fortinet messages.pdf

7/25/2019 Fortinet Messages.pdf

1/642

FortiGate Log Message Reference v5.0 Patch Release10


2/642

FortiGate Log Message Reference - FortiOS 5.0.10

March13, 2015

01-510-112804-20150313

Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and

FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and

other jurisdictions, and other Fortinet names herein may also be registered and/or common law

trademarks of Fortinet. All other product or company names may be trademarks of their

respective owners. Performance and other metrics contained herein were attained in internal

lab tests under ideal conditions, and actual performance and other results may vary.

Network variables, different network environments and other conditions may affect

performance results. Nothing herein represents any binding commitment by Fortinet, and

Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet

enters a binding written contract, signed by Fortinets General Counsel, with a purchaserthat expressly warrants that the identified product will perform according to certain

expressly-identified performance metrics and, in such event, only the specific

performance metrics expressly identified in such binding written contract shall be binding on

Fortinet. For absolute clarity, any such warranty will be limited to performance in the same

ideal conditions as in Fortinets internal lab tests. In no event does Fortinet make any

commitment related to future deliverables, features or development, and circumstances may

change such that any forward-looking statements herein are not accurate. Fortinet disclaims in

full any covenants, representations, and guarantees pursuant hereto, whether express or

implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this

publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]
http://docs.fortinet.com/http://kb.fortinet.com/https://support.fortinet.com/http://training.fortinet.com/http://www.fortiguard.com/mailto:[email protected]?Subject=Technical%20Documentation%20Feedbackmailto:[email protected]?Subject=Technical%20Documentation%20Feedbackhttp://www.fortiguard.com/http://training.fortinet.com/https://support.fortinet.com/http://kb.fortinet.com/http://docs.fortinet.com/


3/642

Change Log

Date Change Description

2013-03-20 Initial Release.

2013-09-27 Patch 4 Release.

2014-04-01 Patch 6 Release. Added Variable Event Logs Addendum.

2015-01-16 Patch 9 Release. Complete corrections of all terminology.

2015-03-13 Patch 10 Release. Added new Variable Event Logs.

Page 3


4/642

Log Field Name Changes in FortiOS 5.0

4.3 5 4.3 5

app_cat appcat pri level

app_list applist profile_group profilegroup

app_type apptype profile_type profiletype

asset_id assetid quota_exceeded quotaexceededasset_name assetname quota_max quotamax

attack_id attackid quota_used quotaused

attack_name attackname rcvd rcvdbyte

carrier_ep carrierep rcvd_pkt rcvdpkt

cat_desc catdesc rem_ip remip

class_desc classdesc rem_port remport

conn-mode connmode remote_ip remip

content_type contenttype req_type reqtype

dec_spi decspi request_name requestname

dir direction rule_data ruledata

dir_disp dirdisp rule_type ruletype

dlp_sensor dlpsensor sent sentbyte

dst dstip sent_pkt sentpkt

dst_country dstcountry shaper_drop_rcvd shaperdroprcvdbyte

dst_int dstintf shaper_drop_sent shaperdropsentbyte

dst_port dstport shaper_rcvd_name shaperrcvdname

enc_spi encspi shaper_sent_name shapersentname

end-date enddate src srcip

esp_auth espauth src_country srccountry

esp_transform esptransform src_int srcintf

filter_type filtertype src_port srcport

icmp_code icmpcode start-date startdate

icmp_id icmpid tran_disp trandisp

icmp_type icmptype tran_ip tranip

incident_serialno incidentserialno tran_port tranport

lan_in lanin tran_sip transip

lan_out lanout tran_sport transport

loc_ip locip url_type urltype

loc_port locport urlfilter_idx urlfilteridx

local_ip locip urlfilter_list urlfilterlist

log_id logid voip_proto voipproto

malform_data malformdata vpn_tunnel vpntunnel

malform_desc malformdesc vpn_type vpntype

message msg vuln_cat vulncat

message_type messagetype vuln_cnt vulncnt

os_family osfamily vuln_id vulnid

os_gen osgen vuln_ref vulnref

os_vendor osvendor wan_in wanin

out_intf outintf wan_out wanout

ovrd_id ovrdid wanopt_app_type wanoptapptypeovrd_tbl ovrdtbl xauth_group xauthgroup

