
Gateway Action certificate_not_trusted
Recommended Action None.
Revision
2.22.126. could_not_set_cert_to_non_CRL_issuer (ID: 01802603)
Default Severity WARNING
Log Message Could not set CA certificate to non-CRL issuer. This may cause authentication errors if valid CRLs are not available
Explanation Could not set CA certificate to non-CRL issuer.
Default Severity ERROR
Log Message Can not insert CA certificate into local database
Explanation Can not insert CA certificate into local database.
Gateway Action certificate_disabled
Recommended Action None.
Revision
2.22.130. could_not_decode_certificate (ID: 01802607)
Default Severity WARNING
Log Message...
2.22.134. ike_sa_negotiation_completed (ID: 01802703) Chapter 2. Log Message Reference
2.22.133. could_not_decode_crl (ID: 01802610)
Default Severity WARNING
Log Message Could not decode CRL. The certificate may be corrupted or it was given in unrecognized format. File format may be wrong
Explanation Could_not_decode_CRL.
2.23. IP_ERROR
These log messages refer to the IP_ERROR (Packet discarded due to IP header error(s)) category.
2.23.1. too_small_packet (ID: 01500001)
Default Severity WARNING
Log Message Packet is too small to contain IPv4 header
Explanation The received packet is too small to contain an IPv4 header, and will be dropped.
Revision
Parameters iptotlen iphdrlen
Context Parameters Rule Name Packet Buffer
2.23.4. invalid_ip_length (ID: 01500004)
Default Severity WARNING
Log Message Invalid IP header length, IPTotLen=<iptotlen>, RecvLen=<recvlen>
Explanation The received packet IP total length is larger than the received transport data.
2.24. IP_FLAG
These log messages refer to the IP_FLAG (Events concerning the IP header flags) category.
2.24.1. ttl_low (ID: 01600001)
Default Severity WARNING
Log Message Received packet with too low TTL of <ttl>. Min TTL is <ttlmin>. Ignoring
Explanation The received packet has a TTL (Time-To-Live) field which is too low.
2.25. IP_OPT
These log messages refer to the IP_OPT (Events concerning the IP header options) category.
2.25.1. source_route (ID: 01700001)
Default Severity NOTICE
Log Message Packet has a source route
Explanation The packet has a source route. Ignoring.
Gateway Action ignore
Recommended Action...
2.26. IP_PROTO
These log messages refer to the IP_PROTO (IP Protocol verification events) category.
2.26.1. multicast_ethernet_ip_address_missmatch (ID: 07000011)
Default Severity WARNING
Log Message Received packet with a destination IP address <ip_multicast_addr> that does match Ethernet multicast...
2.26.4. ttl_low (ID: 07000014) Chapter 2. Log Message Reference
Explanation A packet was received with a TTL (Time-To-Live) field set to zero, which is not allowed. Dropping packet.
Gateway Action drop
Recommended Action None.
Revision
Context Parameters Rule Name Packet Buffer
2.26.4.
2.26.7. invalid_tcp_header (ID: 07000019) Chapter 2. Log Message Reference
Explanation The configured size limit for the TCP protocol was exceeded. Dropping packet.
Gateway Action drop
Recommended Action This can be changed under the Advanced Settings section.
Revision
Parameters proto
Context Parameters Rule Name Packet Buffer
2.26.7.
Packet Buffer
2.26.12. multicast_ethernet_ip_address_missmatch (ID: 07000033)
Default Severity WARNING
Log Message Received packet with a destination IP address <ip_multicast_addr> that does match Ethernet multicast address <eth_multicast_addr>
Explanation A packet was received with an IP multicast Ethernet address as destination address, but the IP address in the IP header does not match it.
2.26.18. oversize_ipip (ID: 07000055) Chapter 2. Log Message Reference
Log Message Configured size limit for the OSPF protocol exceeded. Dropping
Explanation The configured size limit for the OSPF protocol was exceeded. Dropping packet.
Gateway Action drop
Recommended Action This can be changed under the Advanced Settings section.
Revision
Parameters proto...
2.26.21. oversize_ip (ID: 07000058) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Configured size limit for the L2TP protocol exceeded. Dropping
Explanation The configured size limit for the L2TP protocol was exceeded. Dropping packet.
Gateway Action drop
Recommended Action This can be changed under the Advanced Settings section.
