sonicos log event reference guide -...

COMPREHENSIVE INTERNET SECURITY™

S o n i c WALL Internet Security Ap p l i a n c e s

SonicOS Log Event Reference Guide

Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event mes-sage by using the alphabetical index of log event messages. This document contains the following sections:• “SonicOS Log Event Messages Overview” on page 1• “Configuring SonicOS ‘Log’ > ‘View’” on page 4• “Referencing the SonicOS ‘Log’ > ‘View ’ Field Display” on page 7• “Index of Log Event Messages” on page 9• “Index of Syslog Tag Field Description” on page 63

SonicOS Log Event Messages OverviewDuring the operation of a SonicWALL security appliance, SonicOS software sends log event mes-sages to the ‘Log’ > ‘View’ page in the SonicWALL management interface.In Figure 1, the ‘Log’ > ‘View’ page is displayed.Figure 1 SonicOS Enhanced ‘Log’ > ‘View’ page

Event logging automatically begins when the SonicWALL security appliance is powered on and con-figured. SonicOS supports a traffic log containing entries with multiple fields. Log event messages provide operational informational and debugging information to help you diag-nose problems with communication lines, internal hardware, or your firmware configuration.

Note: For the SonicOS CLI console display, use the show log command to display log events. Refer to the SonicOS CLI Reference Guide located on the SonicWALL Web site: <http://www.sonicwall.com/support/documentation.html>

SONICOS LOG EVENT REFERENCE GUIDE 1

Note: Not all log event messages indicate operational issues with your SonicWALL security appliance.

SonicOS Log EntriesEach log entry contains the date and time of the event and a brief message describing the event. The SonicWALL manages log events in the following manner:• TCP, UDP, or ICMP packets dropped

When IP packets are dropped by the SonicWALL security appliance, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log event messages usually include the name of the service in quotation marks.

• Web, FTP, Gopher, or Newsgroup blockedWhen a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL security appliance. The computer’s IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code is displayed. Code definitions for the 12 Content Filter List categories are shown below.

• ActiveX, Java, Cookie or Code Archive blockedWhen ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt is displayed.

• Ping of Death, IP Spoof, and SYN Flood AttacksThe IP address of the machine under attack and the source of the attack is displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

SonicOS ‘Log View Settings’The ‘Log View Settings’ section of the ‘Log’ > ‘View’ page provides you the filtering controls to filter log event messages based on your configured log filter logic. It also contains the following log manage-ment buttons:• Refresh—Renews the ‘Log View’ table with current log event messages.• Clear Log—Empties the entries in the ‘Log View’ table.• E-mail Log—E-mails log event messages to your configured SMTP server or list of e-mail

addresses.• Export Log—Exports the log into a plain .txt or .csv file format.

1. Violence 7. Cult

2. Intimate Apparel/Swim-suit

8. Drugs/Illegal Drugs

3. Nudism 9. Criminal Skills/Illegal Skills

4. Adult/Mature Content/Pornography

10. Sex Education

5. Weapons 11. Gambling

6. Hate/Racism 12. Alcohol & Tobacco

2 SONICOS LOG EVENT REFERENCE GUIDE

SonicOS ‘Log View’ Display FormatThe ‘Log’ > ‘View’ page displays log event messages in following format for alert notification:• Time—Displays the hour and minute the event occurred.• Priority—Displays the level urgency for the event.• Category—Displays the event type.• Message—Displays a description of the event.• Source—Displays the source IP address of incoming IP packet.• Destination—Displays the destination IP address of incoming IP packet.• Note—Displays displays additional information specific to a particular event occurrence.• Rule—Displays the source and destination zones for the access rule. This field provides a link to

the access rule defined in the ‘Firewall’ > ‘Access Rules’ page.The display fields for a log event message provides you with data to verify your configurations, trou-ble-shoot your security appliance, and track IP traffic.


Configuring SonicOS ‘Log’ > ‘View’ The ‘Log’ > ‘View” page in the Web-based SonicWALL management interface allows you to export log reports, e-mail log reports, and monitor real-time Syslog data. As soon as you power on your Son-icWALL security appliance, SonicOS software sends Syslog data to your log. In the SonicWALL man-agement interface, you can navigate through the subcategories of the ‘Log’ setting for reporting and customizing log reports.In Figure 2, the ‘Log’ > ‘View’ page is displayed.Figure 2 SonicOS Enhanced ‘Log’ > ‘View’ page


Setting the Log Filter LogicBy default, the SonicOS filter logic is set to “Priority && Category && Source && Destination.” The double ampersand symbols (&&) indicate the boolean expression “and.” The default SonicOS filter logic displays all log events.In Figure 3, the ‘Log’ > ‘View’ > ‘Log View Settings’ page is displayed.Figure 3 SonicOS ‘Log View Settings’

Applying Custom Log Event Message FiltersThis section provides examples on using the ‘Log View Settings’ to filter log event messages dis-played in the ‘Log View’ page.

Configuration Example: Filtering Log Event Messages by Priority ValueTo set the log filter logic to display only log event messages with a priority level of Emergency:1. Select Emergency from the filter-Priority Value pull-down menu.

2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Category ValueTo set the log filter logic to display only log event messages with a category event type of Attacks:1. Select Attacks from the filter-Category Value pull-down menu.


Apply filters

Reset filters

Export logsDefault filter logic

Group filtersDefault filter logic value

Log Event Message Filters


Configuration Example: Filtering Log Event Messages by Source ValueTo set the log filter logic to display only log event messages associated to a source IP address:1. Enter the source IP address or select an interface from the filter-Source Value pull-down menu.


Configuration Example: Filtering Log Event Messages by Destination ValueTo set the log filter logic to display only log event messages associated to a destination IP address:1. Enter the destination IP address or select an interface from the filter-Source Value pull-down

menu. 2. Click on the Apply Filters button.

Using Group FiltersUse Group filters to change the default SonicOS filter logic (Priority && Category && Source && Des-tination) from double ampersand symbols (&&) to double pipe symbols (||) to indicate the boolean expression “or.” When using group filters, select two or more Group Filters checkboxes.

Note: If you select only one Group Filter checkbox, the filter logic will remain the same. Selecting only the Priority-Group Filter checkbox provides you with the following filter logic:

(Priority) && Category && Source && Destination

Configuration Example: Using the ‘Priority’ Group Filter and ‘Category Group’ FilterTo set the log filter logic to display log event messages with a priority level of Emergency or a category event type of Attack:1. Select the ‘Priority’ group filter checkbox.

2. Select the ‘Category’ group filter checkbox.3. Select Emergency from the filter-Priority Value pull-down menu. 4. Select Attacks from the filter-Category Value pull-down menu. Figure 4 illustrates the SonicOS filter logic updated as follows:

(Priority || Category) && Source && Destination

Figure 4 SonicOS Log Group Filters

A filter logic using the boolean expression “||” is less restrictive than the default filter logic using the boolean expression “&&”. With the boolean expression “||”, log event messages are displayed if they match either filter values. With the boolean expression “&&”, log event messages are displayed if they match both filter values.


Exporting the Logs to a FileThis section provides instructions to export your log to a file. To export the log to a file:1. Click on the Export Log button. You will be prompted to select a export file format type as

illustrated in Figure 5.Figure 5 SonicOS Export Log

2. Select a file format: Plain text format used in log and alert e-mail—Saves the log file as plain text, which can be used for alert e-mails.Comma-Separated Value (CSV) format—Saves the log file for importing into Microsoft Excel or other presentation development application.