perip_drop shaperperipdropbyte xauth_user xauthuser

perip_name shaperperipname

Log Field Name Changes in FortiOS 5.0

4.3 5 4.3 5

app_cat appcat pri level

app_list applist profile_group profilegroup

app_type apptype profile_type profiletype

asset_id assetid quota_exceeded quotaexceededasset_name assetname quota_max quotamax

attack_id attackid quota_used quotaused

attack_name attackname rcvd rcvdbyte

carrier_ep carrierep rcvd_pkt rcvdpkt

cat_desc catdesc rem_ip remip

class_desc classdesc rem_port remport

conn-mode connmode remote_ip remip

content_type contenttype req_type reqtype

dec_spi decspi request_name requestname

dir direction rule_data ruledata

dir_disp dirdisp rule_type ruletype

dlp_sensor dlpsensor sent sentbyte

dst dstip sent_pkt sentpkt

dst_country dstcountry shaper_drop_rcvd shaperdroprcvdbyte

dst_int dstintf shaper_drop_sent shaperdropsentbyte

dst_port dstport shaper_rcvd_name shaperrcvdname

enc_spi encspi shaper_sent_name shapersentname

end-date enddate src srcip

esp_auth espauth src_country srccountry

esp_transform esptransform src_int srcintf

filter_type filtertype src_port srcport

icmp_code icmpcode start-date startdate

icmp_id icmpid tran_disp trandisp

icmp_type icmptype tran_ip tranip

incident_serialno incidentserialno tran_port tranport

lan_in lanin tran_sip transip

lan_out lanout tran_sport transport

loc_ip locip url_type urltype

loc_port locport urlfilter_idx urlfilteridx

local_ip locip urlfilter_list urlfilterlist

log_id logid voip_proto voipproto

malform_data malformdata vpn_tunnel vpntunnel

malform_desc malformdesc vpn_type vpntype

message msg vuln_cat vulncat

message_type messagetype vuln_cnt vulncnt

os_family osfamily vuln_id vulnid

os_gen osgen vuln_ref vulnref

os_vendor osvendor wan_in wanin

out_intf outintf wan_out wanout

ovrd_id ovrdid wanopt_app_type wanoptapptypeovrd_tbl ovrdtbl xauth_group xauthgroup

perip_drop shaperperipdropbyte xauth_user xauthuser

perip_name shaperperipname

Page 4


5/642

4.3 subtypes 5.0 subtypes

traffic allowed forward/local/multicast

webcache-traffic, wanopt-traffic, explicit-proxy-traffic forward

failed-conn, violation, other forward

event ipsec, sslvpn-user, sslvpn-admin, sslvpn-session vpn

system

dns, dhcp, l2tp/pptp/pppoe router

auth, radius user

wireless wireless

wad wad

voip moved to voip logs section

virus infected infected

filename filename

oversize oversized

scanerror scanerror

----- analytics

----- switchproto

webfilter content content

urlfilter urlfilter

ftgdbl! ftgdbl!

ftgdallow ftgdallow

ftgderr ftgderr

activexfilter activexfilter

coo!iefilter coo!iefilter

appletfilter appletfilter

ftgd"uotacounting ftgd"uotacounting

ftgd"uota ftgd"uota

----- ftgd"uotaexpired

----- webfiltercommandbloc!

ips signature signature

anomaly anomaly

emailfiltermsn-hotmail msn

yahoo-mail yahoo

smtp smtp

pop# pop#

imap imap

carrier-endpoint-filter endpointfilter

mass-mms mms

----- google

----- mapi

ha, gtp, nac-"uarantine, config, notification, perf-historical, forticlient, mms-stats, amc-intf-bypass,admin, ldb-monitor, pattern