2.26.24. invalid_icmp_data_ip_ver (ID: 07000072) Chapter 2. Log Message Reference
2.26.23. invalid_icmp_data_too_small (ID: 07000071)
Default Severity WARNING
Log Message Invalid ICMP data length. ICMPDataLen=<icmpdatalen> ICMPIPHdrMinLen=<icmpiphdrminlen>. Dropping
Explanation The ICMP data is not large enough to contain an IPv4 Header. Dropping packet.
Gateway Action drop
Recommended Action...
2.27. L2TP
These log messages refer to the L2TP (L2TP tunnel events) category.
2.27.1. l2tpclient_resolve_successful (ID: 02800001)
Default Severity NOTICE
Log Message L2TP client <iface> resolved <remotegwname> to <remotegw>
Explanation The L2TP client successfully resolved the DNS name of the remote gateway.
Recommended Action Make sure the peer is capable of MPPE encryption, or disable the MPPE requirement.
Revision
Parameters iface sessionid remotegw
2.27.10. l2tp_session_request (ID: 02800010)
Default Severity NOTICE
Log Message L2TP session request sent. Tunnel ID: <tunnelid>
Explanation An L2TP session request has been sent over the specified L2TP tunnel.
2.28. NATPOOL
These log messages refer to the NATPOOL (Events related to NAT Pools) category.
2.28.1. uninitialized_ippool (ID: 05600001)
Default Severity ERROR
Log Message NATPool <poolname> has not been initialized
Explanation The NATPool is not initialized. This can happen if the NATPool contains no valid IP addresses.
Revision
Parameters address poolname
Context Parameters Connection
2.28.4. out_of_memory (ID: 05600005)
Default Severity ERROR
Log Message Out of memory while allocating NATPool state for <poolname>
Explanation A state could not be allocated since the unit is out of memory.
Gateway Action drop
Recommended Action...
Parameters poolname
2.28.7. proxyarp_failed (ID: 05600008)
Default Severity ERROR
Log Message Could not add dynamic ProxyARP route. NATPool <poolname>
Explanation It was not possible to dynamically add a core route for the given IP address.
concurrent states are wanted.
Revision
Parameters poolname num_states replacedip
2.28.10. registerip_failed (ID: 05600011)
Default Severity WARNING
Log Message Request to activate already active Translation IP address <ip> in pool <poolname>
Explanation Attempt to activate an already active Translation IP.
2.29.7. area_mismatch (ID: 02400007) Chapter 2. Log Message Reference
Log Message Sender source <srcip> not within interface range (<ifacerange>)
Explanation Received OSPF data from a neighboring router not within the receive interface range.
Gateway Action drop
Recommended Action Make sure all locally attached OSPF routes are on the same network.
Revision
Parameters srcip...
Packet Buffer
2.29.9. hello_interval_mismatch (ID: 02400009)
Default Severity WARNING
Log Message Hello interval mismatch. Received was <recv_interval>, mine is <my_interval>. Dropping
Explanation Received OSPF data from a neighboring router with a mismatching hello interval.
2.29.15. auth_mismatch (ID: 02400050) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Unknown LSA type <lsatype>. Dropping
Explanation Received OSPF data from a neighbor which contained an unknown LSA.
Gateway Action drop
Recommended Action Check the configuration on the neighboring router.
Revision
Parameters lsatype...
2.29.18. bad_auth_crypto_seq_number (ID: 02400053) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Authentication mismatch. Bad crypto key id. Received was <recv_id>, mine is <my_id>
Explanation Authentication failed due to a bad crypto key id.
Gateway Action drop
Recommended Action Verify that the neighboring OSPF router shares the same crypto key id.
2.29.21. dd_mtu_exceeds_interface_mtu (ID: 02400100) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Checksum mismatch. Received was <recv_chksum>, mine is <my_chksum>
Explanation Received OSPF data from neighbor with mismatching checksum.
Gateway Action drop
Recommended Action Check network equipment for problems.
Revision
Parameters recv_chksum...
2.29.27. as_ext_on_stub (ID: 02400106) Chapter 2. Log Message Reference
2.29.26. non_dup_dd (ID: 02400105)
Default Severity WARNING
Log Message Neighbor <neighbor> sent a non dup DD from a higher state then exchange. Restarting exchange
Explanation Received a non dup database descriptor from a neighbor in a higher state than exchange.
