SonicOS Log Event Reference Guide-5.8

COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS Log Event Reference Guide
Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections: Log > View section on page 2

Log > Categories section on page 5 Log > Syslog section on page 9 Log > Automation section on page 10 Log > Name Resolution section on page 14 Log > Reports section on page 16 Log > ViewPoint section on page 17 Index of Log Event Messages section on page 19 Index of Syslog Tag Field Description section on page 57
Log > View
Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column. The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:

Time - the date and time of the event. Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages in descending order of severity, the categories include:
Emergency Alert Critical Error Warning Notice Informational Debug
Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select error as the priority level to log all messages tagged as error, as well as any messages tagged with critical, alert, and emergency. Select debug to log all messages.
Note
Refer to Log Event Messages section for more information on your specific log event.

Category - the type of traffic, such as Network Access or Authenticated Access. Message - provides description of the event. Source - displays source network and IP address. Destination - displays the destination network and IP address. Notes - provides additional information about the event. Rule - notes Network Access Rule affected by event.
Log > View
Navigating and Sorting Log View Table Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. Navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons moved the previous or next page respectively. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.
Refresh
To update log messages, clicking the Refresh button near the top right corner of the page.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table.You can export log content to two formats:

Plain text format--Used in log and alert e-mail. Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
E-mail Log
If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.
Note
The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information in the Log > Automation page.
Log > View
Filtering Log Records Viewed

You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Step 2
Enter your filter criteria in the Log View Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching: Source interface AND Destination interface Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching: (Source IP OR Destination IP) AND Protocol Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again. The following example filters for log events resulting from traffic from the WAN to the LAN:
Step 3
Step 4
Log Event Messages

For a complete reference guide of log event messages, refer to the Log Event Message Index section on page 20.
Log > Categories
Log > Categories

This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Note
You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.
Log Severity/Priority
This section provides information on configuring the level of priority log messages are captured and corresponding alert messages are sent through e-mail for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal of greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:

Emergency (highest priority) Alert Critical Error Warning Notice Informational Debug (lowest priority)
Alert Level
The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:

None (disables e-mail alerts) Emergency (highest priority) Alert Critical Error Warning (lowest priority)
Log > Categories
Log Redundancy Filter

The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter

The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats. All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances devices is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally. SonicWALL security appliances now include an expanded list of attack categories that can be logged. The View Style menu provides the following three log category views:

All Categories - Displays both Legacy Categories and Expanded Categories. Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories. Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.
The following table describes both the Legacy and Extended log categories. Log Type Advanced Routing Attacks Authenticated Access Blocked Java, etc. Blocked Web Sites BOOTP Crypto Test Category Expanded Legacy Expanded Legacy Legacy Expanded Expanded Description Logs WLAN IEEE 802.11 connections. Logs messages related to RIPv2 and OSPF routing events. Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing Logs administrator, user, and guest account activity Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance. Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering. Logs BOOTP activity Logs crypto algorithm and hardware testing
802.11 Management Legacy
Log > Categories
Log Type DDNS Denied LAN IP DHCP Client DHCP Relay Dropped ICMP Dropped TCP Dropped UDP Firewall Event Firewall Hardware Firewall Logging Firewall Rule GMS High Availability IPcomp L2TP Client L2TP Server Multicast Network Network Access Network Debug
Category Expanded Legacy Expanded Expanded Legacy Legacy Legacy Extended Extended Extended Extended Extended Extended Extended Extended Extended Extended Extended Extended Legacy
Description Logs Dynamic DNS activity Logs all LAN IP addresses denied by the SonicWALL security appliance. Logs DHCP client protocol activity Logs DHCP central and remote gateway activity Logs blocked incoming ICMP packets. Logs blocked incoming TCP connections. Logs blocked incoming UDP packets. Logs internal firewall activity Logs firewall hardware error events Logs general events and errors Logs firewall rule modifications Logs GMS status event Logs High Availability activity Logs IP compression activity Logs intrusion prevention related activity Logs L2TP client activity Logs L2TP server activity Logs multicast IGMP activity Logs network ARP, fragmentation, and MTU activity Logs network and firewall protocol access activity Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators. Logs network traffic reporting events Logs generic PPP activity Logs PPP dial-up activity Logs PPPoE activity Logs PPTP activity Logs real-time black list activity Logs RIP activity Logs RADIUS and LDAP server activity Logs security services activity Logs SonicPoint activity Logs problems with DNS or e-mail. Logs general system activity, such as system activations. Logs successful and unsuccessful log in attempts. Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
Intrusion Prevention Extended
Network Traffic PPP PPP Dial-Up PPPoE PPTP RBL RIP Remote Authentication Security Services SonicPoint System Errors System Maintenance User Activity VOIP
Expanded Extended Extended Extended Extended Extended Extended Extended Extended Extended Legacy Legacy Legacy Extended
Log > Categories
Log Type VPN VPN Client VPN IKE VPN IPsec VPN PKI VPN Tunnel Status WAN Failover Wireless Wlan IDS
Category Extended Extended Extended Extended Extended Legacy Extended Extended Extended
Description Logs VPN activity Logs VPN client activity Logs VPN IKE activity Logs VPN IPSec activity Logs VPN PKI activity Logs status information on VPN tunnels. Logs WAN failover activity Logs wireless activity Logs WLAN IDS activity
Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

Category - Displays log category name. Description - Provides description of the log category activity type. Log - Provides checkbox for enabling/disabling the display of the log events in on the Log > View page. Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category. Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog. Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.
You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is assorted in ascending or descending order. You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog
Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.Syslog Settings
Syslog Facility
Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note
See RCF 3164 - The BSD Syslog Protocol for more information.
Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if youre using SonicWALL ViewPoint for your reporting solution.
Note
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.

Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages
from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
Syslog Format - You can choose the format of the Syslog to be Default or WebTrends.
If you select WebTrends, however, you must have WebTrends software installed on your system.
Note
If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events. Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
Log > Automation
Syslog Servers
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance
Step 1 Step 2 Step 3 Step 4 Step 5
Click Add. The Add Syslog Server window is displayed. Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers. If your syslog is not using the default port of 514, type the port number in the Port Number field. Click OK. Click Accept to save all Syslog Server settings.
Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
E-mail Log Automation
Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed. Send Alerts to E-mail address - Enter your e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent. Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field. Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.

Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field. From E-mail Address - Enter the E-mail address you want to display in the From field of the message. Authentication Method - You can use the default None item or select POP Before SMTP.
Note
If the Mail Server (name or IP address) is left blank, log and alert messages are not emailed.
10
Log > Automation
Deep Packet Forensics

SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any interesting-content events, it can only provide a record of the occurrence, but not the actual data of the event. Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped. Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet. While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:

Reliable storage of data Effective indexing of data Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define interesting-content events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:

Debug/Informational EventsConnection setup/tear down User-eventsAdministrative access, single sign-on activity, user logins, content filtering details Firewall Rule/Policy EventsAccess to and from particular IP:Port combinations, also identifiable by time Interesting-content at the Network or Application LayerPort-scans, SYN floods, DPI or AF signature/policy hits The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:
The following is an example of the process of distributed event detection and replay:
1.
11
Log > Automation
2. 3. 4.
A user (at IP address 192.168.19.1) on the network retrieves the file. The event is logged by the SonicWALL. The administrator selects the Recorder icon from the left column of the log entry. Icon/link only appears in the logs when a NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the links target. The link will include the query string parameters defining the desired connection. The NPCS will (optionally) authenticate the user session. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
5. 6.
Methods of Access
The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.
12
Log > Automation
GMS
To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.
13
Log > Name Resolution
To configure your SonicWALL appliance with Solera select the Enable Solera Capture Stack Integration option.
Configure the following options:

Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host... Protocol - Select either HTTP or HTTPS. Port - Specify the port number for connecting to the Solera server. Interface(s) - Specify which interfaces you want to transmit data for to the Solera server. User (optional) - Enter the username, if required. Password (optional) - Enter the password, if required. Confirm Password - Confirm the password.
Mask Password - Leave this enabled to send the password as encrypted text.

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache in the top of the Log > Name Resolution page.
14
Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:

None: The security appliance will not attempt to resolve IP addresses and Names in the log reports. DNS: The security appliance will use the DNS server you specify to resolve addresses and names. NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary. DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.
Specifying the DNS Server

To choose specific DNS servers or use the same servers as the WAN zone, perform the following steps:
Step 1 Step 2 Step 3
Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default. If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers. Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.
15
Log > Reports
Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note
SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com
Data Collection
The Reports window includes the following functions and commands:
Start Data Collection Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
View Data
Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits

Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period. The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see . Click on the name of a Web site to open that site in a new window.
Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.
16
Log > ViewPoint
Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period. The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
Log > ViewPoint

SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoints broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs. ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, evens on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com. For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at http://www.sonicwall.com/us/support/3340.html.
17
Log > ViewPoint
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
Warning
You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALl security appliance.
Step 1 Step 2
Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Step 3 Step 4
Enabling ViewPoint Settings

Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint, perform the following steps:
Step 1 Step 2 Step 3 Step 4 Step 5
Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page. Click the Add button. The Add Syslog Server window is displayed. Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field. Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number. Click Accept.
Note
The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.
Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon, deletes the ViewPoint syslog server entry.
18
Index of Log Event Messages

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browsers Find function to search for a command. Log Event Message Symbols Key Log Event Message
%s Ethernet Port Down The cache is full; %u open connections; some will be dropped
Symbol Description
Represents a character string. Represents a numerical string.
Context
[WAN | LAN | DMZ] Ethernet Port Down The cache is full; [40,000] open connections; some will be dropped
TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message. Each log event message described in the following table provides the following log event details: SonicOS CategoryDisplays the SonicOS Software category event type.