3. Click on the Export button.4. Save the exported log file to a location on your personal computer’s hard drive.

Note: You can export a log to a file with applied filter settings.

Referencing the SonicOS ‘Log’ > ‘View ’ Field Display

SonicOS 2.5 Enhanced and Standard releases and greater provide the SonicOS ‘Log’ > ‘View’ field display as illustrated in Figure 6.Figure 6 SonicOS ‘Log’ > ‘View’ Field Display

Time and Date Stamp

Priority

Category

Message Descrition

Source IP Address

Destination IP

Log Event Notes

Network Rule


Referencing the SonicWALL Firmware ‘Log’ > ‘View Log’ Field DisplaySonicWALL Firmware 6.6.0.0 release and greater provide the SonicWALL Firmware ‘Log’ > ‘View Log’ field display as illustrated in Figure 7. Figure 7 SonicWALL Firmware Log’ > ‘View Log’ Field Display

Time and Date Stamp

Event Message

Source IP Address

Destination IP Address

Additional Information

Rule Number (If Applicable)


Index of Log Event MessagesThis section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.

Log Event Message Symbols Key

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:• SonicOS Category—Displays the SonicOS Software category event type.• Legacy Category—Displays the SonicWALL Firmware Software category event type.• Priority Level—Displays the level of urgency of the log event message.• Log Message ID Number—Displays the ID number of the log event message.• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.

Log Event Message Symbol Description Context

%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port Down

The cache is full; %u openconnections; some will be dropped

Represents a numerical string. The cache is full; [40,000] openconnections; some will be dropped

Log Event Message

SonicOS Category

Legacy Category

Priority Level

Log Message ID Number

SNMPTrapType

Log EventType

#Web site hit Network Traffic

Connection Traffic

Information 97 --- StandardHTTPTraffic

Report

%s VPN IKE User Activity Information 171 --- StandardMessage

String

%s ARS --- Information 840 --- StandardMessage

String

%s ARS --- Notice 841 --- StandardMessage

String

%s ARS --- Debug 842 --- StandardMessage

String


%s Ethernet Port Down

Firewall Event System Error Error 333 641 StandardString

Service

%s Ethernet Port Up

Firewall Event System Error Warning 332 640 StandardString

Service

%s-payload processing error

VPN IKE Debug Error 616 --- StandardMessage

String

SonicWALL Registration Update Needed: Restore your existing security service subscriptions by clicking here.

Security Services

Maintenance Warning 496 --- Simple

802.11b Management

Wireless 802.11b Management

Information 518 --- SimpleDestination

A prior version of preferences was loaded because the most recent preferences file was inaccessible

Firewall Event System Error Warning 572 648 Simple

A SonicOS Standard to Enhanced Upgrade was performed

Firewall Event Maintenance Information 611 --- Simple

Access attempt from host out of compliance with GSC policy

Security Services

Maintenance Information 761 --- Standard

Access attempt from host without Anti-Virus agent installed

Security Services


Access attempt from host without GSC installed

Security Services

Maintenance Information 763 524 Standard

Access rule added Firewall Rule User Activity Information 440 --- SimpleRule

Access rule deleted

Firewall Rule User Activity Information 442 --- SimpleRule String


Access rule modified

Firewall Rule User Activity Information 441 --- SimpleRule

Access to proxy server denied

Network Access

Blocked Sites Notice 60 705 StandardNote

Blocked

ActiveX access denied

Network Access

Blocked Code Notice 18 --- StandardNote

Blocked

ActiveX or Java archive access denied

Network Access


Blocked

AD agent %s is not responding

MS AD --- Error 769 --- StandardMessage

String

Add an attack message

Firewall Event Attack Error 143 525 SimpleString

Adding Dynamic Entry for Bound MAC Address

Network --- Information 813 --- StandardNote ENET

Adding L2TP IP pool Address object Failed

L2TP Server System Error Error 603 661 Simple

Adding to multicast policyList, interface: %s

Multicast --- Debug 697 --- StandardMessage

String

Adding to Multicast policyList, VPN SPI: %s


String

Administrator logged out

Authentication User Activity Information 261 --- Standard

Administrator logged out - inactivity timer expired


Administrator login allowed


Administrator login denied due to bad credentials

Authentication Attack Alert 30 560 Standard


Administrator login denied from %s; logins disabled from this interface

Authentication Attack Alert 35 506 StandardMessage

String

Adminstrator name changed

Authentication Maintenance Information 328 --- Standard

All DDNS associations have been deleted

DDNS Maintenance Information 783 --- Simple

All preference values have been set to factory default values


Allowed LDAP server certificate with wrong host name

RADIUS User Activity Warning 752 --- StandardNote String

Anti-Spyware Detection Alert: %s

Intrusion Detection

Attack Alert 795 576 StandardAnti-Spy

MessageString

Anti-Spyware Prevention Alert: %s

Intrusion Detection

Attack Alert 794 575 StandardAnti-Spy

MessageString

Anti-Spyware Service Expired

Security Services

Maintenance Warning 796 577 Simple

Anti-Virus agent out-of-date on host

Security Services


Anti-Virus Licenses Exceeded

Security Services


Arp request packet received


Arp request packet sent


Arp response packet received


Arp response packet sent


ARP timeout Network Debug Debug 45 --- Standard

Association Flood from wlan station

WLAN IDS WLAN IDS Alert 548 903 SimpleDestination


Authentication timeout during Remotely Triggered Dial-out session

Authentication User Activity Information 821 --- Simple

Back Orifice attack dropped

Intrusion Detection

Attack Alert 73 512 Standard

Backup active High Avaiability

System Error Information 825 --- Simple

Backup firewall being preempted by Primary

High Availability

System Error Error 152 619 Simple

Backup firewall has transitioned to Active

High Availability

Maintenance Information 145 --- Simple

Backup firewall has transitioned to Idle

High Availability


Backup going Active in preempt mode after reboot

High Availability


Backup missed heartbeats from Primary

High Availability


Backup received error signal from Primary

High Availability


Backup received reboot signal from Primary

High Availability


Backup shut down because license is expired

High Availability

System Error Error 824 --- Simple

Backup will be shut down in %s minutes

High Availability

System Error Error 823 --- StandardString

Service

Bad CRL format VPN PKI User Activity Alert 277 --- SimpleDestination

Blocked Quick Mode for Client using Default KeyId

VPN Client System Error Error 505 660 Standard


BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table

BOOTP Maintenance Information 619 --- StandardDestination

BOOTP reply relayed to local device

BOOTP Maintenance Information 620 --- StandardDestination

BOOTP Request received from remote device

BOOTP Debug Debug 621 --- StandardDestination

BOOTP server response relayed to remote device

BOOTP Debug Debug 618 --- StandardDestination

Broadcast packet dropped

Network Access

Debug Debug 46 --- StandardNote

Protocol

Cannot connect to the CRL server

VPN PKI User Activity Alert 274 --- SimpleDestination

Cannot Validate Issuer Path


Certificate on Revoked list (CRL)


CFL auto-download disabled, time problem detected

Security Services


CLI administrator logged out


CLI administrator login allowed


CLI administrator login denied due to bad credentials

Authentication User Activity Warning 200 --- Simple

Computed hash does not match hash received from peer

VPN IKE User Activity Warning 410 --- StandardDestination


Connection Closed

Note: In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Network Traffic

Connection Traffic

Information 537 --- StandardTraffic

Report

Connection Opened

Note: In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL securityappliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Network Traffic