2.29.36. received_selforg_for_unknown_lsa_type (ID: 02400155) Chapter 2. Log Message Reference
Log Message Received AS-EXT LSA on stub. LSA is discarded
Explanation Received AS external LSA which is illegal on a stub area.
Gateway Action discard
Recommended Action None.
Revision
Context Parameters Rule Name
2.29.36.
2.29.48. internal_error_unable_to_map_identifier (ID: 02400301) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message Unable to find transport area <area> for VLINK <vlink> when building router LSA. Iface skipped
Explanation Unable to find transport area for a vlink.
Gateway Action skip_iface
Recommended Action Check OSPF area configuration.
2.29.50. memory_usage_exceeded_70_percent_of_max_allowed (ID: 02400303)
Default Severity WARNING
Log Message Memory usage for OSPF process <ospfproc> have now exceeded 70 percent of the maximum allowed
Explanation The memory usage for an OSPF process has exceeded 70 percent of the maximum allowed.
2.30. PPP
These log messages refer to the PPP (PPP tunnel events) category.
2.30.1. ip_pool_empty (ID: 02500001)
Default Severity WARNING
Log Message IPCP can not assign IP address to peer because the IP address pool is empty
Explanation IPCP can not assign an IP address to the peer because there are no free...
Revision
Parameters tunnel_type
2.30.4. seconday_dns_address_required_but_not_received (ID: 02500004)
Default Severity WARNING
Log Message Secondary DNS address required but not received. PPP terminated
Explanation Peer refuses to give out a secondary DNS address. Since reception of a secondary DNS address is required, PPP is terminated.
2.30.13. username_too_long (ID: 02500151)
Default Severity WARNING
Log Message PPP CHAP username was truncated because it was too long
Explanation PPP CHAP username was truncated because it was too long.
Gateway Action chap_username_truncated
Recommended Action Reconfigure the endpoints to use a shorter username.
Gateway Action pap_username_truncated
Recommended Action Reconfigure the endpoints to use a shorter username.
Revision
Parameters tunnel_type
2.30.17. password_too_long (ID: 02500351)
Default Severity WARNING
Log Message PPP PAP password was truncated because it was too long
Explanation PPP PAP password was truncated because it was too long.
2.30.20. authdb_error (ID: 02500502)
Default Severity ERROR
Log Message Local database authentication error. PPP Authentication terminated
Explanation There was an error while authenticating using a local user database. PPP Authentication terminated.
Gateway Action authentication_terminated
Recommended Action...
2.31. PPPOE
These log messages refer to the PPPOE (PPPoE tunnel events) category.
2.31.1. pppoe_tunnel_up (ID: 02600001)
Default Severity NOTICE
Log Message PPPoE tunnel on <iface> established to <pppoeserver>. Auth: <auth>, IfaceIP: <ifaceip>, Downtime: <downtime>
Explanation The PPPoE tunnel for the interface has been established.
Revision
Parameters rule remotegw callid
2.32.4. unknown_pptp_auth_source (ID: 02700004)
Default Severity WARNING
Log Message Unknown PPTP authentication source for <rule>! Remote gateway: <remotegw>, Call ID: <callid>
Explanation The authentication source for the specified userauth rule found in the new configuration is unknown to the PPTP server.
2.32.7. mppe_required (ID: 02700007) Chapter 2. Log Message Reference
interface by a route that was either manually configured or set up by another subsystem. Traffic can only be sent out on the PPTP server using the dynamic routes set up by the interface itself.
Gateway Action drop
Recommended Action...
2.32.10. unsupported_message (ID: 02700010) Chapter 2. Log Message Reference
Log Message PPTP session request sent on control connection to <remotegw>
Explanation A PPTP session request has been sent on the control connection to the specified remote gateway.
Gateway Action None
Recommended Action None.
2.32.13. pptp_session_up (ID: 02700013) Chapter 2. Log Message Reference
Default Severity WARNING
Log Message PPP negotiation completed for session <callid> to <remotegw> on <iface>. User: <user>, Auth: <auth>, MPPE: <mppe>, Assigned IP: <assigned_ip>
Explanation The PPP negotiation has completed successfully for this session. The specified interface, remote gateway and call ID identify the specific session.
Recommended Action None.
Revision
Parameters iface remotegw
2.32.15. session_idle_timeout (ID: 02700015)
Default Severity WARNING
Log Message PPTP session <callid> to <remotegw> on <iface> has been idle for too long. Closing it.