Legacy CategoryDisplays the SonicWALL Firmware Software category event type. Priority LevelDisplays the level of urgency of the log event message. Log Message ID NumberDisplays the ID number of the log event message. SNMP Trap TypeDisplays the SNMP Trap ID number of the log event message.
19
Log Event Message Index

SNMP Trap Type ------601 ----602 603 604 --701 702 703 704 --------501 502 --503 505 ----560 ---------
Log Event Message Network Security Appliance activated Log cleared Log successfully sent via email Log full; deactivating Network Security Appliance New URL List loaded No new URL List available Problem loading the URL List; check Filter settings Problem loading the URL List; check your DNS server Problem sending log email; check log settings Restarting Network Security Appliance; dumping log to email Web site access denied Newsgroup access denied Web site access allowed Newsgroup access allowed ActiveX access denied Java access denied ActiveX or Java archive access denied Cookie removed Ping of death dropped IP spoof dropped User logged out - user disconnect detected (heartbeat timer expired) Possible SYN flood attack detected Land attack dropped Fragmented packet dropped Administrator login allowed Administrator login denied due to bad credentials User login from an internal zone allowed User login denied due to bad credentials User login denied due to bad credentials Login screen timed out
New Category Firewall Event Firewall Logging Firewall Logging Firewall Logging Security Services Security Services Security Services Security Services Firewall Logging Firewall Event Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Intrusion Detection Intrusion Detection Authenticate Access Intrusion Detection Intrusion Detection Network Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access
Legacy Category Maintenance Maintenance Maintenance System Error Maintenance Maintenance System Error System Error System Error Maintenance Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Code Blocked Code Blocked Code Blocked Code Attack Attack User Activity Attack Attack TCP | UDP | ICMP User Activity Attack User Activity User Activity User Activity User Activity
Priority Alert Information Information Error Information Information Error Error Warning Information Error Notice Notice Notice Notice Notice Notice Notice Alert Alert Information Warning Alert Notice Information Alert Information Information Information Information
ID 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 27 28 29 30 31 32 33 34
20
Log Event Message Administrator login denied from %s; logins disabled from this interface TCP connection dropped UDP packet dropped ICMP packet dropped due to policy PPTP packet dropped IPsec packet dropped Unknown protocol dropped IPsec packet dropped; waiting for pending IPsec connection IPsec connection interrupt NAT could not remap incoming packet ARP timeout Broadcast packet dropped No ICMP redirect sent Out-of-order command packet dropped Failure to add data channel RealAudio decode failure Duplicate packet dropped No HOST tag found in HTTP request The cache is full; %u open connections; some will be dropped License exceeded: Connection dropped because too many IP addresses are in use on your LAN Access to proxy server denied Diagnostic Code E Dynamic IPsec client connected Received fragmented packet or fragmentation needed Diagnostic Code D Illegal IPsec SPI Unknown IPsec SPI IPsec Authentication Failed IPsec Decryption Failed Incompatible IPsec Security Association IPsec packet from or to an illegal host NetBus attack dropped Back Orifice attack dropped Net Spy attack dropped Sub Seven attack dropped Ripper attack dropped Striker attack dropped Senna Spy attack dropped
New Category Authenticate Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Unused Network Network Access Unused Network Access Unused Unused Network Access Network Access Firewall Event Firewall Event
Legacy Category Priority Attack Alert TCP UDP ICMP TCP | UDP | ICMP TCP | UDP | ICMP Debug Debug Debug System Error Debug Debug Debug Debug Debug Debug Debug Debug System Error System Error Notice Notice Notice Notice Notice Notice Debug Debug Error Debug Debug Debug Debug Debug Debug Debug Debug Error Error
ID 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 58
SNMP Trap Type 506 ----------------606 ----------------607 608
Network Access VPN IPsec VPN IPsec Network Firewall Hardware VPN IPsec VPN IPsec VPN IPsec VPN IPsec VPN IPsec VPN IPsec Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection
Blocked Sites System Error User Activity Debug System Error User Activity Attack Attack Attack User Activity Attack Attack Attack Attack Attack Attack Attack Attack
Notice Error Information Debug Error Information Error Error Error Information Error Alert Alert Alert Alert Alert Alert Alert
60 61 62 63 64 65 66 67 68 69 70 72 73 74 75 76 77 78
705 609 ----610 --507 508 509 --510 511 512 513 514 515 516 517
21
Log Event Message Priority attack dropped Ini Killer attack dropped Smurf Amplification attack dropped Possible port scan detected Probable port scan detected Failed to resolve name IKE Responder: Accepting IPsec proposal (Phase 2) IKE Responder: IPsec proposal does not match (Phase 2) IKE negotiation complete. Adding IPsec SA. (Phase 2) Starting IKE negotiation Deleting IPsec SA for destination Deleting IPsec SA Diagnostic Code A Diagnostic Code B Diagnostic Code C Status #Web site hit Connection Opened Retransmitting DHCP DISCOVER. Retransmitting DHCP REQUEST (Requesting). Retransmitting DHCP REQUEST (Renewing). Retransmitting DHCP REQUEST (Rebinding). Retransmitting DHCP REQUEST (Rebooting). Retransmitting DHCP REQUEST (Verifying). Sending DHCP DISCOVER. DHCP Server not available. Did not get any DHCP OFFER. Got DHCP OFFER. Selecting. Sending DHCP REQUEST. DHCP Client did not get DHCP ACK. DHCP Client got NACK. DHCP Client got ACK from server. DHCP Client is declining address offered by the server. DHCP Client sending REQUEST and going to REBIND state.
New Category Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Network VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Firewall Hardware Firewall Hardware Firewall Hardware GMS Network Traffic Network Traffic DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client
Legacy Category Attack Attack Attack Attack Attack Maintenance User Activity User Activity User Activity User Activity User Activity User Activity System Error System Error System Error Maintenance Connection Traffic Connection Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance
Priority Alert Alert Alert Alert Alert Information Information Warning Information Information Information Information Error Error Error Emergency Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information
ID 79 80 81 82 83 84 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113
SNMP Trap Type 518 519 520 521 522 ----523 --------611 612 613 -------------------------------------
22
Log Event Message DHCP Client sending REQUEST and going to RENEW state. Sending DHCP REQUEST (Renewing). Sending DHCP REQUEST (Rebinding). Sending DHCP REQUEST (Rebooting). Sending DHCP REQUEST (Verifying). DHCP Client failed to verify and lease has expired. Go to INIT state. DHCP Client failed to verify and lease is still valid. Go to BOUND state. DHCP Client got a new IP address lease. Sending DHCP RELEASE. Access attempt from host without Anti-Virus agent installed Anti-Virus agent out-of-date on host Received AV Alert: %s Starting PPPoE discovery PPPoE LCP Link Up PPPoE LCP Link Down PPPoE terminated PPPoE Network Connected PPPoE Network Disconnected PPPoE discovery process complete PPPoE starting CHAP Authentication PPPoE starting PAP Authentication PPPoE CHAP Authentication Failed PPPoE PAP Authentication Failed Wan IP Changed XAUTH Succeeded with VPN client XAUTH Failed with VPN client, Authentication failure XAUTH Failed with VPN client, Cannot Contact RADIUS Server Log Debug Add an attack message Primary firewall has transitioned to Active Backup firewall has transitioned to Active Primary firewall has transitioned to Idle Backup firewall has transitioned to Idle Primary missed heartbeats from Backup Backup missed heartbeats from Primary Primary received error signal from Backup Backup received error signal from Primary Backup firewall being preempted by Primary
New Category DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client DHCP Client Security Services Security Services Security Services PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE PPPoE Firewall Event VPN Client VPN Client VPN Client Firewall Event Firewall Event High Availability High Availability High Availability High Availability High Availability High Availability High Availability High Availability High Availability
Legacy Category Priority Maintenance Information Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance System Error User Activity User Activity User Activity Debug Attack Maintenance Maintenance System Error Maintenance System Error System Error System Error System Error System Error Information Information Information Information Information Information Information Information Information Information Warning Information Information Information Information Information Information Information Information Information Information Information Warning Information Error Information Error Error Alert Alert Alert Alert Error Error Error Error Error
ID 114 115 116 117 118 119 120 121 122 123 124 125 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
SNMP Trap Type ----------------------524 ----------------------636 --------525 ----614 --615 616 617 618 619
23
Log Event Message Primary firewall preempting Backup Active Backup detects Active Primary: Backup going Idle Imported HA hardware ID did not match this firewall Discovered HA Backup Firewall HA Peer Firewall Synchronized Error synchronizing HA peer firewall (%s) Received AV Alert: Your Network Anti-Virus subscription has expired. %s Primary received heartbeat from wrong source Backup received heartbeat from wrong source HA packet processing error Heartbeat received from incompatible source Diagnostic Code F Forbidden E-Mail attachment disabled PPPoE PAP Authentication success. PPPoE PAP Authentication Failed. Please verify PPPoE username and password Disconnecting PPPoE due to traffic timeout No response from ISP Disconnecting PPPoE. Backup going Active in preempt mode after reboot VPN Log Debug TCP connection from LAN denied UDP packet from LAN dropped ICMP packet from LAN dropped Probable TCP FIN scan detected Probable TCP XMAS scan detected Probable TCP NULL scan detected IPsec Replay Detected TCP FIN packet dropped Received a path MTU icmp message from router/gateway Problem loading the URL List; Appliance not registered. Problem loading the URL List; Subscription expired. Problem loading the URL List; Try loading it again.
New Category High Availability High Availability High Availability High Availability High Availability High Availability Security Services High Availability High Availability High Availability High Availability Firewall Hardware Intrusion Detection PPPoE PPPoE PPPoE PPPoE High Availability VPN IKE Network Access Network Access Network Access Intrusion Detection Intrusion Detection Intrusion Detection VPN IPsec Network Network Security Services Security Services Security Services
Legacy Category Priority System Error Error Maintenance Information Maintenance Maintenance Maintenance System Error Maintenance Maintenance Maintenance Maintenance Maintenance System Error Attack Maintenance Maintenance Maintenance Maintenance System Error Debug LAN TCP LAN UDP | LAN TCP LAN ICMP | LAN TCP Attack Attack Attack Attack Debug User Activity System Error System Error System Error Information Information Information Error Warning Information Information Information Information Error Alert Information Information Information Information Error Information Notice Notice Notice Alert Alert Alert Alert Debug Information Error Error Error
ID 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 172 173 174 175 177 178 179 180 181 182 183 184 185
SNMP Trap Type 620 --------662 526 --------621 527 --------622 --------528 529 530 531 ----623 624 625
24
Log Event Message Problem loading the URL List; Retrying later. Problem loading the URL List; Flash write failure. Received a path MTU icmp message from router/gateway The loaded content URL List has expired. Error setting the IP address of the backup, please manually set to backup LAN IP Error updating HA peer configuration Fraudulent Microsoft certificate found; access denied VPN TCP SYN VPN TCP FIN VPN TCP PSH Content filter subscription expired. New firmware available. CLI administrator login allowed CLI administrator login denied due to bad credentials L2TP Tunnel Negotiation Started L2TP Session Negotiation Started L2TP Max Retransmission Exceeded L2TP Tunnel Established L2TP Tunnel Disconnect from Remote L2TP Session Established L2TP Session Disconnect from Remote L2TP PPP Negotiation Started L2TP LCP Down L2TP PPP Session Up L2TP PPP Down L2TP PPP Authentication Failed L2TP LCP Up L2TP Disconnect Initiated by the User Disconnecting L2TP Tunnel due to traffic timeout L2TP Connect Initiated by the User L2TP PPP link down Primary WAN link down, Primary going Idle Backup WAN link down, Primary going Active Primary WAN link down, Backup going Active Primary WAN link up, preempting Backup
New Category Security Services Security Services Network Security Services High Availability High Availability Intrusion Detection VPN VPN VPN Security Services Firewall Event Authenticate Access Authenticate Access L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client L2TP Client High Availability High Availability High Availability High Availability
Legacy Category Priority System Error Error System Error Error User Activity System Error System Error System Error Attack VPN Statistics VPN Statistics VPN Statistics System Error Maintenance User Activity User Activity Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance System Error System Error Maintenance Information Error Error Error Error Information Information Information Error Information Information Warning Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Error Error Information
ID 186 187 188 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221
SNMP Trap Type 626 627 --628 629 630 532 ------631 ------------------------------------------633 634 ---
25
Log Event Message DHCP RELEASE relayed to Central Gateway DHCP lease relayed to local device DHCP RELEASE received from remote device DHCP lease relayed to remote device DHCP lease to LAN device conflicts with remote device, deleting remote IP entry WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP IP spoof detected on packet to Central Gateway, packet dropped Request for Relay IP Table from Central Gateway Requesting Relay IP Table from Remote Gateway Sent Relay IP Table to Central Gateway Obtained Relay IP Table from Remote Gateway Failed to synchronize Relay IP Table VPN zone administrator login allowed WAN zone administrator login allowed VPN zone remote user login allowed WAN zone remote user login allowed NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal User login denied - RADIUS authentication failure User login denied - RADIUS server timeout User login denied - RADIUS configuration error
New Category DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay
Legacy Category Priority Maintenance Information Maintenance Debug Debug Maintenance Maintenance Information Information Information Information Information
ID 222 223 224 225 226 227
SNMP Trap Type -------------
DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay Authenticate Access Authenticate Access Authenticate Access Authenticate Access VPN IKE VPN IKE VPN IKE VPN IKE
Maintenance Attack Maintenance Maintenance Maintenance Maintenance System Error User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Warning Error Information Information Information Information Warning Information Information Information Information Information Information Information Information
228 229 230 231 232 233 234 235 236 237 238 239 240 241 242
--533 --------632 -----------------
RADIUS RADIUS RADIUS
User Activity User Activity User Activity
Information Warning Warning
243 244 245
-------
26