Connection Information 98 --- StandardNote

Protocol

Connection timed out


Cookie removed Network Access

Blocked Code Notice 21 --- StandardString

Service

CRL has expired VPN PKI User Activity Alert 874 --- SimpleDestination

CRL loaded from VPN PKI User Activity Information 270 --- SimpleDestination

CRL missing - Issuer requires CRL checking


CRL validation failure for Root Certificate


Crypto DES test failed

Crypto Test Maintenance Error 360 --- Simple

Crypto DH test failed



Crypto Hardware 3Des test failed


Crypto Hardware 3DES with SHA test failed


Crypto Hardware AES test failed

Crypto Test Maintenance Error 610 --- Standard

Crypto hardware DES test failed


Crypto Haredware DES with SHA test failed


Crypto Hmac-MD5 fest failed


Crypto Hmac-Sha1 test failed


Crypto MD5 test failed


Crypto RSA test failed


Crypto Sha1 test failed


DDNS association %s disabled

DDNS Maintenance Information 781 --- SimpleMessage

String

DDNS association %s enabled


String

DDNS association %s added


String

DDNS association %s deactivated


String

DDNS association %s deleted


String

DDNS Association %s put on line


String


DDNS association %s taken Offline locally


String

DDNS Failure: Provider %s

DDNS System Error Error 774 --- SimpleMessage

String



String



String

DDNS Update success for domain %s

DDNS Maintenance Information 776 --- StandardMessage

String

DDNS Warning: Provider %s

DDNS System Error Warning 777 --- SimpleMessage

String

Deleting from Multicast policy list, interface : %s


String

Deleting from Multicast policy list, VPN SPI : %s


String

Deleting IPSec SA VPN IKE User Activity Information 92 --- StandardNote SPI

DHCP client enabled but not ready

DHCP Client Maintenance Information 504 --- Simple

DHCP Client did not get DHCP ACK

DHCP Client Maintenance Information 109 --- Standard

DHCP Client failed to verify and lease has expired. Go to INIT state.


DHCP Client got a new IP address lease.

DHCP Client Maintenance Information 121 --- StandardDestination

DHCP Client got ACK from server


DHCP Client got NACK



DHCP Client is declining address offered by the server.


DHCP Client sending REQUEST and going to REBIND state


DHCP Client sending REQUEST and going to RENEW state


DHCP DISCOVER received from remote device

DHCP Relay Debug Information 474 --- StandardDestination

DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP

DHCP Relay Maintenance Warning 228 --- StandardDestination

DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP

DHCP Relay Maintenance Warning 484 --- StandardDestination

DHCP lease relayed to local device

DHCP Relay Maintenance Information 223 --- StandardDestination

DHCP lease relayed to remote device


DHCP lease to LAN device conflicts with remote device, deleting remote IP entry


DHCP NAK received from server


DHCP OFFER received from server



DHCP Ranges altered automatically due to change in network settings for interface %s

Firewall Event --- Information 832 --- StandardString

Service

DHCP RELEASE received from remote device


DHCP RELEASE relayed to Central Gateway


DHCP REQUEST received from remote device


DHCP Server not available. Did not get any DHCP OFFER.


Diagnostic Code A Firewall Hardware

System Error Error 93 611 SimpleNote String

Diagnostic Code B Firewall Hardware


Diagnostic Code C Firewall Hardware


Diagnostic Code D Firewall Hardware

System Error Error 64 610 StandardNote Code

Diagnostic Code D Firewall Hardware


Diagnostic Code E VPN IPSec System Error Error 61 609 StandardNote Code

Diagnostic Code F Firewall Hardware


Diagnostic Code G Firewall Hardware


Diagnostic Code H Firewall Hardware


Diagnostic Code I Firewall Hardware


Disconnecting L2TP Tunnel due to traffic timeout

L2TP Client Maintenance Information 215 --- Simple


Disconnecting PPPoE due to traffic timeout

PPPoE Maintenance Information 168 --- Simple

Disconnecting PPTP Tunnel due to traffic timeout

PPTP Maintenance Information 389 --- Simple

Discovered HA Backup Firewall

High Availability


DNS packet allowed

Network Access

Debug Information 602 --- StandardPolicy

Drop Wlan traffic from non SonicPoint devcies

Intrusion Detection

Attack Error 662 572 Standard

Dynamic IPSec client connected

VPN IPSec User Activity Information 62 --- StandardDestination

EIGRP packet dropped

Network Access

Debug Notice 714 --- StandardNote String

E-Mail fragment dropped

Intrusion Detection


Error initializing Hardware acceleration for VPN

Firewall Hardware

Maintenance Error 374 --- Simple

Error Rebooting HA Peer Firewall

High Availability


Error setting the IP address of the backup, please manually set to backup LAN IP

High Availability


Error Synchronizing HA Peer Firewall

High Availability


Exceeded Max multicast address limit

Multicast --- Warning 703 --- Standard

Failed payload validation

VPN IKE User Activity Warning 405 --- Standard

Failed payload verification after decryption. Possible preshared key mismatch.



Failed to find certificate


Failed to get CRL from


Failed to Process CRL from


Failed to resolve name

Network Maintenance Information 84 --- SimpleDestination

Failed to synchronize Relay IP Table

DHCP Relay System Error Warning 234 632 Standard

Failure to add data channel

Unused Debug Debug 49 --- Standard

Failure to reach Interface %s probe

High Availability

System Error Error 675 647 StandardString Ser-

vice

Fan Failure Firewall Hardware

System Environment

Alert 576 102 Simple

Forbidden E-Mail attachment deleted

Intrusion Detection

Attack Error 248 534 StandardDestination

Forbidden E-Mail attachment disabled

Intrusion Detection

Attack Alert 165 527 StandardDestination

Found Rogue Access Point


Found Rogue Access Point


Fragmented packet dropped

Network TCP | UDP | ICMP

Notice 28 --- StandardNote

Protocol

Fraudulent Microsoft certificate found; access denied

Intrusion Detection


FTP: Data connection from non default port dropped

Network Access


FTP: PASV response bounce attack dropped.

Intrusion Detection

Attack Alert 528 556 StandardNote String


FTP: PASV response spoof attack dropped.

Intrusion Detection


FTP: PORT bounce attack dropped.

Intrusion Detection


Gateway Anti-Virus Alert: %s

Security Services

Attack Alert 809 --- StandardMessage

String

Gateway Anti-Virus Service expired

Security Services

Maintenance Warning 810 --- Simple

Global VPN Client connection is not allowed. Appliance is not registered.

VPN Client System Error Information 529 643 Standard

Global VPN Client License Exceeded: Connection denied.

VPN Client System Error Information 494 658 Standard

Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1.

VPN Client User Activity Information 604 --- StandardDestination

Got DHCP OFFER. Selecting.


GSC policy out-of-date on host

Security Services


Guest account '%s' created

Authentication User Activity Information 558 --- StandardMessage

String

Guest account '%s' deleted


String

Guest account '%s' disabled


String

Guest account '%s' pruned


String

Guest account '%s' re-enabled


String


Guest account '%s' re-generated


String

Guest login denied. Guest '%s' is already logged in. Please try again later.