Explanation A PPTP session has been idle for too long.
Revision
Parameters rule iface remotegw
2.32.24. pptp_no_userauth_rule_found (ID: 02700026)
Default Severity WARNING
Log Message Did not find a matching userauth rule for the incoming PPTP connection. Interface: <iface>, Remote gateway: <remotegw>.
Explanation The PPTP server was unsuccessful trying to find a userauth rule matching the incoming PPTP connection.
2.32.26. waiting_for_ip_to_listen_on (ID: 02700050) Chapter 2. Log Message Reference
server interface. If the PPTP server is supposed to listen on an IP assigned by a DHCP server, make sure that the DHCP server is working properly.
Revision
Parameters iface...
2.33. REASSEMBLY
These log messages refer to the REASSEMBLY (Events concerning data reassembly) category.
2.33.1. ack_of_not_transmitted_data (ID: 04800002)
Default Severity INFORMATIONAL
Log Message TCP segment acknowledges data not yet transmitted
Explanation A TCP segment that acknowledges data not yet transmitted was received.
Revision
Context Parameters Connection
2.33.4. memory_allocation_failure (ID: 04800005)
Default Severity ERROR
Log Message Can't allocate memory to keep track of a packet
Explanation The gateway is unable to allocate memory to keep track of a packet that was received.
2.33.8. maximum_connections_limit_reached (ID: 04800010) Chapter 2. Log Message Reference
Default Severity NOTICE
Log Message Maximum processing memory limit reached
Explanation The reassembly subsystem has reached the maximum limit set on its processing memory. This will decrease the performance of connections that are processed by the reassembly subsystem.
2.35. RULE
These log messages refer to the RULE (Events triggered by rules) category.
2.35.1. ruleset_fwdfast (ID: 06000003)
Default Severity NOTICE
Log Message Packet statelessly forwarded (fwdfast)
Explanation The packet matches a rule with a "fwdfast" action, and is statelessly forwarded.
Rule Information Packet Buffer
2.35.4. rule_match (ID: 06000007)
Default Severity: DEBUG
Log Message: RETURN action trigged
Explanation: A rule with a special RETURN action was triggered by an IP-rule lookup. This log message only appears if you explicitly requested it for the rule in question, and it is considered of DEBUG severity.
Context Parameters: Rule Name, Packet Buffer
2.35.7. block127net (ID: 06000012)
Default Severity: WARNING
Log Message: Destination address is the 127.* net. Dropping
Explanation: The destination address was the 127.* net, which is not allowed according to the configuration.
Context Parameters: Rule Name
2.35.10. directed_broadcasts (ID: 06000031)
Default Severity: NOTICE
Log Message: Packet directed to the broadcast address of the destination network. Dropping
Explanation: The packet was directed to the broadcast address of the destination network, and the unit is configured to disallow this.
2.35.13. ruleset_drop_packet (ID: 06000051)
Default Severity: WARNING
Log Message: Packet dropped by rule-set. Dropping
Explanation: The rule-set is configured to drop this packet.
Gateway Action: drop
Recommended Action: If this is not the intended behaviour, modify the rule-set.
Revision:
Context Parameters: Rule Information...
Recommended Action: Check available memory.
Revision:
2.36.16. sesmgr_techsupport (ID: 04900018)
Default Severity: NOTICE
Log Message: Sending technical support file.
Explanation: Technical support file created and is being sent to user.
Gateway Action: techsupport_created
Recommended Action: None.
2.37. SLB
These log messages refer to the SLB (SLB events) category.
2.37.1. server_online (ID: 02900001)
Default Severity: NOTICE
Log Message: SLB Server <server_ip> is online according to monitor
Explanation: A disabled server has been determined to be alive again.
Gateway Action: Adding this server to the active servers list.
2.38. SMTPLOG
These log messages refer to the SMTPLOG (SMTPLOG events) category.
2.38.1. unable_to_establish_connection (ID: 03000001)
Default Severity: WARNING
Log Message: Unable to establish connection to SMTP server <smtp_server>. Send aborted
Explanation: The unit failed to establish a connection to the SMTP server. No SMTP Log will be sent.
2.38.4. receive_timeout (ID: 03000005)
Default Severity: WARNING
Log Message: Receive timeout from SMTP server <smtp_server>. Send aborted
Explanation: The unit timed out while receiving data from the SMTP server. No SMTP Log will be sent.