Log Event Message User login denied - User has no privileges for login from that location IPsec packet from an illegal host Forbidden E-Mail attachment deleted IKE Responder: Mode %d - not tunnel mode IKE Responder: No matching Phase 1 ID found for proposed remote network IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route IKE Responder: No match for proposed remote network address IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ IKE Responder: AH Perfect Forward Secrecy mismatch IKE Responder: ESP Perfect Forward Secrecy mismatch IKE Responder: Algorithms and/or keys do not match Administrator logged out Administrator logged out - inactivity timer expired User logged out User logged out - max session time exceeded User logged out - inactivity timer expired NAT device may not support IPsec AH passthrough TCP Xmas Tree dropped CFL auto-download disabled, time problem detected Requesting CRL from
New Category Authenticate Access VPN IPsec Intrusion Detection VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE
Legacy Category Priority User Activity Information Maintenance Attack User Activity User Activity User Activity User Activity User Activity Information Error Warning Warning Warning Warning Warning
ID 246 247 248 249 250 251 252 253
SNMP Trap Type ----534 535 536 537 538 539
VPN IKE
User Activity
Warning
254
540
VPN IKE
User Activity
Warning
255
541
VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access VPN IPsec Intrusion Detection Security Services VPN PKI
User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity Maintenance Attack Maintenance User Activity
Warning Warning Warning Warning Warning Information Information Information Information Information Information Alert Information Information
256 257 258 259 260 261 262 263 264 265 266 267 268 269
542 543 544 545 546 ------------547 -----
27
Log Event Message CRL loaded from Failed to get CRL from Not enough memory to hold the CRL Connection timed out Cannot connect to the CRL server Unknown reason Failed to Process CRL from Bad CRL format Issuer match failed Certificate on Revoked list(CRL) No Certificate for PPP Dial-Up: Dialing: %s PPP Dial-Up: No dialtone detected - check phone-line connection PPP Dial-Up: No link carrier detected - check phone number PPP Dial-Up: Dialed number is busy PPP Dial-Up: Dialed number did not answer PPP Dial-Up: Connected at %s bps - starting PPP PPP Dial-Up: Unknown dialing failure PPP Dial-Up: Link carrier lost PPP: Authentication successful PPP: PAP Authentication failed - check username / password PPP: CHAP authentication failed - check username / password PPP: MS-CHAP authentication failed - check username / password PPP: Starting MS-CHAP authentication PPP: Starting CHAP authentication PPP: Starting PAP authentication PPP Dial-Up: PPP negotiation failed disconnecting PPP Dial-Up: Idle time limit exceeded disconnecting PPP Dial-Up: Failed to get IP address PPP Dial-Up: Received new IP address PPP Dial-Up: PPP link established PPP Dial-Up: PPP link down PPP Dial-Up: Shutting down link PPP Dial-Up: Initialization : %s PPP Dial-Up: User requested disconnect PPP Dial-Up: User requested connect
New Category VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP PPP PPP PPP PPP PPP PPP PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up
Legacy Category User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity --------------User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Priority Information Alert Warning Alert Alert Error Alert Alert Alert Alert Alert Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information
ID 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305
SNMP Trap Type -------------------------------------------------------------------------
28
Log Event Message PPP Dial-Up: Connect request canceled The network connection in use is %s L2TP Server : L2TP Tunnel Established. L2TP Server : L2TP Session Established. L2TP Server : L2TP PPP Session Established. L2TP Server: RADIUS/LDAP reports Authentication Failure L2TP Server: Local Authentication Failure L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server: No IP address available in the Local IP Pool L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server: L2TP Remote terminated the PPP session L2TP Server: Local Authentication Success. L2TP Server: RADIUS/LDAP Authentication Success L2TP Server: Keep alive Failure. Closing Tunnel PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP Dial-Up: Trying to failover but Primary Profile is manual PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP Dial-Up: Dial initiated by %s The current WAN interface is not ready to route packets. Probing failure on %s PPP Dial-Up: Maximum connection time exceeded - disconnecting Administrator name changed
New Category PPP Dial Up WAN Failover L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up Firewall Event WAN Failover PPP Dial Up
Legacy Category User Activity System Error Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance User Activity User Activity User Activity Maintenance System Error System Error User Activity Maintenance Attack Maintenance Maintenance System Error System Error
Priority Information Warning Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Error Alert Information Information Error Information Information Warning Error
ID 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333
SNMP Trap Type --639 ----------------------------------635 637 ----561 ----640 641
Authenticate Access User login failure rate exceeded - logins from Authenticate user IP address denied Access PPP Dial-Up: The profile in use disabled PPP Dial Up VPN networking. PPP Dial-Up: VPN networking restored. PPP Dial Up %s Ethernet Port Up Firewall Event %s Ethernet Port Down Firewall Event
29
Log Event Message L2TP Server: Call Disconnect from Remote. L2TP Server: Tunnel Disconnect from Remote. L2TP Server : Deleting the Tunnel L2TP Server : Deleting the L2TP active Session L2TP Server : Retransmission Timeout, Deleting the Tunnel NAT translated packet exceeds size limit, packet dropped HTTP management port has changed HTTPS management port has changed IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. L2TP Server : Access from L2TP VPN Client Privilege not enabled for Radius Users. L2TP Server : User Name authentication Failure locally. IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address IKE Initiator: Start Quick Mode (Phase 2). Port configured to receive IPsec protocol ONLY; drop packet received in the clear Imported VPN SA is invalid - disabled IPsec SA lifetime expired. IKE SA lifetime expired. IKE Initiator: Start Main Mode negotiation (Phase 1) IKE Responder: Received Quick Mode Request (Phase 2) IKE Initiator: Main Mode complete (Phase 1) IKE Initiator: Aggressive Mode complete (Phase 1). IKE Responder: Received Main Mode request (Phase 1) IKE Responder: Received Aggressive Mode request (Phase 1) IKE Responder: Main Mode complete (Phase 1) IKE Initiator: Start Aggressive Mode negotiation (Phase 1) Entering FIPS ERROR state Crypto DES test failed Crypto DH test failed
New Category L2TP Server L2TP Server L2TP Server L2TP Server L2TP Server Network Firewall Event Firewall Event VPN IKE
Legacy Category Priority Maintenance Information Maintenance Information Maintenance Maintenance Maintenance Debug Maintenance Maintenance Debug Information Information Information Debug Information Information Warning
ID 334 335 336 337 338 339 340 341 342
SNMP Trap Type -------------------
L2TP Server L2TP Server VPN IKE
Maintenance Maintenance User Activity
Information Information Warning
343 344 345
----548
VPN IKE Network Access Firewall Event VPN IPsec VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Crypto Test Crypto Test Crypto Test
User Activity Information TCP | UDP | ICMP Warning Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity Maintenance Maintenance Maintenance Warning Information Information Information Information Information Information Information Information Information Information Error Error Error
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361
---------------------------------
30
Log Event Message Crypto Hmac-MD5 fest failed Crypto Hmac-Sha1 test failed Crypto RSA test failed Crypto Sha1 test failed Crypto hardware DES test failed Crypto hardware 3DES test failed Crypto hardware DES with SHA test failed Crypto Hardware 3DES with SHA test failed Crypto MD5 test failed VPN Client Policy Provisioning IKE Initiator: Accepting IPsec proposal (Phase 2) IKE Responder: Aggressive Mode complete (Phase 1) Error initializing Hardware acceleration for VPN PPTP Control Connection Negotiation Started PPTP Session Negotiation Started PPTP Max Retransmission Exceeded PPTP Control Connection Established PPTP Tunnel Disconnect from Remote PPTP Session Established PPTP Session Disconnect from Remote PPTP PPP Negotiation Started PPTP LCP Down PPTP PPP Session Up PPTP PPP Down PPTP PPP Authentication Failed PPTP LCP Up PPTP Disconnect Initiated by the User Disconnecting PPTP Tunnel due to traffic timeout PPTP Connect Initiated by the User PPTP PPP link down PPTP starting CHAP Authentication PPTP starting PAP Authentication PPTP CHAP Authentication Failed. Please verify PPTP username and password PPTP PAP Authentication Failed PPTP PAP Authentication success. PPTP PAP Authentication Failed. Please verify PPTP username and password PPTP PPP Link Up
New Category Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test Crypto Test VPN Client VPN IKE VPN IKE Firewall Hardware PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP
Legacy Category Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance User Activity User Activity User Activity Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance
Priority Error Error Error Error Error Error Error Error Error Information Information Information Error Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information
ID 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398
SNMP Trap Type ---------------------------------------------------------------------------
31
Log Event Message PPTP PPP Link down PPTP PPP Link Finished Received notify. NO_PROPOSAL_CHOSEN IKE Responder: IKE proposal does not match (Phase 1) IKE negotiation aborted due to timeout Failed payload verification after decryption; possible preshared key mismatch Failed payload validation Received packet retransmission. Drop duplicate packet SA is disabled. Check VPN SA settings Anti-Virus Licenses Exceeded Received notify: ISAKMP_AUTH_FAILED Computed hash does not match hash received from peer; preshared key mismatch Received notify: PAYLOAD_MALFORMED Received IPsec SA delete request Received IKE SA delete request Received notify: INVALID_COOKIES Received notify: RESPONDER_LIFETIME Received notify: INVALID_SPI PKI Error: IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway RIP disabled on interface %s RIPv1 enabled on interface %s RIPv2 enabled on interface %s RIPv2 compatibility (broadcast) mode enabled on interface %s RIP disabled on DMZ interface RIPv1 enabled on DMZ interface RIPv2 enabled on DMZ interface RIPv2 compatibility (broadcast) mode enabled on DMZ interface IPsecTunnel status changed Source routed IP packet dropped No response from server to Echo Requests, disconnecting PPTP Tunnel No response from PPTP server to control connection requests No response from PPTP server to call requests
New Category PPTP PPTP VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Security Services VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN PKI VPN IKE RIP RIP RIP RIP RIP RIP RIP RIP VPN Intrusion Detection PPTP PPTP PPTP
Legacy Category Maintenance Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity Maintenance User Activity Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance VPN Tunnel Status Debug Maintenance Maintenance Maintenance
Priority Information Information Warning Warning Information Warning Warning Warning Information Information Warning Warning Warning Information Information Information Information Information Error Warning Information Information Information Information Information Information Information Information Information Warning Information Information Information
ID 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431
SNMP Trap Type --------------------------------------549 8401 8402 8403 8404 8405 8406 8407 8408 801 ---------
32
Log Event Message PPTP server rejected control connection PPTP server rejected the call request PPP Dial-Up: Trying to failover but Alternate Profile is manual WLB Failback initiated by %s Probing succeeded on %s E-Mail fragment dropped Locked-out user logins allowed - lockout period expired Locked-out user logins allowed by administrator Access rule added Access rule modified Access rule deleted Access rules restored to defaults PPTP Server is not responding, check if the server is UP and running. IKE Initiator: Accepting peer lifetime. (Phase 1) FTP: PASV response spoof attack dropped PKI Failure PKI Failure: Output buffer too small PKI Failure: Cannot alloc memory PKI Failure: Reached the limit for local certs, cant load any more PKI Failure: Import failed PKI Failure: Incorrect admin password PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file PKI Failure: Certificate's ID does not match this Network Security Appliance PKI Failure: public-private key mismatch PKI Failure: Duplicate local certificate name PKI Failure: Duplicate local certificate PKI Failure: No CA certificates yet loaded PKI Failure: Internal error PKI Failure: Temporary memory shortage, try again PKI Failure: The certificate chain is circular PKI Failure: The certificate chain is incomplete PKI Failure: The certificate chain has no root
New Category PPTP PPTP WAN Failover WAN Failover WAN Failover Intrusion Detection Authenticate Access Authenticate Access Firewall Rule Firewall Rule Firewall Rule Firewall Rule PPTP VPN IKE Intrusion Detection VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI
Legacy Category Maintenance Maintenance User Activity System Error System Error Attack User Activity User Activity User Activity User Activity User Activity User Activity Maintenance User Activity Attack Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance
Priority Information Information Information Alert Alert Error Information Information Information Information Information Information Information Information Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error
ID 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464
SNMP Trap Type ------652 638 550 ----------------551 -------------------------------------
33
Log Event Message PKI Failure: The certificate or a certificate in the chain has expired PKI Failure: The certificate or a certificate in the chain has a validity period in the future PKI Failure: The certificate or a certificate in the chain is corrupt PKI Failure: The certificate or a certificate in the chain has a bad signature PKI Failure: Loaded but could not verify certificate PKI Failure: Loaded the certificate but could not verify it's chain VPN Cleanup: Dynamic network settings change WARNING: Central Gateway does not have a Relay IP Address. DHCP message dropped. DHCP REQUEST received from remote device DHCP DISCOVER received from remote device DHCP DECLINE received from remote device DHCP OFFER received from server DHCP NACK received from server ERROR: DHCP over VPN policy is not defined. Cannot start IKE. DHCP DISCOVER received from local device DHCP REQUEST received from local device PPP Dial-Up: No peer IP address from DialUp ISP, local and remote IPs will be the same Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. %s Received notify: INVALID_ID_INFO DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP Category: User login denied - User has no privileges for guest service WLAN firmware image has been updated Packet dropped by guest check Received CFS Alert: Your Content Filtering subscription will expire in 7 days.
New Category VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN DHCP Relay
Legacy Category Priority Maintenance Error Maintenance Maintenance Maintenance Maintenance Maintenance User Activity Maintenance Error Error Error Error Error Information Information
ID 465 466 467 468 469 470 471 472
SNMP Trap Type -----------------
DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay DHCP Relay PPP Dial Up
Debug Debug Debug Debug Debug Maintenance Debug Debug Maintenance
Information Information Information Information Information Information Information Information Information
473 474 475 476 477 478 479 480 481
-------------------
Security Services VPN IPsec DHCP Relay
Maintenance User Activity Maintenance
Warning Warning Warning
482 483 484
552 -----
None Authenticate Access Wireless Network Access Security Services
--User Activity
Debug Information
485 486 487 488 489
--------562
Maintenance Information TCP | UDP | ICMP Warning Maintenance Warning
34