LogSubtypeName Changes in FortiOS 5.0

Page 5


6/642

netscan discovery discovery

vulnerability vulnerability

dlp dlp dlp

----- dlp-docsource

app-ctrl app-ctrl-all app-ctrl-all

content http http

ftp ftp

smtp smtp

pop# pop#

imap imap

https https

im-all im-all

nntp nntp

voip voip

mm1 mm1

mm# mm#

mm$ mm$

mm% mm%

smtps smtps

pop#s pop#s

imaps imaps

voip ----- voip

Page 6


7/642

Page 7


8/642

Traffic

2

Message ID: 000002

Message Description: allowed message

Type (type): traffic

Subtype (subtype): forward

Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither

(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that

identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

duration Time value in seconds.

Page 8


9/642

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an

identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.

This number is not globally unique, it is only locally unique within a given firewall policy.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traff ic shaper sending the bytes.

shaperrcvdname The name of the traff ic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,

ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 9


10/642

3

Message ID: 000003

Message Description: violation message


Subtype (subtype): invalid

Level/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning



























Page 10


11/642


















user User name.








Page 11


12/642

4

Message ID: 000004

Message Description: other message




Log field Meaning

type traffic

subtype invalid

level notice



























Page 12


13/642






















user User name.








Page 13


14/642

5

Message ID: 000005

Message Description: allowed icmp message




Log field Meaning

type traffic

subtype invalid

level notice






(noop).














proto The protocol number that applies to the session or packet. This is the protocol number in the packet header thatidentifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).







Page 14


15/642























user User name.








Page 15


16/642

6

Message ID: 000006

Message Description: deny internal icmp message




Log field Meaning

type traffic

subtype invalid

level warning



























Page 16


17/642


















user User name.








Page 17


18/642

7

Message ID: 000007

Message Description: deny external icmp message




Log field Meaning

type traffic

subtype invalid

level warning



























Page 18


19/642


















user User name.








Page 19


20/642

8

Message ID: 000008

Message Description: WAN optimization traffic




Log field Meaning

type traffic

subtype forward

level notice












wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.


policyid The ID number of the f irewall policy that applies to the session or packet.


identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This

number is not globally unique, it is only locally unique within a given firewall policy.

wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






Page 20


21/642


Page 21


22/642

9

Message ID: 000009

Message Description: webcache traffic




Log field Meaning

type traffic

subtype forward

level notice


















wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






Page 22


23/642


Page 23


24/642

10

Message ID: 000010

Message Description: explicit proxy traffic




Log field Meaning

type traffic

subtype forward

level notice


















wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.






Page 24


25/642


Page 25


26/642

11

Message ID: 000011

Message Description: failed connection attempts




Log field Meaning

type traffic

subtype invalid

level warning
















user User name.




Page 26


27/642

12

Message ID: 000012

Message Description: multicast allowed message


Subtype (subtype): multicast


Log field Meaning

type traffic

subtype multicast

level notice






(noop).





















Page 27


28/642























user User name.








Page 28


29/642

13

Message ID: 000013

Message Description: traffic forward message




Log field Meaning

type traffic

subtype forward

level notice






(noop).





















Page 29


30/642























user User name.






utmaction The UTM action taken by the system.

filename The name of the file that was transferred.

virus The name of the virus detected.

attack ATTACK

hostname The hostname information.

catdesc The category description.

sender SENDER

recipient RECIPIENT

mailcount MAILCOUNT

Page 30


31/642

spamcount SPAMCOUNT

dlprule DLP rule.

utmevent The type of UTM event taking place.

utmseverity UTM severity.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.



Page 31


32/642

14

Message ID: 000014

Message Description: traffic local message


Subtype (subtype): local


Log field Meaning

type traffic

subtype local

level notice






(noop).





















Page 32


33/642























user User name.








Page 33


34/642

15

Message ID: 000015

Message Description: start forward message




Log field Meaning

type traffic

subtype forward

level notice






(noop).





















Page 34


35/642























user User name.








Page 35


36/642

16

Message ID: 000016

Message Description: start local message


Subtype (subtype): local


Log field Meaning

type traffic

subtype local

level notice



























Page 36


37/642






















user User name.