String

H.323/H.225 Connect

VoIP VoIP Debug 634 --- StandardNote String

H.323/H.225 Setup VoIP VoIP Debug 633 --- StandardNote String

H.323/H.245 Address


H.323/H.245 End Session


H.323/RAS Admission Confirm


H.323/RAS Admission Reject


H.323/RAS Admission Request


H.323/RAS Bandwidth Reject


H.323/RAS Disengage Confirm


H.323/RAS Disengage Reject


H.323/RAS Gatekeeper Reject


H.323/RAS Location Confirm


H.323/RAS Location Reject


H.323/RAS Registration Reject


H.323/RAS Unknown Message Response



H.323/RAS Unregistration Reject


HA packet processing error

High Availability


Hardware Failover settings were not upgraded


Header verification failed


HTTP management port has changed

Firewall Event Maintenance Information 340 --- SimpleNote String

HTTPS management port has changed

Firewall Event Maintenance Information 341 --- SimpleNote String

ICMP checksum error

Network Access

UDP Notice 886 --- Standard

ICMP packet allowed

Network Access

Debug Information 597 --- StandardPolicy

ICMP packet dropped

Network Access

ICMP Notice 38 --- StandardPolicy

ICMP packet dropped

Network Access

ICMP Notice 523 --- StandardICMP

Service

ICMP packet from LAN allowed

Network Access

Debug Information 598 --- StandardICMP

Service

ICMP packet from LAN dropped

Network Access

LAN ICMP | LAN TCP

Notice 175 --- StandardICMP

Service

If not already enabled, enabling NTP is recommended

Firewall Hardware

System Error Warning 540 645 Simple

IGMP packet dropped, wrong checksum received on interface %s

Multicast --- Notice 683 --- StandardMessage

String

IGMP Leave group message Received on interface %s

Multicast --- Information 682 --- StandardMessage

String


IGMP packet dropped, decoding error

Multicast --- Notice 686 --- Standard

IGMP Packet Not handled. Packet type : %s


String

IGMP querier Router detected on interface %s


String

IGMP querier Router detected on VPN tunnel , SPI %S


String

IGMP state table entry time out,deleting interface : %s for multicast address : %s


String

IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s


String

IGMP V2 client joined multicast Group : %s


String

IGMP V2 Membership report received from interface %s


String

IGMP V3 client joined multicast Group : %s


String

IGMP V3 Membership report received from interface %s


String

IGMP V3 packet dropped, unsupported Record type : %s


String


IGMP V3 reord type : %s not Handled


String

IKE ID mismatch %s

VPN IKE Debug Debug 658 --- StandardString

Service

IKE Initiator drop: Packet dest address does not match selected local interface address

VPN IKE User Activity Information 544 --- Standard

IKE Initiator: Accepting IPSec proposal (Phase 2)

VPN IKE User Activity Information 372 --- StandardNote String

IKE Initiator: Accepting peer lifetime (Phase 1)

VPN IKE User Activity Information 445 --- StandardDestination

IKE Initiator: Aggressive Mode complete (Phase 1)


IKE Initiator: Main Mode complete (Phase 1)


IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN


IKE Initiator: Start Aggressive Mode negotiation (Phase 1)


IKE Initiator: Start Main Mode negotiation (Phase 1)


IKE Initiator: Start Quick Mode (Phase 2)


IKE Initiator: Using secondary gateway to negotiate



IKE negotiation aborted due to timeout


IKE negotiation complete. Adding IPSec SA. (Phase 2)


IKE Responder drop: Packet dest address does not match selected local interface address


IKE Responder: %s policy does not allow static IP for Virtual Adapter.

VPN Client System Error Error 660 --- StandardMessage

String

IKE Responder: Accepting IPSec proposal (Phase 2)


IKE Responder: Aggressive Mode complete (Phase 1)


IKE Responder: AH Perfect Forward Secrecy mismatch

VPN IKE User Activity Warning 258 544 Standard

IKE Responder: Algorithms and/or keys do not match


IKE Responder: Default LAN gateway is not set but peer is propos-ing to use this SA as a default route

VPN IKE Attack Error 516 553 StandardNote String

IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route

VPN IKE User Activity Warning 253 539 StandardNote String


IKE Responder: ESP Perfect Forward Secrecy mismatch


IKE Responder: IKE proposal does not match(Phase 1)


IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed.

VPN Client System Error Error 659 --- StandardNote String

IKE Responder: IPSec proposal does not match (Phase 2)


IKE Responder: Main Mode complete (Phase 1)


IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer.

VPN IKE Debug Warning 342 --- StandardMessageNumber

IKE Responder: Mode %d - not tunnel mode

VPN IKE User Activity Warning 249 535 StandardMessageNumber

IKE Responder: No match for proposed remote network address


IKE Responder: No matching Phase 1 ID found for proposed remote network


IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway



IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route


IKE Responder: Received Aggressive Mode request (Phase 1)


IKE Responder: Received Main Mode request (Phase 1)


IKE Responder: Received Quick Mode Request (Phase 2)


IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall


IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN


IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ


IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address


IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address



IKE SA lifetime expired.