Log Event Message Received CFS Alert: Your Content Filtering subscription has expired. Received E-Mail Filter Alert: Your E-Mail Filtering subscription will expire in 7 days. Received E-Mail Filter Alert: Your E-Mail Filtering subscription has expired. ISDN Driver Firmware successfully updated Global VPN Client License Exceeded: Connection denied. Packet dropped by WLAN vpn traversal check Registration Update Needed: Restore your existing security service subscriptions by clicking here. Entering FIPS Error State. WAN Interface not setup PPPoE enabled but not ready L2TP enabled but not ready PPTP enabled but not ready WAN not ready VPN disabled for active dial up DHCP client enabled but not ready Blocked Quick Mode for Client using Default KeyId VPN disabled by administrator
New Category Security Services Security Services Security Services Firewall Event VPN Client Wireless Security Services
Legacy Category Priority Maintenance Warning Maintenance Maintenance Maintenance System Error Warning Warning Information Information
ID 490 491 492 493 494 495 496
SNMP Trap Type 563 564 565 --658 -----
TCP | UDP | ICMP Warning Maintenance Warning
Crypto Test Firewall Event PPPoE Unused PPTP Firewall Event Unused DHCP Client VPN Client
System Error Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance System Error Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance User Activity User Activity
Error Information Information Information Information Information Information Information Error Information Information Information Information Information Information Information Information Information Information
497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515
659 --------------660 ---------------------
Authenticate Access VPN enabled by administrator Authenticate Access WLAN disabled by administrator Authenticate Access WLAN enabled by administrator Authenticate Access WiFiSec Enforcement disabled by Authenticate administrator Access WiFiSec Enforcement enabled by Authenticate administrator Access Wireless MAC Filter List enabled by Authenticate administrator Access Wireless MAC Filter List disabled by Authenticate administrator Access PPPoE user name changed by Administrator Authenticate Access PPPoE password changed by Administrator Authenticate Access
35
Log Event Message IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route WLAN Reboot 802.11 Management WLAN recovery CLI administrator logged out Network Security Appliance initializing Malformed or unhandled IP packet dropped ICMP packet dropped no match Web access request dropped Web management request allowed FTP: PORT bounce attack dropped. FTP: PASV response bounce attack dropped. Global VPN Client connection is not allowed. Appliance is not registered. Network Modem Mode Enabled: turning off NAT Network Modem Mode Disabled: re-enabling NAT Internet Access restricted to authorized users. Dropped packet received in the clear. IPsec (ESP) packet dropped IPsec (AH) packet dropped IPsec (ESP) packet dropped; waiting for pending IPsec connection IPsec (AH) packet dropped; waiting for pending IPsec connection Connection Closed FTP: Data connection from non default port dropped Real time clock battery failure Time values may be incorrect If not already enabled, enabling NTP is recommended Maximum number of Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwith settings ignored. PPP Dial-Up: Previous session was connected for %s IKE Initiator: Using secondary gateway to negotiate
New Category VPN IKE
Legacy Category Priority Attack Error
ID 516
SNMP Trap Type 553
Firewall Hardware Wireless Wireless Authenticate Access Firewall Event Network Access Network Access Network Access Network Access Intrusion Detection Intrusion Detection VPN Client PPP Dial Up PPP Dial Up Wireless VPN IPsec VPN IPsec VPN IPsec VPN IPsec Network Traffic Network Access Firewall Hardware Firewall Hardware Firewall Event
System Error 802.11b Management Maintenance User Activity Maintenance Debug ICMP TCP User Activity Attack Attack System Error Maintenance Maintenance
Error Information Information Information Information Alert Notice Notice Notice Alert Alert Information Information Information
517 518 519 520 521 522 523 524 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541
642 --------554 ------555 556 643 ----------------557 644 645 ---
TCP | UDP | ICMP Warning TCP | UDP | ICMP Notice TCP | UDP | ICMP Notice Debug Debug Debug Debug
Connection Traffic Information Attack Alert System Error System Error Maintenance Warning Warning Notice
PPP Dial Up VPN IKE
User Activity User Activity
Information Information
542 543
-----
36
Log Event Message IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope Found Rogue Access Point WLAN sequence number out of order Association Flood from WLAN station User login failed - Guest service limit reached Guest Session Timeout Guest Account Timeout RIP disabled on WAN interface RIPv1 enabled on WAN interface RIPv2 enabled on WAN interface RIPv2 compatibility (broadcast) mode enabled on WAN interface Found Rogue Access Point Guest login denied. Guest '%s' is already logged in. Please try again later. Guest account '%s' created Guest account '%s' deleted Guest account '%s' disabled Guest account '%s' re-enabled Guest account '%s' pruned Guest account '%s' re-generated Guest Idle Timeout Interface %s Link Is Up Interface %s Link Is Down Interface IP Assignment changed: Shutting down %s Interface IP Assignment : Binding and initializing %s Network for interface %s overlaps with another interface.
New Category VPN IKE
Legacy Category Priority User Activity Information
ID 544
SNMP Trap Type ---
VPN IKE
User Activity
Information
545
---
WLAN IDS WLAN IDS WLAN IDS Authenticate Access Authenticate Access Authenticate Access RIP RIP RIP RIP WLAN IDS Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Firewall Event Firewall Event Firewall Event Firewall Event Firewall Event
WLAN IDS WLAN IDS WLAN IDS User Activity User Activity User Activity Maintenance Maintenance Maintenance Maintenance WLAN IDS User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity System Error System Error Maintenance Maintenance Maintenance
Alert Warning Alert Information Information Information Information Information Information Information Alert Information Information Information Information Information Information Information Information Warning Error Information Information Information
546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569
901 902 903 ------8409 8410 8411 8412 10804 ----------------646 647 -------
37
Log Event Message Please connect interface %s to another network to function properly RIP Broadcasts for LAN Network %s are being broadcast over dialup-connection A prior version of preferences was loaded because the most recent preferences file was inaccessible The preferences file is too large to be saved in available flash memory All preference values have been set to factory default values Voltages Out of Tolerance Fan Failure Thermal Yellow Thermal Red Thermal Red Timer Exceeded TCP Syn/Fin packet dropped WLB Spill-over started, configured threshold exceeded WLB Spill-over stopped User login disabled from %s
New Category Firewall Event RIP Firewall Event
Legacy Category Priority Maintenance Information Maintenance System Error Information Warning
ID 570 571 572
SNMP Trap Type --8413 648
Firewall Event Firewall Event Firewall Hardware Firewall Hardware Firewall Hardware Firewall Hardware Firewall Hardware Network Access WAN Failover
System Error System Error System Environment System Environment System Environment System Environment System Environment Attack Maintenance Maintenance Attack System Error System Error System Error User Activity Maintenance Maintenance LAN UDP | LAN TCP Attack Attack Maintenance Maintenance Maintenance Debug Debug
Warning Warning Error Alert Alert Alert Alert Alert Warning Warning Error Alert Alert Alert Warning Information Information Notice Error Error Information Information Information Debug Information
573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597
649 650 101 102 103 104 105 558 ----559 651 653 654 --------566 567 -----------
WAN Failover Authenticate Access WLB Failover in progress WAN Failover WLB Resource is now available WAN Failover WLB Resource failed WAN Failover Header verification failed VPN IKE Received DHCP offer packet has errors DHCP Client Received response packet for DHCP request DHCP Client has errors IP type %s packet dropped Network Access Maximum sequential failed dial attempts (10) to a single dial-up number: %s Regulatory requirements prohibit %s from being re-dialed for 30 minutes Received PPPoE Active Discovery Offer Received PPPoE Active Discovery Session_confirmation Sending PPPoE Active Discovery Request PPTP decode failure ICMP packet allowed PPP Dial Up PPP Dial Up PPPoE PPPoE PPPoE PPTP Network Access
38
Log Event Message ICMP packet from LAN allowed Diagnostic Code G Diagnostic Code H Diagnostic Code I DNS packet allowed Adding L2TP IP pool Address object Failed. Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 Received unencrypted packet in crypto active state Spank attack multicast packet dropped Received ISAKMP packet destined to port %s IPS Detection Alert: %s IPS Prevention Alert: %s Crypto Hardware AES test failed A SonicOS Standard to Enhanced Upgrade was performed Not all configurations may have been completely upgraded Please manually check all system configurations for correctness of Upgrade Received IPS Alert: Your Intrusion Prevention (IDP) subscription has expired. WLAN client null probing Payload processing failed WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN BOOTP server response relayed to remote device BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table BOOTP reply relayed to local device BOOTP Request received from remote device VoIP Call Connected VoIP Call Disconnected H.323/RAS Admission Reject H.323/RAS Admission Confirm H.323/RAS Admission Request H.323/RAS Bandwidth Reject H.323/RAS Disengage Confirm H.323/RAS Gatekeeper Reject
New Category Network Access Firewall Hardware Firewall Hardware Firewall Hardware Network Access L2TP Server VPN Client
Legacy Category Debug System Error System Error System Error Debug System Error User Activity
Priority Information Error Error Error Information Error Information
ID 598 599 600 601 602 603 604
SNMP Trap Type --655 656 657 --661 ---
VPN IKE Intrusion Detection VPN IKE Intrusion Detection Intrusion Detection Crypto Test Firewall Event Firewall Event Firewall Event Security Services WLAN IDS VPN IKE Wireless BOOTP BOOTP
User Activity Attack Debug | UDP Attack Attack Maintenance Maintenance Maintenance Maintenance Maintenance WLAN IDS Debug Maintenance Debug Maintenance
Warning Alert Information Alert Alert Error Information Information Information Warning Warning Error Information Debug Information
605 606 607 608 609 610 611 612 613 614 615 616 617 618 619
--568 --569 570 --------571 904 ---------
BOOTP BOOTP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP
Maintenance Debug VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP
Information Debug Information Information Debug Debug Debug Debug Debug Debug
620 621 622 623 624 625 626 627 628 629
---------------------
39
Log Event Message H.323/RAS Location Confirm H.323/RAS Location Reject H.323/RAS Registration Reject H.323/H.225 Setup H.323/H.225 Connect H.323/H.245 Address H.323/H.245 End Session VoIP %s Endpoint added VoIP %s Endpoint removed VoIP %s Endpoint not added - configured 'public' endpoint limit reached H.323/RAS Unknown Message Response H.323/RAS Disengage Reject H.323/RAS Unregistration Reject SIP Request SIP Response SIP Register expiration exceeds configured Signaling inactivity time out Packet dropped; connection limit for this source IP address has been reached Packet dropped; connection limit for this destination IP address has been reached Packet destination not in VPN Access list Application Filters Block Alert: %s Application Filter Detection Alert: %s IPComp connection interrupt IPComp packet dropped IPComp packet dropped; waiting for pending IPComp connection Maximum events per second threshold exceeded Maximum syslog data per second threshold exceeded SMTP POP-Before-SMTP authentication failed Syslog Server cannot be reached IKE Responder: Proposed IKE ID mismatch IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed. IKE Responder: %s policy does not allow static IP for Virtual Adapter. Received notify: INVALID_PAYLOAD Drop WLAN traffic from non-SonicPoint devices
New Category VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP Firewall Event Firewall Event VPN IPsec Intrusion Detection Intrusion Detection IPComp IPComp IPComp Firewall Logging Firewall Logging Firewall Logging Network VPN IKE VPN Client
Legacy Category VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP VoIP System Error System Error Attack Attack Attack Debug TCP | UDP | ICMP Debug System Error System Error System Error Maintenance System Error System Error
Priority Debug Debug Debug Debug Debug Debug Debug Debug Debug Warning Debug Debug Debug Debug Debug Warning Alert Alert Error Alert Alert Debug Notice Debug Critical Critical Warning Information Warning Error
ID 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659
SNMP Trap Type --------------------------------5238 5239 572 -----------------------
VPN Client VPN IKE Intrusion Detection
System Error User Activity Attack
Error Error Error
660 661 662
----6434
40
Log Event Message WPA MIC Failure WPA Radius Server Timeout PPP Dial-Up: Dialing not allowed by schedule. %s PPP Dial-Up: Connection disconnected as scheduled. SonicPoint Status HA Peer Firewall Rebooted Error Rebooting HA Peer Firewall License of HA pair doesn't match: %s Primary received reboot signal from Backup Backup received reboot signal from Primary Synchronizing preferences to HA Peer Firewall Success to reach Interface %s probe Failure to reach Interface %s probe IGMP V2 client joined multicast Group : %s IGMP V3 client joined multicast Group : %s IGMP V3 Membership report received from interface %s IGMP V2 Membership report received from interface %s Router IGMP General query received on interface %s Router IGMP Membership query received on interface %s IGMP Leave group message Received on interface %s IGMP packet dropped, wrong checksum received on interface %s Multicast packet dropped, wrong MAC address received on interface : %s Multicast packet dropped, Invalid src IP received on interface : %s IGMP packet dropped, decoding error IGMP Packet Not handled. Packet type : %s IGMP V3 packet dropped, unsupported Record type : %s IGMP V3 reord type : %s not Handled Multicast UDP packet dropped, no state entry Multicast TCP packet dropped
New Category Wireless Wireless PPP Dial Up PPP Dial Up SonicPoint High Availability High Availability High Availability High Availability High Availability High Availability High Availability High Availability Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast
Legacy Category 802.11b Management 802.11b Management ----SonicPoint Maintenance System Error System Error System Error System Error Maintenance System Error System Error ---------------------------------
Priority Warning Information Information Information Information Information Error Error Error Error Information Information Error Information Information Debug Debug Debug Debug Information Notice Alert Alert Notice Notice Notice Debug Notice Notice
ID 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691
SNMP Trap Type ------------663 664 665 666 ----6234 ---------------------------------
41
Log Event Message IGMP state table entry time out,deleting interface : %s for multicast address : %s IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s Multicast UDP packet dropped, RTP stateful failed Multicast UDP packet dropped, RTCP stateful failed Multicast application %s not supported Adding to multicast policyList , interface : %s Deleting from Multicast policy list, interface : %s Adding to Multicast policyList , VPN SPI : %s Deleting from Multicast policy list, VPN SPI : %s IGMP querier Router detected on interface %s IGMP querier Router detected on VPN tunnel , SPI %S Exceeded Max multicast address limit Invalid Product Code Upgrade request received: %s Overriding Product Code Upgrade to: %s Network Monitor: Host %s is offline Network Monitor: Host %s is online TCP packet received with invalid SEQ number; TCP packet dropped TCP packet received with invalid ACK number; TCP packet dropped TCP stateful inspection: Invalid flag; TCP packet dropped TCP stateful inspection: Bad header; TCP packet dropped TCP connection reject received; TCP connection dropped TCP connection abort received; TCP connection dropped EIGRP packet dropped ARP request packet sent ARP response packet received ARP request packet received ARP response packet sent VPN policy count received exceeds the limit; %s Sending LCP Echo Request
