Using the SonicOS Log Event Reference Guide · software.sonicwall.com/manual/232-001835-00_rev_a...


Upload: dinhthuan

Post on 30-Jan-2018


Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.

This document contains the following sections:

• “Log > View”

• “Log > Categories”

• “Log > Syslog”

• “Log > Automation”

• “Log > Name Resolution”

• “Log > Reports”

• “Log > ViewPoint”

• “Index of Log Event Messages”

• “Index of Syslog Tag Field Description”


Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.

The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:

• Time - the date and time of the event.

• Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages – in descending order of severity, the categories include:

– Emergency

– Alert

– Critical

– Error

– Warning

– Notice

– Informational

– Debug

Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.

Note: Refer to the Log Event Messages section for more information on your specific log event.

• Category - the type of traffic, such as Network Access or Authenticated Access.

• Message - provides a description of the event.

• Source - displays source network and IP address.

• Destination - displays the destination network and IP address.

• Notes - provides additional information about the event.

• Rule - notes the Network Access Rule affected by the event.

Navigating and Sorting Log View Table Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.

You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.

Refresh

To update log messages, click the Refresh button near the top right corner of the page.

Clear Log

To delete the contents of the log, click the Clear Log button near the top right corner of the page.

Export Log

To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:

• Plain text format--Used in log and alert e-mail.

• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.

E-mail Log

If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.

Note: The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information in the Log > Automation page.

Filtering Log Records Viewed

You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).

Step 1 Enter your filter criteria in the Log View Settings table.

Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:

Source interface AND Destination interface

Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.

For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:

(Source IP OR Destination IP) AND Protocol

Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again.
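The AND / Group Filters OR semantics from the steps above, reproduced offline over log rows. This is an added example, not SonicWALL code; the rows are constructed, and the function names and the dictionary layout (with field names taken from the criteria in the text) are assumptions.

```python
# Constructed sample rows standing in for exported log entries.
ROWS = [
    {"id": 1, "Source interface": "WAN", "Source IP": "203.0.113.7",
     "Destination interface": "LAN", "Destination IP": "192.168.1.10",
     "Protocol": "tcp"},
    {"id": 2, "Source interface": "LAN", "Source IP": "192.168.1.10",
     "Destination interface": "WAN", "Destination IP": "203.0.113.7",
     "Protocol": "udp"},
    {"id": 3, "Source interface": "LAN", "Source IP": "192.168.1.20",
     "Destination interface": "WAN", "Destination IP": "203.0.113.7",
     "Protocol": "tcp"},
    {"id": 4, "Source interface": "WAN", "Source IP": "198.51.100.5",
     "Destination interface": "LAN", "Destination IP": "192.168.1.10",
     "Protocol": "udp"},
]

# "Source interface AND Destination interface": traffic from WAN to LAN.
WAN_TO_LAN = {"Source interface": "WAN", "Destination interface": "LAN"}

# "(Source IP OR Destination IP) AND Protocol": one peer in either direction.
PEER_TCP = {"Source IP": "203.0.113.7", "Destination IP": "203.0.113.7",
            "Protocol": "tcp"}


def row_matches(row, criteria, grouped=()):
    """Return True if `row` passes the filter.

    criteria: field name -> wanted value (every field that was filled in).
    grouped:  field names whose Group Filters box is checked; these are
              OR-ed together, everything else is AND-ed.
    """
    group = [field for field in criteria if field in grouped]
    if len(group) < 2:
        # Grouping applies to "any two or more criteria"; a single checked
        # box is treated here as an ordinary AND term.
        group = []
    and_ok = all(row.get(field) == wanted
                 for field, wanted in criteria.items() if field not in group)
    or_ok = any(row.get(f) == criteria[f] for f in group) if group else True
    return and_ok and or_ok


def apply_filter(rows, criteria, grouped=()):
    """Return the ids of the rows that pass the filter, in input order."""
    return [row["id"] for row in rows if row_matches(row, criteria, grouped)]


if __name__ == "__main__":
    print("WAN to LAN:", apply_filter(ROWS, WAN_TO_LAN))
    print("peer, grouped:",
          apply_filter(ROWS, PEER_TCP, {"Source IP", "Destination IP"}))
    print("peer, ungrouped:", apply_filter(ROWS, PEER_TCP))
```

Without the grouping, the same three criteria are AND-ed and match nothing, because no row has the peer address as both source and destination.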

The following example filters for log events resulting from traffic from the WAN to the LAN:

Log Event Messages

For a complete reference guide of log event messages, refer to the “Log Event Message Index” section on page 20.

Log > Categories

This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.

Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.

Log Severity/Priority

This section provides information on configuring the priority level at which log messages are captured and at which corresponding alert messages are sent through e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:

• Emergency (highest priority)

• Alert

• Critical

• Error

• Warning

• Notice

• Informational

• Debug (lowest priority)

Alert Level

The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:

• None (disables e-mail alerts)

• Emergency (highest priority)

• Alert

• Critical

• Error

• Warning (lowest priority)


Log Redundancy Filter

The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.

Alert Redundancy Filter

The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.

Log Categories

SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliance devices is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.

SonicWALL security appliances now include an expanded list of attack categories that can be logged.

The View Style menu provides the following three log category views:

• All Categories - Displays both Legacy Categories and Expanded Categories.

• Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.

• Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.

The following table describes both the Legacy and Extended log categories.

Log Type | Category | Description
802.11 Management | Legacy | Logs WLAN IEEE 802.11 connections.
Advanced Routing | Expanded | Logs messages related to RIPv2 and OSPF routing events.
Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access | Expanded | Logs administrator, user, and guest account activity
Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites | Legacy | Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP | Expanded | Logs BOOTP activity
Crypto Test | Expanded | Logs crypto algorithm and hardware testing
DDNS | Expanded | Logs Dynamic DNS activity
Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client | Expanded | Logs DHCP client protocol activity
DHCP Relay | Expanded | Logs DHCP central and remote gateway activity
Dropped ICMP | Legacy | Logs blocked incoming ICMP packets.
Dropped TCP | Legacy | Logs blocked incoming TCP connections.
Dropped UDP | Legacy | Logs blocked incoming UDP packets.
Firewall Event | Extended | Logs internal firewall activity
Firewall Hardware | Extended | Logs firewall hardware error events
Firewall Logging | Extended | Logs general events and errors
Firewall Rule | Extended | Logs firewall rule modifications
GMS | Extended | Logs GMS status event
High Availability | Extended | Logs High Availability activity
IPcomp | Extended | Logs IP compression activity
Intrusion Prevention | Extended | Logs intrusion prevention related activity
L2TP Client | Extended | Logs L2TP client activity
L2TP Server | Extended | Logs L2TP server activity
Multicast | Extended | Logs multicast IGMP activity
Network | Extended | Logs network ARP, fragmentation, and MTU activity
Network Access | Extended | Logs network and firewall protocol access activity
Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
Network Traffic | Expanded | Logs network traffic reporting events
PPP | Extended | Logs generic PPP activity
PPP Dial-Up | Extended | Logs PPP dial-up activity
PPPoE | Extended | Logs PPPoE activity
PPTP | Extended | Logs PPTP activity
RBL | Extended | Logs real-time black list activity
RIP | Extended | Logs RIP activity
Remote Authentication | Extended | Logs RADIUS and LDAP server activity
Security Services | Extended | Logs security services activity
SonicPoint | Extended | Logs SonicPoint activity
System Errors | Legacy | Logs problems with DNS or e-mail.
System Maintenance | Legacy | Logs general system activity, such as system activations.
User Activity | Legacy | Logs successful and unsuccessful log in attempts.
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity


Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

• Category - Displays log category name.

• Description - Provides description of the log category activity type.

• Log - Provides checkbox for enabling/disabling the display of the log events on the Log > View page.

• Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.

• Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.

• Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.

You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.

You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.

Log Type | Category | Description
VPN | Extended | Logs VPN activity
VPN Client | Extended | Logs VPN client activity
VPN IKE | Extended | Logs VPN IKE activity
VPN IPsec | Extended | Logs VPN IPSec activity
VPN PKI | Extended | Logs VPN PKI activity
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels.
WAN Failover | Extended | Logs WAN failover activity
Wireless | Extended | Logs wireless activity
Wlan IDS | Extended | Logs WLAN IDS activity


Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.

Syslog Settings

Syslog Facility

• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.

Note See RFC 3164 - The BSD Syslog Protocol for more information.

• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution.

Note For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.

– Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.

– Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.

Note If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.

• Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.

• Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.


Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL security appliance:

Step 1 Click Add. The Add Syslog Server window is displayed.

Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.

Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.

Step 4 Click OK.

Step 5 Click Accept to save all Syslog Server settings.

Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.

E-mail Log Automation

• Send Log to E-mail address - Enter your e-mail address in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.

• Send Alerts to E-mail address - Enter your e-mail address in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.

• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.

• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.

• Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.

• From E-mail Address - Enter the E-mail address you want to display in the From field of the message.

• Authentication Method - You can use the default None item or select POP Before SMTP.

Note If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.


Deep Packet Forensics

SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any ‘interesting-content’ events, it can only provide a record of the occurrence, but not the actual data of the event.

Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.

Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.

While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:

• Reliable storage of data

• Effective indexing of data

• Classification of interesting-content

Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.

Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:

• Debug/Informational Events—Connection setup/tear down

• User-events—Administrative access, single sign-on activity, user logins, content filtering details

• Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time

• Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits

The following is an example of the process of distributed event detection and replay:

1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:


2. A user (at IP address 192.168.19.1) on the network retrieves the file.

3. The event is logged by the SonicWALL.

4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The link will include the query string parameters defining the desired connection.

5. The NPCS will (optionally) authenticate the user session.

6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.

Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.


GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.

Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.


To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option.

Configure the following options:

• Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...

• Protocol - Select either HTTP or HTTPS.

• Port - Specify the port number for connecting to the Solera server.

• Interface(s) - Specify the interfaces whose data you want to transmit to the Solera server.

• User (optional) - Enter the username, if required.

• Password (optional) - Enter the password, if required.

• Confirm Password - Confirm the password.

– Mask Password - Leave this enabled to send the password as encrypted text.

Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.

The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.

Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.

In the Name Resolution Method list, select:

• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.

• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.

• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.

• DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.

Specifying the DNS Server

To choose specific DNS servers or use the same servers as the WAN zone, perform the following steps:

Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.

Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.

Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.


Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com

Data Collection

The Reports window includes the following functions and commands:

• Start Data Collection

Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.

• Reset Data

Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.

View Data

Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.

Web Site Hits

Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see .

Click on the name of a Web site to open that site in a new window.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.


Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.

Log > ViewPoint

SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint’s broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.

ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.

For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.

For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at http://www.sonicwall.com/us/support/3340.html.


Activating ViewPoint

The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.

If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.

Warning You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.

Step 1 Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.

Step 2 Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.

Step 3 Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.

Step 4 If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.

Enabling ViewPoint Settings

Once you have installed the SonicWALL ViewPoint software, point the SonicWALL security appliance to the server running ViewPoint by performing the following steps:

Step 1 Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.

Step 2 Click the Add button. The Add Syslog Server window is displayed.

Step 3 Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.

Step 4 Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.

Step 5 Click Accept.

Note The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.

Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon deletes the ViewPoint syslog server entry.


Index of Log Event Messages

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.

Log Event Message Symbols Key

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.
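The rule above, applied to a stream of log lines, as an added example that is not part of the original guide: a Connection Opened event (ID 98 in the index) is set aside when a TCP connection dropped event (ID 36) follows for the same flow. The `tag=value` line layout, the tag names (`m`, `time`, `src`, `dst`, `proto`), the two-second matching window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

# Log Message IDs as listed in this guide's index of log event messages.
CONNECTION_OPENED = 98
TCP_CONNECTION_DROPPED = 36

# Assumption: each event is one line of tag=value pairs, m= holds the Log
# Message ID and time= uses "YYYY-MM-DD HH:MM:SS". Values may be double-quoted.
TAG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample input (documentation address ranges), not captured logs.
SAMPLE_LINES = [
    'id=firewall time="2024-05-01 10:00:00" m=98 msg="Connection Opened" '
    'src=192.0.2.10:51000:X0 dst=198.51.100.5:443:X1 proto=tcp/https',
    'id=firewall time="2024-05-01 10:00:00" m=36 msg="TCP connection dropped" '
    'src=192.0.2.10:51000:X0 dst=198.51.100.5:443:X1 proto=tcp/https',
    'id=firewall time="2024-05-01 10:00:03" m=98 msg="Connection Opened" '
    'src=192.0.2.11:51001:X0 dst=198.51.100.5:80:X1 proto=tcp/http',
    # Same flow opened again later with no drop: this open stays valid.
    'id=firewall time="2024-05-01 10:00:09" m=98 msg="Connection Opened" '
    'src=192.0.2.10:51000:X0 dst=198.51.100.5:443:X1 proto=tcp/https',
    # Drop with no preceding open: nothing to supersede.
    'id=firewall time="2024-05-01 10:00:20" m=36 msg="TCP connection dropped" '
    'src=192.0.2.12:40000:X0 dst=198.51.100.9:22:X1 proto=tcp/ssh',
    # Drop long after the open: outside the window, so the open is kept.
    'id=firewall time="2024-05-01 10:00:30" m=98 msg="Connection Opened" '
    'src=192.0.2.13:42000:X0 dst=198.51.100.7:443:X1 proto=tcp/https',
    'id=firewall time="2024-05-01 10:01:00" m=36 msg="TCP connection dropped" '
    'src=192.0.2.13:42000:X0 dst=198.51.100.7:443:X1 proto=tcp/https',
    'id=firewall msg="truncated',  # malformed line, skipped by the parser
]


def parse_line(line):
    """Return the line's tags as a dict, or None if ID or time is unusable."""
    tags = {key: value.strip('"') for key, value in TAG_RE.findall(line)}
    try:
        tags["m"] = int(tags["m"])
        tags["ts"] = datetime.strptime(tags["time"], "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None
    return tags


def flow_key(event):
    """Identify a flow by source, destination and protocol tags."""
    return (event.get("src"), event.get("dst"), event.get("proto"))


def reconcile(lines, window_seconds=2):
    """Return (effective_events, superseded_opens).

    An open is superseded when a drop for the same flow is logged within
    window_seconds after it; the drop is then the event to act on.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # stable: ties keep arrival order
    pending = {}        # flow key -> most recent open not yet matched
    superseded = []
    superseded_ids = set()
    for event in events:
        key = flow_key(event)
        if event["m"] == CONNECTION_OPENED:
            pending[key] = event
        elif event["m"] == TCP_CONNECTION_DROPPED:
            opened = pending.pop(key, None)
            if opened is None:
                continue
            age = (event["ts"] - opened["ts"]).total_seconds()
            if age <= window_seconds:
                superseded.append(opened)
                superseded_ids.add(id(opened))
    effective = [e for e in events if id(e) not in superseded_ids]
    return effective, superseded


if __name__ == "__main__":
    effective, superseded = reconcile(SAMPLE_LINES)
    for event in superseded:
        print("ignored open:", event["time"], event["src"], "->", event["dst"])
    print(len(effective), "events remain for reporting")
```

Counting connections from ID 98 alone would overstate forwarded traffic; reporting on the reconciled list avoids that.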

Each log event message described in the following table provides the following log event details:

• SonicOS Category—Displays the SonicOS Software category event type.

• Legacy Category—Displays the SonicWALL Firmware Software category event type.

• Priority Level—Displays the level of urgency of the log event message.

• Log Message ID Number—Displays the ID number of the log event message.

• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.

| Log Event Message | Symbol Description | Context |
| --- | --- | --- |
| %s Ethernet Port Down | Represents a character string. | [WAN \| LAN \| DMZ] Ethernet Port Down |
| The cache is full; %u open connections; some will be dropped | Represents a numerical string. | The cache is full; [40,000] open connections; some will be dropped |


Log Event Message Index

| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| Network Security Appliance activated | Firewall Event | Maintenance | Alert | 4 | --- |
| Log cleared | Firewall Logging | Maintenance | Information | 5 | --- |
| Log successfully sent via email | Firewall Logging | Maintenance | Information | 6 | --- |
| Log full; deactivating Network Security Appliance | Firewall Logging | System Error | Error | 7 | 601 |
| New URL List loaded | Security Services | Maintenance | Information | 8 | --- |
| No new URL List available | Security Services | Maintenance | Information | 9 | --- |
| Problem loading the URL List; check Filter settings | Security Services | System Error | Error | 10 | 602 |
| Problem loading the URL List; check your DNS server | Security Services | System Error | Error | 11 | 603 |
| Problem sending log email; check log settings | Firewall Logging | System Error | Warning | 12 | 604 |
| Restarting Network Security Appliance; dumping log to email | Firewall Event | Maintenance | Information | 13 | --- |
| Web site access denied | Network Access | Blocked Sites | Error | 14 | 701 |
| Newsgroup access denied | Network Access | Blocked Sites | Notice | 15 | 702 |
| Web site access allowed | Network Access | Blocked Sites | Notice | 16 | 703 |
| Newsgroup access allowed | Network Access | Blocked Sites | Notice | 17 | 704 |
| ActiveX access denied | Network Access | Blocked Code | Notice | 18 | --- |
| Java access denied | Network Access | Blocked Code | Notice | 19 | --- |
| ActiveX or Java archive access denied | Network Access | Blocked Code | Notice | 20 | --- |
| Cookie removed | Network Access | Blocked Code | Notice | 21 | --- |
| Ping of death dropped | Intrusion Detection | Attack | Alert | 22 | 501 |
| IP spoof dropped | Intrusion Detection | Attack | Alert | 23 | 502 |
| User logged out - user disconnect detected (heartbeat timer expired) | Authenticate Access | User Activity | Information | 24 | --- |
| Possible SYN flood attack detected | Intrusion Detection | Attack | Warning | 25 | 503 |
| Land attack dropped | Intrusion Detection | Attack | Alert | 27 | 505 |
| Fragmented packet dropped | Network | TCP \| UDP \| ICMP | Notice | 28 | --- |
| Administrator login allowed | Authenticate Access | User Activity | Information | 29 | --- |
| Administrator login denied due to bad credentials | Authenticate Access | Attack | Alert | 30 | 560 |
| User login from an internal zone allowed | Authenticate Access | User Activity | Information | 31 | --- |
| User login denied due to bad credentials | Authenticate Access | User Activity | Information | 32 | --- |
| User login denied due to bad credentials | Authenticate Access | User Activity | Information | 33 | --- |
| Login screen timed out | Authenticate Access | User Activity | Information | 34 | --- |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| Administrator login denied from %s; logins disabled from this interface | Authenticate Access | Attack | Alert | 35 | 506 |
| TCP connection dropped | Network Access | TCP | Notice | 36 | --- |
| UDP packet dropped | Network Access | UDP | Notice | 37 | --- |
| ICMP packet dropped due to policy | Network Access | ICMP | Notice | 38 | --- |
| PPTP packet dropped | Network Access | TCP \| UDP \| ICMP | Notice | 39 | --- |
| IPsec packet dropped | Network Access | TCP \| UDP \| ICMP | Notice | 40 | --- |
| Unknown protocol dropped | Network Access | Debug | Notice | 41 | --- |
| IPsec packet dropped; waiting for pending IPsec connection | Network Access | Debug | Debug | 42 | --- |
| IPsec connection interrupt | Network Access | Debug | Debug | 43 | --- |
| NAT could not remap incoming packet | Unused | System Error | Error | 44 | 606 |
| ARP timeout | Network | Debug | Debug | 45 | --- |
| Broadcast packet dropped | Network Access | Debug | Debug | 46 | --- |
| No ICMP redirect sent | Unused | Debug | Debug | 47 | --- |
| Out-of-order command packet dropped | Network Access | Debug | Debug | 48 | --- |
| Failure to add data channel | Unused | Debug | Debug | 49 | --- |
| RealAudio decode failure | Unused | Debug | Debug | 50 | --- |
| Duplicate packet dropped | Network Access | Debug | Debug | 51 | --- |
| No HOST tag found in HTTP request | Network Access | Debug | Debug | 52 | --- |
| The cache is full; %u open connections; some will be dropped | Firewall Event | System Error | Error | 53 | 607 |
| License exceeded: Connection dropped because too many IP addresses are in use on your LAN | Firewall Event | System Error | Error | 58 | 608 |
| Access to proxy server denied | Network Access | Blocked Sites | Notice | 60 | 705 |
| Diagnostic Code E | VPN IPsec | System Error | Error | 61 | 609 |
| Dynamic IPsec client connected | VPN IPsec | User Activity | Information | 62 | --- |
| Received fragmented packet or fragmentation needed | Network | Debug | Debug | 63 | --- |
| Diagnostic Code D | Firewall Hardware | System Error | Error | 64 | 610 |
| Illegal IPsec SPI | VPN IPsec | User Activity | Information | 65 | --- |
| Unknown IPsec SPI | VPN IPsec | Attack | Error | 66 | 507 |
| IPsec Authentication Failed | VPN IPsec | Attack | Error | 67 | 508 |
| IPsec Decryption Failed | VPN IPsec | Attack | Error | 68 | 509 |
| Incompatible IPsec Security Association | VPN IPsec | User Activity | Information | 69 | --- |
| IPsec packet from or to an illegal host | VPN IPsec | Attack | Error | 70 | 510 |
| NetBus attack dropped | Intrusion Detection | Attack | Alert | 72 | 511 |
| Back Orifice attack dropped | Intrusion Detection | Attack | Alert | 73 | 512 |
| Net Spy attack dropped | Intrusion Detection | Attack | Alert | 74 | 513 |
| Sub Seven attack dropped | Intrusion Detection | Attack | Alert | 75 | 514 |
| Ripper attack dropped | Intrusion Detection | Attack | Alert | 76 | 515 |
| Striker attack dropped | Intrusion Detection | Attack | Alert | 77 | 516 |
| Senna Spy attack dropped | Intrusion Detection | Attack | Alert | 78 | 517 |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| Priority attack dropped | Intrusion Detection | Attack | Alert | 79 | 518 |
| Ini Killer attack dropped | Intrusion Detection | Attack | Alert | 80 | 519 |
| Smurf Amplification attack dropped | Intrusion Detection | Attack | Alert | 81 | 520 |
| Possible port scan detected | Intrusion Detection | Attack | Alert | 82 | 521 |
| Probable port scan detected | Intrusion Detection | Attack | Alert | 83 | 522 |
| Failed to resolve name | Network | Maintenance | Information | 84 | --- |
| IKE Responder: Accepting IPsec proposal (Phase 2) | VPN IKE | User Activity | Information | 87 | --- |
| IKE Responder: IPsec proposal does not match (Phase 2) | VPN IKE | User Activity | Warning | 88 | 523 |
| IKE negotiation complete. Adding IPsec SA. (Phase 2) | VPN IKE | User Activity | Information | 89 | --- |
| Starting IKE negotiation | VPN IKE | User Activity | Information | 90 | --- |
| Deleting IPsec SA for destination | VPN IKE | User Activity | Information | 91 | --- |
| Deleting IPsec SA | VPN IKE | User Activity | Information | 92 | --- |
| Diagnostic Code A | Firewall Hardware | System Error | Error | 93 | 611 |
| Diagnostic Code B | Firewall Hardware | System Error | Error | 94 | 612 |
| Diagnostic Code C | Firewall Hardware | System Error | Error | 95 | 613 |
| Status | GMS | Maintenance | Emergency | 96 | --- |
| #Web site hit | Network Traffic | Connection Traffic | Information | 97 | --- |
| Connection Opened | Network Traffic | Connection | Information | 98 | --- |
| Retransmitting DHCP DISCOVER. | DHCP Client | Maintenance | Information | 99 | --- |
| Retransmitting DHCP REQUEST (Requesting). | DHCP Client | Maintenance | Information | 100 | --- |
| Retransmitting DHCP REQUEST (Renewing). | DHCP Client | Maintenance | Information | 101 | --- |
| Retransmitting DHCP REQUEST (Rebinding). | DHCP Client | Maintenance | Information | 102 | --- |
| Retransmitting DHCP REQUEST (Rebooting). | DHCP Client | Maintenance | Information | 103 | --- |
| Retransmitting DHCP REQUEST (Verifying). | DHCP Client | Maintenance | Information | 104 | --- |
| Sending DHCP DISCOVER. | DHCP Client | Maintenance | Information | 105 | --- |
| DHCP Server not available. Did not get any DHCP OFFER. | DHCP Client | Maintenance | Information | 106 | --- |
| Got DHCP OFFER. Selecting. | DHCP Client | Maintenance | Information | 107 | --- |
| Sending DHCP REQUEST. | DHCP Client | Maintenance | Information | 108 | --- |
| DHCP Client did not get DHCP ACK. | DHCP Client | Maintenance | Information | 109 | --- |
| DHCP Client got NACK. | DHCP Client | Maintenance | Information | 110 | --- |
| DHCP Client got ACK from server. | DHCP Client | Maintenance | Information | 111 | --- |
| DHCP Client is declining address offered by the server. | DHCP Client | Maintenance | Information | 112 | --- |
| DHCP Client sending REQUEST and going to REBIND state. | DHCP Client | Maintenance | Information | 113 | --- |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| DHCP Client sending REQUEST and going to RENEW state. | DHCP Client | Maintenance | Information | 114 | --- |
| Sending DHCP REQUEST (Renewing). | DHCP Client | Maintenance | Information | 115 | --- |
| Sending DHCP REQUEST (Rebinding). | DHCP Client | Maintenance | Information | 116 | --- |
| Sending DHCP REQUEST (Rebooting). | DHCP Client | Maintenance | Information | 117 | --- |
| Sending DHCP REQUEST (Verifying). | DHCP Client | Maintenance | Information | 118 | --- |
| DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | Maintenance | Information | 119 | --- |
| DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | Maintenance | Information | 120 | --- |
| DHCP Client got a new IP address lease. | DHCP Client | Maintenance | Information | 121 | --- |
| Sending DHCP RELEASE. | DHCP Client | Maintenance | Information | 122 | --- |
| Access attempt from host without Anti-Virus agent installed | Security Services | Maintenance | Information | 123 | --- |
| Anti-Virus agent out-of-date on host | Security Services | Maintenance | Information | 124 | --- |
| Received AV Alert: %s | Security Services | Maintenance | Warning | 125 | 524 |
| Starting PPPoE discovery | PPPoE | Maintenance | Information | 127 | --- |
| PPPoE LCP Link Up | PPPoE | Maintenance | Information | 128 | --- |
| PPPoE LCP Link Down | PPPoE | Maintenance | Information | 129 | --- |
| PPPoE terminated | PPPoE | Maintenance | Information | 130 | --- |
| PPPoE Network Connected | PPPoE | Maintenance | Information | 131 | --- |
| PPPoE Network Disconnected | PPPoE | Maintenance | Information | 132 | --- |
| PPPoE discovery process complete | PPPoE | Maintenance | Information | 133 | --- |
| PPPoE starting CHAP Authentication | PPPoE | Maintenance | Information | 134 | --- |
| PPPoE starting PAP Authentication | PPPoE | Maintenance | Information | 135 | --- |
| PPPoE CHAP Authentication Failed | PPPoE | Maintenance | Information | 136 | --- |
| PPPoE PAP Authentication Failed | PPPoE | Maintenance | Information | 137 | --- |
| Wan IP Changed | Firewall Event | System Error | Warning | 138 | 636 |
| XAUTH Succeeded with VPN client | VPN Client | User Activity | Information | 139 | --- |
| XAUTH Failed with VPN client, Authentication failure | VPN Client | User Activity | Error | 140 | --- |
| XAUTH Failed with VPN client, Cannot Contact RADIUS Server | VPN Client | User Activity | Information | 141 | --- |
| Log Debug | Firewall Event | Debug | Error | 142 | --- |
| Add an attack message | Firewall Event | Attack | Error | 143 | 525 |
| Primary firewall has transitioned to Active | High Availability | Maintenance | Alert | 144 | --- |
| Backup firewall has transitioned to Active | High Availability | Maintenance | Alert | 145 | --- |
| Primary firewall has transitioned to Idle | High Availability | System Error | Alert | 146 | 614 |
| Backup firewall has transitioned to Idle | High Availability | Maintenance | Alert | 147 | --- |
| Primary missed heartbeats from Backup | High Availability | System Error | Error | 148 | 615 |
| Backup missed heartbeats from Primary | High Availability | System Error | Error | 149 | 616 |
| Primary received error signal from Backup | High Availability | System Error | Error | 150 | 617 |
| Backup received error signal from Primary | High Availability | System Error | Error | 151 | 618 |
| Backup firewall being preempted by Primary | High Availability | System Error | Error | 152 | 619 |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| Primary firewall preempting Backup | High Availability | System Error | Error | 153 | 620 |
| Active Backup detects Active Primary: Backup going Idle | High Availability | Maintenance | Information | 154 | --- |
| Imported HA hardware ID did not match this firewall | High Availability | Maintenance | Information | 155 | --- |
| Discovered HA Backup Firewall | High Availability | Maintenance | Information | 156 | --- |
| HA Peer Firewall Synchronized | High Availability | Maintenance | Information | 157 | --- |
| Error synchronizing HA peer firewall (%s) | High Availability | System Error | Error | 158 | 662 |
| Received AV Alert: Your Network Anti-Virus subscription has expired. %s | Security Services | Maintenance | Warning | 159 | 526 |
| Primary received heartbeat from wrong source | High Availability | Maintenance | Information | 160 | --- |
| Backup received heartbeat from wrong source | High Availability | Maintenance | Information | 161 | --- |
| HA packet processing error | High Availability | Maintenance | Information | 162 | --- |
| Heartbeat received from incompatible source | High Availability | Maintenance | Information | 163 | --- |
| Diagnostic Code F | Firewall Hardware | System Error | Error | 164 | 621 |
| Forbidden E-Mail attachment disabled | Intrusion Detection | Attack | Alert | 165 | 527 |
| PPPoE PAP Authentication success. | PPPoE | Maintenance | Information | 166 | --- |
| PPPoE PAP Authentication Failed. Please verify PPPoE username and password | PPPoE | Maintenance | Information | 167 | --- |
| Disconnecting PPPoE due to traffic timeout | PPPoE | Maintenance | Information | 168 | --- |
| No response from ISP Disconnecting PPPoE. | PPPoE | Maintenance | Information | 169 | --- |
| Backup going Active in preempt mode after reboot | High Availability | System Error | Error | 170 | 622 |
| VPN Log Debug | VPN IKE | Debug | Information | 172 | --- |
| TCP connection from LAN denied | Network Access | LAN TCP | Notice | 173 | --- |
| UDP packet from LAN dropped | Network Access | LAN UDP \| LAN TCP | Notice | 174 | --- |
| ICMP packet from LAN dropped | Network Access | LAN ICMP \| LAN TCP | Notice | 175 | --- |
| Probable TCP FIN scan detected | Intrusion Detection | Attack | Alert | 177 | 528 |
| Probable TCP XMAS scan detected | Intrusion Detection | Attack | Alert | 178 | 529 |
| Probable TCP NULL scan detected | Intrusion Detection | Attack | Alert | 179 | 530 |
| IPsec Replay Detected | VPN IPsec | Attack | Alert | 180 | 531 |
| TCP FIN packet dropped | Network | Debug | Debug | 181 | --- |
| Received a path MTU icmp message from router/gateway | Network | User Activity | Information | 182 | --- |
| Problem loading the URL List; Appliance not registered. | Security Services | System Error | Error | 183 | 623 |
| Problem loading the URL List; Subscription expired. | Security Services | System Error | Error | 184 | 624 |
| Problem loading the URL List; Try loading it again. | Security Services | System Error | Error | 185 | 625 |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| Problem loading the URL List; Retrying later. | Security Services | System Error | Error | 186 | 626 |
| Problem loading the URL List; Flash write failure. | Security Services | System Error | Error | 187 | 627 |
| Received a path MTU icmp message from router/gateway | Network | User Activity | Information | 188 | --- |
| The loaded content URL List has expired. | Security Services | System Error | Error | 190 | 628 |
| Error setting the IP address of the backup, please manually set to backup LAN IP | High Availability | System Error | Error | 191 | 629 |
| Error updating HA peer configuration | High Availability | System Error | Error | 192 | 630 |
| Fraudulent Microsoft certificate found; access denied | Intrusion Detection | Attack | Error | 193 | 532 |
| VPN TCP SYN | VPN | VPN Statistics | Information | 194 | --- |
| VPN TCP FIN | VPN | VPN Statistics | Information | 195 | --- |
| VPN TCP PSH | VPN | VPN Statistics | Information | 196 | --- |
| Content filter subscription expired. | Security Services | System Error | Error | 197 | 631 |
| New firmware available. | Firewall Event | Maintenance | Information | 198 | --- |
| CLI administrator login allowed | Authenticate Access | User Activity | Information | 199 | --- |
| CLI administrator login denied due to bad credentials | Authenticate Access | User Activity | Warning | 200 | --- |
| L2TP Tunnel Negotiation Started | L2TP Client | Maintenance | Information | 201 | --- |
| L2TP Session Negotiation Started | L2TP Client | Maintenance | Information | 202 | --- |
| L2TP Max Retransmission Exceeded | L2TP Client | Maintenance | Information | 203 | --- |
| L2TP Tunnel Established | L2TP Client | Maintenance | Information | 204 | --- |
| L2TP Tunnel Disconnect from Remote | L2TP Client | Maintenance | Information | 205 | --- |
| L2TP Session Established | L2TP Client | Maintenance | Information | 206 | --- |
| L2TP Session Disconnect from Remote | L2TP Client | Maintenance | Information | 207 | --- |
| L2TP PPP Negotiation Started | L2TP Client | Maintenance | Information | 208 | --- |
| L2TP LCP Down | L2TP Client | Maintenance | Information | 209 | --- |
| L2TP PPP Session Up | L2TP Client | Maintenance | Information | 210 | --- |
| L2TP PPP Down | L2TP Client | Maintenance | Information | 211 | --- |
| L2TP PPP Authentication Failed | L2TP Client | Maintenance | Information | 212 | --- |
| L2TP LCP Up | L2TP Client | Maintenance | Information | 213 | --- |
| L2TP Disconnect Initiated by the User | L2TP Client | Maintenance | Information | 214 | --- |
| Disconnecting L2TP Tunnel due to traffic timeout | L2TP Client | Maintenance | Information | 215 | --- |
| L2TP Connect Initiated by the User | L2TP Client | Maintenance | Information | 216 | --- |
| L2TP PPP link down | L2TP Client | Maintenance | Information | 217 | --- |
| Primary WAN link down, Primary going Idle | High Availability | Maintenance | Information | 218 | --- |
| Backup WAN link down, Primary going Active | High Availability | System Error | Error | 219 | 633 |
| Primary WAN link down, Backup going Active | High Availability | System Error | Error | 220 | 634 |
| Primary WAN link up, preempting Backup | High Availability | Maintenance | Information | 221 | --- |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| DHCP RELEASE relayed to Central Gateway | DHCP Relay | Maintenance | Information | 222 | --- |
| DHCP lease relayed to local device | DHCP Relay | Maintenance | Information | 223 | --- |
| DHCP RELEASE received from remote device | DHCP Relay | Debug | Information | 224 | --- |
| DHCP lease relayed to remote device | DHCP Relay | Debug | Information | 225 | --- |
| DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | Maintenance | Information | 226 | --- |
| WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list | DHCP Relay | Maintenance | Information | 227 | --- |
| DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | Maintenance | Warning | 228 | --- |
| IP spoof detected on packet to Central Gateway, packet dropped | DHCP Relay | Attack | Error | 229 | 533 |
| Request for Relay IP Table from Central Gateway | DHCP Relay | Maintenance | Information | 230 | --- |
| Requesting Relay IP Table from Remote Gateway | DHCP Relay | Maintenance | Information | 231 | --- |
| Sent Relay IP Table to Central Gateway | DHCP Relay | Maintenance | Information | 232 | --- |
| Obtained Relay IP Table from Remote Gateway | DHCP Relay | Maintenance | Information | 233 | --- |
| Failed to synchronize Relay IP Table | DHCP Relay | System Error | Warning | 234 | 632 |
| VPN zone administrator login allowed | Authenticate Access | User Activity | Information | 235 | --- |
| WAN zone administrator login allowed | Authenticate Access | User Activity | Information | 236 | --- |
| VPN zone remote user login allowed | Authenticate Access | User Activity | Information | 237 | --- |
| WAN zone remote user login allowed | Authenticate Access | User Activity | Information | 238 | --- |
| NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device | VPN IKE | User Activity | Information | 239 | --- |
| NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device | VPN IKE | User Activity | Information | 240 | --- |
| NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways | VPN IKE | User Activity | Information | 241 | --- |
| NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal | VPN IKE | User Activity | Information | 242 | --- |
| User login denied - RADIUS authentication failure | RADIUS | User Activity | Information | 243 | --- |
| User login denied - RADIUS server timeout | RADIUS | User Activity | Warning | 244 | --- |
| User login denied - RADIUS configuration error | RADIUS | User Activity | Warning | 245 | --- |


| Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type |
| --- | --- | --- | --- | --- | --- |
| User login denied - User has no privileges for login from that location | Authenticate Access | User Activity | Information | 246 | --- |
| IPsec packet from an illegal host | VPN IPsec | Maintenance | Information | 247 | --- |
| Forbidden E-Mail attachment deleted | Intrusion Detection | Attack | Error | 248 | 534 |
| IKE Responder: Mode %d - not tunnel mode | VPN IKE | User Activity | Warning | 249 | 535 |
| IKE Responder: No matching Phase 1 ID found for proposed remote network | VPN IKE | User Activity | Warning | 250 | 536 |
| IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route | VPN IKE | User Activity | Warning | 251 | 537 |
| IKE Responder: No match for proposed remote network address | VPN IKE | User Activity | Warning | 252 | 538 |
| IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route | VPN IKE | User Activity | Warning | 253 | 539 |
| IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address | VPN IKE | User Activity | Warning | 254 | 540 |
| IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall | VPN IKE | User Activity | Warning | 255 | 541 |
| IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN | VPN IKE | User Activity | Warning | 256 | 542 |
| IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ | VPN IKE | User Activity | Warning | 257 | 543 |
| IKE Responder: AH Perfect Forward Secrecy mismatch | VPN IKE | User Activity | Warning | 258 | 544 |
| IKE Responder: ESP Perfect Forward Secrecy mismatch | VPN IKE | User Activity | Warning | 259 | 545 |
| IKE Responder: Algorithms and/or keys do not match | VPN IKE | User Activity | Warning | 260 | 546 |
| Administrator logged out | Authenticate Access | User Activity | Information | 261 | --- |
| Administrator logged out - inactivity timer expired | Authenticate Access | User Activity | Information | 262 | --- |
| User logged out | Authenticate Access | User Activity | Information | 263 | --- |
| User logged out - max session time exceeded | Authenticate Access | User Activity | Information | 264 | --- |
| User logged out - inactivity timer expired | Authenticate Access | User Activity | Information | 265 | --- |
| NAT device may not support IPsec AH passthrough | VPN IPsec | Maintenance | Information | 266 | --- |
| TCP Xmas Tree dropped | Intrusion Detection | Attack | Alert | 267 | 547 |
| CFL auto-download disabled, time problem detected | Security Services | Maintenance | Information | 268 | --- |
| Requesting CRL from | VPN PKI | User Activity | Information | 269 | --- |


CRL loaded from VPN PKI User Activity Information 270 ---

Failed to get CRL from VPN PKI User Activity Alert 271 ---

Not enough memory to hold the CRL VPN PKI User Activity Warning 272 ---

Connection timed out VPN PKI User Activity Alert 273 ---

Cannot connect to the CRL server VPN PKI User Activity Alert 274 ---

Unknown reason VPN PKI User Activity Error 275 ---

Failed to Process CRL from VPN PKI User Activity Alert 276 ---

Bad CRL format VPN PKI User Activity Alert 277 ---

Issuer match failed VPN PKI User Activity Alert 278 ---

Certificate on Revoked list(CRL) VPN PKI User Activity Alert 279 ---

No Certificate for VPN PKI User Activity Alert 280 ---

PPP Dial-Up: Dialing: %s PPP Dial Up User Activity Information 281 ---

PPP Dial-Up: No dialtone detected - check phone-line connection

PPP Dial Up User Activity Information 282 ---

PPP Dial-Up: No link carrier detected - check phone number

PPP Dial Up User Activity Information 283 ---

PPP Dial-Up: Dialed number is busy PPP Dial Up User Activity Information 284 ---

PPP Dial-Up: Dialed number did not answer PPP Dial Up User Activity Information 285 ---

PPP Dial-Up: Connected at %s bps - starting PPP PPP Dial Up User Activity Information 286 ---

PPP Dial-Up: Unknown dialing failure PPP Dial Up User Activity Information 287 ---

PPP Dial-Up: Link carrier lost PPP Dial Up User Activity Information 288 ---

PPP: Authentication successful PPP --- Information 289 ---

PPP: PAP Authentication failed - check username / password PPP --- Information 290 ---

PPP: CHAP authentication failed - check username / password PPP --- Information 291 ---

PPP: MS-CHAP authentication failed - check username / password PPP --- Information 292 ---

PPP: Starting MS-CHAP authentication PPP --- Information 293 ---

PPP: Starting CHAP authentication PPP --- Information 294 ---

PPP: Starting PAP authentication PPP --- Information 295 ---

PPP Dial-Up: PPP negotiation failed - disconnecting PPP Dial Up User Activity Information 296 ---

PPP Dial-Up: Idle time limit exceeded - disconnecting PPP Dial Up User Activity Information 297 ---

PPP Dial-Up: Failed to get IP address PPP Dial Up User Activity Information 298 ---

PPP Dial-Up: Received new IP address PPP Dial Up User Activity Information 299 ---

PPP Dial-Up: PPP link established PPP Dial Up User Activity Information 300 ---

PPP Dial-Up: PPP link down PPP Dial Up User Activity Information 301 ---

PPP Dial-Up: Shutting down link PPP Dial Up User Activity Information 302 ---

PPP Dial-Up: Initialization : %s PPP Dial Up User Activity Information 303 ---

PPP Dial-Up: User requested disconnect PPP Dial Up User Activity Information 304 ---

PPP Dial-Up: User requested connect PPP Dial Up User Activity Information 305 ---

PPP Dial-Up: Connect request canceled PPP Dial Up User Activity Information 306 ---

The network connection in use is %s WAN Failover System Error Warning 307 639

L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance Information 308 ---

L2TP Server : L2TP Session Established. L2TP Server Maintenance Information 309 ---

L2TP Server : L2TP PPP Session Established. L2TP Server Maintenance Information 310 ---

L2TP Server: RADIUS/LDAP reports Authentication Failure L2TP Server Maintenance Information 311 ---

L2TP Server: Local Authentication Failure L2TP Server Maintenance Information 312 ---

L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server Maintenance Information 313 ---

L2TP Server: No IP address available in the Local IP Pool L2TP Server Maintenance Information 314 ---

L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server Maintenance Information 315 ---

L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server Maintenance Information 316 ---

L2TP Server: L2TP Remote terminated the PPP session L2TP Server Maintenance Information 317 ---

L2TP Server: Local Authentication Success. L2TP Server Maintenance Information 318 ---

L2TP Server: RADIUS/LDAP Authentication Success L2TP Server Maintenance Information 319 ---

L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server Maintenance Information 320 ---

PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial Up User Activity Information 321 ---

PPP Dial-Up: Trying to failover but Primary Profile is manual PPP Dial Up User Activity Information 322 ---

PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial Up User Activity Information 323 ---

PPP Dial-Up: Dial initiated by %s PPP Dial Up Maintenance Information 324 ---

The current WAN interface is not ready to route packets. Firewall Event System Error Error 325 635

Probing failure on %s WAN Failover System Error Alert 326 637

PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP Dial Up User Activity Information 327 ---

Administrator name changed Authenticate Access Maintenance Information 328 ---

User login failure rate exceeded - logins from user IP address denied Authenticate Access Attack Error 329 561

PPP Dial-Up: The profile in use disabled VPN networking. PPP Dial Up Maintenance Information 330 ---

PPP Dial-Up: VPN networking restored. PPP Dial Up Maintenance Information 331 ---

%s Ethernet Port Up Firewall Event System Error Warning 332 640

%s Ethernet Port Down Firewall Event System Error Error 333 641

L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance Information 334 ---

L2TP Server: Tunnel Disconnect from Remote. L2TP Server Maintenance Information 335 ---

L2TP Server : Deleting the Tunnel L2TP Server Maintenance Information 336 ---

L2TP Server : Deleting the L2TP active Session L2TP Server Maintenance Information 337 ---

L2TP Server : Retransmission Timeout, Deleting the Tunnel L2TP Server Maintenance Information 338 ---

NAT translated packet exceeds size limit, packet dropped Network Debug Debug 339 ---

HTTP management port has changed Firewall Event Maintenance Information 340 ---

HTTPS management port has changed Firewall Event Maintenance Information 341 ---

IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. VPN IKE Debug Warning 342 ---

L2TP Server : Access from L2TP VPN Client Privilege not enabled for Radius Users. L2TP Server Maintenance Information 343 ---

L2TP Server : User Name authentication Failure locally. L2TP Server Maintenance Information 344 ---

IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address VPN IKE User Activity Warning 345 548

IKE Initiator: Start Quick Mode (Phase 2). VPN IKE User Activity Information 346 ---

Port configured to receive IPsec protocol ONLY; drop packet received in the clear Network Access TCP | UDP | ICMP Warning 347 ---

Imported VPN SA is invalid - disabled Firewall Event Maintenance Warning 348 ---

IPsec SA lifetime expired. VPN IPsec User Activity Information 349 ---

IKE SA lifetime expired. VPN IKE User Activity Information 350 ---

IKE Initiator: Start Main Mode negotiation (Phase 1) VPN IKE User Activity Information 351 ---

IKE Responder: Received Quick Mode Request (Phase 2) VPN IKE User Activity Information 352 ---

IKE Initiator: Main Mode complete (Phase 1) VPN IKE User Activity Information 353 ---

IKE Initiator: Aggressive Mode complete (Phase 1). VPN IKE User Activity Information 354 ---

IKE Responder: Received Main Mode request (Phase 1) VPN IKE User Activity Information 355 ---

IKE Responder: Received Aggressive Mode request (Phase 1) VPN IKE User Activity Information 356 ---

IKE Responder: Main Mode complete (Phase 1) VPN IKE User Activity Information 357 ---

IKE Initiator: Start Aggressive Mode negotiation (Phase 1) VPN IKE User Activity Information 358 ---

Entering FIPS ERROR state Crypto Test Maintenance Error 359 ---

Crypto DES test failed Crypto Test Maintenance Error 360 ---

Crypto DH test failed Crypto Test Maintenance Error 361 ---

Crypto Hmac-MD5 fest failed Crypto Test Maintenance Error 362 ---

Crypto Hmac-Sha1 test failed Crypto Test Maintenance Error 363 ---

Crypto RSA test failed Crypto Test Maintenance Error 364 ---

Crypto Sha1 test failed Crypto Test Maintenance Error 365 ---

Crypto hardware DES test failed Crypto Test Maintenance Error 366 ---

Crypto hardware 3DES test failed Crypto Test Maintenance Error 367 ---

Crypto hardware DES with SHA test failed Crypto Test Maintenance Error 368 ---

Crypto Hardware 3DES with SHA test failed Crypto Test Maintenance Error 369 ---

Crypto MD5 test failed Crypto Test Maintenance Error 370 ---

VPN Client Policy Provisioning VPN Client User Activity Information 371 ---

IKE Initiator: Accepting IPsec proposal (Phase 2) VPN IKE User Activity Information 372 ---

IKE Responder: Aggressive Mode complete (Phase 1) VPN IKE User Activity Information 373 ---

Error initializing Hardware acceleration for VPN Firewall Hardware Maintenance Error 374 ---

PPTP Control Connection Negotiation Started PPTP Maintenance Information 375 ---

PPTP Session Negotiation Started PPTP Maintenance Information 376 ---

PPTP Max Retransmission Exceeded PPTP Maintenance Information 377 ---

PPTP Control Connection Established PPTP Maintenance Information 378 ---

PPTP Tunnel Disconnect from Remote PPTP Maintenance Information 379 ---

PPTP Session Established PPTP Maintenance Information 380 ---

PPTP Session Disconnect from Remote PPTP Maintenance Information 381 ---

PPTP PPP Negotiation Started PPTP Maintenance Information 382 ---

PPTP LCP Down PPTP Maintenance Information 383 ---

PPTP PPP Session Up PPTP Maintenance Information 384 ---

PPTP PPP Down PPTP Maintenance Information 385 ---

PPTP PPP Authentication Failed PPTP Maintenance Information 386 ---

PPTP LCP Up PPTP Maintenance Information 387 ---

PPTP Disconnect Initiated by the User PPTP Maintenance Information 388 ---

Disconnecting PPTP Tunnel due to traffic timeout PPTP Maintenance Information 389 ---

PPTP Connect Initiated by the User PPTP Maintenance Information 390 ---

PPTP PPP link down PPTP Maintenance Information 391 ---

PPTP starting CHAP Authentication PPTP Maintenance Information 392 ---

PPTP starting PAP Authentication PPTP Maintenance Information 393 ---

PPTP CHAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 394 ---

PPTP PAP Authentication Failed PPTP Maintenance Information 395 ---

PPTP PAP Authentication success. PPTP Maintenance Information 396 ---

PPTP PAP Authentication Failed. Please verify PPTP username and password PPTP Maintenance Information 397 ---

PPTP PPP Link Up PPTP Maintenance Information 398 ---

PPTP PPP Link down PPTP Maintenance Information 399 ---

PPTP PPP Link Finished PPTP Maintenance Information 400 ---

Received notify. NO_PROPOSAL_CHOSEN VPN IKE User Activity Warning 401 ---

IKE Responder: IKE proposal does not match (Phase 1) VPN IKE User Activity Warning 402 ---

IKE negotiation aborted due to timeout VPN IKE User Activity Information 403 ---

Failed payload verification after decryption; possible preshared key mismatch VPN IKE User Activity Warning 404 ---

Failed payload validation VPN IKE User Activity Warning 405 ---

Received packet retransmission. Drop duplicate packet VPN IKE User Activity Warning 406 ---

SA is disabled. Check VPN SA settings VPN IKE User Activity Information 407 ---

Anti-Virus Licenses Exceeded Security Services Maintenance Information 408 ---

Received notify: ISAKMP_AUTH_FAILED VPN IKE User Activity Warning 409 ---

Computed hash does not match hash received from peer; preshared key mismatch VPN IKE User Activity Warning 410 ---

Received notify: PAYLOAD_MALFORMED VPN IKE User Activity Warning 411 ---

Received IPsec SA delete request VPN IKE User Activity Information 412 ---

Received IKE SA delete request VPN IKE User Activity Information 413 ---

Received notify: INVALID_COOKIES VPN IKE User Activity Information 414 ---

Received notify: RESPONDER_LIFETIME VPN IKE User Activity Information 415 ---

Received notify: INVALID_SPI VPN IKE User Activity Information 416 ---

PKI Error: VPN PKI Maintenance Error 417 ---

IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway VPN IKE User Activity Warning 418 549

RIP disabled on interface %s RIP Maintenance Information 419 8401

RIPv1 enabled on interface %s RIP Maintenance Information 420 8402

RIPv2 enabled on interface %s RIP Maintenance Information 421 8403

RIPv2 compatibility (broadcast) mode enabled on interface %s RIP Maintenance Information 422 8404

RIP disabled on DMZ interface RIP Maintenance Information 423 8405

RIPv1 enabled on DMZ interface RIP Maintenance Information 424 8406

RIPv2 enabled on DMZ interface RIP Maintenance Information 425 8407

RIPv2 compatibility (broadcast) mode enabled on DMZ interface RIP Maintenance Information 426 8408

IPsecTunnel status changed VPN VPN Tunnel Status Information 427 801

Source routed IP packet dropped Intrusion Detection Debug Warning 428 ---

No response from server to Echo Requests, disconnecting PPTP Tunnel PPTP Maintenance Information 429 ---

No response from PPTP server to control connection requests PPTP Maintenance Information 430 ---

No response from PPTP server to call requests PPTP Maintenance Information 431 ---

PPTP server rejected control connection PPTP Maintenance Information 432 ---

PPTP server rejected the call request PPTP Maintenance Information 433 ---

PPP Dial-Up: Trying to failover but Alternate Profile is manual WAN Failover User Activity Information 434 ---

WLB Failback initiated by %s WAN Failover System Error Alert 435 652

Probing succeeded on %s WAN Failover System Error Alert 436 638

E-Mail fragment dropped Intrusion Detection Attack Error 437 550

Locked-out user logins allowed - lockout period expired Authenticate Access User Activity Information 438 ---

Locked-out user logins allowed by administrator Authenticate Access User Activity Information 439 ---

Access rule added Firewall Rule User Activity Information 440 ---

Access rule modified Firewall Rule User Activity Information 441 ---

Access rule deleted Firewall Rule User Activity Information 442 ---

Access rules restored to defaults Firewall Rule User Activity Information 443 ---

PPTP Server is not responding, check if the server is UP and running. PPTP Maintenance Information 444 ---

IKE Initiator: Accepting peer lifetime. (Phase 1) VPN IKE User Activity Information 445 ---

FTP: PASV response spoof attack dropped Intrusion Detection Attack Error 446 551

PKI Failure VPN PKI Maintenance Error 447 ---

PKI Failure: Output buffer too small VPN PKI Maintenance Error 448 ---

PKI Failure: Cannot alloc memory VPN PKI Maintenance Error 449 ---

PKI Failure: Reached the limit for local certs, cant load any more VPN PKI Maintenance Error 450 ---

PKI Failure: Import failed VPN PKI Maintenance Error 451 ---

PKI Failure: Incorrect admin password VPN PKI Maintenance Error 452 ---

PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate VPN PKI Maintenance Error 453 ---

PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file VPN PKI Maintenance Error 454 ---

PKI Failure: Certificate's ID does not match this Network Security Appliance VPN PKI Maintenance Error 455 ---

PKI Failure: public-private key mismatch VPN PKI Maintenance Error 456 ---

PKI Failure: Duplicate local certificate name VPN PKI Maintenance Error 457 ---

PKI Failure: Duplicate local certificate VPN PKI Maintenance Error 458 ---

PKI Failure: No CA certificates yet loaded VPN PKI Maintenance Error 459 ---

PKI Failure: Internal error VPN PKI Maintenance Error 460 ---

PKI Failure: Temporary memory shortage, try again VPN PKI Maintenance Error 461 ---

PKI Failure: The certificate chain is circular VPN PKI Maintenance Error 462 ---

PKI Failure: The certificate chain is incomplete VPN PKI Maintenance Error 463 ---

PKI Failure: The certificate chain has no root VPN PKI Maintenance Error 464 ---

PKI Failure: The certificate or a certificate in the chain has expired VPN PKI Maintenance Error 465 ---

PKI Failure: The certificate or a certificate in the chain has a validity period in the future VPN PKI Maintenance Error 466 ---

PKI Failure: The certificate or a certificate in the chain is corrupt VPN PKI Maintenance Error 467 ---

PKI Failure: The certificate or a certificate in the chain has a bad signature VPN PKI Maintenance Error 468 ---

PKI Failure: Loaded but could not verify certificate VPN PKI Maintenance Error 469 ---

PKI Failure: Loaded the certificate but could not verify it's chain VPN PKI Maintenance Error 470 ---

VPN Cleanup: Dynamic network settings change VPN User Activity Information 471 ---

WARNING: Central Gateway does not have a Relay IP Address. DHCP message dropped. DHCP Relay Maintenance Information 472 ---

DHCP REQUEST received from remote device DHCP Relay Debug Information 473 ---

DHCP DISCOVER received from remote device DHCP Relay Debug Information 474 ---

DHCP DECLINE received from remote device DHCP Relay Debug Information 475 ---

DHCP OFFER received from server DHCP Relay Debug Information 476 ---

DHCP NACK received from server DHCP Relay Debug Information 477 ---

ERROR: DHCP over VPN policy is not defined. Cannot start IKE. DHCP Relay Maintenance Information 478 ---

DHCP DISCOVER received from local device DHCP Relay Debug Information 479 ---

DHCP REQUEST received from local device DHCP Relay Debug Information 480 ---

PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same PPP Dial Up Maintenance Information 481 ---

Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. %s Security Services Maintenance Warning 482 552

Received notify: INVALID_ID_INFO VPN IPsec User Activity Warning 483 ---

DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP DHCP Relay Maintenance Warning 484 ---

Category: None --- Debug 485 ---

User login denied - User has no privileges for guest service Authenticate Access User Activity Information 486 ---

WLAN firmware image has been updated Wireless Maintenance Information 487 ---

Packet dropped by guest check Network Access TCP | UDP | ICMP Warning 488 ---

Received CFS Alert: Your Content Filtering subscription will expire in 7 days. Security Services Maintenance Warning 489 562

Received CFS Alert: Your Content Filtering subscription has expired. Security Services Maintenance Warning 490 563

Received E-Mail Filter Alert: Your E-Mail Filtering subscription will expire in 7 days. Security Services Maintenance Warning 491 564

Received E-Mail Filter Alert: Your E-Mail Filtering subscription has expired. Security Services Maintenance Warning 492 565

ISDN Driver Firmware successfully updated Firewall Event Maintenance Information 493 ---

Global VPN Client License Exceeded: Connection denied. VPN Client System Error Information 494 658

Packet dropped by WLAN vpn traversal check Wireless TCP | UDP | ICMP Warning 495 ---

Registration Update Needed: Restore your existing security service subscriptions by clicking here. Security Services Maintenance Warning 496 ---

Entering FIPS Error State. Crypto Test System Error Error 497 659

WAN Interface not setup Firewall Event Maintenance Information 498 ---

PPPoE enabled but not ready PPPoE Maintenance Information 499 ---

L2TP enabled but not ready Unused Maintenance Information 500 ---

PPTP enabled but not ready PPTP Maintenance Information 501 ---

WAN not ready Firewall Event Maintenance Information 502 ---

VPN disabled for active dial up Unused Maintenance Information 503 ---

DHCP client enabled but not ready DHCP Client Maintenance Information 504 ---

Blocked Quick Mode for Client using Default KeyId VPN Client System Error Error 505 660

VPN disabled by administrator Authenticate Access Maintenance Information 506 ---

VPN enabled by administrator Authenticate Access Maintenance Information 507 ---

WLAN disabled by administrator Authenticate Access Maintenance Information 508 ---

WLAN enabled by administrator Authenticate Access Maintenance Information 509 ---

WiFiSec Enforcement disabled by administrator Authenticate Access Maintenance Information 510 ---

WiFiSec Enforcement enabled by administrator Authenticate Access Maintenance Information 511 ---

Wireless MAC Filter List enabled by administrator Authenticate Access Maintenance Information 512 ---

Wireless MAC Filter List disabled by administrator Authenticate Access Maintenance Information 513 ---

PPPoE user name changed by Administrator Authenticate Access User Activity Information 514 ---

PPPoE password changed by Administrator Authenticate Access User Activity Information 515 ---

IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route VPN IKE Attack Error 516 553

WLAN Reboot Firewall Hardware System Error Error 517 642

802.11 Management Wireless 802.11b Management Information 518 ---

WLAN recovery Wireless Maintenance Information 519 ---

CLI administrator logged out Authenticate Access User Activity Information 520 ---

Network Security Appliance initializing Firewall Event Maintenance Information 521 ---

Malformed or unhandled IP packet dropped Network Access Debug Alert 522 554

ICMP packet dropped no match Network Access ICMP Notice 523 ---

Web access request dropped Network Access TCP Notice 524 ---

Web management request allowed Network Access User Activity Notice 526 ---

FTP: PORT bounce attack dropped. Intrusion Detection Attack Alert 527 555

FTP: PASV response bounce attack dropped. Intrusion Detection Attack Alert 528 556

Global VPN Client connection is not allowed. Appliance is not registered. VPN Client System Error Information 529 643

Network Modem Mode Enabled: turning off NAT PPP Dial Up Maintenance Information 530 ---

Network Modem Mode Disabled: re-enabling NAT PPP Dial Up Maintenance Information 531 ---

Internet Access restricted to authorized users. Dropped packet received in the clear. Wireless TCP | UDP | ICMP Warning 532 ---

IPsec (ESP) packet dropped VPN IPsec TCP | UDP | ICMP Notice 533 ---

IPsec (AH) packet dropped VPN IPsec TCP | UDP | ICMP Notice 534 ---

IPsec (ESP) packet dropped; waiting for pending IPsec connection VPN IPsec Debug Debug 535 ---

IPsec (AH) packet dropped; waiting for pending IPsec connection VPN IPsec Debug Debug 536 ---

Connection Closed Network Traffic Connection Traffic Information 537 ---

FTP: Data connection from non default port dropped Network Access Attack Alert 538 557

Real time clock battery failure Time values may be incorrect Firewall Hardware System Error Warning 539 644

If not already enabled, enabling NTP is recommended Firewall Hardware System Error Warning 540 645

Maximum number of Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwith settings ignored. Firewall Event Maintenance Notice 541 ---

PPP Dial-Up: Previous session was connected for %s PPP Dial Up User Activity Information 542 ---

IKE Initiator: Using secondary gateway to negotiate VPN IKE User Activity Information 543 ---

IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope VPN IKE User Activity Information 544 ---

IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope VPN IKE User Activity Information 545 ---

Found Rogue Access Point WLAN IDS WLAN IDS Alert 546 901

WLAN sequence number out of order WLAN IDS WLAN IDS Warning 547 902

Association Flood from WLAN station WLAN IDS WLAN IDS Alert 548 903

User login failed - Guest service limit reached Authenticate Access User Activity Information 549 ---

Guest Session Timeout Authenticate Access User Activity Information 550 ---

Guest Account Timeout Authenticate Access User Activity Information 551 ---

RIP disabled on WAN interface RIP Maintenance Information 552 8409

RIPv1 enabled on WAN interface RIP Maintenance Information 553 8410

RIPv2 enabled on WAN interface RIP Maintenance Information 554 8411

RIPv2 compatibility (broadcast) mode enabled on WAN interface RIP Maintenance Information 555 8412

Found Rogue Access Point WLAN IDS WLAN IDS Alert 556 10804

Guest login denied. Guest '%s' is already logged in. Please try again later. Authenticate Access User Activity Information 557 ---

Guest account '%s' created Authenticate Access User Activity Information 558 ---

Guest account '%s' deleted Authenticate Access User Activity Information 559 ---

Guest account '%s' disabled Authenticate Access User Activity Information 560 ---

Guest account '%s' re-enabled Authenticate Access User Activity Information 561 ---

Guest account '%s' pruned Authenticate Access User Activity Information 562 ---

Guest account '%s' re-generated Authenticate Access User Activity Information 563 ---

Guest Idle Timeout Authenticate Access User Activity Information 564 ---

Interface %s Link Is Up Firewall Event System Error Warning 565 646

Interface %s Link Is Down Firewall Event System Error Error 566 647

Interface IP Assignment changed: Shutting down %s Firewall Event Maintenance Information 567 ---

Interface IP Assignment : Binding and initializing %s Firewall Event Maintenance Information 568 ---

Network for interface %s overlaps with another interface. Firewall Event Maintenance Information 569 ---

Please connect interface %s to another network to function properly Firewall Event Maintenance Information 570 ---

RIP Broadcasts for LAN Network %s are being broadcast over dialup-connection RIP Maintenance Information 571 8413

A prior version of preferences was loaded because the most recent preferences file was inaccessible Firewall Event System Error Warning 572 648

The preferences file is too large to be saved in available flash memory Firewall Event System Error Warning 573 649

All preference values have been set to factory default values Firewall Event System Error Warning 574 650

Voltages Out of Tolerance Firewall Hardware System Environment Error 575 101

Fan Failure Firewall Hardware System Environment Alert 576 102

Thermal Yellow Firewall Hardware System Environment Alert 577 103

Thermal Red Firewall Hardware System Environment Alert 578 104

Thermal Red Timer Exceeded Firewall Hardware System Environment Alert 579 105

TCP Syn/Fin packet dropped Network Access Attack Alert 580 558

WLB Spill-over started, configured threshold exceeded WAN Failover Maintenance Warning 581 ---

WLB Spill-over stopped WAN Failover Maintenance Warning 582 ---

User login disabled from %s Authenticate Access Attack Error 583 559

WLB Failover in progress WAN Failover System Error Alert 584 651

WLB Resource is now available WAN Failover System Error Alert 585 653

WLB Resource failed WAN Failover System Error Alert 586 654

Header verification failed VPN IKE User Activity Warning 587 ---

Received DHCP offer packet has errors DHCP Client Maintenance Information 588 ---

Received response packet for DHCP request has errors DHCP Client Maintenance Information 589 ---

IP type %s packet dropped Network Access LAN UDP | LAN TCP Notice 590 ---

Maximum sequential failed dial attempts (10) to a single dial-up number: %s PPP Dial Up Attack Error 591 566

Regulatory requirements prohibit %s from being re-dialed for 30 minutes PPP Dial Up Attack Error 592 567

Received PPPoE Active Discovery Offer PPPoE Maintenance Information 593 ---

Received PPPoE Active Discovery Session_confirmation PPPoE Maintenance Information 594 ---

Sending PPPoE Active Discovery Request PPPoE Maintenance Information 595 ---

PPTP decode failure PPTP Debug Debug 596 ---

ICMP packet allowed Network Access Debug Information 597 ---

ICMP packet from LAN allowed Network Access Debug Information 598 ---

Diagnostic Code G Firewall Hardware System Error Error 599 655

Diagnostic Code H Firewall Hardware System Error Error 600 656

Diagnostic Code I Firewall Hardware System Error Error 601 657

DNS packet allowed Network Access Debug Information 602 ---

Adding L2TP IP pool Address object Failed. L2TP Server System Error Error 603 661

Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 VPN Client User Activity Information 604 ---

Received unencrypted packet in crypto active state VPN IKE User Activity Warning 605 ---

Spank attack multicast packet dropped Intrusion Detection Attack Alert 606 568

Received ISAKMP packet destined to port %s VPN IKE Debug | UDP Information 607 ---

IPS Detection Alert: %s Intrusion Detection Attack Alert 608 569

IPS Prevention Alert: %s Intrusion Detection Attack Alert 609 570

Crypto Hardware AES test failed Crypto Test Maintenance Error 610 ---

A SonicOS Standard to Enhanced Upgrade was performed Firewall Event Maintenance Information 611 ---

Not all configurations may have been completely upgraded Firewall Event Maintenance Information 612 ---

Please manually check all system configurations for correctness of Upgrade Firewall Event Maintenance Information 613 ---

Received IPS Alert: Your Intrusion Prevention (IDP) subscription has expired. Security Services Maintenance Warning 614 571

WLAN client null probing WLAN IDS WLAN IDS Warning 615 904

Payload processing failed VPN IKE Debug Error 616 ---

WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN Wireless Maintenance Information 617 ---

BOOTP server response relayed to remote device BOOTP Debug Debug 618 ---

BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table BOOTP Maintenance Information 619 ---

BOOTP reply relayed to local device BOOTP Maintenance Information 620 ---

BOOTP Request received from remote device BOOTP Debug Debug 621 ---

VoIP Call Connected VoIP VoIP Information 622 ---

VoIP Call Disconnected VoIP VoIP Information 623 ---

H.323/RAS Admission Reject VoIP VoIP Debug 624 ---

H.323/RAS Admission Confirm VoIP VoIP Debug 625 ---

H.323/RAS Admission Request VoIP VoIP Debug 626 ---

H.323/RAS Bandwidth Reject VoIP VoIP Debug 627 ---

H.323/RAS Disengage Confirm VoIP VoIP Debug 628 ---

H.323/RAS Gatekeeper Reject VoIP VoIP Debug 629 ---

H.323/RAS Location Confirm VoIP VoIP Debug 630 ---

H.323/RAS Location Reject VoIP VoIP Debug 631 ---

H.323/RAS Registration Reject VoIP VoIP Debug 632 ---

H.323/H.225 Setup VoIP VoIP Debug 633 ---

H.323/H.225 Connect VoIP VoIP Debug 634 ---

H.323/H.245 Address VoIP VoIP Debug 635 ---

H.323/H.245 End Session VoIP VoIP Debug 636 ---

VoIP %s Endpoint added VoIP VoIP Debug 637 ---

VoIP %s Endpoint removed VoIP VoIP Debug 638 ---

VoIP %s Endpoint not added - configured 'public' endpoint limit reached VoIP VoIP Warning 639 ---

H.323/RAS Unknown Message Response VoIP VoIP Debug 640 ---

H.323/RAS Disengage Reject VoIP VoIP Debug 641 ---

H.323/RAS Unregistration Reject VoIP VoIP Debug 642 ---

SIP Request VoIP VoIP Debug 643 ---

SIP Response VoIP VoIP Debug 644 ---

SIP Register expiration exceeds configured Signaling inactivity time out VoIP VoIP Warning 645 ---

Packet dropped; connection limit for this source IP address has been reached Firewall Event System Error Alert 646 5238

Packet dropped; connection limit for this destination IP address has been reached Firewall Event System Error Alert 647 5239

Packet destination not in VPN Access list VPN IPsec Attack Error 648 572

Application Filters Block Alert: %s Intrusion Detection Attack Alert 649 ---

Application Filter Detection Alert: %s Intrusion Detection Attack Alert 650 ---

IPComp connection interrupt IPComp Debug Debug 651 ---

IPComp packet dropped IPComp TCP | UDP | ICMP Notice 652 ---

IPComp packet dropped; waiting for pending IPComp connection IPComp Debug Debug 653 ---

Maximum events per second threshold exceeded Firewall Logging System Error Critical 654 ---

Maximum syslog data per second threshold exceeded Firewall Logging System Error Critical 655 ---

SMTP POP-Before-SMTP authentication failed Firewall Logging System Error Warning 656 ---

Syslog Server cannot be reached Network Maintenance Information 657 ---

IKE Responder: Proposed IKE ID mismatch VPN IKE System Error Warning 658 ---

IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed. VPN Client System Error Error 659 ---

IKE Responder: %s policy does not allow static IP for Virtual Adapter. VPN Client System Error Error 660 ---

Received notify: INVALID_PAYLOAD VPN IKE User Activity Error 661 ---

Drop WLAN traffic from non-SonicPoint devices Intrusion Detection Attack Error 662 6434

WPA MIC Failure Wireless 802.11b Management Warning 663 ---

WPA Radius Server Timeout Wireless 802.11b Management Information 664 ---

PPP Dial-Up: Dialing not allowed by schedule. %s PPP Dial Up --- Information 665 ---

PPP Dial-Up: Connection disconnected as scheduled. PPP Dial Up --- Information 666 ---

SonicPoint Status SonicPoint SonicPoint Information 667 ---

HA Peer Firewall Rebooted High Availability Maintenance Information 668 ---

Error Rebooting HA Peer Firewall High Availability System Error Error 669 663

License of HA pair doesn't match: %s High Availability System Error Error 670 664

Primary received reboot signal from Backup High Availability System Error Error 671 665

Backup received reboot signal from Primary High Availability System Error Error 672 666

Synchronizing preferences to HA Peer Firewall High Availability Maintenance Information 673 ---

Success to reach Interface %s probe High Availability System Error Information 674 ---

Failure to reach Interface %s probe High Availability System Error Error 675 6234

IGMP V2 client joined multicast Group : %s Multicast --- Information 676 ---

IGMP V3 client joined multicast Group : %s Multicast --- Information 677 ---

IGMP V3 Membership report received from interface %s Multicast --- Debug 678 ---

IGMP V2 Membership report received from interface %s Multicast --- Debug 679 ---

Router IGMP General query received on interface %s Multicast --- Debug 680 ---

Router IGMP Membership query received on interface %s Multicast --- Debug 681 ---

IGMP Leave group message Received on interface %s Multicast --- Information 682 ---

IGMP packet dropped, wrong checksum received on interface %s Multicast --- Notice 683 ---

Multicast packet dropped, wrong MAC address received on interface : %s Multicast --- Alert 684 ---

Multicast packet dropped, Invalid src IP received on interface : %s Multicast --- Alert 685 ---

IGMP packet dropped, decoding error Multicast --- Notice 686 ---

IGMP Packet Not handled. Packet type : %s Multicast --- Notice 687 ---

IGMP V3 packet dropped, unsupported Record type : %s Multicast --- Notice 688 ---

IGMP V3 reord type : %s not Handled Multicast --- Debug 689 ---

Multicast UDP packet dropped, no state entry Multicast --- Notice 690 ---

Multicast TCP packet dropped Multicast --- Notice 691 ---

IGMP state table entry time out,deleting interface : %s for multicast address : %s Multicast --- Debug 692 ---

IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s Multicast --- Debug 693 ---

Multicast UDP packet dropped, RTP stateful failed Multicast --- Warning 694 ---

Multicast UDP packet dropped, RTCP stateful failed Multicast --- Warning 695 ---

Multicast application %s not supported Multicast --- Information 696 ---

Adding to multicast policyList , interface : %s Multicast --- Debug 697 ---

Deleting from Multicast policy list, interface : %s Multicast --- Debug 698 ---

Adding to Multicast policyList , VPN SPI : %s Multicast --- Debug 699 ---

Deleting from Multicast policy list, VPN SPI : %s Multicast --- Debug 700 ---

IGMP querier Router detected on interface %s Multicast --- Debug 701 ---

IGMP querier Router detected on VPN tunnel , SPI %S Multicast --- Debug 702 ---

Exceeded Max multicast address limit Multicast --- Warning 703 ---

Invalid Product Code Upgrade request received: %s Firewall Event --- Error 704 ---

Overriding Product Code Upgrade to: %s Firewall Event --- Error 705 ---

Network Monitor: Host %s is offline Network Monitor --- Alert 706 14005

Network Monitor: Host %s is online Network Monitor --- Alert 707 14006

TCP packet received with invalid SEQ number; TCP packet dropped Network Debug Debug 708 ---

TCP packet received with invalid ACK number; TCP packet dropped Network Debug Debug 709 ---

TCP stateful inspection: Invalid flag; TCP packet dropped Network Debug Information 710 ---

TCP stateful inspection: Bad header; TCP packet dropped Network Debug Debug 711 ---

TCP connection reject received; TCP connection dropped Network Debug Debug 712 ---

TCP connection abort received; TCP connection dropped Network Debug Debug 713 ---

EIGRP packet dropped Network Access Debug Notice 714 ---

ARP request packet sent Network --- Information 715 ---

ARP response packet received Network --- Information 716 ---

ARP request packet received Network --- Information 717 ---

ARP response packet sent Network --- Information 718 ---

VPN policy count received exceeds the limit; %s VPN System Error Error 719 ---

Sending LCP Echo Request PPPoE Maintenance Information 720 ---

Received LCP Echo Request PPPoE Maintenance Information 721 ---

Sending LCP Echo Reply PPPoE Maintenance Information 722 ---

Received LCP Echo Reply PPPoE Maintenance Information 723 ---

Guest Services drop traffic to deny network Network Access --- Information 724 ---

Guest Services pass traffic to access allow network Network Access --- Information 725 ---

WLAN max concurrent users reached already Network Access --- Information 726 ---

SonicPoint Provision SonicPoint SonicPoint Information 727 ---

WLAN disabled by schedule Authenticate Access Maintenance Information 728 ---

WLAN enabled by schedule Authenticate Access Maintenance Information 729 ---

Virtual Access Point is enabled SonicPoint 802.11b Management Information 730 ---

Virtual Access Point is disabled SonicPoint 802.11b Management Information 731 ---

Packet dropped by WLAN SSL-VPN enforcement check Wireless TCP | UDP | ICMP Warning 732 ---

SSL-VPN enforcement Wireless Maintenance Information 733 ---

Source IP address connection status: %s Firewall Event --- Information 734 ---

Destination IP address connection status: %s Firewall Event --- Information 735 ---

SMTP authentication problem:%s Firewall Logging System Error Warning 737 ---

PPPoE Client: Previous session was connected for %s PPPoE Maintenance Information 738 ---

Packet dropped. No firewall rule associated with VPN policy. VPN System Error Alert 739 ---

NetBIOS settings were not upgraded. Use Network>IP Helper to configure NetBIOS support Firewall Event Maintenance Information 740 ---

LAN Subnet configurations were not upgraded. Firewall Event Maintenance Information 741 ---

Time of day settings for firewall policies were not upgraded. Firewall Event Maintenance Information 742 ---

Hardware Failover settings were not upgraded. Firewall Event Maintenance Information 743 ---

User login denied - RADIUS communication problem RADIUS User Activity Warning 744 ---

User login denied - LDAP authentication failure RADIUS User Activity Information 745 ---

User login denied - LDAP server timeout RADIUS User Activity Warning 746 ---

User login denied - LDAP server down or misconfigured RADIUS User Activity Warning 747 ---

User login denied - LDAP communication problem RADIUS User Activity Warning 748 ---

User login denied - invalid credentials on LDAP server RADIUS User Activity Warning 749 ---

User login denied - insufficient access on LDAP server RADIUS User Activity Warning 750 ---

User login denied - LDAP schema mismatch RADIUS User Activity Warning 751 ---

Allowed LDAP server certificate with wrong host name RADIUS User Activity Warning 752 ---

User login denied - LDAP server name resolution failed RADIUS User Activity Warning 753 ---

User login denied - RADIUS server name resolution failed RADIUS User Activity Warning 754 ---

User login denied - LDAP server certificate not valid RADIUS User Activity Warning 755 ---

User login denied - TLS or local certificate problem RADIUS User Activity Warning 756 ---

User login denied - LDAP directory mismatch RADIUS User Activity Warning 757 ---

LDAP server does not allow CHAP RADIUS User Activity Warning 758 ---

User login denied - user already logged in Authenticate Access User Activity Information 759 ---

TCP handshake violation detected; TCP connection dropped Network Access --- Notice 760 ---

Access attempt from host out of compliance with GSC policy Security Services Maintenance Information 761 ---

GSC policy out-of-date on host Security Services Maintenance Information 762 ---

Access attempt from host without GSC installed Security Services Maintenance Information 763 8627

Failed to synchronize license information with Licensing Server. Please see http://help.mysonicwall.com/licsyncfail.html (code: %s) Security Services Maintenance Warning 766 8628

ADConnector %s response timed-out; applying caching policy Microsoft AD --- Error 769 ---

DDNS Failure: Provider %s DDNS System Error Error 773 ---

DDNS Failure: Provider %s DDNS System Error Error 774 ---

DDNS Failure: Provider %s DDNS System Error Error 775 ---

DDNS Update success for domain %s DDNS Maintenance Information 776 ---

DDNS Warning: Provider %s DDNS System Error Warning 777 ---

DDNS association %s taken Offline locally DDNS Maintenance Information 778 ---

DDNS association %s added DDNS Maintenance Information 779 ---

DDNS association %s enabled DDNS Maintenance Information 780 ---

DDNS association %s disabled DDNS Maintenance Information 781 ---

DDNS Association %s put on line DDNS Maintenance Information 782 ---

All DDNS associations have been deleted DDNS Maintenance Information 783 ---

DDNS association %s deactivated DDNS Maintenance Information 784 ---

DDNS association %s deleted DDNS Maintenance Information 785 ---

DDNS association %s updated DDNS --- Information 786 ---

IPS Detection Alert: %s Intrusion Detection Attack Alert 789 6435

IPS Prevention Alert: %s Intrusion Detection Attack Alert 790 6436

DPI-SSL: %s DPI SSL Network Access Information 791 ---

Application Firewall Alert: %s Application Firewall User Activity Alert 793 13201

Anti-Spyware Prevention Alert: %s Intrusion Detection Attack Alert 794 6437

Anti-Spyware Detection Alert: %s Intrusion Detection Attack Alert 795 6438

Anti-Spyware Service Expired Security Services Maintenance Warning 796 8631

Outbound connection to RBL-listed SMTP server dropped RBL --- Notice 797 ---

Inbound connection from RBL-listed SMTP server dropped RBL --- Notice 798 ---

SMTP server found on RBL blacklist RBL --- Notice 799 ---

No valid DNS server specified for RBL lookups RBL --- Error 800 ---

Interface statistics report GMS --- Information 805 ---

SonicPoint statistics report GMS --- Information 806 ---

Gateway Anti-Virus Alert: %s Security Services Attack Alert 809 8632

Gateway Anti-Virus Service expired Security Services Maintenance Warning 810 8633

PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings PPP Dial Up Maintenance Information 811 ---

WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN Firewall Event System Error Error 812 ---

Adding Dynamic Entry for Bound MAC Address Network --- Information 813 ---

MAC address collides with Static ARP Entry with Bound MAC address; packet dropped Network --- Notice 814 ---

Too many gratuitous ARPs detected Network --- Warning 815 ---

ARP unused/spare Network --- Debug 816 ---

Incoming call received for Remotely Triggered Dial-out session Authenticate Access User Activity Information 817 ---

Remotely Triggered Dial-out session started. Requesting authentication Authenticate Access User Activity Information 818 ---

Incorrect authentication received for Remotely Triggered Dial-out Authenticate Access User Activity Information 819 ---

Successful authentication received for Remotely Triggered Dial-out Authenticate Access User Activity Information 820 ---

Authentication timeout during Remotely Triggered Dial-out session Authenticate Access User Activity Information 821 ---

Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dial-up sequence will commence Authenticate Access User Activity Information 822 ---

Backup will be shut down in %s minutes High Availability System Error Error 823 ---

Backup shut down because license is expired High Availability System Error Error 824 ---

Backup active High Availability System Error Information 825 ---

DHCP Scopes altered automatically due to change in network settings for interface %s Firewall Event --- Information 832 ---

DHCP lease file in the flash is corrupted; read failed Firewall Event System Error Warning 833 ---

Failed to write DHCP leases to flash Firewall Event System Error Warning 834 ---

DHCP leases written to flash Firewall Event Maintenance Information 835 ---

Invalid VLAN packet dropped Network --- Alert 836 ---

IP address conflict detected from ethernet address %s Network Maintenance Warning 847 ---

OCSP sending request. VPN PKI User Activity Information 848 ---

OCSP send request message failed. VPN PKI User Activity Error 849 ---

OCSP received response. VPN PKI User Activity Information 850 ---

OCSP received response error. VPN PKI User Activity Error 851 ---

OCSP Resolved Domain Name. VPN PKI User Activity Information 852 ---

OCSP Failed to Resolve Domain Name. VPN PKI User Activity Error 853 ---

OCSP Internal error handling received response. VPN PKI User Activity Error 854 ---

SYN Flood Mode changed by user to: Watch and report possible SYN floods Intrusion Detection Debug Warning 856 ---

SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack Intrusion Detection Debug Warning 857 ---

SYN Flood Mode changed by user to: Always proxy WAN connections Intrusion Detection Debug Warning 858 ---

Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode Intrusion Detection Debug Alert 859 ---

Possible SYN Flood on IF %s Intrusion Detection Debug Alert 860 ---

SYN flood ceased or flooding machines blacklisted - connection proxy disabled Intrusion Detection Debug Alert 861 ---

SYN Flood blacklisting enabled by user Intrusion Detection Debug Warning 862 ---

SYN Flood blacklisting disabled by user Intrusion Detection Debug Warning 863 ---

SYN-Flooding machine %s blacklisted Intrusion Detection Debug Alert 864 ---

Machine %s removed from SYN flood blacklist Intrusion Detection Debug Alert 865 ---

Possible SYN Flood on IF %s continues Intrusion Detection Debug Warning 866 ---

Possible SYN Flood on IF %s has ceased Intrusion Detection Debug Alert 867 ---

SYN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 868 ---

TCP SYN received Intrusion Detection Debug Debug 869 ---

CRL has expired VPN PKI User Activity Alert 874 ---

Failed to find certificate VPN PKI User Activity Alert 875 ---

CRL missing - Issuer requires CRL checking. VPN PKI User Activity Alert 876 ---

CRL validation failure for Root Certificate VPN PKI User Activity Alert 877 ---

Cannot Validate Issuer Path VPN PKI User Activity Alert 878 ---

WLAN radio frequency threat detected RF Management --- Warning 879 ---

Unable to resolve dynamic address object Dynamic Address Objects Maintenance Information 880 ---

System clock manually updated Firewall Logging --- Notice 881 ---

HTTP method detected; examining stream for host header Network Access TCP Debug 882 ---

IP Header checksum error; packet dropped Network Access TCP|UDP Notice 883 ---

TCP checksum error; packet dropped Network Access TCP Notice 884 ---

UDP checksum error; packet dropped Network Access UDP Notice 885 ---

ICMP checksum error; packet dropped Network Access UDP Notice 886 ---

TCP packet received with invalid header length; TCP packet dropped Network Debug Debug 887 ---

TCP packet received on non-existent/closed connection; TCP packet dropped Network Debug Debug 888 ---

TCP packet received without mandatory SYN flag; TCP packet dropped Network Debug Debug 889 ---

TCP packet received without mandatory ACK flag; TCP packet dropped Network Debug Debug 890 ---

TCP packet received on a closing connection; TCP packet dropped Network Debug Debug 891 ---

TCP packet received with SYN flag on an existing connection; TCP packet dropped Network Debug Information 892 ---

TCP packet received with invalid SACK option length; TCP packet dropped Network Debug Debug 893 ---

TCP packet received with invalid MSS option length; TCP packet dropped Network Debug Debug 894 ---

TCP packet received with invalid option length; TCP packet dropped Network Debug Debug 895 ---

TCP packet received with invalid source port; TCP packet dropped Network Debug Debug 896 ---

TCP packet received with invalid SYN Flood cookie; TCP packet dropped Network Debug Information 897 ---

RST-Flooding machine %s blacklisted Intrusion Detection Debug Alert 898 ---

RST Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 899 ---

Machine %s removed from RST flood blacklist Intrusion Detection Debug Alert 900 ---

FIN-Flooding machine %s blacklisted Intrusion Detection Debug Alert 901 ---

FIN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning 902 ---

Machine %s removed from FIN flood blacklist Intrusion Detection Debug Alert 903 ---

Possible RST Flood on IF %s Intrusion Detection Debug Alert 904 ---

Possible FIN Flood on IF %s Intrusion Detection Debug Alert 905 ---

Possible RST Flood on IF %s has ceased Intrusion Detection Debug Alert 906 ---

Possible FIN Flood on IF %s has ceased Intrusion Detection Debug Alert 907 ---

Possible RST Flood on IF %s continues Intrusion Detection Debug Warning 908 ---

Possible FIN Flood on IF %s continues Intrusion Detection Debug Warning 909 ---

Packet Dropped - IP TTL expired Network Debug Warning 910 ---

Added host entry to dynamic address object Dynamic Address Objects Maintenance Information 911 ---

Removed host entry from dynamic address object Dynamic Address Objects Maintenance Information 912 ---

IKE Responder: Phase 1 Authentication Method does not match VPN IKE User Activity Warning 913 ---

IKE Responder: Phase 1 encryption algorithm does not match VPN IKE User Activity Warning 914 ---

IKE Responder: Phase 1 encryption algorithm keylength does not match VPN IKE User Activity Warning 915 ---

IKE Responder: Phase 1 hash algorithm does not match VPN IKE User Activity Warning 916 ---

IKE Responder: Phase 1 XAUTH required but policy has no user name VPN IKE User Activity Warning 917 ---

IKE Responder: Phase 1 XAUTH required but policy has no user password VPN IKE User Activity Warning 918 ---

IKE Responder: Phase 1 DH Group does not match VPN IKE User Activity Warning 919 ---

IKE Responder: AH authentication algorithm does not match VPN IKE User Activity Warning 920 ---

IKE Responder: ESP encryption algorithm does not match VPN IKE User Activity Warning 921 ---

IKE Responder: ESP authentication algorithm does not match VPN IKE User Activity Warning 922 ---

IKE Responder: AH authentication key length does not match VPN IKE User Activity Warning 923 ---

IKE Responder: ESP encryption key length does not match VPN IKE User Activity Warning 924 ---

IKE Responder: ESP authentication key length does not match VPN IKE User Activity Warning 925 ---

IKE Responder: AH authentication key rounds does not match VPN IKE User Activity Warning 926 ---

IKE Responder: ESP encryption key rounds does not match VPN IKE User Activity Warning 927 ---

IKE Responder: ESP authentication key rounds does not match VPN IKE User Activity Warning 928 ---

IKE Responder: IP Compression algorithm does not match VPN IKE User Activity Warning 929 ---

IKE Initiator: Remote party timeout - Retransmitting IKE request. VPN IKE User Activity Information 930 ---

IKE Responder: Remote party timeout - Retransmitting IKE request. VPN IKE User Activity Information 931 ---

IKE Responder: IPsec protocol mismatch VPN IKE User Activity Warning 932 ---

IKE Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning 933 ---

IKE Responder: Peer's local network does not match VPN policy's <b>Destination Network</b> VPN IKE User Activity Warning 934 ---

IKE Responder: Peer's destination network does not match VPN policy's <b>Local Network</b> VPN IKE User Activity Warning 935 ---

IKE Responder: Route table overrides VPN policy VPN IKE User Activity Warning 936 ---

IKE Initiator: IKE proposal does not match (Phase 1) VPN IKE User Activity Warning 937 ---

IKEv2 Initiator: Send IKE_SA_INIT request VPN IKE User Activity Information 938 ---

IKEv2 Responder: Received IKE_SA_INIT request VPN IKE User Activity Information 939 ---

IKEv2 Initiator: Send IKE_AUTH request VPN IKE User Activity Information 940 ---

IKEv2 Responder: Received IKE_AUTH request VPN IKE User Activity Information 941 ---

IKEv2 Authentication successful VPN IKE User Activity Information 942 ---

IKEv2 Accept IKE SA Proposal VPN IKE User Activity Information 943 ---

IKEv2 Accept IPsec SA Proposal VPN IKE User Activity Information 944 ---

IKEv2 Initiator: Send CREATE_CHILD_SA request VPN IKE User Activity Information 945 ---

IKEv2 Responder: Received CREATE_CHILD_SA request VPN IKE User Activity Information 946 ---

IKEv2 Send delete IKE SA request VPN IKE User Activity Information 947 ---

IKEv2 Received delete IKE SA request VPN IKE User Activity Information 948 ---

IKEv2 Send delete IPsec SA request VPN IKE User Activity Information 949 ---

IKEv2 Received delete IPsec SA request VPN IKE User Activity Information 950 ---

IKEv2 Responder: Peer's destination network does not match VPN policy's <b>Local Network</b> VPN IKE User Activity Information 951 ---

IKEv2 Responder: Peer's local network does not match VPN policy's <b>Destination Network</b> VPN IKE User Activity Information 952 ---

IKEv2 Payload processing error VPN IKE User Activity Warning 953 ---

IKEv2 Initiator: Negotiations failed. Extra payloads present. VPN IKE User Activity Warning 954 ---

IKEv2 Initiator: Negotiations failed. Missing required payloads. VPN IKE User Activity Warning 955 ---

IKEv2 Initiator: Negotiations failed. Invalid input state. VPN IKE User Activity Warning 956 ---

IKEv2 Initiator: Negotiations failed. Invalid output state. VPN IKE User Activity Warning 957 ---

IKEv2 Payload validation failed. VPN IKE User Activity Warning 958 ---

IKEv2 Unable to find IKE SA VPN IKE User Activity Warning 959 ---

IKEv2 Decrypt packet failed VPN IKE User Activity Warning 960 ---

IKEv2 Out of memory VPN IKE User Activity Warning 961 ---

IKEv2 Responder: Policy for remote IKE ID not found VPN IKE User Activity Error 962 ---

IKEv2 Process Message queue failed VPN IKE User Activity Warning 963 ---

IKEv2 Invalid state VPN IKE User Activity Warning 964 ---

IKE Responder: Client Policy has no VPN Access Networks assigned. Check Configuration. VPN IKE System Error Error 965 ---

IKEv2 Invalid SPI size VPN IKE User Activity Warning 966 ---

IKEv2 VPN Policy not found VPN IKE User Activity Warning 967 ---

IKEv2 IPsec proposal does not match VPN IKE User Activity Warning 968 ---

IKEv2 IPsec attribute not found VPN IKE User Activity Warning 969 ---

IKEv2 IKE attribute not found VPN IKE User Activity Warning 970 ---

IKEv2 Peer is not responding. Negotiation aborted. VPN IKE User Activity Warning 971 ---

IKEv2 Initiator: Remote party timeout - Retransmitting IKEv2 request. VPN IKE User Activity Information 972 ---

IKEv2 Initiator: Received IKE_SA_INT response VPN IKE User Activity Information 973 ---

IKEv2 Initiator: Received IKE_AUTH response VPN IKE User Activity Information 974 ---

IKEv2 Initiator: Received CREATE_CHILD_SA response VPN IKE User Activity Information 975 ---

IKEv2 Responder: Send IKE_SA_INIT response VPN IKE User Activity Information 976 ---

IKEv2 Responder: Send IKE_AUTH response VPN IKE User Activity Information 977 ---

IKEv2 negotiation complete VPN IKE User Activity Information 978 ---

IKEv2 Function sendto() failed to transmit packet. VPN IKE User Activity Error 979 ---

IKEv2 Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning 980 ---

IKEv2 IKE proposal does not match VPN IKE User Activity Warning 981 ---

IKEv2 Received notify status payload VPN IKE User Activity Information 982 ---

IKEv2 Received notify error payload VPN IKE User Activity Warning 983 ---

IKEv2 No NAT device detected between negotiating peers VPN IKE User Activity Information 984 ---

IKEv2 NAT device detected between negotiating peers VPN IKE User Activity Information 985 ---

User login denied - not allowed by policy rule Authenticate Access User Activity Information 986 ---

User login denied - not found locally Authenticate Access User Activity Information 987 ---

User login denied - SSO agent timeout Authenticate Access User Activity Warning 988 ---

User login denied - SSO agent configuration error Authenticate Access User Activity Warning 989 ---

User login denied - SSO agent communication problem Authenticate Access User Activity Warning 990 ---

User login denied - SSO agent name resolution failed Authenticate Access User Activity Warning 991 ---

SSO returned a user name that is too long SSO User Activity Warning 992 ---

SSO returned a domain name that is too long SSO User Activity Warning 993 ---

Configuration mode administration session started Authenticate Access User Activity Information 994 ---

Configuration mode administration session ended Authenticate Access User Activity Information 995 ---

Read-only mode GUI administration session started Authenticate Access User Activity Information 996 ---

Non-config mode GUI administration session started Authenticate Access User Activity Information 997 ---

GUI administration session ended Authenticate Access User Activity Information 998 ---

SSL Control: Website found in blacklist Network Access Blocked Sites Information 999 ---

SSL Control: Website found in whitelist Network Access Blocked Sites Information 1000 ---

SSL Control: HTTPS via SSL2 Network Access Blocked Sites Information 1001 ---

SSL Control: Certificate with invalid date Network Access Blocked Sites Information 1002 ---

SSL Control: Self-signed certificate Network Access Blocked Sites Information 1003 ---

SSL Control: Weak cipher being used Network Access Blocked Sites Information 1004 ---

SSL Control: Untrusted CA Network Access Blocked Sites Information 1005 ---

SSL Control: Certificate chain not complete Network Access Blocked Sites Information 1006 ---

SSL Control: Failed to decode Server Hello Network Access Blocked Sites Information 1007 ---

User logged out - logout detected by SSO Authenticate Access User Activity Information 1008 ---

Bind to LDAP server failed RADIUS System Error Error 1009 ---

Using LDAP without TLS - highly insecure RADIUS System Error Alert 1010 ---

LDAP using non-administrative account - VPN client user will not be able to change passwords RADIUS System Error Warning 1011 ---

IKEv2 Responder: Send CREATE_CHILD_SA response VPN IKE User Activity Information 1012 ---

IKEv2 Send delete IKE SA response VPN IKE User Activity Information 1013 ---

IKEv2 Send delete IPsec SA response VPN IKE User Activity Information 1014 ---

IKEv2 Received delete IKE SA response VPN IKE User Activity Information 1015 ---

IKEv2 Received delete IPsec SA response VPN IKE User Activity Information 1016 ---

3G %s device detected Firewall Hardware System Environment Information 1017 ---

PPP message: %s PPP --- Information 1018 ---

Chat started PPP Dial Up User Activity Information 1019 ---


Chat completed PPP Dial Up User Activity Information 1020 ---

Chat wrote '%s' PPP Dial Up User Activity Information 1021 ---

Chat %s PPP Dial Up User Activity Information 1022 ---

Chat failed: %s PPP Dial Up User Activity Information 1023 ---

Unable to send message to dial-up task PPP Dial Up System Error Error 1024 ---

Diagnostic Code J Firewall Hardware System Error Error 1025 5423

3G Dial-up: %s. PPP Dial Up User Activity Alert 1026 ---

3G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnecting the 3G session. PPP Dial Up User Activity Alert 1027 7643

%s auto-dial failed: Current Connection Model is configured as Ethernet Only PPP Dial Up System Error Alert 1028 ---

TCP packet received with non-permitted option; TCP packet dropped Network Debug Debug 1029 ---

TCP packet received with invalid Window Scale option length; TCP packet dropped Network Debug Debug 1030 ---

TCP packet received with invalid Window Scale option value; TCP packet dropped Network Debug Debug 1031 ---

Chat started by '%s' PPP Dial Up User Activity Information 1032 ---

Problem occurred during user group membership retrieval Authenticate Access User Activity Warning 1033 ---

Received AF Alert: Your Application Firewall (AF) subscription has expired. Security Services Maintenance Warning 1034 8635

User login denied - password expired Authenticate Access User Activity Information 1035 ---

IKE Responder: IKE Phase 1 exchange does not match VPN IKE User Activity Error 1036 ---

PPP Dial-Up: Starting PPP PPP Dial Up --- Information 1037 ---

Dial-up: Traffic generated by '%s' PPP Dial Up --- Information 1038 ---

Dial-up: Session initiated by data packet PPP Dial Up --- Information 1039 ---

DHCP Server: IP conflict detected Firewall Event --- Alert 1040 ---

DHCP Server: Received DHCP decline from client Firewall Event --- Alert 1041 ---

Physical environment normal Firewall Hardware --- Information 1042 5424

Power supply without redundancy Firewall Hardware --- Error 1043 5425

Discovered HA %s Firewall High Availability --- Information 1044 ---

Diagnostic Auto-restart scheduled for %s minutes from now Firewall Event --- Information 1045 ---

Diagnostic Auto-restart canceled Firewall Event --- Information 1046 ---

"As per Diagnostic Auto-restart configuration request, restarting system" Firewall Event --- Information 1047 ---

User login denied - password doesn't meet constraints Authenticate Access --- Information 1048 ---

Settings Import: %s Firewall Event --- Information 1049 ---

VPN Policy Added VPN --- Information 1050 ---


VPN Policy Deleted VPN --- Information 1051 ---

VPN Policy Modified VPN --- Information 1052 ---

PC Card removed. Firewall Hardware --- Alert 1053 5418

PC Card inserted. Firewall Hardware --- Alert 1054 5419

3G: No SIM detected Firewall Hardware --- Alert 1055 ---

PC Card: No device detected Firewall Hardware --- Alert 1056 ---

Peer firewall rebooting (%s) High Availability --- Information 1057 ---

Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability --- Information 1058 ---

Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability --- Information 1059 ---

Crypto SHA1 based DRNG KAT test failed Crypto Test --- Error 1060 ---

Successfully sent Preference file to remote backup server Firewall Event Maintenance Information 1061 ---

Failed to send Preference file to remote backup server, Error: %s Firewall Event Maintenance Information 1062 ---

Successfully sent TSR file to remote backup server Firewall Event Maintenance Information 1063 ---

Failed to send TSR file to remote backup server, Error: %s Firewall Event Maintenance Information 1064 ---

Successfully sent %s file to remote backup server Firewall Event Maintenance Information 1065 ---

Failed to send file to remote backup server, Error: %s Firewall Event Maintenance Information 1066 ---

System shutdown by administrator. Power cycle required. Firewall Event --- Alert 1067 5242

Multiple DHCP Servers are detected on network Firewall Event --- Warning 1068 ---

External Web Server Host Resolution Failed %s Authenticate Access --- Error 1069 ---

Invalid DNS Server will not be accepted by the dynamic client Firewall Event --- Information 1070 ---

DHCP Server sanity check passed %s Firewall Event --- Critical 1071 ---

DHCP Server sanity check failed %s Firewall Event --- Critical 1072 ---

SSO agent returned error SSO User Activity Warning 1073 ---

L2TP Tunnel Negotiation %s L2TP Client --- Information 1074 ---

SSO agent is down SSO User Activity Alert 1075 ---

SSO agent is up SSO User Activity Alert 1076 ---

SonicPointN Status SonicPoint-N --- Information 1077 ---

SonicPointN Provision SonicPoint-N --- Information 1078 ---

SSLVPN zone remote user login allowed Authenticate Access User Activity Information 1080 ---


SSL Control: Certificate with MD5 Digest Signature Algorithm Network Access Blocked Sites Information 1081 ---

%s is operational. Anti-Spam --- Warning 1082 13801

%s is unavailable. Anti-Spam --- Warning 1083 13802

Anti-Spam service is enabled by administrator. Anti-Spam --- Information 1084 13803

Anti-Spam service is disabled by administrator. Anti-Spam --- Information 1085 13804

Your Anti-Spam Service subscription has expired. Anti-Spam --- Warning 1086 13805

SMTP connection limit is reached. Connection is dropped. Anti-Spam --- Warning 1087 13806

Anti-Spam Startup Failure - %s Anti-Spam --- Warning 1088 13807

Anti-Spam Teardown Failure - %s Anti-Spam --- Warning 1089 13808

DHCP Server: Received DHCP message from untrusted relay agent Firewall Event --- Notice 1090 ---

Outbound connection to GRID-listed SMTP server dropped Anti-Spam --- Notice 1091 13809

Inbound connection from GRID-listed SMTP server dropped Anti-Spam --- Notice 1092 13810

SMTP server found on Reject List Anti-Spam --- Notice 1093 13811

No valid DNS server specified for GRID lookups Anti-Spam --- Error 1094 13812

Unprocessed email received from MTA on Inbound SMTP port Anti-Spam --- Information 1095 13813

Processed Email received from Email Security Service Anti-Spam --- Information 1096 13814

SCEP Client: %s VPN PKI --- Notice 1097 ---

Possible DNS rebind attack detected Intrusion Detection --- Alert 1098 6465

DNS rebind attack blocked Intrusion Detection --- Alert 1099 6466

Network Monitor: Policy %s status is UP Network Monitor --- Alert 1100 14001

Network Monitor: Policy %s status is DOWN Network Monitor --- Alert 1101 14002

Network Monitor: Policy %s status is UNKNOWN Network Monitor --- Alert 1102 14003

Network Monitor: Host %s status is UNKNOWN Network Monitor --- Alert 1103 14004

Network Monitor Policy %s Added Network Monitor --- Information 1104 ---

Network Monitor Policy %s Deleted Network Monitor --- Information 1105 ---

Network Monitor Policy %s Modified Network Monitor --- Information 1106 ---

Message blocked by Real-Time Email Scanner Anti-Spam --- Information 1108 ---

CSR Generation: %s VPN PKI --- Information 1109 ---

Assigned IP address %s DHCP Server --- Information 1110 ---

Released IP address %s DHCP Server --- Information 1111 ---

Ftp server accepted the connection FTP --- Debug 1112 ---


Ftp client user name was sent FTP --- Debug 1113 ---

Ftp client user logged in successfully FTP --- Debug 1114 ---

Ftp client user logged in failed FTP --- Debug 1115 ---

Ftp client user logged out FTP --- Debug 1116 ---

User login denied - SSO probe failed Authenticate Access User Activity Warning 1117 ---

User login denied - Mail Address(From/to) or SMTP Server is not configured Authenticate Access User Activity Information 1118 ---

RADIUS user cannot use One Time Password - no mail address set for equivalent local user Authenticate Access User Activity Information 1119 ---

User login denied - Terminal Services agent timeout Authenticate Access User Activity Warning 1120 ---

User login denied - Terminal Services agent name resolution failed Authenticate Access User Activity Warning 1121 ---

User login denied - No name received from Terminal Services agent Authenticate Access User Activity Warning 1122 ---

User login denied - Terminal Services agent communication problem Authenticate Access User Activity Warning 1123 ---

User logged out - logout reported by Terminal Services agent Authenticate Access User Activity Information 1124 ---

High Availability has been enabled and Dial-Up device(s) are not supported in High Availability processing. High Availability --- Information 1125 ---

The High Availability monitoring IP configuration of Interface %s is incorrect. High Availability --- Error 1126 ---

IKE Responder: ESP mode mismatch Local - Tunnel Remote - Transport VPN IKE User Activity Warning 1127 ---

IKE Responder: ESP mode mismatch Local - Transport Remote - Tunnel VPN IKE User Activity Warning 1128 ---

WAN DHCPC IP Changed Firewall Event System Error Warning 1129 ---

WLAN DHCPC IP Changed Firewall Event System Error Warning 1130 ---

Probe Response Success - %s Anti-Spam --- Debug 1131 ---

Probe Response Failure - %s Anti-Spam --- Debug 1132 ---

Peer HA firewall has stateful license but this firewall is not yet registered High Availability System Error Alert 1136 ---

The stateful license of HA peer firewall is not activated High Availability System Error Alert 1137 ---

Received unauthenticathed GRID response Anti-Spam --- Debug 1138 ---

Invalid key or serial number used for GRID response Anti-Spam --- Debug 1139 ---

Invalid key version used for GRID response Anti-Spam --- Debug 1140 ---

Host IP address not in GRID List Anti-Spam --- Debug 1141 ---

No response received from DNS server Anti-Spam --- Debug 1142 ---

Not blacklisted as per configuration Anti-Spam --- Debug 1143 ---


Default to not blacklisted Anti-Spam --- Debug 1144 ---

Failed to insert entry into GRID result IP cached table Anti-Spam --- Debug 1145 ---

Resolved ES Cloud - %s Anti-Spam --- Debug 1146 ---

Updated ES Cloud Address - %s Anti-Spam --- Debug 1147 ---

Your Active/Active Clustering subscription has expired. High Availability --- Warning 1149 ---

Terminal Services agent is down SSO User Activity Alert 1150 ---

Terminal Services agent is up SSO User Activity Alert 1151 ---

Active/Active Clustering license is not activated on the following cluster units: %s High Availability --- Error 1152 ---

SSLVPN Traffic SSL VPN Connection Traffic Information 1153 ---

Application Control Detection Alert: %s App-Control Detection --- Alert 1154 15001

Application Control Prevention Alert: %s App-Control Detection --- Alert 1155 15002

GMS or syslog server name lookup failed - try again in 60 secs. Firewall Event --- Error 1156 ---

User account '%s' expired and disabled Authenticate Access User Activity Information 1157 ---

User account '%s' expired and pruned Authenticate Access User Activity Information 1158 ---

Received Alert: Your Firewall Visualization Control subscription has expired. Security Services --- Warning 1159 ---

Attempt to contact Remote backup server for upload approval failed Firewall Event Maintenance Debug 1160 ---

Backup remote server did not approve upload request Firewall Event Maintenance Debug 1161 ---

Modules attached to HA units do not match: %s High Availability System Error Alert 1162 664

Malformed DNS packet detected Network Access Debug Alert 1177 ---

A high percentage of the system packet buffers are held waiting for SSO SSO User Activity Alert 1178 ---

A user has a very high number of connections waiting for SSO SSO User Activity Alert 1179 ---

DOS protection on WAN begins %s Intrusion Detection Debug Alert 1180 ---

DOS protection on WAN %s Intrusion Detection Debug Warning 1181 ---

DOS protection on WAN %s Intrusion Detection Debug Alert 1182 ---

Deleting IPsec SA (Phase 2) VPN IKE User Activity Debug 1183 ---

Delete invalid scope because port ip in the range of this DHCP scope. DHCP Server --- Warning 1184 ---

IKE Responder: Peer's network does not match VPN policy's Network VPN IKE User Activity Warning 1189 ---

Added new LDAP mirror user group: %s RADIUS User Activity Information 1190 ---

Deleted LDAP mirror user group: %s RADIUS User Activity Information 1191 ---

Added a new member to an LDAP mirror user group RADIUS User Activity Information 1192 ---

Removed a member from an LDAP mirror user group RADIUS User Activity Information 1193 ---

Monitoring probe out interface mismatch %s High Availability --- Error 1194 ---

Index of Syslog Tag Field Description

This section provides an alphabetical listing of Syslog tags and the associated field description.

Tag Field Description

<ddd> Syslog message prefix The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1)

arg URL Used to render a URL: arg represents the URL path name part.

bcastRx Interface statistics report Displays the broadcast packets received

bcastTx Interface statistics report Displays the broadcast packets transmitted

bytesRx Interface statistics report Displays the bytes received

bytesTx Interface statistics report Displays the bytes transmitted

c Message category (legacy only) Indicates the legacy category number (Note: We are not currently sending new category information.)

change Configuration change webpage Displays the basename of the firewall web page that performed the last configuration change

code Blocking code Indicates the CFS block code category

code ICMP type and code Indicates the ICMP code

conns Firewall status report Indicates the number of connections in use

cpuUtil Firewall status report Displays the CPU utilization (not in use)

dst Destination Destination IP address, and optionally, port, network interface, and resolved name.

dstname Destination URL Displays the URL of web site hit and other legacy destination strings

dstname URL Used to render a URL: dstname represents the URL host part


dyn Firewall status report Displays the HA and dialup connection state (rendered as “h.d” where “h” is “n” (not enabled), “b” (backup), or “p” (primary) and “d” is “1” (enabled) or “0” (disabled))

fw Firewall WAN IP Indicates the WAN IP Address

fwlan Firewall status report Indicates the LAN zone IP address

goodRxBytes SonicPoint statistics report Indicates the well formed bytes received

goodTxBytes SonicPoint statistics report Indicates the well formed bytes transmitted

i Firewall status report Displays the GMS message interval in seconds

id=firewall Webtrends prefix Syntactic sugar for WebTrends (and GMS by habit)

if Interface statistics report Displays the interface on which statistics are reported

ipscat IPS message Displays the IPS category

ipspri IPS message Displays the IPS priority

lic Firewall status report Indicates the number of licenses for firewalls with limited modes

m Message ID Provides the message ID number

mac MAC address Provides the MAC address

msg Static message Displays the event message (from spreadsheet)

msg Dynamically-defined message Displays a dynamically defined message string

msg Static message with dynamic string Displays a message using the predefined message string containing a “%s” and a dynamic string argument.

msg Static message with dynamic number Displays a message using the predefined string containing a “%s” and a dynamic numeric argument.

msg IPS message Displays a message using the predefined message string containing a “%s” and a dynamic string argument.

msg Anti-Spyware message Displays the event message (from spreadsheet)

n Message count Indicates the number of times event occurs

op HTTP OP code Displays the HTTP operation (GET, POST, etc.) of web site hit

pri Message priority Displays the event priority level (0=emergency..7=debug)


proto IP protocol Indicates the IP protocol and detail information

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

pt Firewall status report Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)

radio SonicPoint statistics report Displays the SonicPoint radio on which event occurred

ramUtil Firewall status report Displays the RAM utilization (not in use)

rcvd Bytes received Indicates the number of bytes received within connection

result HTTP Result code Displays the HTTP result code (200, 403, etc.) of web site hit

rule Rule ID Displays the Access Rule number causing packet drop

sent Bytes sent Displays the number of bytes sent within connection

sid IPS message Provides the IPS signature ID

sid Anti-Spyware message Provides the AntiSpyware signature ID

sn Firewall serial number Indicates the device serial number

spycat Anti-Spyware message Displays the antiSpyware category

spypri Anti-Spyware message Displays the AntiSpyware priority

src Source Indicates the source IP address, and optionally, port, network interface, and resolved name.

station SonicPoint statistics report Displays the client (station) on which event occurred

time Time Reports the time of event

type ICMP type and code Indicates the ICMP type

ucastRx Interface statistics report Displays the unicast packets received

ucastTx Interface statistics report Displays the unicast packets transmitted

unsynched Firewall status report Reports the time since last local change in seconds

usesstandbysa Firewall status report Displays whether standby SA is in use (“1” or “0”) for GMS management


usr (or user) User Displays the user name (“user” is the tag used by WebTrends)

vpnpolicy VPN policy name Displays the VPN policy name of event

60 SonicOS Log Event Reference Guide 232-001835-00_Rev_A