Illegal IPSec SPI VPN IPSec User Activity Information 65 --- StandardDestination

Imported VPN SA is invalid - disabled

Firewall Event Maintenance Warning 348 --- StandardNote String

Inbound connection from RBL-listed SMTP server dropped

RBL --- Notice 798 --- Standard

Incoming call received for Remotely Triggered Dial-out session


Incompatible IPSec Security Association

VPN IPSec User Activity Information 69 --- StandardDestination

Incorrect authentication received for Remotely Triggered Dial-out


Ini Killer attack dropped

Intrusion Detection


Interface %s Link Is Down

Firewall Event System Error Error 566 647 StandardString

Service

Interface %s Link Is Up

Firewall Event System Error Warning 565 646 StandardString

Service

Interface IP Assignment : Binding and initializing %s

Firewall Event Maintenance Information 568 --- StandardString

Service

Interface IP Assignment changed: Shutting down %s


Service

Interface statistics report

GMS --- Information 805 --- SimpleInterfaceStatistics


Invalid TCP flags on an incomplete connection

Network Access

--- Notice 760 --- StandardNote String

Invalid VLAN packet dropped

Network --- Alert 836 --- StandardNote String

IP Header checksum error

Network Access

TCP | UDP Notice 883 --- Standard

IP spoof detected on packet to Central Gateway, packet dropped

DHCP Relay Attack Error 229 533 StandardNote ENET

IP spoof dropped Intrusion Detection

Attack Alert 23 502 StandardNote ENET

IP type %s packet dropped

Network Access

LAN UDP | LAN TCP

Notice 590 --- StandardMessage

String

IPS Detection Alert: %s

Intrusion Detection

Attack Alert 608 569 StandardIDP

MessageString

IPS Detection Alert: %s

Intrusion Detection

Attack Alert 789 573 StandardMessage

String

IPS Prevention Alert: %s

Intrusion Detection

Attack Alert 609 570 StandardIDP

MessageString

IPS Prevention Alert: %s

Intrusion Detection

Attack Alert 790 574 StandardMessage

String

IPSec (AH) packet dropped

VPN IPSec TCP | UDP | ICMP

Notice 534 --- StandardNote String

IPSec (AH) packet dropped; waiting for pending IPSec connection

VPN IPSec Debug Debug 536 --- Standard

IPSec (ESP) packet dropped

VPN IPSec TCP | UDP | ICMP

Notice 533 --- StandardNote String

IPSec (ESP) packet dropped; waiting for pending IPSec connection

VPN IPSec Debug Debug 535 --- Standard


IPSec Authentication Failed

VPN IPSec Attack Error 67 508 StandardDestination

IPSec connection interrupt

Network Access

Debug Debug 43 --- Standard

IPSec Decryption Failed


IPSec packet dropped

Network Access

TCP | UDP | ICMP

Notice 40 --- Standard

IPSec packet dropped; waiting for pending IPSec connection

Network Access


IPSec packet from an illegal host

VPN IPSec Maintenance Information 247 --- StandardDestination

IPSec packet from or to an illegal host


IPSEC Replay Detected

VPN IPSec Attack Alert 180 531 StandardNote String

IPSecTunnel status changed

VPN VPN Tunnel Status

Information 427 801 Simple

ISDN Driver Firmware successfully updated


Issuer match failed VPN PKI User Activity Alert 278 --- SimpleDestination

Java access denied

Network Access


Blocked

L2TP enabled but not ready

Unused Maintenance Information 500 --- Simple

L2TP Max Retransmission Exceeded


L2TP PPP Authentication Failed


L2TP PPP Down L2TP Client Maintenance Information 211 --- Simple

L2TP PPP link down



L2TP PPP Negotiation Started


L2TP PPP Session Up


L2TP Server : Deleting the L2TP active Session

L2TP Server Maintenance Information 337 --- StandardDestination

L2TP Server : Deleting the Tunnel


L2TP Server : L2TP Session Estab-lished.


L2TP Server : L2TP Tunnel Estab-lished.


L2TP Server : Retransmission Timeout, Deleting the Tunnel


L2TP Server : User Name authentication Failure locally.


L2TP Server: Local Authentication Failure


L2TP Server: Local Authentication Success.


L2TP Server: Radius Authentication Success


L2TP Server: Radius reports Authentication Failure


L2TP Server: Radius server not assigned IP address



L2TP Server: Call Disconnect from Remote.


L2TP Server: Tunnel Disconnect from Remote.


L2TP Session Disconnect from Remote


L2TP Session Established


L2TP Session Negotiation Started


L2TP Tunnel Disconnect from Remote


L2TP Tunnel Established


L2TP Tunnel Negotiation Started


LAN Subnet configurations were not upgraded.


Land attack dropped

Intrusion Detection


License exceeded: Connection dropped because too many IP addresses are in use on your LAN

Firewall Event System Error Error 58 608 Standard

License of HA pair doesn't match

High Availability


Local user login allowed

Authentication User Activity Information 31 --- StandardString

Service

Local user login denied due to bad credentials


Service

Locked-out user logins allowed - lockout period expired

Authentication User Activity Information 438 --- StandardNote String


Locked-out user logins allowed by administrator


Log Cleared Firewall Logging


Log Debug Firewall Event Debug Error 142 --- SimpleString

Log successfully sent via email

Firewall Logging


Login screen timed out


Service

MAC address collides with Static ARP Entry with Bound MAC address; packet dropped

Network --- Notice 814 --- StandardNote ENET

Machine %s removed from SYN flood blacklist

Intrusion Detection

--- Alert 865 --- StandardString

Service

Malformed or unhandled IP packet dropped

Network Access

Attack Alert 522 554 StandardDestination

Maximum events per second threshold exceeded

Firewall Logging

System Error Critical 654 --- Simple

Maximum sequential failed dial attempts (10) to a single dial-up number: %s

PPP Dial-up Attack Error 591 566 StandardMessage

String

Maximum syslog data per second threshold exceeded

Firewall Logging

System Error Critical 655 --- Simple

Multicast application %s not supported


String

Multicast packet dropped, Invalid src IP received on interface : %s

Multicast --- Alert 685 --- StandardMessage

String


Multicast packet dropped, wrong MAC address receieved on interface : %s

Multicast --- Alert 684 --- StandardMessage

String

Multicast TCP packet dropped


Multicast UDP packet dropped, no state entry


Multicast UDP packet dropped, RTCP stateful failed


Multicast UDP packet dropped, RTP stateful failed


NAT device may not support IPSec AH passthrough

VPN IPSec Maintenance Information 266 --- Simple

NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways


NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device


NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device


NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal


NAT translated packet exceeds size limit, packet dropped

Network Debug Debug 339 --- Standard


Net Spy attack dropped

Intrusion Detection


NetBIOS settings were not upgraded. Use Network>IP Helper to configure NetBIOS support


NetBus attack dropped

Intrusion Detection


Network for interface %s overlaps with another interface.


Service

Network Modem Mode Disabled: re-enabling NAT

PPP Dial-up Maintenance Information 531 --- Simple

Network Modem Mode Enabled: turning off NAT


New URL List loaded

Security Services


Newsgroup access allowed

Network Access


Blocked

Newsgroup access denied

Network Access


Blocked

No Certificate for VPN PKI User Activity Alert 280 --- SimpleDestination

No new URL List available

Security Services


No response from ISP Disconnecting PPPoE.


No response from PPTP server to call requests


No response from PPTP server to control connection requests



No response from server to Echo Requests, disconnecting PPTP Tunnel


No valid DNS server specified for RBL lookups

RBL --- Error 800 --- Simple

Not all configurations may have been completely upgraded


Not enough memory to hold the CRL

VPN PKI User Activity Warning 272 --- SimpleDestination

Obtained Relay IP Table from Remote Gateway

DHCP Relay Maintenance Information 233 --- Standard

OCSP Failed to Resolve Domain Name.

VPN PKI User Activity Error 853 --- StandardNote String

OCSP Internal error handling received response.


OCSP received response error.


OCSP received response.

VPN PKI User Activity Information 850 --- StandardNote String

OCSP Resolved Domain Name.


OCSP send request message failed.


OCSP sending request.


Outbound connection to RBL-listed SMTP server dropped

RBL --- Notice 797 --- Standard

Out-of-order command packet dropped

Network Access



Packet dropped by wlan guest check

Wireless TCP | UDP | ICMP

Warning 488 --- StandardDestination

Packet dropped by wlan vpn traversal check

Wireless TCP | UDP | ICMP


Packet dropped. No firewall rule associated with VPN policy.

VPN System Error Alert 739 --- StandardNote String

Ping of death dropped

Intrusion Detection


PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate

VPN PKI Maintenance Error 453 --- Simple

PKI Failure: Cannot alloc memory


PKI Failure: Certificate's ID does not match this SonicWall


PKI Failure: Duplicate local certificate


PKI Failure: Duplicate local certificate name


PKI Failure: Import failed


PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file


PKI Failure: Incorrect admin password


PKI Failure: Internal error


PKI Failure: Loaded but could not verify certificate



PKI Failure: Loaded the certificate but could not verify it's chain


PKI Failure: No CA certificates yet loaded


PKI Failure: Output buffer too small


PKI Failure: public-private key mismatch


PKI Failure: Reached the limit for local certs, cant load any more


PKI Failure: Temporary memory shortage, try again


PKI Failure: The certificate chain has no root


PKI Failure: The certificate chain is circular


PKI Failure: The certificate chain is incomplete


PKI Failure: The certificate or a certificate in the chain has a bad signature


PKI Failure: The certificate or a certificate in the chain has a validity period in the future


PKI Failure: The certificate or a certificate in the chain has expired



PKI Failure: The certificate or a certificate in the chain is corrupt


Please connect interface %s to another network to function properly


Service

Please manually check all system configurations for correctness of Upgrade


Port configured to receive IPSEC ONLY. Drop packet received in the clear.