New Category Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Multicast Firewall Event Firewall Event Network Monitor Network Monitor Network Network Network Network Network Network Network Access Network Network Network Network VPN PPPoE
Legacy Category Priority --Debug ------------------------------Debug Debug Debug Debug Debug Debug Debug --------System Error Maintenance Debug Warning Warning Information Debug Debug Debug Debug Debug Debug Warning Error Error Alert Alert Debug Debug Information Debug Debug Debug Notice Information Information Information Information Error Information
ID 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720
SNMP Trap Type ----------------------------14005 14006 ---------------------------
42
Log Event Message Received LCP Echo Request Sending LCP Echo Reply Received LCP Echo Reply Guest Services drop traffic to deny network Guest Services pass traffic to access allow network WLAN max concurrent users reached already SonicPoint Provision WLAN disabled by schedule WLAN enabled by schedule Virtual Access Point is enabled Virtual Access Point is disabled Packet dropped by WLAN SSL-VPN enforcement check SSL-VPN enforcement Source IP address connection status: %s Destination IP address connection status: %s SMTP authentication problem:%s PPPoE Client: Previous session was connected for %s Packet dropped. No firewall rule associated with VPN policy. NetBIOS settings were not upgraded. Use Network>IP Helper to configure NetBIOS support LAN Subnet configurations were not upgraded. Time of day settings for firewall policies were not upgraded. Hardware Failover settings were not upgraded. User login denied - RADIUS communication problem User login denied - LDAP authentication failure User login denied - LDAP server timeout User login denied - LDAP server down or misconfigured User login denied - LDAP communication problem
New Category PPPoE PPPoE PPPoE Network Access Network Access Network Access SonicPoint Authenticate Access Authenticate Access SonicPoint SonicPoint Wireless Wireless Firewall Event Firewall Event Firewall Logging PPPoE VPN Firewall Event
Legacy Category Maintenance Maintenance Maintenance ------SonicPoint Maintenance Maintenance
Priority Information Information Information Information Information Information Information Information Information
ID 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 737 738 739 740
SNMP Trap Type ---------------------------------------
802.11b Information Management 802.11b Information Management TCP | UDP | ICMP Warning Maintenance ----System Error Maintenance System Error Maintenance Information Information Information Warning Information Alert Information
Firewall Event Firewall Event Firewall Event RADIUS RADIUS RADIUS RADIUS RADIUS
Maintenance Maintenance Maintenance User Activity User Activity User Activity User Activity User Activity
Information Information Information Warning Information Warning Warning Warning
741 742 743 744 745 746 747 748
-----------------
43
Log Event Message User login denied - invalid credentials on LDAP server User login denied - insufficient access on LDAP server User login denied - LDAP schema mismatch Allowed LDAP server certificate with wrong host name User login denied - LDAP server name resolution failed User login denied - RADIUS server name resolution failed User login denied - LDAP server certificate not valid User login denied - TLS or local certificate problem User login denied - LDAP directory mismatch LDAP server does not allow CHAP User login denied - user already logged in TCP handshake violation detected; TCP connection dropped Access attempt from host out of compliance with GSC policy GSC policy out-of-date on host Access attempt from host without GSC installed Failed to synchronize license information with Licensing Server. Please see http:// help.mysonicwall.com/licsyncfail.html (code: %s) ADConnector %s response timed-out; applying caching policy DDNS Failure: Provider %s DDNS Failure: Provider %s DDNS Failure: Provider %s DDNS Update success for domain %s DDNS Warning: Provider %s DDNS association %s taken Offline locally DDNS association %s added DDNS association %s enabled DDNS association %s disabled DDNS Association %s put on line All DDNS associations have been deleted DDNS association %s deactivated DDNS association %s deleted
New Category RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS RADIUS Authenticate Access Network Access Security Services Security Services Security Services Security Services
Legacy Category Priority User Activity Warning User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity --Maintenance Maintenance Maintenance Maintenance Warning Warning Warning Warning Warning Warning Warning Warning Warning Information Notice Information Information Information Warning
ID 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 766
SNMP Trap Type ----------------------------8627 8628
Microsoft AD DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS DDNS
--System Error System Error System Error Maintenance System Error Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance
Error Error Error Error Information Warning Information Information Information Information Information Information Information Information
769 773 774 775 776 777 778 779 780 781 782 783 784 785
-----------------------------
44
Log Event Message DDNS association %s updated IPS Detection Alert: %s IPS Prevention Alert: %s DPI-SSL: %s Application Firewall Alert: %s Anti-Spyware Prevention Alert: %s Anti-Spyware Detection Alert: %s Anti-Spyware Service Expired Outbound connection to RBL-listed SMTP server dropped Inbound connection from RBL-listed SMTP server dropped SMTP server found on RBL blacklist No valid DNS server specified for RBL lookups Interface statistics report SonicPoint statistics report Gateway Anti-Virus Alert: %s Gateway Anti-Virus Service expired PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN Adding Dynamic Entry for Bound MAC Address MAC address collides with Static ARP Entry with Bound MAC address; packet dropped Too many gratuitous ARPs detected ARP unused/spare Incoming call received for Remotely Triggered Dial-out session Remotely Triggered Dial-out session started. Requesting authentication Incorrect authentication received for Remotely Triggered Dial-out Successful authentication received for Remotely Triggered Dial-out Authentication timeout during Remotely Triggered Dial-out session Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dialup sequence will commence Backup will be shut down in %s minutes
New Category DDNS Intrusion Detection Intrusion Detection DPI SSL Application Firewall Intrusion Detection Intrusion Detection Security Services RBL RBL RBL RBL GMS GMS Security Services Security Services PPP Dial Up
Legacy Category --Attack Attack Network Access User Activity Attack Attack Maintenance ------------Attack Maintenance Maintenance
Priority Information Alert Alert Information Alert Alert Alert Warning Notice Notice Notice Error Information Information Alert Warning Information
ID 786 789 790 791 793 794 795 796 797 798 799 800 805 806 809 810 811
SNMP Trap Type --6435 6436 --13201 6437 6438 8631 ------------8632 8633 ---
Firewall Event
System Error
Error
812
---
Network Network Network Network Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access High Availability
--------User Activity User Activity User Activity User Activity User Activity User Activity
Information Notice Warning Debug Information Information Information Information Information Information
813 814 815 816 817 818 819 820 821 822
---------------------
System Error
Error
823
---
45
Log Event Message Backup shut down because license is expired Backup active DHCP Scopes altered automatically due to change in network settings for interface %s DHCP lease file in the flash is corrupted; read failed Failed to write DHCP leases to flash DHCP leases written to flash Invalid VLAN packet dropped IP address conflict detected from ethernet address %s OCSP sending request. OCSP send request message failed. OCSP received response. OCSP received response error. OCSP Resolved Domain Name. OCSP Failed to Resolve Domain Name. OCSP Internal error handling received response. SYN Flood Mode changed by user to: Watch and report possible SYN floods SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack SYN Flood Mode changed by user to: Always proxy WAN connections Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode Possible SYN Flood on IF %s SYN flood ceased or flooding machines blacklisted - connection proxy disabled SYN Flood blacklisting enabled by user SYN Flood blacklisting disabled by user SYN-Flooding machine %s blacklisted Machine %s removed from SYN flood blacklist Possible SYN Flood on IF %s continues Possible SYN Flood on IF %s has ceased SYN Flood Blacklist on IF %s continues TCP SYN received CRL has expired Failed to find certificate CRL missing - Issuer requires CRL checking. CRL validation failure for Root Certificate
New Category High Availability High Availability Firewall Event Firewall Event Firewall Event Firewall Event Network Network VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI VPN PKI Intrusion Detection Intrusion Detection
Legacy Category Priority System Error Error System Error --System Error System Error Maintenance --Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity Debug Debug Information Information Warning Warning Information Alert Warning Information Error Information Error Information Error Error Warning Warning
ID 824 825 832 833 834 835 836 847 848 849 850 851 852 853 854 856 857
SNMP Trap Type -----------------------------------
Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection VPN PKI VPN PKI VPN PKI VPN PKI
Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug User Activity User Activity User Activity User Activity
Warning Alert Alert Alert Warning Warning Alert Alert Warning Alert Warning Debug Alert Alert Alert Alert
858 859 860 861 862 863 864 865 866 867 868 869 874 875 876 877
---------------------------------
46
Log Event Message Cannot Validate Issuer Path WLAN radio frequency threat detected Unable to resolve dynamic address object System clock manually updated HTTP method detected; examining stream for host header IP Header checksum error; packet dropped TCP checksum error; packet dropped UDP checksum error; packet dropped ICMP checksum error; packet dropped TCP packet received with invalid header length; TCP packet dropped TCP packet received on non-existent/closed connection; TCP packet dropped TCP packet received without mandatory SYN flag; TCP packet dropped TCP packet received without mandatory ACK flag; TCP packet dropped TCP packet received on a closing connection; TCP packet dropped TCP packet received with SYN flag on an existing connection; TCP packet dropped TCP packet received with invalid SACK option length; TCP packet dropped TCP packet received with invalid MSS option length; TCP packet dropped TCP packet received with invalid option length; TCP packet dropped TCP packet received with invalid source port; TCP packet dropped TCP packet received with invalid SYN Flood cookie; TCP packet dropped RST-Flooding machine %s blacklisted RST Flood Blacklist on IF %s continues Machine %s removed from RST flood blacklist FIN-Flooding machine %s blacklisted FIN Flood Blacklist on IF %s continues Machine %s removed from FIN flood blacklist Possible RST Flood on IF %s Possible FIN Flood on IF %s Possible RST Flood on IF %s has ceased Possible FIN Flood on IF %s has ceased
New Category VPN PKI RF Management Dynamic Address Objects Firewall Logging Network Access Network Access Network Access Network Access Network Access Network Network Network Network Network Network Network Network Network Network Network Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection Intrusion Detection
Legacy Category User Activity --Maintenance --TCP TCP|UDP TCP UDP UDP Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug Debug
Priority Alert Warning Information Notice Debug Notice Notice Notice Notice Debug Debug Debug Debug Debug Information Debug Debug Debug Debug Information Alert Warning Alert Alert Warning Alert Alert Alert Alert Alert
ID 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907
SNMP Trap Type -------------------------------------------------------------
47
Log Event Message Possible RST Flood on IF %s continues Possible FIN Flood on IF %s continues Packet Dropped - IP TTL expired Added host entry to dynamic address object Removed host entry from dynamic address object IKE Responder: Phase 1 Authentication Method does not match IKE Responder: Phase 1 encryption algorithm does not match IKE Responder: Phase 1 encryption algorithm keylength does not match IKE Responder: Phase 1 hash algorithm does not match IKE Responder: Phase 1 XAUTH required but policy has no user name IKE Responder: Phase 1 XAUTH required but policy has no user password IKE Responder: Phase 1 DH Group does not match IKE Responder: AH authentication algorithm does not match IKE Responder: ESP encryption algorithm does not match IKE Responder: ESP authentication algorithm does not match IKE Responder: AH authentication key length does not match IKE Responder: ESP encryption key length does not match IKE Responder: ESP authentication key length does not match IKE Responder: AH authentication key rounds does not match IKE Responder: ESP encryption key rounds does not match IKE Responder: ESP authentication key rounds does not match IKE Responder: IP Compression algorithm does not match IKE Initiator: Remote party timeout Retransmitting IKE request. IKE Responder: Remote party timeout Retransmitting IKE request. IKE Responder: IPsec protocol mismatch
New Category Intrusion Detection Intrusion Detection Network Dynamic Address Objects Dynamic Address Objects VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE
Legacy Category Debug Debug Debug Maintenance Maintenance User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Priority Warning Warning Warning Information Information Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Information Information Warning
ID 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932
SNMP Trap Type ---------------------------------------------------
48
Log Event Message IKE Initiator: Proposed IKE ID mismatch IKE Responder: Peer's local network does not match VPN policy's Destination Network IKE Responder: Peer's destination network does not match VPN policy's Local Network IKE Responder: Route table overrides VPN policy IKE Initiator: IKE proposal does not match (Phase 1) IKEv2 Initiator: Send IKE_SA_INIT request IKEv2 Responder: Received IKE_SA_INIT request IKEv2 Initiator: Send IKE_AUTH request IKEv2 Responder: Received IKE_AUTH request IKEv2 Authentication successful IKEv2 Accept IKE SA Proposal IKEv2 Accept IPsec SA Proposal IKEv2 Initiator: Send CREATE_CHILD_SA request IKEv2 Responder: Received CREATE_CHILD_SA request IKEv2 Send delete IKE SA request IKEv2 Received delete IKE SA request IKEv2 Send delete IPsec SA request IKEv2 Received delete IPsec SA request IKEv2 Responder: Peer's destination network does not match VPN policy's Local Network IKEv2 Responder: Peer's local network does not match VPN policy's Destination Network IKEv2 Payload processing error IKEv2 Initiator: Negotiations failed. Extra payloads present. IKEv2 Initiator: Negotiations failed. Missing required payloads. IKEv2 Initiator: Negotiations failed. Invalid input state. IKEv2 Initiator: Negotiations failed. Invalid output state. IKEv2 Payload validation failed. IKEv2 Unable to find IKE SA IKEv2 Decrypt packet failed
New Category VPN IKE VPN IKE
Legacy Category Priority User Activity Warning User Activity Warning
ID 933 934
SNMP Trap Type -----
VPN IKE
User Activity
Warning
935
---
VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE
User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Warning Warning Information Information Information Information Information Information Information Information Information Information Information Information Information Information
936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951
---------------------------------
VPN IKE
User Activity
Information
952
---
VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE
User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Warning Warning Warning Warning Warning Warning Warning Warning
953 954 955 956 957 958 959 960
-----------------
49