Page 37


38/642

Netscan

4096

Message ID: 004096

Message Description: Network scan performed

Type (type): utm

Subtype (subtype): netscan

Event Type (eventtype): vulnerability


Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice




action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

Page 38


39/642

4097

Message ID: 004097

Message Description: Network scan performed

Type (type): utm


Event Type (eventtype): discovery


Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice





start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

Page 39


40/642

4098

Message ID: 004098

Message Description: Netscan vulnerability detected

Type (type): utm




Log field Meaning

type utm

subtype netscan


level notice






vuln Name of the detected vulnerability.

vulncat Category of the detected vulnerability.

vulnid ID of the detected vulnerability.

vulnref Reference to the detected vulnerability in FortiGuard.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

vulnscore NIST score of the detected vulnerability.

proto Protocol. Either TCP or UDP.


Page 40


41/642

4099

Message ID: 004099

Message Description: Netscan OS detected

Type (type): utm




Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice






os Operating system name.

osfamily OS family.

osgen OS generation.

osvendor OS vendor.

Page 41


42/642

4100

Message ID: 004100

Message Description: Netscan service detected

Type (type): utm




Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice









Page 42


43/642

4101

Message ID: 004101

Message Description: Notification message

Type (type): utm




Log field Meaning

type utm

subtype netscan


level notice





Page 43


44/642

4102

Message ID: 004102

Message Description: Notification message

Type (type): utm




Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice





Page 44


45/642

4103

Message ID: 004103

Message Description: Netscan number of vulnerabilities detected

Type (type): utm




Log field Meaning

type utm

subtype netscan


level notice






vulncnt Vulnerability count.

Page 45


46/642

4104

Message ID: 004104

Message Description: Netscan host detected

Type (type): utm




Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice






method The method information.

assetid Asset ID for this host.

assetname Asset definition for this host.

Page 46


47/642

4105

Message ID: 004105

Message Description: Netscan port detected

Type (type): utm




Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice








Page 47


48/642

Virus

8192

Message ID: 008192

Message Description: virus infected block

Type (type): utm

Subtype (subtype): virus

Event Type (eventtype): infected


Log field Meaning

type utm

subtype virus

eventtype infected

level warning




status The status of the virus or packet: blocked, passthrough, monitored, analytics.














direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same

checksum, the FortiGate unit assumes that they have the same content.

Page 48


49/642

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern

block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).


dtype Dtype.

ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.







agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.


msg "File is infected."

Page 49


50/642

8193

Message ID: 008193

Message Description: virus infected pass

Type (type): utm




Log field Meaning

type utm

subtype virus

eventtype infected

level notice

























dtype Dtype.

Page 50


51/642





user User name.







agent Agent.



sha256 SHA256 hash.



Page 51


52/642

8194

Message ID: 008194

Message Description: virus infected mime block

Type (type): utm




Log field Meaning

type utm

subtype virus

eventtype infected

level warning

























dtype Dtype.

Page 52


53/642





user User name.







agent Agent.



sha256 SHA256 hash.



Page 53


54/642

8195

Message ID: 008195

Message Description: virus infected mime pass

Type (type): utm




Log field Meaning

type utm

subtype virus

eventtype infected

level notice

























dtype Dtype.

Page 54


55/642





user User name.







agent Agent.



sha256 SHA256 hash.


msg "File submitted to FortiGuard Analytics."

Page 55


56/642

8196

Message ID: 008196

Message Description: virus infected worm block

Type (type): utm




Log field Meaning

type utm

subtype virus

eventtype infected

level warning














indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based

policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally

unique, it is only locally unique within a given firewall policy.



dtype Dtype.




user User name.


Page 56


57/642

msg "Worm detected."

Page 57


58/642

8197

Message ID: 008197

Message Description: virus infected worm monitor

Type (type): utm




Log field Meaning

type utm

subtype virus

eventtype infected

level notice














indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-bas

fortinet messages.pdf

Documents