Network Access

TCP | UDP | ICMP


Possible port scan dropped

Intrusion Detection


Possible SYN flood attack detected

Intrusion Detection

Attack Warning 25 503 Standard

Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode

Intrusion Detection


Service

Possible SYN Flood on IF %s

Intrusion Detection


Service

Possible SYN Flood on IF %s continues

Intrusion Detection

--- Warning 866 --- StandardString

Service

Possible SYN Flood on IF %s has ceased

Intrusion Detection


Service

PPP Dial-Up: Connect request canceled

PPP Dial-up User Activity Information 306 --- Simple

PPP Dial-Up: Connected at %s bps - starting PPP

PPP Dial-up User Activity Information 286 --- StandardString

Service


PPP Dial-Up: Connection disconnected as scheduled.

PPP Dial-up --- Information 666 --- Standard

PPP Dial-Up: Dial initiated by %s

PPP Dial-up Maintenance Information 324 --- StandardMessage

String

PPP Dial-Up: Dialed number did not answer


PPP Dial-Up: Dialed number is busy


PPP Dial-Up: Dialing not allowed by schedule. %s

PPP Dial-up --- Information 665 --- StandardMessage

String

PPP Dial-Up: Dialing: %s


Service

PPP Dial-Up: Idle time limit exceeded - disconnecting


PPP Dial-Up: Initialization : %s


Service

PPP Dial-Up: Link carrier lost


PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details


PPP Dial-Up: Maximum connection time exceeded - disconnecting


PPP Dial-Up: No dialtone detected - check phone-line connection



PPP Dial-Up: No link carrier detected - check phone number


PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same


PPP Dial-Up: PPP link down


PPP Dial-Up: PPP link established


PPP Dial-Up: Previous session was connected for %s


Service

PPP Dial-Up: Received new IP address

PPP Dial-up User Activity Information 299 --- Standard

PPP Dial-Up: Shutting down link


PPP Dial-Up: The profile in use disabled VPN networking.


PPP Dial-Up: Trying to failover but Alternate Profile is manual

WAN Failover User Activity Information 434 --- Simple

PPP Dial-Up: Trying to failover but Primary Profile is manual


PPP Dial-Up: Unknown dialing failure


PPP Dial-Up: User requested connect



PPP Dial-Up: User requested disconnect


PPP Dial-Up: VPN networking restored.


PPP: Authentication successful

PPP User Activity Information 289 --- Simple

PPP: CHAP authentication failed - check username / password


PPP: MS-CHAP authentication failed - check username / password


PPP: PAP Authentication failed - check username / password


PPP: Starting CHAP authentication


PPP: Starting MS-CHAP authentication


PPP: Starting PAP authentication


PPPoE terminated PPPoE Maintenance Information 130 --- Simple

PPPoE discovery process complete


PPPoE enabled but not ready


PPPoE LCP Link Down


PPPoE LCP Link Up


PPPoE Network Connected



PPPoE Network Disconnected


PPPoE starting CHAP Authentication


PPTP enabled but not ready


PPTP Connect Initiated by the User

PPTP Maintenance Information 390 --- StandardDestination

PPTP Control Connection Established


PPTP Control Connection Negotiation Started


PPTP decode failure

PPTP Debug Debug 596 --- Standard

PPTP Disconnect Initiated by the User

PPTP Maintenance Information 388 --- StandardDestination

PPTP PAP Authentication success.


PPTP PPP Down PPTP Maintenance Information 385 --- Simple

PPTP PPP Link down


PPTP PPP Link Finished


PPTP PPP Link Up PPTP Maintenance Information 398 --- Simple

PPTP PPP Negotiation Started


PPTP PPP Session Up


PPTP Server is not responding, check if the server is UP and running.


PPTP server rejected control connection



PPTP server rejected the call request


PPTP Session Disconnect from Remote


PPTP Session Established


PPTP Session Negotiation Started


PPTP starting CHAP Authentication


PPTP starting PAP Authentication


PPTP Tunnel Disconnect from Remote


Primary firewall has transitioned to Active

High Availabil-ity


Primary firewall has transitioned to Idle

High Availabil-ity


Primary firewall preempting Backup

High Availability


Primary missed heartbeats from Backup

High Availability


Primary received error signal from Backup

High Availability


Primary received reboot signal from Backup

High Availability


Priority attack dropped

Intrusion Detection


Probable port scan dropped

Intrusion Detection


Probable TCP FIN scan dropped

Intrusion Detection



Probable TCP NULL scan dropped

Intrusion Detection


Probable TCP XMAS scan dropped

Intrusion Detection


Probing failure on %s

WAN Failover System Error Alert 326 637 StandardMessage

String

Probing succeeded on %s


String

Problem loading the URL List; Appliance not registered.

Security Services


Problem loading the URL List;check Filter settings

Security Services

System Error Error 10 602 StandardNote Code

Problem loading the URL List; check your DNS server

Security Services


Problem loading the URL List; Flash write failure.

Security Services


Problem loading the URL List; Retrying later.

Security Services

System Error Error 186 626 Standard

Problem loading the URL List; Subscription expired.

Security Services

System Error Error 184 624 Standard

Problem loading the URL List; Try loading it again.

Security Services


Problem sending log email; check log settings.

Firewall Logging


Real time clock battery failure. Time values may be incorrect.

Firewall Hardware



Received a path MTU icmp message from router/gateway

Network User Activity Information 182 --- StandardNote SPI

Received a path MTU icmp message from router/gateway

Network User Activity Information 188 --- StandardNote MTU

Received AV Alert: %s

Security Services

Maintenance Warning 125 524 StandardString

Service

Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s

SecurityServices


Service

Received AV Alert: Your SonicWALL Network Anti-Virus subscription will expire in 7 days. %s

Security Services


Service

Received CFS Alert: Your SonicWALL Content Filtering subscription has expired.

Security Services


Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days.

Security Services


Received DHCP offer packet has errors


Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription has expired.

Security Services



Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription will expire in 7 days.

Security Services


Received fragmented packet or fragmentation needed


Received IKE SA delete request


Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired.

Security Services


Received IPSEC SA delete request


Received ISAKMP packet destined to port %s

VPN IKE Debug | UDP Information 607 --- StandardMessage

String

Received LCP Echo Reply


Received LCP Echo Request


Received notify: INVALID_COOKIES


Received notify: INVALID_ID_INFO

VPN IPSec User Activity Warning 483 --- Standard

Received notify: INVALID_PAYLOAD

VPN IKE User Activity Error 661 --- Standard

Received notify: INVALID_SPI


Received notify: ISAKMP_AUTH_FAILED


Received notify: PAYLOAD_MALFORMED



Received notify: RESPONDER_LIFETIME


Received packet retransmission. Drop duplicate packet


Received PPPoE Active Discovery Offer


Received PPPoE Active Discovery Session_confirmation


Received response packet for DHCP request has errors


Received unencrypted packet while crypto active


Regulatory requirements prohibit %s from being re-dialed for 30 minutes

PPP Dial-up Attack Error 592 567 StandardMessage

String

Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dial-up sequence will commence


Remotely Triggered Dial-out session started. Requesting authentication


Request for Relay IP Table from Central Gateway


Requesting CRL from

VPN PKI User Activity Information 269 --- SimpleDestination


Requesting Relay IP Table from Remote Gateway


Retransmitting DHCP DISCOVER


Retransmitting DHCP REQUEST (Rebinding)


Retransmitting DHCP REQUEST (Rebooting)


Retransmitting DHCP REQUEST (Renewing)


Retransmitting DHCP REQUEST (Requesting)


Retransmitting DHCP REQUEST (Verifying)


RIP disabled on interface %s

RIP Maintenance Information 419 --- StandardString

Service

Ripper attack dropped

Intrusion Detection


RIPv1 enabled on interface %s


Service

RIPv2compatibility (broadcast) mode enabled on interface %s


Service

RIPv2 enabled on interface %s


Service

Router IGMP General query received oninterface %s


String

Router IGMP Membership query received on interface %s


String


Sending DHCP DISCOVER.