Log Event Message IKEv2 Out of memory IKEv2 Responder: Policy for remote IKE ID not found IKEv2 Process Message queue failed IKEv2 Invalid state IKE Responder: Client Policy has no VPN Access Networks assigned. Check Configuration. IKEv2 Invalid SPI size IKEv2 VPN Policy not found IKEv2 IPsec proposal does not match IKEv2 IPsec attribute not found IKEv2 IKE attribute not found IKEv2 Peer is not responding. Negotiation aborted. IKEv2 Initiator: Remote party timeout Retransmitting IKEv2 request. IKEv2 Initiator: Received IKE_SA_INT response IKEv2 Initiator: Received IKE_AUTH response IKEv2 Initiator: Received CREATE_CHILD_SA response IKEv2 Responder: Send IKE_SA_INIT response IKEv2 Responder: Send IKE_AUTH response IKEv2 negotiation complete IKEv2 Function sendto() failed to transmit packet. IKEv2 Initiator: Proposed IKE ID mismatch IKEv2 IKE proposal does not match IKEv2 Received notify status payload IKEv2 Received notify error payload IKEv2 No NAT device detected between negotiating peers IKEv2 NAT device detected between negotiating peers User login denied - not allowed by policy rule User login denied - not found locally User login denied - SSO agent timeout
New Category VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE
Legacy Category Priority User Activity Warning User Activity Error User Activity User Activity System Error Warning Warning Error
ID 961 962 963 964 965
SNMP Trap Type -----------
VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Authenticate Access Authenticate Access Authenticate Access
User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity
Warning Warning Warning Warning Warning Warning Information Information Information Information Information Information Information Error Warning Warning Information Warning Information Information Information Information Warning
966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988
-----------------------------------------------
50
Log Event Message User login denied - SSO agent configuration error User login denied - SSO agent communication problem User login denied - SSO agent name resolution failed SSO returned a user name that is too long SSO returned a domain name that is too long Configuration mode administration session started Configuration mode administration session ended Read-only mode GUI administration session started Non-config mode GUI administration session started GUI administration session ended SSL Control: Website found in blacklist SSL Control: Website found in whitelist SSL Control: HTTPS via SSL2 SSL Control: Certificate with invalid date SSL Control: Self-signed certificate SSL Control: Weak cipher being used SSL Control: Untrusted CA SSL Control: Certificate chain not complete SSL Control: Failed to decode Server Hello User logged out - logout detected by SSO Bind to LDAP server failed Using LDAP without TLS - highly insecure LDAP using non-administrative account VPN client user will not be able to change passwords IKEv2 Responder: Send CREATE_CHILD_SA response IKEv2 Send delete IKE SA response IKEv2 Send delete IPsec SA response IKEv2 Received delete IKE SA response IKEv2 Received delete IPsec SA response 3G %s device detected PPP message: %s Chat started
New Category Authenticate Access Authenticate Access Authenticate Access SSO SSO Authenticate Access Authenticate Access Authenticate Access Authenticate Access Authenticate Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Network Access Authenticate Access RADIUS RADIUS RADIUS
Legacy Category Priority User Activity Warning User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity User Activity Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Sites Blocked Sites User Activity System Error System Error System Error Warning Warning Warning Warning Information Information Information Information Information Information Information Information Information Information Information Information Information Information Information Error Alert Warning
ID 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008
SNMP Trap Type -----------------------------------------
1009 --1010 --1011 ---
VPN IKE VPN IKE VPN IKE VPN IKE VPN IKE Firewall Hardware PPP PPP Dial Up
User Activity User Activity User Activity User Activity User Activity System Environment --User Activity
Information Information Information Information Information Information Information Information
1012 --1013 1014 1015 1016 1017 -----------
1018 --1019 ---
51
Log Event Message Chat completed Chat wrote '%s' Chat %s Chat failed: %s Unable to send message to dial-up task Diagnostic Code J 3G Dial-up: %s. 3G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnecting the 3G session. %s auto-dial failed: Current Connection Model is configured as Ethernet Only TCP packet received with non-permitted option; TCP packet dropped TCP packet received with invalid Window Scale option length; TCP packet dropped TCP packet received with invalid Window Scale option value; TCP packet dropped Chat started by '%s' Problem occurred during user group membership retrieval Received AF Alert: Your Application Firewall (AF) subscription has expired. User login denied - password expired
New Category PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up PPP Dial Up Firewall Hardware PPP Dial Up PPP Dial Up
Legacy Category User Activity User Activity User Activity User Activity System Error System Error User Activity User Activity
Priority Information Information Information Information Error Error Alert Alert
ID 1020 1021 1022 1023 1024 1025 1026 1027
SNMP Trap Type ----------5423 --7643
PPP Dial Up Network Network Network PPP Dial Up Authenticate Access Security Services
System Error Debug Debug Debug User Activity User Activity Maintenance User Activity User Activity -----------------------------
Alert Debug Debug Debug Information Warning Warning Information Error Information Information Information Alert Alert Information Error Information Information Information Information Information Information Information
1028 --1029 --1030 --1031 --1032 --1033 --1034 8635 1035 --1036 --1037 1038 1039 1040 1041 1042 1043 1044 1045 ----------5424 5425 -----
Authenticate Access IKE Responder: IKE Phase 1 exchange does VPN IKE not match PPP Dial-Up: Starting PPP PPP Dial Up Dial-up: Traffic generated by '%s' PPP Dial Up Dial-up: Session initiated by data packet PPP Dial Up DHCP Server: IP conflict detected Firewall Event DHCP Server: Received DHCP decline from Firewall Event client Physical environment normal Firewall Hardware Power supply without redundancy Firewall Hardware Discovered HA %s Firewall High Availability Diagnostic Auto-restart scheduled for %s Firewall Event minutes from now Diagnostic Auto-restart canceled Firewall Event "As per Diagnostic Auto-restart configuration Firewall Event request, restarting system" User login denied - password doesn't meet Authenticate constraints Access Settings Import: %s Firewall Event VPN Policy Added VPN
1046 --1047 --1048 --1049 --1050 ---
52
Log Event Message VPN Policy Deleted VPN Policy Modified PC Card removed. PC Card inserted. 3G: No SIM detected PC Card: No device detected Peer firewall rebooting (%s) Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt Crypto SHA1 based DRNG KAT test failed Successfully sent Preference file to remote backup server Failed to send Preference file to remote backup server, Error: %s Successfully sent TSR file to remote backup server Failed to send TSR file to remote backup server, Error: %s Successfully sent %s file to remote backup server Failed to send file to remote backup server, Error: %s System shutdown by administrator. Power cycle required. Multiple DHCP Servers are detected on network External Web Server Host Resolution Failed %s Invalid DNS Server will not be accepted by the dynamic client DHCP Server sanity check passed %s DHCP Server sanity check failed %s SSO agent returned error L2TP Tunnel Negotiation %s SSO agent is down SSO agent is up SonicPointN Status SonicPointN Provision SSLVPN zone remote user login allowed
New Category VPN VPN Firewall Hardware Firewall Hardware Firewall Hardware Firewall Hardware High Availability High Availability
Legacy Category -----------------
Priority Information Information Alert Alert Alert Alert Information Information
ID 1051 1052 1053 1054 1055 1056 1057 1058
SNMP Trap Type ----5418 5419 ---------
High Availability
---
Information
1059 ---
Crypto Test Firewall Event Firewall Event Firewall Event Firewall Event Firewall Event Firewall Event Firewall Event Firewall Event Authenticate Access Firewall Event Firewall Event Firewall Event SSO L2TP Client SSO SSO SonicPoint-N SonicPoint-N Authenticate Access
--Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance ------------User Activity --User Activity User Activity ----User Activity
Error Information Information Information Information Information Information Alert Warning Error Information Critical Critical Warning Information Alert Alert Information Information Information
1060 --1061 --1062 --1063 --1064 --1065 --1066 --1067 5242 1068 --1069 --1070 --1071 1072 1073 1074 1075 1076 1077 1078 1080 -------------------
53
Log Event Message SSL Control: Certificate with MD5 Digest Signature Algorithm %s is operational. %s is unavailable. Anti-Spam service is enabled by administrator. Anti-Spam service is disabled by administrator. Your Anti-Spam Service subscription has expired. SMTP connection limit is reached. Connection is dropped. Anti-Spam Startup Failure - %s Anti-Spam Teardown Failure - %s DHCP Server: Received DHCP message from untrusted relay agent Outbound connection to GRID-listed SMTP server dropped Inbound connection from GRID-listed SMTP server dropped SMTP server found on Reject List No valid DNS server specified for GRID lookups Unprocessed email received from MTA on Inbound SMTP port Processed Email received from Email Security Service SCEP Client: %s Possible DNS rebind attack detected DNS rebind attack blocked Network Monitor: Policy %s status is UP Network Monitor: Policy %s status is DOWN Network Monitor: Policy %s status is UNKNOWN Network Monitor: Host %s status is UNKNOWN Network Monitor Policy %s Added Network Monitor Policy %s Deleted Network Monitor Policy %s Modified Message blocked by Real-Time Email Scanner CSR Generation: %s Assigned IP address %s Released IP address %s Ftp server accepted the connection
New Category Network Access Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam Firewall Event Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam Anti-Spam VPN PKI Intrusion Detection Intrusion Detection Network Monitor Network Monitor Network Monitor Network Monitor Network Monitor Network Monitor Network Monitor Anti-Spam VPN PKI DHCP Server DHCP Server FTP
Legacy Category Priority Blocked Sites Information ------------------------------------------------------------Warning Warning Information Information Warning Warning Warning Warning Notice Notice Notice Notice Error Information Information Notice Alert Alert Alert Alert Alert Alert Information Information Information Information Information Information Information Debug
SNMP Trap Type ID 1081 --1082 13801 1083 13802 1084 13803 1085 13804 1086 13805 1087 13806 1088 13807 1089 13808 1090 --1091 13809 1092 13810 1093 13811 1094 13812 1095 13813 1096 13814 1097 1098 1099 1100 1101 1102 --6465 6466 14001 14002 14003
1103 14004 1104 1105 1106 1108 1109 1110 1111 1112 -----------------
54
New Category FTP FTP FTP FTP Authenticate Access User login denied - Mail Address(From/to) or Authenticate SMTP Server is not configured Access RADIUS user cannot use One Time Authenticate Password - no mail address set for Access equivalent local user User login denied - Terminal Services agent Authenticate timeout Access User login denied - Terminal Services agent Authenticate name resolution failed Access User login denied - No name received from Authenticate Terminal Services agent Access User login denied - Terminal Services agent Authenticate communication problem Access User logged out - logout reported by Authenticate Terminal Services agent Access High Availability has been enabled and Dial- High Availability Up device(s) are not supported in High Availability processing. The High Availability monitoring IP High Availability configuration of Interface %s is incorrect. IKE Responder: ESP mode mismatch Local VPN IKE - Tunnel Remote - Transport IKE Responder: ESP mode mismatch Local VPN IKE - Transport Remote - Tunnel WAN DHCPC IP Changed Firewall Event WLAN DHCPC IP Changed Firewall Event Probe Response Success - %s Anti-Spam Probe Response Failure - %s Anti-Spam Peer HA firewall has stateful license but this High Availability firewall is not yet registered The stateful license of HA peer firewall is not High Availability activated Received unauthenticathed GRID response Anti-Spam Invalid key or serial number used for GRID Anti-Spam response Invalid key version used for GRID response Anti-Spam Host IP address not in GRID List Anti-Spam No response received from DNS server Anti-Spam Not blacklisted as per configuration Anti-Spam
Log Event Message Ftp client user name was sent Ftp client user logged in successfully Ftp client user logged in failed Ftp client user logged out User login denied - SSO probe failed
Legacy Category --------User Activity User Activity User Activity
Priority Debug Debug Debug Debug Warning Information Information
ID 1113 1114 1115 1116 1117
SNMP Trap Type -----------
1118 --1119 ---
User Activity User Activity User Activity User Activity User Activity ---
Warning Warning Warning Warning Information Information
1120 --1121 --1122 --1123 --1124 --1125 ---
--User Activity User Activity System Error System Error ----System Error System Error -------------
Error Warning Warning Warning Warning Debug Debug Alert Alert Debug Debug Debug Debug Debug Debug
1126 --1127 --1128 --1129 1130 1131 1132 1136 -----------
1137 --1138 --1139 --1140 1141 1142 1143 ---------
55
Log Event Message Default to not blacklisted Failed to insert entry into GRID result IP cached table Resolved ES Cloud - %s Updated ES Cloud Address - %s Your Active/Active Clustering subscription has expired. Terminal Services agent is down Terminal Services agent is up Active/Active Clustering license is not activated on the following cluster units: %s SSLVPN Traffic Application Control Detection Alert: %s Application Control Prevention Alert: %s GMS or syslog server name lookup failed try again in 60 secs. User account '%s' expired and disabled User account '%s' expired and pruned Received Alert: Your Firewall Visualization Control subscription has expired. Attempt to contact Remote backup server for upload approval failed Backup remote server did not approve upload request Modules attached to HA units do not match: %s Malformed DNS packet detected A high percentage of the system packet buffers are held waiting for SSO A user has a very high number of connections waiting for SSO DOS protection on WAN begins %s DOS protection on WAN %s DOS protection on WAN %s Deleting IPsec SA (Phase 2) Delete invalid scope because port ip in the range of this DHCP scope. IKE Responder: Peer's network does not match VPN policy's Network Added new LDAP mirror user group: %s Deleted LDAP mirror user group: %s
New Category Anti-Spam Anti-Spam Anti-Spam Anti-Spam High Availability SSO SSO High Availability SSL VPN App-Control Detection App-Control Detection Firewall Event Authenticate Access Authenticate Access Security Services Firewall Event Firewall Event High Availability Network Access SSO SSO Intrusion Detection Intrusion Detection Intrusion Detection VPN IKE DHCP Server VPN IKE RADIUS RADIUS
Legacy Category Priority --Debug --Debug ------User Activity User Activity --Debug Debug Warning Alert Alert Error
SNMP Trap Type ID 1144 --1145 --1146 --1147 --1149 --1150 --1151 --1152 --1153 --1154 15001 1155 15002 1156 --1157 --1158 --1159 --1160 --1161 --1162 664 1177 --1178 --1179 --1180 1181 1182 1183 1184 -----------
Connection Traffic Information --Alert ----User Activity User Activity --Maintenance Maintenance System Error Debug User Activity User Activity Debug Debug Debug User Activity --User Activity User Activity User Activity Alert Error Information Information Warning Debug Debug Alert Alert Alert Alert Alert Warning Alert Debug Warning Warning Information Information
1189 --1190 --1191 ---
56
Index of Syslog Tag Field Description
Log Event Message Added a new member to an LDAP mirror user group Removed a member from an LDAP mirror user group Monitoring probe out interface mismatch %s
New Category RADIUS RADIUS High Availability
Legacy Category Priority User Activity Information User Activity --Information Error
SNMP Trap Type ID 1192 --1193 --1194 ---

