
Check Point Embedded NGX

Log Messages Reference

Version 6.0 - Updated March 2006


Log Messages

ID     Log message
       Comments

10001  Error - too many established connections
       The web filtering service connection table is full.

10011  DHCP server got unknown message type (<MessageType>)
       The DHCP server received an invalid DHCP request.

10012  DHCP server found no free IP addresses
       There are no free IP addresses. Consider increasing the size of the DHCP address range.

10013  DHCP server can't add more leases
       The DHCP server has reached the maximum amount of supported DHCP leases.

10014  Gateway started up
       The gateway has been powered up or restarted.

10015  Assigned <IP> to <MAC Address> via DHCP
       An IP address has been assigned to a host.

10016  Detected static IP
       A host is assigned with a static IP.

10019  Failed to lease reserved IP <IP Address>, IP already used
       A DHCP client tried to request an IP address that is already in use.

10020  An IP conflict was detected: The IP <IP Address> is in use by a device with MAC address <MAC Address>
       Two devices on the network are configured to use the same IP address.

10021  A MAC address conflict was detected: The MAC address <MAC Address> is in use by another device
       Two devices on the network are using the same MAC address.

10022  WAN received DHCP IP overlaps the LAN\DMZ network
       The WAN IP address must not belong to one of the internal networks.

10023  WAN received DHCP network that intersects with internal network
       The WAN IP subnet must not intersect with an internal network.

10024  WAN received bad DHCP IP
       Your ISP assigned an invalid IP address to this gateway.

10026  WLAN client: <MAC Address>, connected to network
       A wireless station has connected to the network.

10027  WLAN client: <MAC Address>, disconnected from network
       A wireless station has disconnected from the network.

10028  WLAN client: <MAC Address>, failed to authenticate to network
       A wireless station has failed to authenticate to the network.

10029  WLAN client: <MAC Address>, associated to network
       A wireless station has associated with the network.

10030  WLAN client: <MAC Address>, disassociated from network
       A wireless station has disassociated from the network.

10031  WLAN client: <MAC Address>, re-associated to network
       A wireless station has re-associated with the network.

10032  DHCP relay: server on <Network Name> network failed over from <IP Address> to <IP Address>
       The main DHCP relay server is not responding; the secondary DHCP relay server was used instead.

30001  Policy error - trap <id> called with too many arguments
       May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.

30004  Kernel hook failed
       May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.

30005  <Operation Type> operation on table <table id> failed
       May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.

30009  Table <table id> not found
       May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.

30011  Failed to install updated security policy
       The security policy installation has failed. This may indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.

30012  Failed to install policy - invalid policy file
       The security policy received from the service center is corrupt.

30013  Policy version is incompatible with the appliance firmware.
       The security policy received from the service center is incompatible with the current firmware version.

30015  Policy is incompatible with appliance type
       The security policy received from the service center is incompatible with the current appliance type.

30016  Wrong update version in policy.
       The security policy received from the service center is incompatible with the current firmware version.

30021  Failed to install updated user interface
       The downloaded GUI update file is invalid or incompatible with this firmware version.

30024  Failed to install updated firmware
       The downloaded firmware update file is corrupt or not compatible with the current hardware type.

30025  Failed to install policy
       Failed to install an updated INSPECT security policy.

30026  Failed to install updated configuration-set file
       The configuration-set received from the service center is invalid.

30027  Failed to install configuration-set file
       Failed to install an updated configuration-set file.

30028  Downloaded <n> dynamic objects. Only the first <n> are installed.
       Too many dynamic objects were received from the service center.

40015  Failed to install config item
       The configuration-set received from the service center is invalid.

60000  Packet logged
       A packet was logged or dropped. See also the Connection Log Reasons table below.
60001  Password changed
       The user has changed the password.

60002  Security level changed from <x> to <y> (<change requested by>)
       The firewall security level has been changed.

60003  URL filtering mode changed <mode>
       Web filtering was enabled or disabled.

60004  Mail filtering mode changed <mode>
       Mail filtering was enabled or disabled.

60005  User interface updated
       The firewall GUI has been updated.

60009  Firmware changed
       The appliance firmware has been updated.

60011  Update now command was issued
       The user requested an immediate update of settings from the service center.

60020  VPN site <operation>: <name>
       A VPN site was created or modified.

60021  Failed to establish VPN Tunnel with <server>: <error>
       Failed to establish a phase-1 or phase-2 IKE SA, due to the specified reason.

60022  You are exceeding your node limit (Node Limit <count>, Used Nodes <count>)
       You are exceeding the node count allowed by your license. Please contact your Check Point reseller for a license upgrade.

60024  VPN mode changed <site>
       The VPN mode has changed for the specified site.

60025  URL filtering override
       The user requested to temporarily override web filtering.

60026  User <name> <operation>
       A user was created or modified in the local user database.

60028  VPN Server <mode>
       VPN server enabled/disabled.

60031  User database changed.
       A user has logged in to the appliance.

60032  Updated configuration from Service Center
       A new configuration was received from the service center.

60033  Software Updates mode changed to <mode>
       The software updates service was enabled or disabled.

60034  Automatic updates interval (seconds) changed to <interval>
       The automatic updates interval was modified.

60035  Mail Filtering override
       Mail filtering was temporarily overridden by the user.

60037  Closed VPN Tunnel with <peer>
   OR  VPN Tunnel established with <peer>
       A VPN tunnel was shut down or established.

60038  Internet connection terminated after <time>
   OR  Internet connection established, IP <IP Address> was assigned
       An Internet connection was shut down or established.

60040  Logging was disabled
   OR  Logging was set: Syslog IP Address is <IP Address> and Syslog Port is <port>
       Syslog logging was configured by the administrator.

60041  Management protocol mode changed
       HTTPS, SSH, or SNMP configuration was changed.

60042  RADIUS server mode changed
       RADIUS configuration was modified.

60043  Warning; Topology overlapping
       The VPN topology conflicts with one of the internal networks.

60044  Dialup Modem configuration changed
       The dialup modem configuration was changed.

60045  Topology overlapping: Range <range> overlaps with internal/DMZ IP
       The VPN topology conflicts with one of the internal networks.

60046  PPP Connection failed
       A PPP connection has failed.

60047  Network settings updated
       The settings for an internal network were modified.

60048  PFS mismatch: Peer <IP Address> configured without PFS support
       Perfect Forward Secrecy is enabled, but the VPN peer does not support it.

60052  Point to point connection failed to connect <reason>
       A PPP error has been detected on connection.

60054  QoS Classes were reset to defaults
       The Traffic Shaper QoS classes were reset to defaults.

60055  RADIUS permissions saved
       RADIUS permissions were modified.

60057  Internal Error
       An internal error has occurred.

60058  Firmware changed from version <version> to version <version>
       The firmware was updated.

60059  The reserved IP <IP Address> is used with the wrong MAC <MAC Address>
       An IP address with a MAC reservation has been used by a different MAC.

60060  A security certificate was generated for subject: <subject>
       A new certificate was created.

60061  Printer: <type>, S/N:<serial>, connected and attached to port <port number>
       A new printer was attached to the print server, and a TCP port has been allocated.

60062  Printer: <type>, S/N:<serial>, was disconnected
       A printer was disconnected from the print server.

60063  Printer: <type>, S/N:<serial>, starting print job from <IP Address>
       A print job was sent to the print server.

60064  Printer: <type>, S/N:<serial>, failed print job from <IP Address>, <reason>
       A print job has failed.

60065  Printer: <type>, S/N:<serial>, <message>
       A printer has encountered a technical error.

60067  New configuration was saved to High Availability module.
       The HA configuration was updated.

60068  High Availability module changed state from <state> to <state>
       The HA module state has changed.

60069  Gateway changed status from <status> to <status>
       HA failed over to the secondary gateway, or back to the primary gateway.

60070  Printer: <type>, S/N:<serial> finished print job from <IP Address>, size <size> Kbyte
       A print job was successfully completed.
60071  Printer: <type>, S/N:<serial>, reattached to port <port number>
       A known printer has reconnected to the USB port.

60072  Can't attach port to printer: <type>, S/N:<serial>, only 4 printers are supported
       You attempted to connect more than four printers to the print server at the same time.

60073  Successfully authenticated user <username> connecting from IP <IP Address>
       The specified user has logged in to the VPN server.

60074  Printer: <type>, S/N:<serial>, is ready
       The printer is ready to accept print jobs.

60075  IKE Phase1: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
       IKE phase 1 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.

60076  IKE Phase2: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
       IKE phase 2 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.

60077  IKE Phase1: The VPN Peer <peer> is behind a NAT device: NAT-T mode enabled
       NAT Traversal (NAT-T) has been automatically enabled, since the peer gateway is behind NAT.

60078  IKE Phase1: This VPN gateway is behind a NAT device: NAT-T mode enabled for VPN peer <peer>
       NAT Traversal (NAT-T) has been automatically enabled, since this gateway is behind NAT.

60079  Disconnected from Service Center
       The gateway has disconnected from the service center.

60080  New configuration was saved to WLAN module.
       The wireless LAN configuration was updated.

60081  Printer: <name>, S/N:<serial>, was reset, all running print jobs were terminated
       A printer was reset, and all the remaining print jobs in the print server for this printer were terminated.

60082  Resolved peer IP for <peer> is: <IP Address>
       VPN interface resolving has resolved the specified IP address as the reachable interface of a VPN peer.

60083  Warning: Your certificate is about to expire. Expiry date is <date>
       This is a reminder that the currently installed security certificate of this gateway is nearly expired.

60084  Warning: Your CA certificate is about to expire. Expiry date is <date>
       This is a reminder that the currently installed CA (Certificate Authority) security certificate is nearly expired.

60085  Swapped user rules at indexes <n> and <n>
       The specified firewall rule has been reordered in the local security policy.

60086  Internet connection probing status change
       Internet probing has detected that the specified Internet connection has become operational or non-operational.

60087  Firmware check failed: unrecognized image
       Attempted to install an invalid firmware image.

60088  Firmware check failed: firmware version is not compatible with the hardware revision of this gateway
       Attempted to install a firmware version incompatible with the hardware revision of this gateway.

60089  Mail AntiSpam mode changed <mode>
       Email AntiSpam mode has been changed to enabled or disabled.

60090  New configuration was saved to HotSpot module.
       The HotSpot configuration has been updated.

60091  HotSpot user <username> <action> <source>
       A user has logged in or logged out from a Secure HotSpot enabled network.

60092  HotSpot user <username> <action> <source>
       A user has logged in or logged out from a Secure HotSpot enabled network that does not require user authentication.

60093  NTP updated time by <n> seconds
       Synchronization of time with the NTP (Network Time Protocol) server has caused the time to be updated.

60094  Received invalid SofaWare specific RADIUS attribute
       The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute".

60095  Received invalid SofaWare specific RADIUS value (<name>) for <name> attribute
       The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute".

60096  Received invalid SofaWare specific RADIUS attribute type: <name>
       The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response. For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper "Configuring the RADIUS Vendor-Specific Attribute".

60097  Internet connection probe status changed
       The status of the specified Internet connection probing IP address has changed.

60098  Swapped antivirus rules at indexes <index> and <index>
       The specified antivirus rule has been reordered in the local AV policy.

60099  Start sniffing <n> network
       The packet capture tool was started by the user.

60100  Failed to start sniffer
       An internal error occurred; packet capture cannot be performed.

60101  Sniffer was stopped, <n> packets were captured
       The packet capturing session has been stopped by the user.

60102  Sniffer was cancelled
       The packet capturing session has been cancelled by the user.

60103  Connection blocked by VStream
       A connection has been blocked by VStream antivirus.

60104  VStream antivirus <new status>
       VStream antivirus scanning has been enabled or disabled.

60105  Warning: No signatures database is installed. VStream antivirus scanning will not be performed.
       No antivirus signatures database is installed; therefore antivirus scanning will not be performed.

60106  Your certificate has expired. Expiry date is <date>
       The currently installed certificate is no longer valid. It should be renewed.

60107  Your CA certificate has expired. Expiry date is <date>
       The currently installed CA certificate is no longer valid. It should be renewed.

60108  Sniffer buffer is full, <n> packets were captured
       The packet capture has been stopped, since the capture buffer is full.

60109  Sniffer stopped
       The packet capture has been stopped by the user.

60110  Failed to load VStream signatures databases
       An invalid signatures database was received from the service center.

60117  VStream Error: <message>
       An error has occurred in VStream Antivirus processing.

60118  Low free memory (User:<n> Kb, Kernel:<n> Kb, FW:<n> Kb)
       The gateway is low on memory resources. If this warning message appears frequently, please contact support.

60119  VStream database was installed successfully
       The antivirus signatures database has been updated.

60120  Warning: Some of the QoS settings are invalid, therefore QoS is temporarily disabled
       Invalid QoS settings were received from the service center.
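Every message in the table above is given as a template with angle-bracket placeholders. The following is an added example written for this reference (not code from Check Point or the Embedded NGX product): it turns a few of those templates into regular expressions, parses constructed syslog lines, and applies a handful of triage rules a monitoring team would want (repeated 60021 tunnel failures, certificate expiry 60083/60106, IP conflict 10020, node limit 60022, recurring 60118 low-memory warnings). The syslog line layout, the `ngx[<id>]:` tag and the sample values are assumptions for the example; the page only says the gateway can send its log to a syslog server.

```python
import re
from collections import Counter

# Message templates copied from the Log Messages table above, keyed by message ID.
# Placeholder names are shortened to identifiers (e.g. <IP Address> -> <ip>).
TEMPLATES = {
    10020: "An IP conflict was detected: The IP <ip> is in use by a device with MAC address <mac>",
    10028: "WLAN client: <mac>, failed to authenticate to network",
    60021: "Failed to establish VPN Tunnel with <server>: <error>",
    60022: "You are exceeding your node limit (Node Limit <limit>, Used Nodes <used>)",
    60073: "Successfully authenticated user <username> connecting from IP <ip>",
    60083: "Warning: Your certificate is about to expire. Expiry date is <date>",
    60106: "Your certificate has expired. Expiry date is <date>",
    60118: "Low free memory (User:<user_kb> Kb, Kernel:<kernel_kb> Kb, FW:<fw_kb> Kb)",
}


def template_to_regex(template):
    """Escape the literal text and turn each <name> placeholder into a named group."""
    parts = re.split(r"<([A-Za-z_][A-Za-z0-9_]*)>", template)
    pattern = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>.+?)" % p
                      for i, p in enumerate(parts))
    return re.compile("^" + pattern + "$")


COMPILED = {mid: template_to_regex(t) for mid, t in TEMPLATES.items()}

# Assumed syslog line layout (constructed for this example, not a documented format):
#   "<timestamp> <gateway name> ngx[<message id>]: <message text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ngx\[(?P<id>\d+)\]: (?P<text>.*)$")


def parse_line(line):
    """Return {"id", "host", "text", "fields"} for a recognised line, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    mid = int(m.group("id"))
    rec = {"id": mid, "host": m.group("host"), "text": m.group("text"), "fields": {}}
    rx = COMPILED.get(mid)
    if rx is not None:
        fm = rx.match(rec["text"])
        if fm:
            rec["fields"] = fm.groupdict()
    return rec


def triage(lines, vpn_threshold=3, memory_threshold=3):
    """Apply a few defender-side rules and return a list of (rule, detail) alerts."""
    alerts = []
    vpn_failures = Counter()
    memory_warnings = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["id"] == 60021:
            vpn_failures[f.get("server", "?")] += 1
        elif rec["id"] == 10020:
            alerts.append(("ip_conflict", "%s claimed by %s" % (f.get("ip"), f.get("mac"))))
        elif rec["id"] in (60083, 60106):
            alerts.append(("certificate_expiry", "id %d, expiry %s" % (rec["id"], f.get("date"))))
        elif rec["id"] == 60022:
            alerts.append(("node_limit", "limit %s, used %s" % (f.get("limit"), f.get("used"))))
        elif rec["id"] == 60118:
            memory_warnings += 1   # the table says frequent 60118 warrants a support call
    for server, n in vpn_failures.items():
        if n >= vpn_threshold:
            alerts.append(("vpn_tunnel_failures", "%d failures with %s" % (n, server)))
    if memory_warnings >= memory_threshold:
        alerts.append(("low_memory_recurring", "%d warnings" % memory_warnings))
    return alerts


# Constructed sample lines (not real gateway output).
SAMPLE_LINES = [
    "Mar 10 09:12:01 gw1 ngx[60073]: Successfully authenticated user alice connecting from IP 203.0.113.7",
    "Mar 10 09:12:05 gw1 ngx[60021]: Failed to establish VPN Tunnel with 198.51.100.9: No proposal chosen",
    "Mar 10 09:12:09 gw1 ngx[60021]: Failed to establish VPN Tunnel with 198.51.100.9: No proposal chosen",
    "Mar 10 09:12:14 gw1 ngx[60021]: Failed to establish VPN Tunnel with 198.51.100.9: No proposal chosen",
    "Mar 10 09:13:00 gw1 ngx[10020]: An IP conflict was detected: The IP 192.168.10.5 is in use by a device with MAC address 00:11:22:33:44:55",
    "Mar 10 09:14:00 gw1 ngx[60083]: Warning: Your certificate is about to expire. Expiry date is 2006-04-01",
    "Mar 10 09:15:00 gw1 ngx[60118]: Low free memory (User:512 Kb, Kernel:256 Kb, FW:128 Kb)",
    "Mar 10 09:16:00 gw1 ngx[60118]: Low free memory (User:500 Kb, Kernel:250 Kb, FW:120 Kb)",
    "Mar 10 09:17:00 gw1 ngx[60118]: Low free memory (User:490 Kb, Kernel:240 Kb, FW:110 Kb)",
    "Mar 10 09:18:00 gw1 ngx[10014]: Gateway started up",
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(rule, detail)
```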

Connection Log Reasons

ID     Log message
       Comments

0      Policy rule
       A connection has been logged by an INSPECT firewall policy rule on your gateway. This may be the default security policy shipped with your appliance, or a customized policy downloaded from your service center.

1      Custom rule
       A connection has been logged by a custom firewall rule defined locally on your gateway. To view your custom policy, connect to the "My Firewall" web interface, and click Security > Rules.

2      Short fragment
       SmartDefense: An IP fragment is too short.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. This log message indicates that a fragment was found that is too short to be valid according to the IP protocol specifications.

3      Long fragment
       SmartDefense: An IP fragment is too long.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. This log message indicates that a fragment was found that is too long to be valid according to the IP protocol specifications.

4      Ping of Death
       SmartDefense: Ping of Death detected.
       PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. The "Ping of Death" is a malformed PING request that some operating systems are unable to correctly process. The attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB), causing vulnerable systems to crash.

5      LAND Attack
       SmartDefense: LAND Attack detected.
       Some implementations of TCP/IP are vulnerable to SYN packets in which the source address and port are the same as the destination, i.e. spoofed. LAND is a widely available attack tool that exploits this vulnerability.

6      Overlapping Fragment
       SmartDefense: Overlapping Fragments detected.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run.

7      Teardrop
       SmartDefense: Teardrop Attack detected.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. TearDrop is a widely available attack tool that exploits this vulnerability. Because proper reassembly is required for normal network operation, SmartDefense blocks attacks based on overlapping IP fragments even if the checkbox is deselected. By default, blocked attacks will be logged as "Overlapping fragment".

8      Spoofed IP
       SmartDefense: IP Spoofing detected.
       IP address spoofing is a technique by which an intruder attempts to gain unauthorized access by altering a packet's source IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on an external network may be disguised as a local packet. If undetected, this packet will be processed by the rule base as having originated inside the firewall (i.e., possibly circumventing access controls). As such, it is important to verify where the packets originated.
       Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
       A Check Point enforcement point will block an illegal address. For example, an IP address from an external interface should not have a source address of an internal network. Legal addresses that are allowed to enter a Check Point enforcement point interface are determined by the topology of the network.
10     HotSpot
       Secure HotSpot authentication is required.
       Secure HotSpot facilitates the creation of managed guest access networks (either wireless or wired) with configurable Web-based authentication, temporary user accounts and RADIUS integration. A connection was blocked since Secure HotSpot mode is enabled for the selected network.

11     TCP out of state
       SmartDefense: TCP connection without corresponding SYN.
       Strict TCP controls the way the firewall handles all out-of-state TCP packets. Out-of-state packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. If you wish to have an extra strict policy, set Strict TCP action to 'block'.

12     SYN attack
       SmartDefense: A suspected SYN attack was detected.
       A SYN attack is a TCP denial of service attack that occurs when an attacker sends many SYN packets without finishing the TCP 3-way handshake. A successful SYN attack will cause the attacked host to be unable to accept new connections.

13     Duplicate fragments
       SmartDefense: Too many duplicate fragments were detected.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of a large amount of duplicate IP fragments. When SmartDefense detects an excessive amount of duplicate IP fragments, it logs this event as 'Duplicate Fragments'.

14     Too many incomplete packets
       SmartDefense: Virtual Defragmentation: Too many incomplete fragmented packets.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents. An attacker may try to overload the defragmentation system by sending a large amount of incomplete packets. Such attempts are detected by SmartDefense and logged as "Too many incomplete packets".

15     Incomplete packet
       SmartDefense: A packet was dropped since not all the fragments were received.
       When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents. If some of the fragments of a certain fragmented packet are lost in transit, the packet is blocked by the firewall, and logged as an "Incomplete packet".

16     Ping too big
       SmartDefense: A Ping packet is too large.
       PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker might echo the client with a large amount of data, for example, causing a buffer overflow.

17     Null payload
       SmartDefense: Null payload ping attack.
       PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.

18     Welchia
       SmartDefense: Welchia DoS attack detected.
       The Welchia worm uses the Microsoft DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.

19     Christmas packet
       SmartDefense: Christmas packet attack detected.
       A Christmas packet is an IP packet with every single option set. Christmas Tree packets can be used as a method of collecting intelligence on a specific TCP/IP stack, by sending Christmas packets and performing analysis on the response. This can allow an attacker to detect the specific operating system in use. If a Christmas packet is detected by SmartDefense, it is automatically blocked and logged.

20     Cisco IOS DoS
       SmartDefense: Cisco IOS denial of service attack.
       Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A specially-crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast, PIM), which is handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface.

21     Fragmented packet
       SmartDefense: Policy forbids fragmented packets.
       An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, by default, Embedded NGX reassembles all fragments prior to inspecting the packets. However, if you set "Forbid IP Fragments" to "True" in the SmartDefense > IP Fragments tab, all IP fragments will be forbidden and blocked.
22 Network Quota SmartDefense: Network Quota exceeded.

Network Quota enforces a limit upon the number of


connections that are allowed from the same source IP
address, to protect against Denial Of Service [DoS]
attacks.
When a certain source exceeds the number of allowed
connections, Network Quota can either block all new
connection attempts from that source, or track the event.
23 Stateless ICMP SmartDefense: ICMP response with no ICMP request.

ICMP allows one network node to ping, or send an echo


request to, other network nodes to determine their
operational status. This capability can be used to
perpetrate a “Smurf” DoS attack. The Smurf attack is
possible because standard ICMP does not match requests
to responses.
Therefore, an attacker can send a ping with a spoofed
source IP address to an IP broadcast address. The IP
broadcast address reaches all IP addresses in a given
network. All machines within the pinged network send
echo replies to the spoofed, and innocent, IP source. Too
many pings and responses can flood the spoofed network
and deny access for legitimate traffic. This type of attack
can be blocked by dropping replies that don’t match
requests, as performed by Check Point’s Stateful ICMP.
These packets are logged as “Stateless ICMP”.

24 FTP Bounce SmartDefense: FTP bounce attack.


When connecting to an FTP server, the client sends a
PORT command specifying the IP address and port to
which the FTP server should connect and send data. An
FTP Bounce attack is when an attacker sends a PORT
command specifying the IP address of a third party
instead of the attacker's own IP address. The FTP server
then sends data to the victim machine.
25 FTP port overflow SmartDefense: FTP port overflow attack.

FTP clients send PORT commands when connecting to the


FTP sever. A PORT command consists of a series of
numbers between 0 and 255, separated by commas.
Block Port Overflow rejects PORT commands that
contain a number greater than 255.
26 FTP known port SmartDefense: FTP known port attack.

When connecting to an FTP server, the client sends a


PORT command specifying the IP address and port to
which the FTP server should connect and send data. An
FTP Bounce attack is when an attacker sends a PORT
command specifying the IP address of a third party instead
of the attacker's own IP address. The FTP server then
sends data to the victim machine.
By enabling the “FTP Known Port” protection, you can
specify whether to allow the FTP server to connect to well-
known ports.
This provides a second protection against certain FTP
bounce attacks. The server will not let the bounce connect
to any port running a known service.
27 FTP Illegal command SmartDefense: Blocked FTP Command
Using the “Blocked FTP Commands” SmartDefense
protection, you can select which FTP commands are
allowed to pass through the firewall. This log message
indicates that SmartDefense detected an attempt to use an
FTP command that was not in the list of allowed FTP
commands configured by user.
28 Non TCP flooding SmartDefense: Non TCP flooding attack.

Hackers directly target security devices such as firewalls.


In advanced firewalls, state information about connections
is maintained in a State table. The State table includes
connection-oriented TCP and connectionless non-TCP
protocols. Hackers can send high volumes of non-TCP
traffic, in an effort to fill up a firewall State table. This
prevents the firewall from accepting new connections and
results in a Denial of Service [DoS].
SmartDefense can restrict non-TCP traffic from occupying
more than a pre-defined percentage of a enforcement
point’s state table. This eliminates the possibility of this
type of attack.
29 Small PMTU SmartDefense: Small PMTU DoS attack.
Small PMTU is a bandwidth attack in which, the client
fools the server into sending large amounts of data using
small packets. Each packet has a large overhead that
creates a "bottleneck" on the server.
30 KaZaa SmartDefense: KaZaa blocked/logged due to user policy.
SmartDefense can block or log Kazaa. Kazaa is a popular
Peer to Peer file sharing Protocol, running over TCP port
1214 or over HTTP.
31 Skype SmartDefense: Skype blocked/logged due to user policy.
SmartDefense can block or log Skype traffic by identifying
Skype fingerprints and HTTP headers. SmartDefense is
able to detect instant messaging traffic regardless of the
TCP port being used to initiate the peer to peer session.
Skype uses UDP or TCP port 1024 and higher or HTTP for
peer to peer telephony.
32 BitTorrent SmartDefense: BitTorrent blocked/logged due to user
policy.
SmartDefense can block or log BitTorrent, a file
distribution network using peer to peer connections.
BitTorrent uses ports in the TCP 6881 to 6889 range for
file transfer.
33 eMule SmartDefense: eMule blocked/logged due to user policy.
SmartDefense can block or log eMule, a popular peer to
peer protocol used by various peer to peer clients, such as
eMule, iMesh and others.
34 Gnutella SmartDefense: Gnutella blocked/logged due to user policy.
SmartDefense can block or log Gnutella, one of the most
popular peer to peer protocols, used by applications such
as Gnutella, BearShare, Shareaza, Morpheus and iMesh.
35 ICQ SmartDefense: ICQ blocked/logged due to user policy.
SmartDefense can block or log ICQ traffic by identifying
ICQ's fingerprints and HTTP headers. SmartDefense is
able to detect instant messaging traffic regardless of the
TCP port used to initiate the peer to peer session. ICQ
uses TCP port 5190 to connect. File transfer and sharing
use TCP ports 3574 and 7320.
36 Yahoo! Messenger SmartDefense: Yahoo Messenger blocked/logged due to
user policy.
SmartDefense can block or log Yahoo! Messenger traffic by
identifying fingerprints and HTTP headers. SmartDefense
is able to detect instant messaging traffic regardless of the
TCP port used to initiate the peer to peer session.
Yahoo! Messenger uses TCP port 5050 and TCP port 80
for messaging, TCP port 5100 for video, TCP port 5000
for voice and TCP port 5010 for file transfer.
37 Packet too small SmartDefense: IP packet is too small.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected an IP packet
that is too small to be valid.
38 Length mismatch SmartDefense: IP packet validation failed due to wrong
length.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected a corrupt or
invalid IP packet whose length field does not agree with
the number of bytes actually received.
39 Port 0 SmartDefense: Connection to Port 0.
Port 0 is not a legitimate destination port for TCP and UDP
packets. If SmartDefense detects a packet with a
destination port of 0, the packet is dropped and logged as
"Port 0".
40 Small TCP offset SmartDefense: Invalid TCP packet.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected a TCP packet
whose data offset (header length) field is smaller than the
minimum 20-byte TCP header.
41 Large TCP offset SmartDefense: Invalid TCP packet.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected a TCP packet
whose data offset (header length) field points beyond the
end of the packet.
42 Bad source IP SmartDefense: Invalid source IP address.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected a packet with
an invalid source IP address, such as a multicast address, a
broadcast address, or a loopback address.
43 Corrupt TCP options SmartDefense: TCP options are invalid.
The SmartDefense packet sanity protection option performs
several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths,
dropping IP options, and verifying the TCP flags. This log
message indicates that packet sanity detected a TCP packet
with an invalid set of TCP options, for example an option
whose length field runs past the end of the TCP header.
44 Short IGMP packet SmartDefense: IGMP packet is truncated.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the
IGMP protocol usually target vulnerabilities in the
multicast routing software/hardware used, by sending
specially crafted IGMP packets. This log message
indicates the detection of an IGMP packet that is too short
to be valid.
45 IGMP TTL is not 1 SmartDefense: IGMP Time To Live must be 1.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the
IGMP protocol usually target vulnerabilities in the
multicast routing software/hardware used, by sending
specially crafted IGMP packets. This log message
indicates an IGMP packet that had a TTL (Time to Live)
value other than 1. IGMP messages are exchanged on the
local link only and are never forwarded, so any other TTL
indicates a crafted or misrouted packet.
46 IGMP to unicast IP SmartDefense: IGMP to unicast IP addresses is invalid.
IGMP is used by hosts and routers to dynamically register
and discover multicast group membership. Attacks on the
IGMP protocol usually target vulnerabilities in the
multicast routing software/hardware used, by sending
specially crafted IGMP packets. This log message
indicates that an IGMP packet was sent to a unicast IP
address rather than to a multicast group address.
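The packet sanity and IGMP checks behind messages 37 through 46, as one added worked example (example code, not Check Point's implementation, and not a description of how the appliance orders or tolerates these conditions). It parses a raw IPv4 packet and returns the names of the checks it fails; the sample packets are constructed inline, with checksums left at zero.

```python
"""Packet sanity checks modelled on log messages 37 to 46. Added example, not
Check Point code: sanity_check() parses one raw IPv4 packet and returns the
names of the checks it fails. Order and tolerated cases are assumptions."""
import ipaddress
import struct

IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 2, 6, 17
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def _tcp_options_ok(opts):
    """Walk TCP options as kind/length/value; EOL (0) and NOP (1) are single bytes."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # end of list, rest is padding
            return True
        if kind == 1:                                # NOP
            i += 1
            continue
        if i + 1 >= len(opts):                       # kind without a length byte
            return False
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):     # must cover itself and fit
            return False
        i += length
    return True


def sanity_check(pkt):
    """Return the log-message names this packet would trigger; [] means clean."""
    if len(pkt) < 20:                                # shorter than a minimal IPv4 header
        return ["Packet too small"]
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    # header fields must agree with the bytes on the wire; trailing link-layer
    # padding (total_len < len(pkt)) is tolerated here
    if pkt[0] >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["Length mismatch"]
    findings = []
    if src.is_multicast or src.is_loopback or src == BROADCAST:
        findings.append("Bad source IP")
    l4 = pkt[ihl:total_len]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            return findings + ["Packet too small"]
        if struct.unpack("!H", l4[2:4])[0] == 0:    # destination port 0
            findings.append("Port 0")
        doff = (l4[12] >> 4) * 4                     # data offset in bytes
        if doff < 20:
            findings.append("Small TCP offset")
        elif doff > len(l4):
            findings.append("Large TCP offset")
        elif not _tcp_options_ok(l4[20:doff]):
            findings.append("Corrupt TCP options")
    elif proto == IPPROTO_UDP:
        if len(l4) < 8:
            return findings + ["Packet too small"]
        if struct.unpack("!H", l4[2:4])[0] == 0:
            findings.append("Port 0")
    elif proto == IPPROTO_IGMP:
        if len(l4) < 8:                              # IGMPv1/v2 messages are 8 bytes
            findings.append("Short IGMP packet")
        if ttl != 1:                                 # IGMP must stay on the local link
            findings.append("IGMP TTL is not 1")
        if not dst.is_multicast:
            findings.append("IGMP to unicast IP")
    return findings


# constructed sample packets (checksums left zero); not captured traffic
def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.5", ttl=64, total_len=None):
    total_len = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport, dport, options=b"", doff=None):
    doff = (20 + len(options)) // 4 if doff is None else doff   # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + options


IGMP_QUERY = b"\x11\x64\x00\x00\x00\x00\x00\x00"                # IGMPv2 general query
SAMPLES = {
    "clean_tcp": ipv4(IPPROTO_TCP, tcp(40000, 443, b"\x02\x04\x05\xb4")),  # MSS 1460
    "runt": b"\x45\x00\x00\x14",
    "bad_total_len": ipv4(IPPROTO_TCP, tcp(40000, 443), total_len=200),
    "port0": ipv4(IPPROTO_TCP, tcp(40000, 0)),
    "small_offset": ipv4(IPPROTO_TCP, tcp(40000, 443, doff=2)),
    "large_offset": ipv4(IPPROTO_TCP, tcp(40000, 443, doff=15)),
    "multicast_src": ipv4(IPPROTO_TCP, tcp(40000, 443), src="224.0.0.1"),
    "bad_options": ipv4(IPPROTO_TCP, tcp(40000, 443, b"\x02\x09\x05\xb4")),  # MSS claims len 9
    "short_igmp": ipv4(IPPROTO_IGMP, IGMP_QUERY[:4], dst="224.0.0.1", ttl=1),
    "igmp_ttl": ipv4(IPPROTO_IGMP, IGMP_QUERY, dst="224.0.0.1", ttl=64),
    "igmp_unicast": ipv4(IPPROTO_IGMP, IGMP_QUERY, ttl=1),
}


def check_samples():
    """Run every constructed sample through sanity_check()."""
    return {name: sanity_check(pkt) for name, pkt in SAMPLES.items()}
```

Each sample is built to fail exactly one check, so `check_samples()` maps every name to the single log message it would produce and `clean_tcp` to an empty list. Note the ordering decision: a packet whose IP length fields are inconsistent is rejected before any Layer 4 parsing, because the Layer 4 offsets cannot be trusted once the Layer 3 header is wrong.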
47 Encryption mismatch VPN: A cleartext packet was received from an IP address
in the encryption domain.
This log message indicates that a packet was received in
clear text, when it was expected to be encrypted. This may
either indicate an unauthorized attempt to access your
VPN network, or a problem in your VPN setup which
caused the two peers in a VPN link to disagree on which
packets should be encrypted.
48 CIFS password buffer overrun SmartDefense: Microsoft File Sharing attack.
A worm is self-replicating malware (malicious software)
that propagates by actively sending itself to new machines.
CIFS, the Common Internet File System, sometimes called
SMB, is a protocol for sharing files and printers. The
protocol is implemented and widely used by Microsoft
operating systems, as well as by Samba clients. Many
worms, once they have infected a host, use CIFS as their
means of propagation.
58 Host port scan SmartDefense: Host Port Scan detected.
This log message indicates that a host port scan was
detected. A host port scan is directed at a specific host or
network. A scan can determine which services a host
offers. For example, a host port scan could discover that
a certain host has TCP ports 23, 25, and 110 open,
meaning it offers the Telnet, SMTP, and
POP3 services, respectively.
59 IP sweep scan SmartDefense: IP Sweep scanning detected.
This log message indicates that an IP address sweep scan
was detected. An IP sweep scan looks for a specific open
port and determines which hosts are listening on that port.
For example, IP sweep scans are used by network worms
trying to find machines to which they can propagate. The
Blaster worm looks for the RPC service (TCP port 135),
searching the entire network for that single open service.
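The two scan patterns from messages 58 and 59, as an added detection example run over a constructed connection log (example code, not Check Point's detector). The record format, the thresholds and the 60-second tumbling window are assumptions; the input includes a slow scanner to show what a short window misses.

```python
"""Host port scan and IP sweep detection over a connection log (added example,
not Check Point code). A host port scan is one source touching many distinct
ports on one host; an IP sweep is one source touching one port on many hosts.
Thresholds, window and log format are assumptions."""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10    # distinct destination ports on one host per window
SWEEP_THRESHOLD = 10        # distinct destination hosts on one port per window
WINDOW_SECONDS = 60


def parse(line):
    """Constructed record format: '<epoch> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return int(ts), proto, src, dst, int(dport)


def detect(lines, port_threshold=PORT_SCAN_THRESHOLD,
           host_threshold=SWEEP_THRESHOLD, window=WINDOW_SECONDS):
    """Return (kind, source, target) alerts, at most one per offender per window."""
    ports_per_host = defaultdict(set)    # (window, src, dst)   -> distinct dst ports
    hosts_per_port = defaultdict(set)    # (window, src, dport) -> distinct dst hosts
    alerts = []
    for line in lines:
        ts, proto, src, dst, dport = parse(line)
        w = ts // window                 # tumbling window id
        ports = ports_per_host[(w, src, dst)]
        ports.add(dport)
        if len(ports) == port_threshold:             # == so each alert fires once
            alerts.append(("Host port scan", src, dst))
        hosts = hosts_per_port[(w, src, dport)]
        hosts.add(dst)
        if len(hosts) == host_threshold:
            alerts.append(("IP sweep scan", src, f"{proto}/{dport}"))
    return alerts


def constructed_log():
    """Synthetic records, not captured traffic."""
    lines = []
    # busy but legitimate web client: two ports, one host
    lines += [f"{1000 + i} tcp 192.0.2.5 198.51.100.10 {443 if i % 2 else 80}" for i in range(20)]
    # host port scan: one source, one target, eleven ports in ten seconds
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]):
        lines.append(f"{1000 + i} tcp 203.0.113.7 198.51.100.10 {port}")
    # IP sweep: one source, TCP/135 (the Blaster pattern), twelve targets
    lines += [f"{1000 + i} tcp 203.0.113.8 198.51.100.{i + 1} 135" for i in range(12)]
    # slow scan: three ports per minute for four minutes, never ten in one window
    lines += [f"{1000 + 60 * (i // 3)} tcp 203.0.113.9 198.51.100.20 {1000 + i}" for i in range(12)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(*alert)
```

With the default 60-second window the fast port scanner and the TCP/135 sweeper are reported and the legitimate client is not, but the slow scanner stays under threshold in every window. Widening the window (`detect(lines, window=3600)`) catches it at the cost of more state per source; that trade-off between memory and sensitivity is the usual tuning knob for scan detection.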
60 CIFS Worm SmartDefense: A worm is trying to spread via Microsoft
File Sharing.
A worm is self-replicating malware (malicious software)
that propagates by actively sending itself to new machines.
CIFS, the Common Internet File System, sometimes called
SMB, is a protocol for sharing files and printers. The
protocol is implemented and widely used by Microsoft
operating systems, as well as by Samba clients. Many
worms, once they have infected a host, use CIFS as their
means of propagation.
63 HTTP Worm Catcher SmartDefense: A worm is trying to spread via HTTP.
A worm is self-replicating malware (malicious software)
that propagates by actively sending itself to new machines.
Some worms propagate by using security vulnerabilities in
the HTTP protocol. This SmartDefense protection allows
you to detect and block worms based on pre-defined
patterns.