Gateway Action: abort_sending
Recommended Action...
2.38.8. rejected_recipient (ID: 03000009) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: SMTP server <smtp_server> rejected sender <sender>. Send aborted
Explanation: The SMTP server rejected the sender. No SMTP Log will be sent.
Gateway Action: abort_sending
Recommended Action: Verify that the SMTP server is configured to accept this sender.
2.39. SNMP
These log messages refer to the SNMP (Allowed and disallowed SNMP accesses) category.
2.39.1. disallowed_sender (ID: 03100001)
Default Severity: NOTICE
Log Message: Disallowed SNMP from <peer>, disallowed sender IP
Explanation: The sender IP address is not allowed to send SNMP data to the unit. Dropping packet.
2.40. SSHD
These log messages refer to the SSHD (SSH Server events) category.
2.40.1. out_of_mem (ID: 04700001)
Default Severity: ERROR
Log Message: Out of memory
Explanation: Memory Allocation Failure. System is running low on RAM memory.
Gateway Action: close
Recommended Action...
2.40.5. invalid_mac (ID: 04700007) Chapter 2. Log Message Reference
Default Severity: ERROR
Log Message: <error> occurred with the connection from client <client>.
Explanation: An error occurred, and the connection will be closed.
Gateway Action: close
Recommended Action: None.
Revision:
Parameters: error, client
2.40.5.
Gateway Action: close
Recommended Action: None.
Revision:
Parameters: fromname, toname, client
2.40.8. invalid_username_change (ID: 04700025)
Default Severity: WARNING
Log Message: Service change is not allowed. From serivce <fromservice> to <toservice>. Client: <client>
Explanation: User changed the service between two authentication phases, which is not allowed.
Gateway Action: close
Recommended Action: Increase the grace timeout value if it is set too low.
Revision:
Parameters: gracetime, client
2.40.11. ssh_inactive_timeout_expired (ID: 04700036)
Default Severity: WARNING
Log Message: SSH session inactivity limit (<inactivetime>) has been reached. Closing connection.
Revision:
Parameters: client
2.40.14. key_algo_not_supported. (ID: 04700055)
Default Severity: ERROR
Log Message: The authentication algorithm type <keytype> is not supported. Client <client>
Explanation: The authentication algorithm that the client uses is not supported. Closing connection.
2.41.5. unknown_sslvpn_auth_source (ID: 06300204) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: SSL VPN connection from <remotegw> disallowed according to rule <rule>!
Explanation: The SSL VPN connection is disallowed by the new configuration according to the specified userauth rule. Closing down the SSL VPN connection.
2.41.8. unknown_sslvpn_auth_source (ID: 06300225) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: SSL VPN connection from <remotegw> disallowed according to rule <rule>. Interface: <iface>.
Explanation: The SSL VPN connection is disallowed according to the specified userauth rule.
Gateway Action: None
Recommended Action: Make sure the userauth rules are configured correctly.
2.42.2. demo_mode (ID: 03200021)
Default Severity: ALERT
Log Message: This copy of D-Link Firewall is in DEMO mode. Firewall core will halt in <time> seconds
Explanation: The unit is running in DEMO mode, and will eventually expire. Install a license in order to avoid this.
Explanation: Failed to allocate a dynamic port, as all ports are in use.
Gateway Action: None
Recommended Action: None.
Revision:
Parameters: reason, localip, destip, port_base, port_end
2.42.11. port_hlm_conversion (ID: 03200302)
Default Severity: NOTICE
Log Message: Using High Load Mode for Local IP <localip>...
2.42.14. log_messages_lost_due_to_log_buffer_exhaust (ID: 03200401) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: <logcnt> messages lost due to throttling
Explanation: Due to extensive logging, a number of log messages were not sent.
Gateway Action: None
Recommended Action: Examine why the unit sent such a large number of log messages. If this is normal activity, the "LogSendPerSec"...
Gateway Action: None
Recommended Action: Verify that the new configuration file does not contain errors that would cause bi-directional communication failure.
Revision:
Parameters: localcfgver, remotecfgver, timeout
2.42.17. disk_cannot_remove_file (ID: 03200601)
Default Severity: CRITICAL
Log Message: Failed to remove <file>, bi-directional communication will now...
protected.