Sending DHCP RELEASE.


Sending DHCP REQUEST (Rebinding).


Sending DHCP REQUEST (Rebooting).


Sending DHCP REQUEST (Renewing).


Sending DHCP REQUEST (Verifying).


Sending DHCP REQUEST.


Sending LCP Echo Reply


Sending LCP Echo Request


Sending PPPoE Active Discovery Request


Senna Spy attack dropped

Intrusion Detection


Sent Relay IP Table to Central Gateway


SIP Register expi-ration exceeds configured Signalinginactivity time out

VoIP VoIP Warning 645 --- StandardNote String

SIP Request VoIP VoIP Debug 643 --- StandardNote String

SIP Response VoIP VoIP Debug 644 --- StandardNote String

SMTP POP-Before-SMTP authentication failed

Firewall Logging

System Error Warning 656 --- Simple


SMTP server found on RBL blacklist

RBL --- Notice 799 --- StandardNote String

Smurf Amplification attack dropped

Intrusion Detection


SonicPoint Provision

SonicPoint SonicPoint Information 727 --- SimpleDestination

SonicPoint statistics report

GMS --- Information 806 --- SimpleSonicPoint

Statistics

SonicPoint Status SonicPoint SonicPoint Information 667 --- SimpleDestination

SonicWALL activated

Firewall Event Maintenance Alert 4 --- Simple

SonicWALLinitializing


Source routed IP packet dropped

Intrusion Detection

Debug Warning 428 --- Standard

Spank attack multicast packet dropped

Intrusion Detection


Starting IKE negotiation


Starting PPPoE discovery


Status GMS Maintenance Emergency 96 --- SimpleGMS

Status

Striker attack dropped

Intrusion Detection


Sub Seven attack dropped

Intrusion Detection


Success to reach Interface %s probe

High Availability

System Error Information 674 --- StandardString

Service

Successful authentication received for Remotely Triggered Dial-out



SYN Flood Blacklist on IF %s continues

Intrusion Detection

--- Warning 868 --- StandardString

Service

SYN Floodblacklistingdisabled by user

Intrusion Detection

--- Warning 863 --- Standard

SYN Flood blacklisting enabled by user

Intrusion Detection


SYN flood ceased or flooding machines blacklisted - connection proxy disabled

Intrusion Detection

--- Alert 861 --- Standard

SYN Flood Mode changed by user to: Always proxy WAN connections

Intrusion Detection


SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack

Intrusion Detection


SYN Flood Mode changed by user to: Watch and report possible SYN floods

Intrusion Detection


Synchronizing preferences to HA Peer Firewall

High Availability


SYN-Flooding machine %s blacklisted

Intrusion Detection


Service

TCP checksum error

Network Access


TCP connection dropped

Network Access

UDP Notice 36 --- StandardPolicy

TCP connection from LAN denied

Network Access

LAN TCP Notice 173 --- StandardService

TCP FIN packet dropped



TCP stateful inspection enforcement: Bad header dropped


TCP stateful inspection enforcement: Connection aborted


TCP stateful inspectionenforcement: Connection refused


TCP stateful inspection enforcement: Invalid ack dropped


TCP stateful inspection enforcement: Invalid flag dropped

Network Debug Information 710 --- Standard

TCP stateful inspection enforcement: Invalid sequence dropped


TCP SYN received Intrusion Detection

--- Debug 869 --- Standard

TCP Syn/Fin packet dropped

Network Access


TCP Xmas Tree dropped

Intrusion Detection


The cache is full; %u open connections; some will be dropped

Firewall Event System Error Error 53 607 StandardMessageNumber

The loaded content URL List has expired

Security Services



The network connection in use is %s

WAN Failover System Error Warning 307 639 StandardMessage

String

The preferences file is too large to be saved inavailable flash memory


Thermal Red Firewall Hardware

System Environment


Thermal Red Timer Exceeded

Firewall Hardware

System Environment


Thermal Yellow Firewall Hardware

System Environment


Time of day settings for fire-wall policies were not upgraded.


UDP checksum error

Network Access


UDP packet dropped

Network Access


UDP packet from LAN dropped

Network Access

LAN UDP | LAN TCP

Notice 174 --- StandardService

Unable to download IPS/GAV/Aspy Signature database. Firewall must first be restarted to free memory used by downloaded firmware.

Unused --- Warning 873 --- Simple

Unknown protocol dropped

Network Access

Debug Notice 41 --- StandardNote String

Unknown reason VPN PKI User Activity Error 275 --- SimpleDestination

User logged out Authentication User Activity Information 263 --- StandardString

Service

User logged out - inactivity timer expired



User logged out - max session time exceeded


User logged out - user disconnect detected (heartbeat timer expired)