This section provides an alphabetical listing of Syslog tags and the associated field description. Tag <ddd> Field Syslog message prefix Description The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1) Used to render a URL: arg represents the URL path name part. Displays the broadcast packets received Displays the broadcast packets transmitted Displays the bytes received Displays the bytes transmitted Indicates the legacy category number (Note: We are not currently sending new category information.) Displays the basename of the firewall web page that performed the last configuration change Indicates the CFS block code category Indicates the ICMP code Indicates the number of connections in use Displays the CPU utilization (not in use) Destination IP address, and optionally, port, network interface, and resolved name. Displays the URL of web site hit and other legacy destination strings Used to render a URL: dstname represents the URL host part
arg
URL
bcastRx bcastTx bytesRx bytesTx c
Interface statistics report Interface statistics report Interface statistics report Interface statistics report Message category (legacy only)
change
Configuration change webpage
code code conns cpuUtil dst
Blocking code ICMP type and code Firewall status report Firewall status report Destination
dstname
Destination URL
dstname
URL
57
dyn
Firewall status report
Displays the HA and dialup connection state (rendered as h.d where h is n (not enabled), b (backup), or p (primary) and d is 1 (enabled) or 0 (disabled)) Indicates the WAN IP Address Indicates the LAN zone IP address Indicates the well formed bytes recevied Indicates the well formed bytes transmitted Displays the GMS message interval in seconds Syntactic sugar for WebTrends (and GMS by habit) Displays the interface on which statistics are reported Displays the IPS category Displays the IPS priority Indicates the number of licenses for firewalls with limited modes Provides the message ID number Provides the MAC address Displays the event message (from spreadsheet) Displays a dynamically defined message string Displays a message using the predefined message string containing a %s and a dynamic string argument. Displays a message using the predefined string string containing a %s and a dynamic numeric argument. Displays a message using the predefined message string containing a %s and a dynamic string argument. Displays the event message (from spreadsheet) Indicates the number of times event occurs Displays the HTTP operation (GET, POST, etc.) of web site hit Displays the event priority level (0=emergency..7=debug)
fw fwlan goodRxBytes goodTxBytes i id=firewall
Firewall WAN IP Firewall status report SonicPoint statistics report SonicPoint statistics report Firewall status report Webtrends prefix
if
Interface statistics report
ipscat ipspri lic
IPS message IPS message Firewall status report
m mac msg msg msg
Message ID MAC address Static message Dynamically-defined message Static message with dynamic string
msg
Static message with dynamic number
msg
IPS message
msg n op
Anti-Spyware message Message count HTTP OP code
pri
Message priority
58
proto proto
IP protocol Protocol and service
Indicates the IP protocol and detail information Displays the protocol information (rendered as proto/service) Displays the protocol information (rendered as proto/service) Displays the HTTP/HTTPS management port (rendered as hhh.sss) Displays the SonicPoint radio on which event occurred Displays the RAM utilization (not in use) Indicates the number of bytes received within connection Displays the HTTP result code (200, 403, etc.) of web site hit Displays the Access Rule number causing packet drop Displays the number of bytes sent within connection Provides the IPS signature ID Provides the AntiSpyware signature ID Indicates the device serial number Displays the antiSpyware category Displays the AntiSpyware priority Indicates the source IP address, and optionally, port, network interface, and resolved name. Displays the client (station) on which event occurred Reports the time of event Indicates the ICMP type Displays the unicast packets received Displays the unicast packets transmitted Reports the time since last local change in seconds Displays whether standby SA is in use (1 or 0) for GMS management
proto
Protocol and service
pt
radio
SonicPoint statistics report
ramUtil rcvd
Firewall status report Bytes received
result
HTTP Result code
rule
Rule ID
sent
Bytes sent
sid sid sn spycat spypri src
IPS message Anti-Spyware message Firewall serial number Anti-Spyware message Anti-Spyware message Source
station
SonicPoint statistics report
time type ucastRx ucastTx unsynched
Time ICMP type and code Interface statistics report Interface statistics report Firewall status report
usesstandbysa
59
usr (or user)
User
Displays the user name (user is the tag used by WebTrends) Displays the VPN policy name of event
vpnpolicy
VPN policy name
60
SonicWALL, Inc. 2001Logic Drive San Jose CA 95124 P/N: 232-001835-00 Rev A, 06/11 T +1 408.745.9600 F +1 408.745.9300 www.sonicwall.com San
PROTECTION AT THE SPEED OF BUSINESS
2009 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 07/07 SW 145