Revision:
Parameters: old_cfg
2.42.20. disk_cannot_rename (ID: 03200604)
Default Severity: ERROR
Log Message: Failed to rename <cfg_new> to <cfg_real>
Explanation: The unit failed to rename the new configuration file to the real configuration file name.
Revision:
2.42.23. bidir_ok (ID: 03200607)
Default Severity: NOTICE
Log Message: Configuration <localcfgver><remotecfgver> verified for bi-directional communication
Explanation: The new configuration has been verified for communication back to peer, and will now be used as the active configuration.
Gateway Action: None
Recommended Action...
2.42.26. shutdown (ID: 03201011)
Default Severity: NOTICE
Log Message: Shutdown aborted. Core file <core> missing
Explanation: The unit was issued a shutdown command, but no core executable file is seen. The shutdown process is aborted.
Gateway Action: shutdown_gateway_aborted
Recommended Action...
2.42.35. sslvpnuser_login (ID: 03203004) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: Administrative user <username> failed to log in via <authsystem>, because of bad credentials
Explanation: An administrative user failed to log in to the configuration system. This is most likely due to an invalid username or password being entered.
Recommended Action: None.
Revision:
Parameters: authsystem, user, pre_change_date_time, post_change_date_time
2.42.40. admin_timeout (ID: 03206000)
Default Severity: NOTICE
Log Message: Administrative user <username> timed out from <authsystem>
Explanation: The administrative user has been inactive for too long, and has been automatically logged out.
2.42.42. admin_login_internal_error (ID: 03206002) Chapter 2. Log Message Reference
Log Message: Internal error occured when administrative user <username> tried to login, not allowed access via <authsystem>
Explanation: An internal error occurred when the user tried to log in, and as a result the user has not been given administration access.
2.43. TCP_FLAG
These log messages refer to the TCP_FLAG (Events concerning the TCP header flags) category.
2.43.1. tcp_flags_set (ID: 03300001)
Default Severity: NOTICE
Log Message: The TCP <good_flag> and <bad_flag> flags are set. Allowing
Explanation: The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
2.43.7. tcp_flag_set (ID: 03300009) Chapter 2. Log Message Reference
SYN RST, SYN FIN and FIN URG.
Gateway Action: drop
Recommended Action: If any of these combinations should either be ignored or have the bad flag stripped, specify this in configuration, in the "Settings" sub system.
Parameters: seqno, expectseqno
Context Parameters: Rule Name, Connection, Packet Buffer
2.43.12. rst_out_of_bounds (ID: 03300015)
Default Severity: WARNING
Log Message: Originator RST seq <seqno> is not in window <winstart>...<winend>. Dropping
Explanation: The RST flag sequence number is not within the receiver window. Dropping packet.
2.43.15. rst_without_ack (ID: 03300018) Chapter 2. Log Message Reference
Default Severity: NOTICE
Log Message: TCP acknowledgement <ack> is not in the acceptable range <accstart>-<accend>. Dropping
Explanation: A TCP segment with an unacceptable acknowledgement number was received during state SYN_SENT. The packet will be dropped.
Gateway Action: drop
Recommended Action...
Parameters: seqno, accstart, accend
Context Parameters: Rule Name, Connection, Packet Buffer
2.43.17. tcp_recv_windows_drained (ID: 03300022)
Default Severity: CRITICAL
Log Message: large receive windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
Explanation: The TCP stack could not accept incoming data since it has run out of large TCP receive windows.
Explanation: The TCP stack could not get a free socket. This event was triggered [num_events] times during the last 10 seconds.
Gateway Action: None
Recommended Action: None.
Revision:
2.43.20. tcp_seqno_too_low_with_syn (ID: 03300025)
Default Severity: DEBUG
Log Message...
Explanation: The packet has no SYN, ACK, FIN or RST flag set. Dropping packet.
Gateway Action: drop
Recommended Action: None.
Revision:
Context Parameters: Rule Name, Packet Buffer
2.44.15. multiple_tcp_ws_options (ID: 03400017)
Default Severity: WARNING
Log Message...
2.44.17. mismatching_tcp_window_scale (ID: 03400019) Chapter 2. Log Message Reference
Explanation: TCP segment with a window scale option specifying a different shift count than previous segments was received. The lower of the two values will be used.
Gateway Action: adjust
Recommended Action: None.
Recommended Action: Investigate worms and DoS attacks.