User login denied - insufficient access on LDAP server

RADIUS User Activity Warning 750 --- StandardString Ser-

vice

User login denied - invalid credentials on LDAP server

RADIUS User Activity Warning 749 --- StandardString Ser-

vice

User login denied - LDAP authentication fail-ure

RADIUS User Activity Information 745 --- StandardString Ser-

vice

User login denied - LDAP communication problem

RADIUS User Activity Warning 748 --- StandardString

Service

User login denied - LDAP directory mismatch


Service

User login denied - LDAP schema mismatch


Service

User login denied - LDAP server certificate not valid


Service

User login denied - LDAP server down or misconfigured


Service

User login denied - LDAP server name resolution failed


Service

User login denied - LDAP server timeout


Service

User login denied - RADIUS authentication failure

RADIUS User Activity Information 243 --- StandardString

Service


User login denied - RADIUS communication problem


Service

User login denied - RADIUS configuration error


Service

User login denied - RADIUS server name resolution failed


Service

User login denied - RADIUS server timeout


Service

User login denied - TLS or localcertificate problem


Service

User login denied - User has no privileges for login from that location


Service

User login denied - User has no privileges for WLAN guest service

Authentication User Activity Information 486 --- StandardDestination

User login denied due to bad credentials


Service

User login disabled from %s

Authentication Attack Error 583 559 StandardMessage

String

User login failed - Guest service limit reached


User login failure rate exceeded - logins from user IP address denied

Authentication Attack Error 329 561 StandardDestination

Virtual Access Point is disabled

SonicPoint 802.11b Management


Virtual Access Point is enabled

SonicPoint 802.11b Management



VoIP %s Endpoint added

VoIP VoIP Debug 637 --- StandardString

Service

VoIP %s Endpoint not added - configured 'public' endpoint limit reached

VoIP VoIP Warning 639 --- StandardString

Service

VoIP %s Endpoint removed

VoIP VoIP Debug 638 --- StandardString

Service

VoIP Call Connected

VoIP VoIP Information 622 --- StandardNote String

VoIP Call Disconnected

VoIP VoIP Information 623 --- StandardNote String

Voltages Out of Tolerance

Firewall Hard-ware

System Envi-ronment

Error 575 101 Simple

VPN Cleanup: Dynamic network settings change

VPN User Activity Information 471 --- Standard

VPN Client Policy Provisioning


VPN disabled by administrator

Authentication Maintenance Information 506 --- Simple

VPN disabled for active dial up

Unused Maintenance Information 503 --- Simple

VPN enabled by administrator


VPN Log Debug VPN IKE Debug Information 172 --- SimpleString

VPN policy count received exceeds the limit; %s

VPN System Error Error 719 --- StandardString

Service

VPN zone administrator login allowed


VPN zone remote user login allowed


Service

WAN Interface not setup


WAN IP Changed Firewall Event System Error Warning 138 636 Standard


WAN not ready Firewall Event Maintenance Information 502 --- Simple

WAN zone administrator login allowed


WAN zone remote user login allowed

Authentication User Activity Information 238 --- StandardString Ser-

vice

WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list


Web access request dropped

Network Access


Web management request allowed

Network Access

User Activity Notice 526 --- StandardService

Web site access allowed

Network Access


Blocked

Web site access denied

Network Access


Blocked

Wireless MAC Filter List disabled by administrator


Wireless MAC Filter List enabled by administrator


WLAN client null probing

WLAN IDS WLAN IDS Warning 615 904 StandardDestination

WLAN disabled by administrator


WLAN disabled by schedule


Wlan drop traffic to deny network

Network Access

--- Information 724 --- StandardNote String

WLAN enabled by administrator


WLAN enabled by schedule



WLAN firmware image has been updated

Wireless Maintenance Information 487 --- SimpleString

WLAN Guest Account Timeout


WLAN Guest Idle Timeout


WLAN Guest Session Timeout


WLAN max concurrent users reached already

Network Access


WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN

Wireless Maintenance Information 617 --- Simple

WLAN pass traffic to access allow network

Network Access


WLAN recovery Wireless Maintenance Information 519 --- SimpleString

WLAN sequence number out of order

WLAN IDS WLAN IDS Warning 547 902 SimpleDestination

WLB Failback initiated by %s


String

WLB Failover in progress

WAN Failover System Error Alert 584 651 Standard

WLB Resource failed


WLB Resource is now available


WLB Spill-over started, configured threshold exceeded

WAN Failover Maintenance Warning 581 --- Simple

WLB Spill-over stopped

WAN Failover Maintenance Warning 582 --- Simple


WPA MIC Failure Wireless 802.11b Management

Warning 663 --- SimpleDestination

WPA Radius Server Timeout

Wireless 802.11b Management


XAUTH Failed with VPN client, Authentication failure


XAUTH Failed with VPN client, Cannot Contact RADIUS Server


XAUTH Succeeded with VPN client



Index of Syslog Tag Field DescriptionThis section provides an alphabetical listing of Syslog tags and the associated field description.

Tag Field Description

<ddd> Syslog message prefix The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the mes-sage. (See [1] Section 4.1.1)

arg URL Used to render a URL: arg represents the URL path name part.

bcastRx Interface statistics report Displays the broadcast packets received

bcastTx Interface statistics report Displays the broadcast packets transmitted

bytesRx Interface statistics report Displays the bytes received

bytesTx Interface statistics report Displays the bytes transmitted

c Message category (legacy only) Indicates the legacy category number (Note: We are not currently sending new category informa-tion.)

change Configuration change webpage Displays the basename of the firewall web page that performed the last configuration change

code Blocking code Indicates the CFS block code category

code ICMP type and code Indicates the ICMP code

conns Firewall status report Indicates the number of connections in use

cpuUtil Firewall status report Displays the CPU utilization (not in use)

dst Destination Destination IP address, and optionally, port, net-work interface, and resolved name.

dstname Destination URL Displays the URL of web site hit and other legacy destination strings

dstname URL Used to render a URL: dstname represents the URL host part

dyn Firewall status report Displays the HA and dialup connection state (ren-dered as “h.d” where “h” is “n” (not enabled), “b” (backup), or “p” (primary) and “d” is “1” (enabled) or “0” (disabled))

fw Firewall WAN IP Indicates the WAN IP Address

fwlan Firewall status report Indicates the LAN zone IP address

goodRxBytes SonicPoint statistics report Indicates the well formed bytes recevied

goodTxBytes SonicPoint statistics report Indicates the well formed bytes transmitted


i Firewall status report Displays the GMS message interval in seconds

id=firewall Webtrends prefix Syntactic sugar for WebTrends (and GMS by habit)

if Interface statistics report Displays the interface on which statistics are reported

ipscat IPS message Displays the IPS category

ipspri IPS message Displays the IPS priority

lic Firewall status report Indicates the number of licenses for firewalls with limited modes

m Message ID Provides the message ID number

mac MAC address Provides the MAC address

msg Static message Displays the event message (from spreadsheet)

msg Dynamically-defined message Displays a dynamically defined message string

msg Static message with dynamic string Displays a message using the predefined mes-sage string containing a “%s” and a dynamic string argument.

msg Static message with dynamic num-ber

Displays a message using the predefined string string containing a “%s” and a dynamic numeric argument.

msg IPS message Displays a message using the predefined mes-sage string containing a “%s” and a dynamic string argument.

msg Anti-Spyware message Displays the event message (from spreadsheet)

n Message count Indicates the number of times event occurs

op HTTP OP code Displays the HTTP operation (GET, POST, etc.) of web site hit

pri Message priority Displays the event priority level (0=emer-gency..7=debug)

proto IP protocol Indicates the IP protocol and detail information

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

pt Firewall status report Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)

radio SonicPoint statistics report Displays the SonicPoint radio on which event occurred

ramUtil Firewall status report Displays the RAM utilization (not in use)


rcvd Bytes received Indicates the number of bytes received within connection

result HTTP Result code Displays the HTTP result code (200, 403, etc.) of web site hit

rule Rule ID Displays the Access Rule number causing packet drop

sent Bytes sent Displays the number of bytes sent within connec-tion

sid IPS message Provides the IPS signature ID

sid Anti-Spyware message Provides the AntiSpyware signature ID

sn Firewall serial number Indicates the device serial number

spycat Anti-Spyware message Displays the antiSpyware category

spypri Anti-Spyware message Displays the AntiSpyware priority

src Source Indicates the source IP address, and optionally, port, network interface, and resolved name.

station SonicPoint statistics report Displays the client (station) on which event occurred

time Time Reports the time of event

type ICMP type and code Indicates the ICMP type

ucastRx Interface statistics report Displays the unicast packets received

ucastTx Interface statistics report Displays the unicast packets transmitted

unsynched Firewall status report Reports the time since last local change in sec-onds

usesstandbysa Firewall status report Displays whether standby SA is in use (“1” or “0”) for GMS management

usr (or user) User Displays the user name (“user” is the tag used by WebTrends)

vpnpolicy VPN policy name Displays the VPN policy name of event


© 2002 SonicWALL, I n c . SonicWALL is a registered trademark of SonicWALL, I n c . Other product and company names mentioned herein may bet rademarks and/ or registered trademarks of their respective companies. Specifications and descriptions subject to change with out notice.

T: 408.745.9600F: 408.745.9300

www.sonicwall.comSonicWALL,Inc.1143 Borregas AvenueSunnyvale,CA 94089-1306

P/ N 232-000827-00Rev B 6/05

sonicos log event reference guide -...

Documents