SonicOS Log Event Reference Guide-5.8

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SonicOS Log Event Reference Guide-5.8

Hochgeladen von

Copyright:

Verfügbare Formate

COMPREHENSIVE INTERNET SECURITY

SonicWALL Internet Security Appliances

SonicOS Log Event Reference Guide

Using the SonicOS Log Event Reference Guide

SonicOS Log Event Reference Guide

Log > View

Log > View

Log View Table

SonicOS Log Event Reference Guide

Log > View

Navigating and Sorting Log View Table Entries

SonicOS Log Event Reference Guide

Log > View

Filtering Log Records Viewed

Log Event Messages

SonicOS Log Event Reference Guide

Log > Categories

Log > Categories

SonicOS Log Event Reference Guide

Log > Categories

Log Redundancy Filter

Alert Redundancy Filter

802.11 Management Legacy

SonicOS Log Event Reference Guide

Log > Categories

Intrusion Prevention Extended

SonicOS Log Event Reference Guide

Log > Categories

Managing Log Categories

SonicOS Log Event Reference Guide

Log > Syslog

Log > Syslog

For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.

SonicOS Log Event Reference Guide

Log > Automation

Log > Automation

E-mail Log Automation

Mail Server Settings

SonicOS Log Event Reference Guide

Log > Automation

Deep Packet Forensics

Reliable storage of data Effective indexing of data Classification of interesting-content

Distributed Event Detection and Replay

SonicOS Log Event Reference Guide

Log > Automation

SonicOS Log Event Reference Guide

Log > Automation

Solera Capture Stack

SonicOS Log Event Reference Guide

Log > Name Resolution

Configure the following options:

Log > Name Resolution

SonicOS Log Event Reference Guide

Log > Name Resolution

Selecting Name Resolution Settings

Specifying the DNS Server

SonicOS Log Event Reference Guide

Log > Reports

Log > Reports

Web Site Hits

Bandwidth Usage by IP Address

SonicOS Log Event Reference Guide

Log > ViewPoint