Revision:
Parameters: description, threshold, srcip
Context Parameters: Rule Name
2.45.4. failed_to_keep_connection_count (ID: 05300200)
Default Severity: ERROR
Log Message: Failed to keep connection count. Reason: Out of memory
Explanation: The device was unable to allocate resources needed to include the connection in the connection count kept by threshold rules.
2.45.7. threshold_conns_from_srcip_exceeded (ID: 05300211) Chapter 2. Log Message Reference
Explanation: The number of connections matching the threshold rule and originating from a single host exceeds the configured threshold. Note: This log message is rate limited via an exponential back-off procedure.
Gateway Action: none
Recommended Action...
Revision:
Parameters: threshold, srcip, [username]
Context Parameters: Rule Name
2.45.9. threshold_conns_from_filter_exceeded (ID: 05300213)
Default Severity: NOTICE
Log Message: The number of connections matching the rule exceeds <threshold>. The Offending host is <srcip>.
Explanation: The number of connections matching the threshold rule exceeds the configured threshold.
2.46. TIMESYNC
These log messages refer to the TIMESYNC (Firewall time synchronization events) category.
2.46.1. synced_clock (ID: 03500001)
Default Severity: NOTICE
Log Message: The clock at <oldtime>, was off by <clockdrift> second(s) and synchronized with <timeserver>...
2.47. TRANSPARENCY
These log messages refer to the TRANSPARENCY (Events concerning the Transparent Mode feature) category.
2.47.1. impossible_hw_sender_address (ID: 04400410)
Default Severity: WARNING
Log Message: Impossible hardware sender address 0000:0000:0000. Dropping.
Explanation: Some equipment on the network is sending packets with a source MAC address of 0000:0000:0000.
Recommended Action: None.
Revision:
Parameters: recvif
2.47.10. invalid_stp_frame (ID: 04400419)
Default Severity: WARNING
Log Message: Incomming STP frame from <recvif> dropped. Reason: <reason>
Explanation: An incoming Spanning-Tree frame has been dropped since it is either malformed or its type is unknown.
2.48. USERAUTH
These log messages refer to the USERAUTH (User authentication (e.g. RADIUS) events) category.
2.48.1. accounting_start (ID: 03700001)
Default Severity: INFORMATIONAL
Log Message: Successfully received RADIUS Accounting START response from RADIUS Accounting server
Explanation: The unit received a valid response to an Accounting-Start event from the Accounting Server.
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision:
Context Parameters: User Authentication
2.48.4. invalid_accounting_start_server_response (ID: 03700004)
Default Severity: ALERT
Log Message: Received an invalid RADIUS Accounting START response from RADIUS Accounting server.
2.48.7. failed_to_send_accounting_stop (ID: 03700007) Chapter 2. Log Message Reference
Explanation: The authenticated user is logged out as an invalid response to the Accounting-Start event was received from the Accounting Server.
Gateway Action: logout_user
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision:
Context Parameters: User Authentication...
2.48.10. no_accounting_stop_server_response (ID: 03700010) Chapter 2. Log Message Reference
2.48.9. invalid_accounting_stop_server_response (ID: 03700009)
Default Severity: WARNING
Log Message: Received a RADIUS Accounting STOP response with an Identifier mismatch. Ignoring this packet
Explanation: The unit received a response with an invalid Identifier mismatch. This can be the result of a busy network, causing accounting event re-sends.
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision:
Context Parameters: User Authentication
2.48.12. failure_init_radius_accounting (ID: 03700012)
Default Severity: ALERT
Log Message: Failed to send Accounting Start to RADIUS Accounting Server. Accounting will be disabled
Explanation: The unit failed to send an Accounting-Start event to the Accounting...
Gateway Action: accounting_disabled
Recommended Action: Verify that a route exists from the unit to the RADIUS Accounting server, and that it is properly configured.
Revision:
Context Parameters: User Authentication
2.48.15. user_timeout (ID: 03700020)
Default Severity: NOTICE
Log Message...
Recommended Action: Lower the number of groups that this user belongs to.
Revision:
Parameters: username
2.48.18. accounting_alive (ID: 03700050)
Default Severity: NOTICE
Log Message: Successfully received RADIUS Accounting Interim response from RADIUS Accounting server.
2.48.21. invalid_accounting_interim_server_response (ID: 03700053) Chapter 2. Log Message Reference
2.48.20. no_accounting_interim_server_response (ID: 03700052)
Default Severity: ALERT
Log Message: Did not receive a RADIUS Accounting Interim response. User statistics might not have been updated on the Accounting Server
Explanation: The unit did not receive a response to an Accounting-Interim event from the Accounting Server.
Recommended Action: None.
Revision:
Context Parameters: User Authentication
2.48.23. relogin_from_new_srcip (ID: 03700100)
Default Severity: WARNING
Log Message: User with the same username is logging in from another IP address, logging out current instance
Explanation: A user with the same username as an already authenticated user is logging in.
Parameters: idle_timeout, session_timeout, [groups]
Context Parameters: User Authentication
2.48.26. bad_user_credentials (ID: 03700104)
Default Severity: NOTICE
Log Message: Unknown user or invalid password
Explanation: A user failed to log in. The entered username or password was invalid.
Gateway Action: None
Recommended Action...
2.48.29. userauthrules_disallowed (ID: 03700107)
Default Severity: WARNING
Log Message: Denied access according to UserAuthRules rule-set
Explanation: The user is not allowed to authenticate according to the UserAuthRules rule-set.
Gateway Action: None
Recommended Action: None.
Gateway Action: ssl_close
Recommended Action: Make sure that the client and unit share at least one cipher.
Revision:
Parameters: client_ip
2.48.43. disallow_clientkeyexchange (ID: 03700501)
Default Severity: ERROR
Log Message: SSL Handshake: Disallow ClientKeyExchange. Closing down SSL connection
Explanation: The SSL connection will be closed because there are not enough...
is invalid, and the SSL connection is closed.
Gateway Action: ssl_close
Recommended Action: None.
Revision:
Parameters: client_ip
2.48.46. bad_changecipher_msg (ID: 03700504)
Default Severity: ERROR
Log Message: SSL Handshake: Bad ChangeCipher message. Closing down SSL connection
Explanation: The ChangeCipher message (which is a part of a SSL handshake) is...
Gateway Action: ssl_close
Recommended Action: None.
Revision:
Parameters: client_ip
2.48.49. bad_alert_msg (ID: 03700507)
Default Severity: ERROR
Log Message: Bad Alert message. Closing down SSL connection
Explanation: The Alert message (which can be a part of a SSL handshake) is invalid, and the SSL connection is closed.
Recommended Action: Change ciphers and/or certificate.
Revision:
Parameters: client_ip
2.48.52. received_sslalert (ID: 03700510)
Default Severity: ERROR
Log Message: Received SSL Alert. Closing down SSL connection
Explanation: A SSL Alert message was received during an established SSL connection, and the SSL connection will be closed.
Revision:
Parameters: filename, description
2.49.4. odm_execute_action_none (ID: 05200004)
Default Severity: NOTICE
Log Message: Uploaded file (<filename>) could not be recognized as a known type.
Explanation: An uploaded file could not be recognized as a known type.
Gateway Action: None
Recommended Action...
2.49.7. upload_certificate_fail (ID: 05200007)
Default Severity: NOTICE
Log Message: Certificate data in file <filename>, could not be added to the configuration
Explanation: Certificate data could not be added to the configuration.
Gateway Action: None
Recommended Action...
2.50.5. out_of_mac_profiles (ID: 03800005) Chapter 2. Log Message Reference
Default Severity: WARNING
Log Message: Unable to accommodate block request since out of IP profiles on <switch>
Explanation: There are no free IP profiles left on the switch. No more hosts can be blocked/excluded on this switch.
2.50.8. failed_writing_zonededense_state_to_media (ID: 03800008) Chapter 2. Log Message Reference
Log Message: No response from switch <switch> while trying to create <type> rule in profile <profile>
Explanation: Several attempts to create a rule in the switch have timed out. No more attempts will be made.
2.50.11. failed_to_erase_profile (ID: 03800011) Chapter 2. Log Message Reference
Log Message: No response from switch <switch> while trying to erase <type> profile <profile>
Explanation: Several attempts to erase a profile in the switch have timed out. No more attempts will be made.
Gateway Action: task_ignored
Recommended Action...
2.50.14. zd_block (ID: 03800014) Chapter 2. Log Message Reference
Explanation: Several attempts to save the configuration in the switch have timed out. No more attempts will be made.
Gateway Action: task_ignored
Recommended Action: Verify that the firewall is able to communicate with the switch.
Revision:
Parameters: switch...