
FortiGate Log Message Reference

FortiOS 4.0 MR3

The FortiGate Log Message Reference is published every maintenance release, and contains only information that was gathered at the date of publication.

FortiGate Log Message Reference
Version 4.0 MR3
21 November 2011
01-430-112804-20111121

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
Before you begin
How this reference is organized
Document conventions and other information

Traffic
2 3 4 5 6 7 8 9 10 11

Event-Administration
32001 32002 32003 32004 32006 32007 32008 32010 32011 32012 32013 32014 32015 32016 32017 32020 32021 32022 32086 32087
FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback


32140 32141 32095 32101 32102 32103 32104 32105 32120 32121 32122 32123 32124 32125 32126 32127 32128 32129 32130 32131 32132 32133 32134 32135 32136 32137 32138 32139 32140 32141 32142 32143 32144 32145 32148 32149 32150 32151 32152 32153 32154 32155 32156 32157 32158 32161


32162 32168 32170 32171 32172 32180 32200 32301 32302 32400 32401 32545 32546 32547 32548 32549


Event-System
20001 20002 20003 20004 20007 20010 20031 20032 20033 20034 20035 20036 20037 20038 20039 20040 20041 20042 20043 20044 20045 20046 20047 20048 20049 20050 20051

20052 20053 20054 20055 20056 20057 20058 20059 20060 20061 20062 20063 20064 20065 20066 20067 20068 20069 20070 20071 20072 20073 20074 20075 20076 20077 20078 20079 20080 20081 20082 20083 20084 20090 20099 20100 20101 20110 20111 20200 20201 20202 20203 22000 22001 22002


22003 22004 22005 22006 22009 22010 22011 22012 22013 22100 22101 22102 22103 22200 22201 22202 22203 22800 22801 22802 22803 22804 22805 22806 22901 22902 22903 22911 22912 22913 22914


Event-DHCP service

26001 26002

Event-Firewall authentication
38001 38002 38003 38004 38005 38010 38011

38012 38020 38021 38022 38026 38027


Event-Wireless
43520 43521 43522 43524 43525 43526

Event-IPsec negotiation
37120 37121 37122 37123 37124 37125 37126 37127 37128 37129 37130 37131 37132 37133 37134 37135 37136 37137 37138 37139 37184 37185 37186 37187 37188 37189 37190 37191

37192 37193 37194 37195 37196 37197 37198 37199 37200 37201 37202 37203


Event-L2TP/PPP/PPPoE
29001 29002 29003 29004 29009 29015 29016 29022 29024 30004 30005 30006 30007 30008 30009 31004 31005 31006 31007 31008 31009

Event-SSL VPN
39424 39425 39426 41984 41985 41986 41987

41988 39936 39937 39938 39939 39940 39941 39942 39943 39944 39945 39946 39947 39948 39949 39950 39951


Event-VIP SSL
45001 45003 45005 45007 45009 45011 45012 45013 45015 45017 45019 45023 45027 45029 45031 45032

Event-DNS

44288

Event-config

44544 44545 44546 44547

Event-auth
43008 43009 43010 43011 43012 43013 43014 43015 43016 43017 43018 43019 43020 43021 43022 43023 43024 43025 43026 43027 43028 43029 43030

Event-wad
40960 48001 48003 48005 48007 48009 48011 48012 48013 48015 48017 48019 48023 48027 48029 48031

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

48032 48100 48101 48102 48123 48124 48127 48129 48131 48132 48200 48201 48205 48300 48301

Event-LDB-monitor
46000 46001 46002 46003 46004 46005 46100 46101

Event-nac-quarantine

43776

Event-his-performance

40704

Event-HA
37888 37889 37890 37891 37892 37893 37894 37895 37896 37897

37898 37899 37900 37901 37902 37903 37904

Event-pattern

41000 41001

Event-RADIUS
38656 38657 38658 38659 38660 38661 38662 38663 38664 38665 38666 38667

Event-notification

38400 38401 38402

Event-amc-intf-bypass

47201 47202

Event-GTP
41216 41217 41218 41219 41220 41221 41222

Event-MMS-Stats

43264

Event-VoIP
44032 44033 44034 44035 44036 44037 44038

Data Leak Prevention


24576 24577 24578 24579

Application Control
28672 28673 28674 28675 28676 28677 28678 28688 28689 28690 28704 28705

Antivirus
8192 8193 8194 8195 8196 8197

8198 8199 8457 8458 8448 8449 8450 8451 8452 8453 8454 8455 8456 8704 8705 8706 8707 8960 8961 8962 8963 8964 8965 8966 8967 8968 8969 8970 8971 8972 8973

Attack
16384 16385 16386 18432 18433 18434

Email filter

20480 20481 20482 20483 20484 20491 20485 20486 20487 20488 20489 20490 20492 20493 20494 20495 20496 20497 20498 20499 20500 20501 20503 20504 20505

Webfilter
12288 12289 12290 12291 12305 12544 12545 12546 12547 12548 12549 12550 12551 12552 12553 12554 12555 12556 12557 12558 12559

13056 13312 13313 13314 12800 12801 13601 13602 13568 13573 13584 13315 13316 12802

Netscan logs
4096 4097 4098 4099 4100 4101 4102 4103 4104 4105

DLP archives
32768 32776 32770 32772 32774 32769 32782 32783 32784 32785 32786 32787 32788 32789 32790 32791 32792 32793 32777 32794 32795 32796 32797 32798 32800 328001 32778 32779 32780 32781 32771 32773 32775

Appendix
Document conventions
IP addresses
Example Network configuration
Cautions, Notes and Tips
Typographical conventions
CLI command syntax conventions
Entering FortiOS configuration data
Entering text strings (names)
Entering numeric values
Selecting options from a list
Enabling or disabling options
Registering your Fortinet product
Fortinet products End User License Agreement
Training
Documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Base
Comments on Fortinet technical documentation
Customer service and technical support

Introduction
This reference provides detailed information about all log messages that are recorded by the FortiGate unit. It is intended for administrators who are already logging FortiGate features and require information about a specific log message that was recorded, such as an event-administration log message with the log ID 41990.

This chapter includes the following topics:
Before you begin
Document conventions and other information

Before you begin


Before you begin using this guide, take a moment to note the following:

The information in this reference applies to all FortiGate units and models currently running FortiOS 4.0 and higher.

You have enabled logging of FortiGate features. If you have not chosen a log device, or have not enabled logging of FortiGate features, see the Logging and Reporting chapter in the FortiOS Handbook.

Each log message is written similarly to how it appears in the log viewer table, but is based on the Raw format. For more information, see the Logging and Reporting chapter in the FortiOS Handbook.

FortiOS Carrier log messages are included and are indicated within the table, in the Firmware version row.

This reference contains detailed information for each log message field; however, this reference contains only information gathered at publication and, as a result, not every log message field contains detailed information. More detailed information will be available in future releases of this reference.

The UTM-related logs, such as antivirus and IPS, are located in the new log file called UTM log. This is reflected in the web-based manager, where you can view these log messages in Log&Report > Log & Archive Access > UTM Log.

How this reference is organized


This document describes what log messages are recorded by the FortiGate unit. The following chapters are grouped by log type with the exception of the event log, and include only log messages for that log type. The event log type chapters are grouped by subtype, for example event-system, due to the large number of subtypes associated with the event log.

Traffic
Event-Administration
Event-System
Event-DHCP service
Event-Firewall authentication
Event-Wireless
Event-IPsec negotiation
Event-L2TP/PPP/PPPoE
Event-SSL VPN
Event-VIP SSL
Event-DNS
Event-config
Event-auth
Event-wad
Event-LDB-monitor
Event-nac-quarantine
Event-his-performance
Event-HA
Event-pattern
Event-RADIUS
Event-notification
Event-amc-intf-bypass
Event-GTP
Event-MMS-Stats
Event-VoIP
Data Leak Prevention
Application Control
Antivirus
Attack
Email filter
Webfilter
Netscan logs
DLP archives

Document conventions and other information


The document conventions, as well as additional information, are located in the appendix section of this reference. See Appendix on page 700.


Traffic
Traffic log messages record the network traffic going through the FortiGate unit. In the policyid field of traffic log messages, the number may be zero because any policy that is automatically added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0.

2 3 4 5 6 7 8 9 10 11

2
Message ID: 2
Log SubType: Allowed
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Allowed traffic log message

Fields
Field: Description
status: The session status. This field displays accept, which indicates that the session has been allowed by the unit.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dir_disp: The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp: The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip: The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port: The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip: The translated source IP address.
tran_sport: The translated source port.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: N/A (is unknown type), WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
sent_pkt: The total number of packets sent during the session.
rcvd_pkt: The total number of packets received during the session.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel.
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

3
Message ID: 3
Log SubType: Violation
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Traffic violation log message

Field: Description
status: The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: N/A (is unknown type), WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel. The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

4
Message ID: 4
Log Subtype: Traffic - Other
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Traffic other log message

Field: Description
status: The status of the session. This field always displays start, which indicates that the session has started.
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip: The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port: The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip: The translated source IP address.
tran_sport: The translated source port.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: NA, WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel. The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

5
Message ID: 5
Log Subtype: Other
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Traffic allowed ICMP log message

Field: Description
status: The session status. This field displays accept, which indicates that the session has been allowed by the unit.
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
dir_disp: The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp: The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip: The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port: The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip: The translated source IP address.
tran_sport: The translated source port.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: NA, WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
sent_pkt: The number of sent packets.
rcvd_pkt: The number of received packets.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel.
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

6
Message ID: 6
Log Subtype: Other
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Deny internal ICMP log message

Field: Description
status: The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: NA, WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel.
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

7
Message ID: 7
Log Subtype: Other
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Deny external ICMP log message

Field: Description
status: The status of the session. This field always displays deny, which indicates that the session has been blocked by the unit.
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip: The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port: The translated port number in NAT mode. For Transparent mode, it is zero.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field: NA, WinNY, BitTorrent, eDonKey, Gnutella, KaZaa, Skype, AIM, ICQ, MSN, Yahoo.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-ddns, ipsec-dynamic, sslvpn.
vpn_tunnel: The VPN tunnel.
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.

8
Message ID: 8
Log Subtype: Traffic - WAN opt
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: WAN optimization traffic log message

Field: Description
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type: The type of WAN optimization that was used. This field can contain any one of the following: web-cache, cifs, tcp, web-proxy, ftp, mapi, http, ftp-proxy.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. identity index.
wan_in: This field always displays WAN in.
wan_out: This field always displays WAN out.
lan_in: This field always displays LAN in.
lan_out: This field always displays LAN out.
src_int: The name of the interface used by the source.
dst_int: The name of the interface used by the destination.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

9
Message ID: 9
Log Subtype: Web cache
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Web cache traffic log message

Field: Description
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type: The WAN Opt application type: web-cache, tcp, mapi, web-proxy, cifs, ftp, http, ftp-proxy.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
wan_in: This field always displays WAN in.
wan_out: This field always displays WAN out.
lan_in: This field always displays LAN in.
lan_out: This field always displays LAN out.
src_int: The name of the interface used by the source.
dst_int: The name of the interface used by the destination.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

10
Message ID: 10
Log Subtype: explicit-proxy-traffic
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Explicit proxy traffic log message

Field: Description
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
wanopt_app_type: The type of WAN Opt application. This can be any one of the following: web-cache, tfp, mapi, web-proxy, cifs, ftp, http.
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
wan_in: This field always displays WAN in.
wan_out: This field always displays WAN out.
lan_in: This field always displays LAN in.
lan_out: This field always displays LAN out.
src_int: The name of the interface used by the source.
dst_int: The name of the interface used by the destination.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

11
Message ID: 11
Log Subtype: failed-conn
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Failed connection attempts

Field: Description
vd: The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
src_int: The source interface name.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
dst_int: The destination interface name.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
action: The action that was taken by the unit. This can be any one of the following: dns (a DNS lookup), url (a URL connection), ip (an IP connection).
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
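The following is an added example, not part of the Fortinet reference: it parses traffic records using the field names documented above and summarizes denied sessions (status deny) per source. It assumes each record is a line of space-separated key=value pairs with double quotes around values that contain spaces; the sample lines and all function names are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample records. The key=value layout is an assumption; the field
# names and their meanings (status, src, dst_port, proto, policyid, sent, rcvd)
# are the ones documented in the Traffic section above.
SAMPLE_LOG = """\
vd=root status=accept src=10.0.0.5 src_port=51000 dst=192.0.2.10 dst_port=443 proto=6 policyid=3 sent=1200 rcvd=5400
vd=root status=deny src=10.0.0.9 src_port=40001 dst=192.0.2.20 dst_port=22 proto=6 policyid=0 msg="constructed sample"
vd=root status=deny src=10.0.0.9 src_port=40002 dst=192.0.2.20 dst_port=23 proto=6 policyid=0
vd=root status=deny src=10.0.0.9 src_port=40003 dst=192.0.2.20 dst_port=3389 proto=6 policyid=0
vd=root status=deny src=10.0.0.7 src_port=0 dst=192.0.2.30 dst_port=0 proto=1 policyid=4
vd=root status=deny src=10.0.0.7 src_port=0 dst=192.0.2.30 dst_port=0 proto=1 policyid=4
"""

INT_FIELDS = {"src_port", "dst_port", "proto", "policyid", "sent", "rcvd", "duration"}
PORT_PROTOCOLS = {6, 17}  # IANA protocol numbers for TCP and UDP


def parse_record(line):
    """Split one record into a dict, honouring quoted values."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            continue  # ignore anything that is not key=value
        if key in INT_FIELDS and value.isdigit():
            record[key] = int(value)
        else:
            record[key] = value
    return record


def load(text):
    """Parse every non-empty line of a log excerpt."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize_denies(records):
    """Per source: denied sessions, distinct (proto, dst_port), policyid-0 hits."""
    summary = defaultdict(lambda: {"denied": 0, "ports": set(), "auto_policy": 0})
    for rec in records:
        if rec.get("status") != "deny":
            continue
        entry = summary[rec.get("src", "unknown")]
        entry["denied"] += 1
        # dst_port is zero for traffic other than TCP or UDP, so a zero port
        # is not counted as a distinct destination port.
        if rec.get("proto") in PORT_PROTOCOLS and rec.get("dst_port"):
            entry["ports"].add((rec["proto"], rec["dst_port"]))
        # policyid zero marks a policy that the unit added automatically.
        if rec.get("policyid") == 0:
            entry["auto_policy"] += 1
    return dict(summary)


def flag_multi_port_sources(summary, min_ports=3):
    """Sources denied on at least min_ports distinct TCP/UDP destination ports."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    report = summarize_denies(load(SAMPLE_LOG))
    for src in flag_multi_port_sources(report):
        print(src, report[src]["denied"], sorted(report[src]["ports"]))
```

The min_ports threshold is an illustrative value to tune against normal traffic for the site.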

Event-Administration
Event-Administration log messages record what administration users are configuring on the FortiGate unit, and what is occurring on the FortiGate unit. For example, memory storage is becoming full. 32001 32003 32004 32008 32010 32010 32011 32012 32013 32014 32015 32016 32017 32020 32021 32022 32095 32101 32102 32103 32104 32105 32016 32017 32120 32121 32122 32086 32087 32123 32124 32125 32126 32127 32128 32129 32130 32131 32132 32133 32134 32135 32136 32137 32138 32139 32140 32141 32142 32143 32144 32145 32148 32149 32150 32151 32152 32153 32155 32156 32157 32158 32161 32162 32168 32170 32171 32172 32180 32200 32545 32546 32547 32548 32549


32001
Message ID: 32001
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator successfully logged into the FortiGate unit.

Field: Description
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains login.
status: This field always contains success.
reason: The reason for the event. This field is either timeout or exit, depending on the action taken.
profile: The administrator's access profile.
msg: Administrator <admin_name> logged in successfully from <ui(<ip_address>).

32002
Message ID: 32002
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  There is alarm testing occurring.
  The administrator failed to log in.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). Note: If this is an alarm test, this field will contain cli.
action: This field always contains login.
status: This field always contains failed.
reason: The reason for the event. This field always contains test.
profile: The administrator's access profile.
msg: This field contains any one of the following:
  Alarm testing
  Administrator <admin_name> login failed from <ui>


32003
Message ID: 32003
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what the msg field contains, the meaning can be any one of the following:
  An administrator was successfully logged out because of inactivity. The FortiGate unit automatically logged them out.
  An administrator successfully logged out of the user interface.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains logout.
status: This field always contains success.
reason: The reason for the event. This field is either timeout or exit, depending on the action taken.
msg: This field contains any one of the following:
  Administrator <admin_name> timed out from <ui(<ip_address>)>
  Administrator <admin_name> logged out from <ui<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains information.

32004
Message ID: 32004
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The meaning can be one of the following, depending on the msg field:
  Alarm testing is occurring on the FortiGate unit.
  System has entered error-mode.

Fields
action: This field always contains error-mode.
reason: The reason for the trigger. This field can contain self-test if the log message is about alarm testing.
msg: This field contains any one of the following:
  Alarm testing is occurring on the FortiGate unit
  System enters error mode due to <string>


32006
Message ID: 32006
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  The user has entered the specified virtual domain.
  The FortiGate unit's system has started.

Fields
user: The name of the user creating the traffic. In this log message, it is an administrator, or an administrator that has the super_admin profile.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains vdom-switch.
reason: This field always contains none.
msg: This field contains any one of the following:
  User <user_name> has entered the virtual domain <virtual_domain_name>.
  FortiGate started

Message ID: 32006
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit has started.

Fields
msg: Fortigate started.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains information.


32007
Message ID: 32007
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The super admin has left the specified virtual domain.

Fields
user: The name of the user creating the traffic. In this log message, it is an administrator, or an administrator that has the super_admin profile.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains vdom-switch.
reason: This field always contains none.
msg: User <user_name> has left the virtual domain <virtual_domain_name>

Message ID: 32007
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit cannot store the configuration file because the local drive does not have enough space left.

Fields
msg: Cannot store config due to short of flash space: require <number_blocks> blocks, only <number_blocks> free blocks left on flash disk.

32008
Message ID: 32008
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The specified user has viewed the specified log files in memory or on the disk.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
log: The name of the log file.
msg: This field can be any of the following:
  User <user_name> has viewed the memory logs from <ui>.
  User <user_name> has viewed disk logs from <ui>


32010
Message ID: 32010
Log Subtype: Admin
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on the content in the msg field, the meaning can be any one of the following:
  The log roll has reached the maximum number.
  The amount of logs exceeds the disk size and the rolled log file was deleted.
  The log disk has reached a specific percentage point that, once passed, the system will either overwrite the logs or stop logging.
  The log is full.
  The space in memory for logs is full.

Fields
msg: This field contains any of the following:
  Disk has rolled the max number of times, it will not roll logs again until deleting of the old rolled logs
  Disk log exceeds <percentage> of disk size. Deleted rolled log file name <log_name>
  DLP archive is <percentage> full.System will overwrite old DLP archive.
  Log disk is <percentage> full. System will stop logging.
  Log is <percentage> full.
  Memory <percentage> log is <percentage> full.
  Disk logs exceeed full final warning threshold. Deleted rolled log file <file name>
  Disk logs exceed full final warning threshold. Deleted rolled packet directory <directory>
  Disk logs eceeed full final warning threshold. Deleted rolled dlp-archive directory <directory>

Message ID: 32010
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on the content in the msg field, the meaning can be any one of the following:
  The system uploads the oldest log files because the storage is at capacity.
  The system deletes the oldest log files, then uploads another group of log files.
  The system deletes the uploaded log files.

Fields
action: This field always contains delete. This only appears when the system has deleted uploaded logs.
msg: This field contains any of the following:
  <string> is <string> full.System will upload oldest <number> logs.
  <string> is <string> full.System will delete oldest <number> uploaded logs, and upload another oldest <number> un-uploaded logs.
  System deleted logs that are uploaded


32011
Message ID: 32011
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The disk log has rolled.

Fields
action: The action the FortiGate unit took. This field always contains roll-log.
reason: The reason for rolling the log file. This field contains schedule because the log was rolled at a specified date and time that was previously configured.
log: The type of log that was rolled. This field contains all.
msg: Disk log has rolled.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The level of priority. This field always contains notice.
log: This field always contains all.

Message ID: 32011
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The disk log has rolled.

Fields
action: The action the FortiGate unit took. This field always contains roll-log.
reason: The reason for rolling the log file. This field contains file-size.
log: The type of log that was rolled.
msg: Disk log has rolled.

Message ID: 32011
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The disk log has rolled.

Fields
action: The action the FortiGate unit took. This field always contains roll-log.
reason: The reason for rolling the log file. This field contains log-format-change.
log: The type of log that was rolled.
msg: Disk log has rolled.

Message ID: 32011
Log Subtype: Admin
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on the content in the msg field, the meaning can be any one of the following:
  The system's memory is full and that is why the system entered error mode.
  The disk is filled to capacity with log files, and that is why the system entered error mode.
  The system entered error mode but it is unclear as to why.

Fields
action: The action the FortiGate unit took. This field always contains error-mode.
reason: The reason for rolling the log file. This field contains memory-log-full, disklog full or unknown.
msg: This field contains any one of the following:
  CC error: Memory logs are full. System entered error mode.
  CC error: Disk logs are full. System entered error mode.
  CC error: Unknown. System entered error mode.


32012
Message ID: 32012
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate system is exiting out of error mode.

Fields
action: The action the FortiGate unit took. This field always contains exit-errormode.
msg: System existing out of error mode.

Message ID: 32012
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The log disk is almost full, and will resume archiving log data.

Fields
msg: Log disk is under <string> full. System will resume logging content archive data.


32013
Message ID: 32013
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A user has cleared the disk log from either the web-based manager or CLI.

Fields
user: The name of the user creating the traffic.
log: The log identification number.
msg: User <user_name> has cleared disk log from <ui>

Message ID: 32013
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  A user has deleted rolled log files.
  A user cleared all current logs.
  A user has cleared FortiGuard Analysis Service logs from the specified location.
  A user has removed filtered data from memory logs.
  A user cleared logs associated with the FortiGuard Analysis Service.
  A user has removed filtered data from disk logs.
  A user has deleted one rolled log file from either the web-based manager or CLI.
  A user has cleared current logs from the disk.

Fields
user: The name of the user creating the traffic. For this log message, it can be user or administrator.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
period: The period information. This field does not always show in all 32013 log messages.
log: The log identification number.
msg: This field contains any one of the following:
  User <user_name> has deleted rolled <integer> log files from <ui>
  User <user_name> has cleared all current logs <percentage_memory> from <ui>
  User <user_name> has cleared logs (FortiGuard Log) from <ui>
  A user has cleared FortiGuard logs from the specified location.
  User <administrator_name> has cleared logs (FortiGuard Analysis Service) from <ui>
  User <user_name> has removed filtered data from memory logs from <ui>
  User <user_name> has cleared logs (FortiGuard Analysis Service) from <ui>
  User <user_name> has removed filtered data from disk logs from <ui>
  User <user_name> has deleted 1 rolled <rolled_interger> log file (<log_file_name>) from <ui>
  User has deleted 1 rolled <string> log (disk) from <ui>
  User <user_name> has cleared current <string> log (disk) from <ui>
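The following added example (not part of the Fortinet reference) shows one way to triage the admin events described under 32001, 32002 and 32013: repeated failed logins, a successful login that follows them, and log clearing. It assumes records arrive as key=value pairs using the field names listed in this chapter; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed record layout: key=value pairs, values optionally double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Matches the 32013 msg templates ("has cleared/deleted/removed ... log(s)").
LOG_WIPE = re.compile(r'^User .* has (?:cleared|deleted|removed) .*\blogs?\b')

# Constructed sample records (not captured from a real unit).
SAMPLE_LOGS = [
    'ui=cli action=login status=failed reason=test msg="Alarm testing"',
    'user="admin_123" ui=GUI(10.10.20.5) action=login status=success '
    'msg="Administrator admin_123 logged in successfully from GUI(10.10.20.5)"',
    'user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'user="admin" ui=GUI(192.0.2.44) action=login status=success '
    'msg="Administrator admin logged in successfully from GUI(192.0.2.44)"',
    # The first 32013 variant lists only user, log and msg (no ui field).
    'user="admin" msg="User admin has cleared disk log from GUI(192.0.2.44)"',
]


def parse_line(line):
    """Split one key=value record into a dict; quoted values may hold spaces."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in KV.findall(line)}


def source_of(event):
    """Return the address inside ui, e.g. GUI(10.10.20.5) -> 10.10.20.5.

    Falls back to the trailing "from <ui>" of msg when the ui field is absent,
    and returns a bare value such as cli unchanged.
    """
    ui = event.get("ui")
    if ui is None:
        tail = re.search(r'from (\S+)$', event.get("msg", ""))
        ui = tail.group(1) if tail else "unknown"
    inner = re.search(r'\(([^)]+)\)', ui)
    return inner.group(1) if inner else ui


def classify(event):
    """Label one event using the action, status and msg fields."""
    msg = event.get("msg", "")
    # 32002 covers both alarm tests and failed logins; only msg tells them apart.
    if msg == "Alarm testing":
        return "alarm_test"
    if event.get("action") == "login" and event.get("status") == "failed":
        return "login_failed"
    if event.get("action") == "login" and event.get("status") == "success":
        return "login_ok"
    if LOG_WIPE.search(msg):
        return "log_cleared"
    return "other"


def analyze(lines, threshold=3):
    """Return (finding, source, user) tuples in the order they were observed."""
    failures = Counter()
    findings = []
    for line in lines:
        event = parse_line(line)
        kind = classify(event)
        src = source_of(event)
        user = event.get("user", "")
        if kind == "login_failed":
            failures[src] += 1
            if failures[src] == threshold:
                findings.append(("repeated_login_failure", src, user))
        elif kind == "login_ok":
            if failures[src] >= threshold:
                findings.append(("login_after_failures", src, user))
            failures[src] = 0  # a success resets the streak for that source
        elif kind == "log_cleared":
            findings.append(("log_cleared", src, user))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Filtering on action=login and status=failed alone would count alarm tests as failed logins, which is why the msg check runs first.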


32014
Message ID: 32014
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  The FDS support license is expiring.
  The FDS AV license is expiring.
  The FDS IPS license is expiring.
  The FortiGuard customer support license expires in the specified number of days.
  The FortiGuard Antivirus update license will expire in the specified number of days.
  The FortiGuard IPS update license will expire in the specified number of days.
  The FortiGuard web filtering license will expire in the specified number of days.
  The FortiGuard anti-spam license will expire in the specified number of days.
  The FortiGuard Analysis Service license will expire in the specified number of days.
  The FortiGuard Management Service license will expire in the specified number of days.

Fields
msg: This field contains any one of the following:
  FDS support license will expire in <integer> day(s)
  FDS AV license will expire in <integer> day(s)
  FDS IPS license will expire in <integer> day(s)
  FortiGuard customer support license will expire in <value> day(s)
  FortiGuard AV update license will expire in <value> day(s)
  FortiGuard IPS update license will expire in <value> day(s)
  FortiGuard web filtering license will expire in <value> day(s)
  FortiGuard anti-spam license will expire in <value> day(s)
  FortiGuard analysis service license will expire in <value> day(s)
  FortiGuard management service license will expire in <value> day(s)

32015
Message ID: 32015
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Log disk is full.

Fields
msg: Log disk is <percentage> full


32016
Message ID: 32016
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard disk quota is full and the system will either overwrite or stop logging when the quota is used.

Fields
msg: FortiGuard disk quota is <value> use. System will {overwrite | no log} once passed all quota is used.

Message ID: 32016
Log Subtype: Admin
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service disk quota is full and the system will either overwrite or stop logging when the quota is used.

Fields
msg: FortiGuard Analysis Service disk quota is <value> used. System will {overwrite | no log} once passed all quota is used.

Message ID: 32016
Log Subtype: Admin
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service disk quota is full.

Fields
msg: FortiGuard Analysis Service disk quota is <value> used.

Message ID: 32016
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service disk quota is full.

Fields
msg: FortiGuard Analysis Service disk quota is <value> used. System will {overwrite | no log} once the full quota is used.

Message ID: 32016
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit has stopped logging to the FortiGuard Analysis server because of the amount of disk quota that has been used. Logging will resume after an amount of time has passed, in seconds.

Fields
msg: FortiGuard Analysis Service disk quota is <value> used. System stops logging until <seconds> later.

Message ID: 32016
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The user failed to view logs from a specified location.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: This field contains any one of the following:
  User <user_name> failed to access the <log_file_name> logs from <ui>
  User <user_name> failed to access the <log_file_name> logs from <ui>


32017
Message ID: 32017
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  The FortiGuard daily quota is reached.
  The FortiGuard Analysis Service daily quota is full.

Fields
msg: This field contains any one of the following:
  FortiGuard daily quota is reached. System stops logging until <value> sec later.
  FortiGuard Analysis Service daily quota is reached. System stops logging until <seconds> sec later.

32020
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A corrupted MAC packet was detected.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: The action information.
status: The status information.
reason: The reason information.
profile: The name of the profile that was used to detect and take action.
msg: Corrupted MAC packet detected.


32021
Message ID: 32021
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The user disabled the virtual domain root from the web-based manager, CLI or console.

Fields
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <user_name> disabled virtual domain root from <ui ip_address>>

32022
Message ID: 32022
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator enabled a virtual domain.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <admin_name> enabled virtual domain <vd_name> from <ui(<ip_address>)>


32086
Message ID: 32086
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The system has been changed to Transparent mode (LCD) from the LCD interface.

Fields
user: The administrator who is creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.
action: The action that was taken.
status: This field always contains success.
msg: System has been changed to transparent mode LCD via LCD.

32087
Message ID: 32087
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The system has been changed to NAT/Route mode (LCD) from the LCD interface.

Fields
user: The administrator who is creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). Note: In this log message, this field always contains lcd.
action: The action that was taken.
status: This field always contains success.
msg: System has been changed to NAT mode LCD via LCD.


32140
Message ID: 32140
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the operation mode to Transparent.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
field: This field contains mode.
old_value: The mode that the FortiGate unit was previously in. This field contains either NAT or TP, depending on what mode the FortiGate unit was previously in.
new_value: The mode that the FortiGate unit is now in. This field contains either NAT or TP, depending on what mode the FortiGate unit was changed to.
msg: User <administrator_name> changed to TP opmode from <ui>(<ip_address>

Message ID: 32140
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the global settings on the FortiGate unit, allowing virtual domain configuration.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: The status of the virtual domain feature. This field always contains enable.
field: This field always contains virtual-domain.
msg: User <admin_name> changed global settings from <ui(<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.


32141
Message ID: 32141
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The specified interface received a new DHCP lease address.

Fields
msg: interface <interface_name> gets a DHCP lease, ip:<ip_address>, mask:<netmask>, gateway:<gateway_ip>, lease expires:<day_of_week> <month> <date> <hh:mm:ss:> <yyyy>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field is always information.
id: The identification number.

32095
Message ID: 32095
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The specified administrator has performed a specified action on the FortiGate unit.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: The type of action that the FortiGate unit took. This field contains any one of the following:
  reboot
  reload
  factory_reset
  upgrade (upgrade the firmware)
  download (all types of configuration files)
  clear_mlog (clear all log in memory buffer)
  update (virus or IPS signatures)
  del_session (delete session)
  shutdown
  backup
  restore (all types of configuration files)
  switch_mode
  upload
  del_log (delete log)
  downgrade (downgrade the firmware)
  bootup
status: This field contains either success or failure.
msg: <action_type OR file_name> by user <administrator_name> via <ui>
  Note: The beginning of the sentence depends on what type of action was taken, and if a file was downloaded or not.

Message ID: 32095
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A user has downloaded a log file from the firewall from within the web-based manager.

Fields
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). Note: In this log message, the location is the web-based manager.
action: The type of action that the FortiGate unit took. This field contains any one of the following:
  reboot
  reload
  factory_reset
  upgrade (upgrade the firmware)
  download (all types of configuration files)
  clear_mlog (clear all log in memory buffer)
  update (virus or IPS signatures)
  del_session (delete session)
  shutdown
  backup
  restore (all types of configuration files)
  switch_mode
  upload
  del_log (delete log)
  downgrade (downgrade the firmware)
  bootup
status: This field contains either success or failure.
hash: The hash information.
file: The name of the log file.
msg: <action_type OR file_name> by user <administrator_name> via <ui>


32101
Message ID: 32101
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new access profile.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
profile: The name of the administration access profile that was created.
msg: User <administrator_name> added new access profile <string> from {GUI | CLI | console}
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.

Message ID: 32101
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the configuration from the LCD interface.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: <administrator_name> by <ui>


32102
Message ID: 32102
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a local certificate, and it is being generated.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <admin_name> made a change via <ui(<ip_address>)>: VPN local certificate <cert_name> has been generated.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains information.
module: This field always contains VPN.
submodule: This field always contains cert-local.

Message ID: 32102
Log Subtype: Admin
Severity: (Variable): can be any severity level
Firmware version: FortiOS 4.0 MR3
Meaning: A user has changed the configuration.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
module: The module information.
submodule: The submodule information.
msg: User <admin_name> made a change from <ui>

Message ID: 32102
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A new firmware image is available from FortiGuard.

Fields
user: This field always contains system.
action: The action that was taken. This field always contains firmware.
status: The status of the firmware. This field always contains new.
msg: New firmware is available from FortiGuard.

Message ID: 32102
Log Subtype: Admin
Severity: (Variable): can be any severity level
Firmware version: FortiOS 4.0 MR3
Meaning: A user has changed the configuration for a specific submodule from a specific location.

Fields
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
module: The module information.
submodule: The submodule information.
msg: User <admin_name> made a change via <ui>: <ip_address>


32103
Message ID: 32103
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user deleted an access profile.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  profile: The name of the access profile.
  msg: User <administrator_name> deleted an access profile <profile_name> from <string>

32104
Message ID: 32104
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator has failed to update the FortiGate unit.

Fields:
  admin: The name of the administrator creating the traffic.
  msg: FortiGate <string> failed

32105
Message ID: 32105
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
    An administrator has updated the databases and engines successfully.
    An administrator has updated the AV database successfully.
    An administrator has updated the IDS database successfully.

Fields:
  admin: The name of the administrator creating the traffic.
  status: This field always contains update.
  virdb: This field always contains yes.
  msg: This field contains any one of the following:
    Fortigate <string> virdb(<value>) idsdb(<value>) aven(<value>) idsen(<value>) from <string>
    Fortigate updated virdb (<value>)
    Fortigate updated idsdb (<value>)


32120
Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a UTM profile.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that occurred. In this log message, this field can contain add.
  msg: Administrator <admin_name> added an <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)>. Note: The UTM profile type can be a sensor, such as DLP or IPS.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  cmdb_obj: The type of profile that was used. For example, antivirus.profile.
  name: The name of the profile that was used. For example, av_1.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator edited the settings of another administrator.

Fields:
  user: The name of the administrator who is creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the administrator whose settings were modified within their account.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an admin user.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> added an admin user <admin_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the administrator who was added.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new interface.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> added a new interface <interface_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  intf: The name of the new interface. For example, interface_1.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator modified the settings within another administrator's account.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: Administrator <admin_name> edited the settings of administrator <admin_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the administrator who had their settings modified by another administrator.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator modified the settings within another administrator's account.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> added a user group <user_group_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the new user group.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new Directory Server (FSAE) entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> added a Directory Server (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the new FSAE entry.
  server: The FSAE's IP address.

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new report dataset.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report dataset.
  msg: User <admin_name> added a report dataset <dataset_name> from <ui>

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new report chart widget.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report chart.
  msg: User <admin_user> added a report chart widget <chart_name> from <ui>

Message ID: 32120
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a report summary entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report summary entry that was added.
  msg: User <admin_name> added a report summary entry <summary_entry> from <ui>


32121
Message ID: 32121
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator modified settings within a UTM profile.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that occurred. This field always contains modify.
  msg: Administrator <admin_name> changed a <utm_profile_type> <utm_profile_name> from <ui(<ip_address>)> Note: The UTM profile can be a sensor, such as DLP or IPS.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field is always notice.
  cmdb_obj: The type of profile that was used. For example, antivirus.profile.
  name: The name of the profile that was used. For example, av_1.

Message ID: 32121
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the interface setting.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  intf: The name of the interface of the originating traffic.
  field: This field contains either status or mtu.
  old: This field contains either up or down.
  new: This field contains either up or down.
  msg: This field contains any one of the following:
    User <administrator_name> changed the status of interface {internal | external | dmz | <other>...} from <ui>
    User <administrator_name> changed the mtu setting of interface <interface_name> from <ui>
    User <administrator_name> changed the ip setting of the interface <interface_name> from <ui>


32122
Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted the specified interface.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <administrator_name> deleted interface <interface_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  intf: The name of the interface that was removed.

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted the specified interface.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the administrator who was deleted.
  msg: User <administrator_name> deleted an admin user <user_name> from <ui>

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator deleted another administrator's account.

Fields:
  user: The administrator who is creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> deleted user <admin_user> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the administrator who was deleted by another administrator.

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted an IPsec manualkey.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the manual key that was deleted by the administrator.
  remote-gw: The IP address of the remote gateway.
  msg: User <administrator_name> deleted an ipsec manualkey <manualkey_name> from <ui>

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted an FSAE entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <administrator_name> deleted a Directory Service (FSAE) entry <fsae_entry_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the entry that was removed from the list.
  server: The removed FSAE's IP address.

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
    An administrator deleted a CA certificate.
    An administrator has removed all CA certificates.
    An administrator deleted a local certificate.
    An administrator deleted all local certificates.
    An administrator deleted a CRL certificate.
    An administrator deleted all CRLs.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the administrator who deleted or removed the certificate.
  msg: This field contains any one of the following:
    User <administrator_name> removed a CA certificate <certificate_name> from <ui>
    User <administrator_name> removed all CA certificates from <ui>
    User <administrator_name> deleted a local certificate <certificate_name> from <ui>
    User <administrator_name> removed all local certificates from <ui>
    User <administrator_name> removed a CRL certificate <certificate_name> from <ui>
    User <administrator_name> removed all CRL certificates from <ui>

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a dataset.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report dataset.
  msg: User <admin_name> delete a report dataset <dataset_name> from <ui>

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a chart widget.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report chart widget.
  msg: User <admin_name> delete a report chart widget <chart_name> from <ui>

Message ID: 32122
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a chart widget.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the report summary entry.
  msg: User <admin_name> delete a report summary entry <summary_entry> from <ui>
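Message IDs 32120 and 32122 each cover many different changes, so a detection rule has to match the msg text as well as the ID. The following Python sketch is an added example, not part of the Fortinet reference; the key=value line layout, the `log_id` field name, the `console` ui value, the management subnet and every sample line are constructed assumptions.

```python
import ipaddress
import re

# key=value pairs; values may be bare or double-quoted (assumed line layout).
KV_RE = re.compile(r'([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
# ui values of the form GUI(10.10.20.5), as described for the ui field.
UI_RE = re.compile(r'^(?P<via>[^()]+)\((?P<ip>[^()]+)\)$')

# msg templates taken from the 32120 and 32122 entries above (a subset).
TEMPLATES = {
    "32120": [
        ("admin_added", r"added an admin user (?P<target>\S+) from "),
        ("admin_edited", r"edited the settings of administrator (?P<target>\S+) from "),
        ("interface_added", r"added a new interface (?P<target>\S+) from "),
        ("user_group_added", r"added a user group (?P<target>\S+) from "),
        ("utm_profile_added", r"^Administrator \S+ added an? \S+ (?P<target>\S+) from "),
    ],
    "32122": [
        ("admin_deleted", r"deleted an admin user (?P<target>\S+) from "),
        ("admin_deleted", r"deleted user (?P<target>\S+) from "),
        ("interface_deleted", r"deleted interface (?P<target>\S+) from "),
        ("all_certs_removed", r"removed all (?P<target>CA|local|CRL) certificates from "),
        ("cert_removed", r"(?:removed|deleted) a (?:CA|local|CRL) certificate (?P<target>\S+) from "),
    ],
}
# Changes to administrator accounts and trust anchors are always reviewed.
SENSITIVE = {"admin_added", "admin_edited", "admin_deleted",
             "all_certs_removed", "cert_removed"}
# Assumed management subnet (hypothetical; set to your own admin network).
MGMT_NETS = [ipaddress.ip_network("10.10.20.0/24")]


def parse_kv(line):
    """Split one log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def split_ui(ui):
    """Return (access method, source IP or None) from a ui value."""
    m = UI_RE.match(ui)
    return (m["via"], m["ip"]) if m else (ui, None)


def in_mgmt(ip):
    """True when the source address is inside an allowed management net."""
    if ip is None:          # assumption: no address means local access
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # malformed address: treat as outside
        return False
    return any(addr in net for net in MGMT_NETS)


def classify(line):
    """Map a log line to a change category using message ID plus msg text."""
    rec = parse_kv(line)
    msg = rec.get("msg", "")
    # Lines with no matching template stay visible as "unclassified".
    category, target = "unclassified", rec.get("name")
    for cat, pattern in TEMPLATES.get(rec.get("log_id"), []):
        m = re.search(pattern, msg)
        if m:
            category, target = cat, m["target"]
            break
    via, ip = split_ui(rec.get("ui", ""))
    return {"id": rec.get("log_id"), "category": category,
            "actor": rec.get("user"), "target": target,
            "via": via, "src_ip": ip,
            "sensitive": category in SENSITIVE,
            "outside_mgmt": not in_mgmt(ip)}


def review(lines):
    """Return the events that are sensitive or come from outside MGMT_NETS."""
    events = [classify(line) for line in lines]
    return [e for e in events if e["sensitive"] or e["outside_mgmt"]]


# Constructed sample lines (not captured from a device).
SAMPLE_LINES = [
    'log_id=32120 pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'name="ops_2" msg="User admin_123 added an admin user ops_2 from GUI(10.10.20.5)"',
    'log_id=32120 pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) action=add '
    'cmdb_obj=antivirus.profile name="av_1" '
    'msg="Administrator admin_123 added an antivirus.profile av_1 from GUI(10.10.20.5)."',
    'log_id=32122 pri=notice vd=root user="ops_2" ui=GUI(192.0.2.44) '
    'msg="User ops_2 removed all CA certificates from GUI(192.0.2.44)"',
    'log_id=32122 pri=notice vd=root user="ops_2" ui=GUI(192.0.2.44) '
    'name="admin_123" msg="User ops_2 deleted user admin_123 from GUI(192.0.2.44)"',
    'log_id=32120 pri=notice vd=root user="ops_2" ui=console name="ds_1" '
    'msg="User ops_2 added a report dataset ds_1 from console"',
]

if __name__ == "__main__":
    for event in review(SAMPLE_LINES):
        print(event)
```

The template table covers only some of the 32120 and 32122 entries; the remaining msg forms listed above can be added the same way.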


32123
Message ID: 32123
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added the specified static route entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the route entry. This field contains up.
  msg: User <administrator_name> added new static routing entry <seq_number> from <ui(<ip_address>)>
  dst: The destination IP address.
  seq: The number that describes where the entry is in the static route entry table.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  device: The interface that will be using the static route.
  distance: The distance number.
  priority: The priority number.
  flags: The flags information.


32124
Message ID: 32124
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator made the specified changes to the static route entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  seq: The sequence number, or the position of that entry within the list.
  old_device: The previous interface.
  old_distance: The previous hops number.
  old_priority: The previous administrative priority.
  old_dst: The previous destination IP address.
  old_status: The previous status. This field contains either up or down.
  old_flags: The previous flag string.
  new_device: The new interface.
  new_distance: The new hops number.
  new_priority: The new administrative priority.
  new_dst: The new destination IP address.
  new_status: The new status. This field contains either up or down.
  new_flags: The new flag information.
  msg: User <administrator_name> changed the setting of a new static routing entry from <ui>


32125
Message ID: 32125
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted the specified static route entry.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  seq: The NAT identification number. For example, the first entry in the table is 1, so this field displays 1.
  device: The interface.
  distance: The hops number information.
  priority: The administrative priority.
  dst: The destination IP address.
  status: The status. This field contains either up or down.
  flags: The flag information.
  msg: User <administrator_name> deleted a static routing entry from <ui>

32126
Message ID: 32126
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator added a firewall policy.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <administrator_name> added <iptype> firewall central-nat policy <nat_id_number> from <ui(<ip_address>)>.
  seq: The NAT identification number. For example, the first entry in the table is 1, so this field displays 1.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  orig-addr: The original source IP address.
  nat-ippool: The name of the translated IP pool that was applied to the entry.
  orig-port: The original source port number.
  nat-port: The translated port number range.


32127
Message ID: 32127
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator modified a firewall policy.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> changed IPv4 firewall policy <policy_id_number> from <ui(<ip_address>)>.
  seq: The firewall policy identification number.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field is always notice.
  sintf: The name of the source interface or zone applied to the firewall policy.
  dstintf: The name of the destination interface or zone applied to the firewall policy.
  saddr: The firewall policy's selected source address. For example, if you selected all, then all appears in this field.
  daddr: The firewall policy's selected destination address. For example, if you selected all, then all appears in this field.
  act: The type of action applied to the firewall policy. For example, ACCEPT.
  nat: This field contains either no or yes.
  iptype: The type of IP address. This can be ipv4 or ipv6, depending on whether you have configured IPv4 addresses or IPv6 addresses.
  schd: The type of firewall schedule that was selected for that firewall policy.
  srv: The type of firewall service applied to the firewall policy. For example, ANY.


32128
Message ID: 32128
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a firewall policy.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  seq: The firewall policy identification number.
  sintf: The name of the source interface.
  dintf: The name of the destination interface.
  saddr: The source IP address.
  daddr: The destination IP address.
  schd: The name of the schedule.
  srv: The network service.
  act: The type of action applied to the firewall policy. For example, ACCEPT.
  nat: This field contains either no or yes.
  log: The log identification number.
  iptype: The type of IP address, such as IPv6. This field always contains ipv6.
  msg: User <administrator_name> deleted a firewall policy from <ui>


32129
Message ID: 32129
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a local user.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the local user. This field always contains enable.
  msg: User <admin_name> added local user <user_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the new local user.

32130
Message ID: 32130
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.

Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  name: The name of the new local administrator.
  old_status: The old_status information.
  new_status: The new_status information.
  passwd: The password information.
  msg: User <administrator_name> changed a local users setting from <ui>


32131
Message ID: 32131
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new local administrator. The administrator changed the specified settings for a local administrator.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the new administrator.
status: This field contains either enable or disable.
msg: User <administrator_name> deleted a local user <administrator_name> deleted a local user from <ui>

32132
Message ID: 32132
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a RADIUS server.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <admin_name> added radius server <radius_name> from <ui(<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.
name: The name of the new RADIUS server.
server: The RADIUS server's IP address.

Message ID: 32132
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a TACACS+ server.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <admin_name> added TACACS+ server <tacacs+_name> from <ui(<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.
name: The name of the new TACACS+ server.
server: The TACACS+ server's IP address.


32133
Message ID: 32133
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator made the specified changes to the RADIUS server entry.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the administrator.
old_server: The previous server's IP address.
new_server: The new server's IP address.
secret: The server's encrypted password.
msg: User <administrator_name> changed a radius server <radius_server_name> setting from <ui>

32134
Message ID: 32134
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted the RADIUS server from the server list.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the administrator.
server: The server's IP address.
msg: User <administrator_name> deleted a radius server <radius_server_name> from <ui>


32135
Message ID: 32135
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a new LDAP server to the list.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User <admin_name> added ldap server <ldap_name> from <ui(<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.
name: The name of the new LDAP server.
server: The LDAP server's IP address.

32136
Message ID: 32136
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator made the specified changes to an LDAP server entry.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the administrator.
old_server: The previous server's IP address.
old_port: The previous server's port number.
old_cn: The previous CN value.
old_dn: The previous DN value.
new_server: The new server's IP address.
new_port: The new server's port number.
new_cn: The new CN value.
new_dn: The new DN value.
msg: User <administrator_name> changed an ldap server <ldap_server_name> setting from <ui>


32137
Message ID: 32137
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted the LDAP server from the list.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the administrator.
server: The server's IP address.
msg: User <administrator_name> deleted an ldap user from <ui>

Message ID: 32137
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IM/P2P user was deleted.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name of the administrator.
policy: The firewall policy identification number.
msg: User <user_name> deleted im/p2p <im/p2puser_name> user <user_name> from <ui>


32138
Message ID: 32138
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator either rebooted or shut down the FortiGate unit.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field is either reboot or shutdown.
msg: User <administrator_name> rebooted the device from <ui>. The reason is <reason>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

32139
Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator reset the FortiGate unit to its default settings.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains factory-reset.
msg: User <administrator_name> reset to the factory settings from <ui>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator or user formatted the log disk on the FortiGate unit.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains format-disk.
msg: User <administrator_name> formatted the log disk from <ui>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator restored a firmware image.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- restore-image
- restore-all-configuration
- restore-configuration
msg: User <administrator_name> restored the image from <ui(<ip_address> -> <ip_address>)
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
- The auto-install restored the configuration using the USB key.
- The auto-install restored the firmware image using the USB key.

Fields:
user: The name of the administrator creating the traffic. In this log message, this field always contains auto-install. This means that the FortiGate unit automatically installed the image itself.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). In this log message, this field always contains usb.
action: This field always contains restore-image.
msg: This field contains any one of the following:
- User auto-install restored the configuration from usb (<ip_address>)
- User auto-install restored the image from usb (<ip_address> -> <ip_address>)
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator has updated either the virus engine and/or the IDS database.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains update.
msg: This field contains any one of the following:
- User <administrator_name> requested a virus and IDS engine/definitions update from <ui>
- User <administrator_name> requested an IDS engine/definitions update from <ui>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
- The system encountered an error when trying to restore an image from the FortiGuard Analysis and Management Service.
- The system restored an image from the FortiGuard Analysis and Management Service.
- The system restored a template from the management station.
- The system failed to load a configuration file from the management station.

Fields:
user: The name of the administrator creating the traffic. In this log message, this field contains system.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- restore-image
- restore-configuration
- restore-template
msg: This field contains any one of the following:
- System loaded an image from FortiGate Management, the new image has an invalid CC signature.
- System restored the image from FortiGuard Management (<ip_address> -> <ip_address>)
- System restored configuration template <template_name> from management station.
- System failed to restore configuration from management station.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
- The administrator loaded an image with a valid RSA signature from a FortiManager unit, which includes a new public key.
- The administrator loaded a firmware image from a FortiManager unit and that image has an invalid or no RSA signature.
- The administrator loaded an image with a valid RSA signature from a FortiManager unit.
- The administrator updated the firmware image from a FortiManager unit.

Fields:
user: The name of the administrator creating the traffic. In this log message, this field contains system.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field always contains update-image.
msg: This field contains any one of the following:
- User <user_name> loaded an image from FortiManager, the new image does have a valid RSA signature with new public key.
- User <user_name> loaded an image from FortiManager, the new image has an invalid RSA signature.
- User <user_name> loaded an image from FortiManager, the new image does have a valid signature.
- User <user_name> loaded an image from FortiManager, the new image does not have a valid RSA signature.
- User <user_name> updated the image from FortiManager (<ip_address> -> <Ip_address>)
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator loaded a diagnostic application.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains loaded-diag-app.
msg: User <administrator_name> loaded a diagnostic application from <ui> with serial number <serial_number>. The executable result= <string>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
- The system loaded an image that contains an invalid RSA signature.
- The administrator uploaded an image with an invalid RSA signature.
- The administrator uploaded an image with a valid RSA signature and new public key.
- The administrator uploaded an image with a valid RSA signature.
- The administrator uploaded an image that does not have a valid RSA signature.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains loaded-image.
msg: This field contains any one of the following:
- System loaded an image from FortiGuard Management, the new image has an invalid RSA signature
- User <administrator_name> loaded an image from <ui>, the new image has an invalid signature.
- User <administrator_name> loaded an image from <ui>, the new image does have a valid RSA signature with a new public key.
- User <administrator_name> loaded an image from <ui>, the new image does have a valid RSA signature.
- User <administrator_name> loaded an image from <ui>, the new image does not have a valid RSA signature.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.


Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
- The administrator restored a FortiClient firmware image.
- The administrator updated the firmware.
- The administrator restored a firmware image.
- The administrator successfully restored the configuration file.
- The administrator failed to restore the configuration file.
- The administrator restored a complete configuration.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- restore-forticlient
- restore-image
- restore-all-configuration
- update
- restore-configuration
msg: This field contains any one of the following:
- User <administrator_name> restored the image <image_name> from <ui>
- User <administrator_name> updated the firmware from <ui>
- User <administrator_name> restored image from <ui>(<ip_address> -> <ip_address>)>
- User <administrator_name> restored the configuration from <ui>
- User <administrator_name> failed to restored the configuration from <ui>
- User <administrator_name> restored all the configuration from <ui>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator either loaded a firmware image that does not support CC mode or the image has an invalid CC signature.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains either loaded-image or update-image.
msg: This field contains any one of the following:
- User <administrator_name> loaded the image from <ui> the new image does not support CC mode.
- User <administrator_name> loaded an image from <ui>, the new image has an invalid CC signature.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator imported a certificate.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains import-certificate.
msg: User <administrator_name> imported the certificate from <ui>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains critical.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator loaded a firmware image from a FortiManager unit and that image has an invalid RSA signature.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5). Note: For this log message, the location is FortiManager.
action: This field always contains update-image.
msg: User <user_name> loaded an image from FortiManager, the new image has an invalid RSA signature.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
- The system uploaded a firmware image from the FortiGuard Analysis and Management Service, however, the image has an invalid CC signature.
- The system uploaded a firmware image from the FortiGuard Analysis and Management Service, however, the image has an invalid RSA signature.
- The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image has a valid RSA signature with new public key.
- The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image has a valid RSA signature.
- The system uploaded a firmware image from the FortiGuard Analysis and Management Service, and the image does not have a valid RSA signature.
- The system restored a firmware image from FortiGuard Analysis and Management Service.

Fields:
user: The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- restore-image
- loaded-image
msg: This field contains any one of the following:
- System loaded an image from FortiGuard Management, the new image has an invalid CC signature.
- System loaded an image from FortiGuard Management, the new image has an invalid RSAsignature.
- System loaded an image from FortiGuard Management, the new image does have a valid RSA signature with new public key.
- System loaded an image from FortiGuard Management, the new image does have a valid RSA signature.
- System loaded an image from FortiGuard Management, the new image does not have a valid RSA signature.
- System restored the image from FortiGuard Management (<firmware_build> -> <firmware_build>)

Message ID: 32139
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
- The system restored the specified script.
- The system restored a configuration file from the management station.
- The system failed to restore a configuration file from the management station.
- The system failed to upgrade a firmware image.
- The system failed to restore a firmware image from the management station.

Fields:
user: The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- restore-script
- restore-<string>
- restore-cfg
- update-image
msg: This field contains any one of the following:
- System restored script <script_name> from management station.
- System restored <string> file <string> from management station.
- System failed to restore <string> file <string> from management station.
- User <user_name> loaded an image from <ui>, System upgrade failed due to failed operation file.
- System failed to restore <string> file <string> from management station.

Message ID: 32139
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
- The administrator formatted the RAID disk.
- The administrator enabled the RAID disk.
- The administrator disabled the RAID disk.

Fields:
user: The name of the administrator creating the traffic. For this log message, the user is the FortiGate system, or system.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field contains any one of the following:
- format-rebuild-level
- enable-raid
- disable-raid
msg: This field contains any one of the following:
- User <user-name> formatted the RAID disk from <ui>
- User <user_name> enabled RAID from <ui>
- User <user_name> disabled RAID from <ui>
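The firmware-image events under message ID 32139 share the same action values and differ only in the wording of msg, so triage has to key on that wording. The Python sketch below is an added example, not Fortinet code: it assumes events arrive as key=value lines (the sample lines are constructed), and flagging a valid signature that comes with a new public key for review is this example's choice, not something the reference prescribes.

```python
import re

# Constructed sample events. Assumption: each event is one line of
# space-separated key=value pairs, with double quotes around values that
# contain spaces. Field names (user, ui, action, msg, vd, pri) and the msg
# wording follow the message ID 32139 entries in this reference.
SAMPLE_LOGS = [
    'pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin_123 loaded an image from GUI(10.10.20.5), '
    'the new image has an invalid RSA signature."',
    'pri=critical vd=root user="system" ui=FortiManager action=update-image '
    'msg="User system loaded an image from FortiManager, '
    'the new image does have a valid RSA signature with new public key."',
    'pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin_123 loaded an image from GUI(10.10.20.5), '
    'the new image does have a valid RSA signature."',
    'pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) action=loaded-image '
    'msg="User admin_123 loaded an image from GUI(10.10.20.5), '
    'the new image does not have a valid RSA signature."',
    'pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) action=reboot '
    'msg="User admin_123 rebooted the device from GUI(10.10.20.5). The reason is test"',
]

PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r'^(?P<method>[^()]+)\((?P<addr>[^()]*)\)$')

# action values the reference lists for firmware image handling
IMAGE_ACTIONS = {"loaded-image", "update-image", "restore-image"}

# Order matters: the negative phrasings are tested first because
# "does not have a valid RSA signature" contains "valid RSA signature".
# The first pattern also accepts the "invalid RSAsignature" spelling that
# appears in one of the documented msg strings.
VERDICT_RULES = [
    ("unverified", re.compile(
        r"invalid\s+(RSA\s*|CC\s+)?signature"
        r"|does not have a valid"
        r"|does not support CC mode", re.I)),
    ("valid-new-key", re.compile(
        r"valid (RSA )?signature with (a )?new public key", re.I)),
    ("valid", re.compile(r"does have a valid (RSA )?signature", re.I)),
]


def parse_event(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    event = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        event[key] = value
    return event


def parse_ui(ui):
    """Split a point-of-entry such as GUI(10.10.20.5) into (method, address)."""
    if not ui:
        return None, None
    match = UI_RE.match(ui)
    if match:
        return match.group("method"), match.group("addr")
    return ui, None  # e.g. usb or FortiManager, which carry no address


def classify_image_event(event):
    """Return a signature verdict for image events, None for anything else."""
    if event.get("action") not in IMAGE_ACTIONS:
        return None
    msg = event.get("msg", "")
    for verdict, pattern in VERDICT_RULES:
        if pattern.search(msg):
            return verdict
    return "no-signature-info"


def triage(lines):
    """List image events whose signature failed or introduced a new key."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify_image_event(event)
        if verdict in ("unverified", "valid-new-key"):
            method, addr = parse_ui(event.get("ui"))
            findings.append({
                "user": event.get("user"),
                "method": method,
                "addr": addr,
                "action": event["action"],
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```
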

32140
Message ID: 32140
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed a global setting.

Fields:
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
field: The type of field within the Administration Settings page that was changed. For example, if you changed the idle timeout, located in Timeout Settings, this field would contain timeout. This field contains any one of the following:
- mode
- hostname
- timeout
- virtual-domain
- ip-overlap
- detection-interval
old_value: The previous setting for the type of field before it was changed. For example, if you changed the idle timeout from the default time, 5m would appear in this field.
new_value: The new setting for the type of field that was changed.
msg: User <administrator_name> changed <field_type> global setting to <new_value> from <ui>.

Message ID: 32140
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the user authentication settings.

Fields:
user: The name of the administrator creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
field: The type of action that was taken. This field always contains authtimeout.
old_value: The previous timeout period within the authentication settings.
new_value: The new timeout period within the authentication settings.
msg: User <admin_name> changed auth-timeout user setting to <new_value> from <ui(<ip_address>)>
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
pri: The priority level. This field always contains notice.

32141

Message ID: 32141
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The specified interface has received a new DHCP address. The address expires at the specified time.
Fields:
  id: The identification number.
  msg: interface <interface_name> gets a DHCP lease, ip:<ip_address>, mask:<netmask>, gateway:<gateway_address>, lease expires:<name_day><name_month> <date> <hh:mm:ss> <yyyy>

32142

Message ID: 32142
Log Subtype: Admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  - The administrator backed up the current configuration to a file.
  - The administrator backed up the specified file.
  - The administrator failed to back up the specified file.
  - The administrator backed up all the logs.
  - A configuration file was automatically backed up to the management station successfully.
  - The administrator failed to back up all log files.
  - The system backed up the configuration file to the FortiGuard Analysis and Management Service, per a request from the FortiGuard Analysis and Management Service portal.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that was taken by the administrator. This field always contains backup.
  reason: The reason for the trigger. For this log message, the service portal of the FortiGuard Analysis and Management Services was used.
  msg: This field contains any one of the following:
    - User <administrator_name> backed up the configuration from <ui>
    - User <administrator_name> backed up <file_name> log from <ui>
    - User <administrator_name> failed to backup <file_name> log from <ui>
    - User <administrator_name> backed up all the logs from <ui>
    - Automatic configuration backup to Management Station succeeded
    - User <administrator_name> failed to back up all the logs from <ui>
    - System backed up configuration to Management Station per service portal request.

Message ID: 32142
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  - The administrator backed up a standardized error output by SCP.
  - The administrator backed up a batch of mode commands by SCP.
  - The administrator failed to update the antivirus package by SCP.
  - The administrator successfully updated the antivirus package by SCP.
  - The administrator successfully updated the IPS package by SCP.
  - The administrator failed to update the IPS package by SCP.
  - The administrator failed to update the DLP fingerprint database by SCP.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5). Note: For this log message, location is FortiManager or the FortiManager unit.
  action: The type of action that was taken by the administrator. This field contains either update or backup.
  msg: This field contains any one of the following:
    - User <user_name> backed up the result of batch mode commands by SCP.
    - User <user_name> backed up the result of batch mode commands by SCP.
    - User <user_name> failed to update AV package by SCP.
    - User <user_name> updated AV package by SCP.
    - User <user_name> failed to update IPS package by SCP.
    - User <user_name> updated IPS package by SCP.
    - User <user_name> failed to update DLP fingerprint database by SCP.

Message ID: 32142
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a configuration revision from the database.
Fields:
  action: The type of action that was taken by the administrator. This field always contains delete.
  status: This field always contains success.
  msg: <configuration_revision_name> has been deleted from revision database.

Message ID: 32142
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  - The administrator backed up a configuration file to the management station.
  - The administrator deleted a configuration file from the local hard disk.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that was taken by the administrator. This field is either backup or delete.
  status: This field always contains success.
  msg: This field contains any one of the following:
    - User <user_name> backed up the configuration from <ui> to management station.
    - User <user_name> delete the <string> from <string> from flash disk.


32143

Message ID: 32143
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator loaded the wrong image type.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that was taken by the administrator. This field always contains loaded-image.
  msg: User <administrator_name> loaded a wrong image from <ui>

Message ID: 32143
Log Subtype: Admin
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the policy routing entry.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <administrator_name> changed policy routing entry <incoming_interface> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  old_iff: The previous incoming interface.
  new_iff: The new incoming interface.


32144

Message ID: 32144
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator added a policy routing entry.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> added policy routing entry <outgoing_interface_name> from <ui(<ip_address>)>
  src: The source IP address.
  dst: The destination IP address.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  iff: The if interface. In the policy routing entry, you must specify the interface if.
  ipproto: The IP protocol number.
  ports: The destination port range. For example, ports 1-65535.
  off: The outgoing interface. This is the interface that was chosen in the section Force traffic to: on the New Routing Policy page.
  gw: The gateway IP address.


32145

Message ID: 32145
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator deleted a policy routing entry.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  iff: The name of the incoming interface.
  src: The source IP address.
  dst: The destination IP address.
  proto: The name of the protocol.
  ports: The range of port numbers.
  off: The outgoing interface.
  gw: The gateway IP address.
  msg: User <administrator_name> deleted a policy routing entry

Message ID: 32145
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Found a new neighbor.
Fields:
  msg: Found a new connection to <connection_name> (<connection_ip>)

Message ID: 32145
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Lost a neighbor.
Fields:
  msg: Found a new connection to <connection_name> (<connection_ip>)


32148

Message ID: 32148
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator requested a CRL update.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that was taken. This field is always crl-update.
  crl: The name of the CRL.
  msg: User <administrator_name> requested a CRL update from <ui>

Message ID: 32148
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified administrator changed a configuration.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action the administrator took.
  obj: The object information.
  entry: The entry information.
  msg: Administrator <administrator_name> of <location> from {GUI CLI}


32149

Message ID: 32149
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A command failure occurred.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  ret: The ret value information.
  msg: Command failed: <value>. Return code <value>

32150

Message ID: 32150
Log Subtype: Admin
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator changed the password of another administrator.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The action that was taken by the user. This field always contains password-changed.
  field: This field always contains password.
  msg: Admin user <admin_name> changed password of admin user <admin_user>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains warning.
  admin-user: The name of the administrator who had their password changed.
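
Added example (not part of the Fortinet reference): a Python triage pass over administration event logs that uses the user, ui, field, old_value, new_value, msg and admin-user fields documented above for message IDs 32140, 32142 and 32150. The key=value line layout, a log_id key whose last five digits are the message ID, the sample lines and the management subnet are assumptions made for this illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed management subnet; replace with the networks administrators log in from.
MGMT_NETS = [ip_network("10.10.20.0/24")]

# Message IDs and meanings taken from the reference entries above.
WATCHED = {
    "32140": "user authentication timeout changed",
    "32142": "configuration or log backup, package update, or revision delete",
    "32150": "administrator changed the password of another administrator",
}

# Constructed sample lines (not captured from a device). The line layout and
# the log_id key are assumptions; the other field names come from the reference.
SAMPLE_LOGS = [
    'date=2011-11-21 time=09:14:02 log_id=0104032150 type=event subtype=admin '
    'pri=warning vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'action=password-changed field=password admin-user="ops_1" '
    'msg="Admin user admin_123 changed password of admin user ops_1"',
    'date=2011-11-21 time=09:20:41 log_id=0104032140 type=event subtype=admin '
    'pri=notice vd=root user="admin_123" ui=GUI(203.0.113.9) field=authtimeout '
    'old_value=5 new_value=480 '
    'msg="User admin_123 changed auth-timeout user setting to 480 from GUI(203.0.113.9)"',
    'date=2011-11-21 time=09:31:10 log_id=0104032142 type=event subtype=admin '
    'pri=information vd=root user="admin_123" ui=GUI(10.10.20.5) action=backup '
    'msg="User admin_123 failed to backup event log from GUI(10.10.20.5)"',
    'date=2011-11-21 time=09:40:00 log_id=0104032144 type=event subtype=admin '
    'pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'msg="User admin_123 added policy routing entry wan1 from GUI(10.10.20.5)"',
]

PAIR_RE = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')
UI_RE = re.compile(r'^(?P<entry>[^()]+)\((?P<ip>[^()]+)\)$')


def parse_line(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def split_ui(ui):
    """Split a ui value such as GUI(10.10.20.5) into (point of entry, IP or None)."""
    match = UI_RE.match(ui or "")
    if not match:
        return (ui or None, None)  # e.g. a ui value that carries no address
    try:
        return (match.group("entry"), ip_address(match.group("ip")))
    except ValueError:
        return (match.group("entry"), None)


def message_id(fields):
    """Assumption: the five-digit message ID is the tail of the log_id value."""
    return fields.get("log_id", "")[-5:]


def triage(lines, mgmt_nets=MGMT_NETS):
    """Return one finding per watched admin event, with review notes."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        mid = message_id(fields)
        if mid not in WATCHED:
            continue
        entry, ip = split_ui(fields.get("ui"))
        notes = []
        if ip is None:
            notes.append("no source IP in ui")
        elif not any(ip in net for net in mgmt_nets):
            notes.append("ui address outside management networks")
        if mid == "32150" and fields.get("admin-user") != fields.get("user"):
            notes.append(f"target account {fields.get('admin-user')}")
        if mid == "32140":
            notes.append(f"timeout {fields.get('old_value')} -> {fields.get('new_value')}")
        if mid == "32142" and "failed" in fields.get("msg", "").lower():
            notes.append("operation failed")
        findings.append({
            "id": mid,
            "what": WATCHED[mid],
            "user": fields.get("user"),
            "entry": entry,
            "ip": str(ip) if ip is not None else None,
            "pri": fields.get("pri"),
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```
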


32151

Message ID: 32151
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  - A new firewall local-in policy was added.
  - A new IPv6 firewall local-in policy was added.
Fields:
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

32152

Message ID: 32152
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  - A firewall local-in policy's setting was changed.
  - An IPv6 firewall local-in policy's setting was changed.
Fields:
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

32153

Message ID: 32153
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following:
  - A firewall local-in policy was deleted.
  - An IPv6 firewall local-in policy was deleted.
Fields:
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


32154

Message ID: 32154
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator uploaded a FortiToken.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <user_name> has uploaded a FortiToken file.

32155

Message ID: 32155
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator has requested to activate the specified FortiToken.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains fortitoken-activate.
  serialno: The serial number of the FortiToken device.
  msg: User <user_name> has requested to activate FortiToken <serialno>


32156

Message ID: 32156
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiToken has been activated by FortiGuard.
Fields:
  action: This field always contains fortitoken-activate.
  serialno: The serial number of the FortiToken device.
  status: The status of the activation process.
  msg: Activation of FortiToken <serialno> <status>.

32157

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an email filter IP black/white list entry.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the UTM profile. This field always contains enabled.
  ip: The IP address.
  msg: User <admin_name> added antispam IP black/white entry <ip_address> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an email address black/white list entry.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the UTM profile. This field always contains enabled.
  ip: The IP address.
  msg: User <admin_name> added email black/white entry <email_address> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  email-pattern: The email address entry. For example, user@example.com.

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a banned word to the email filtering banned word list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the UTM profile. This field always contains enabled.
  msg: User <admin_name> added antispam banned word entry <banned_word> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  pattern: The banned word entry.

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a URL address to the URL filter.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the UTM profile. This field always contains enabled.
  ip: The IP address.
  msg: User <admin_name> added URL filter entry <url_address> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  url: The URL address that was entered.

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a banned word entry to the web content filter list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  status: The status of the UTM profile. This field always contains enabled.
  msg: User <admin_name> added webfilter banned word entry <banned_word> from <ui(<ip_address>)>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  word: The word or words that were added to the webfilter content filter list.
  lang: The type of language applied to the entry. For example, Western.
  pattern_type: The type of pattern applied to the word. For example, wildcard.

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an email address to the email address black/white list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  email-pattern: The email address of the new entry in the list.
  status: The status of the UTM profile. This field always contains enabled.
  msg: User <admin_name> added antispam email black/white entry <email_address> from <ui(<ip_address>)>

Message ID: 32157
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an email address to the email address black/white list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains fortitoken-synchronize.
  serialno: The serial number of the FortiToken device.
  status: The status of the synchronization process.
  msg: User <admin_name> resynchronized FortiToken <serialno> with result: <status>


32158

Message ID: 32158
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a word from within a web content filter list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  word: The web filter word that was deleted from within the list.
  lang: The type of language that was chosen. For example, Western.
  pattern_type: The type of pattern that was chosen, for example, Regular Expression.
  status: The status of the word within the list before it was deleted. This field always contains enabled.
  msg: User <admin_name> deleted webfilter banned word entry <word> from <ui(<ip_address>)>

32161

Message ID: 32161
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the specified sensor.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> changed sensor <ips_sensor_name>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level.


32162

Message ID: 32162
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator changed the specified sensor.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: User <admin_name> changed sensor <dos_sensor_name>
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level.

32168

Message ID: 32168
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator failed to add a new entry because the VDOM property limit has been reached.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: Adding new entry failed: vdom property limit has been reached when user <user_name> adds <vdom> from <ui>


32170

Message ID: 32170
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator added a new multicast firewall policy.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that occurred. This field can contain config-add.
  status: The status of the action. This field contains success.
  reason: The reason for taking the action. This field contains none.
  msg: User <admin_name> added multicast firewall policy <policy_number> from <ui(<ip_address>)>
  new_id: The new firewall policy identification number for the new multicast firewall policy.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  new_srcintf: The new source interface that was applied to the new multicast firewall policy.
  new_dintf: The new destination interface that was applied to the new multicast firewall policy.
  new_saddr: The new source address that was applied to the policy.
  new_daddr: The new destination IP address that was applied to the policy.
  new_nat_addr: The new NAT IP address that was applied to the policy.
  new_dnat_addr: The new DNAT IP address that was applied to the policy.
  new_action: The type of action that was applied.
  new_proto: The type of protocol that was applied.
  new_start_port: The new start port number. For example, port 1.
  new_end_port: The new end port number. For example, port 655535

Message ID: 32170
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An alarm was triggered.
Fields:
  action: The type of action that occurred. This field always contains alarm.
  alarmid: The alarm's identification number.
  groupid: The group identification number.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


32171

Message ID: 32171
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator modified a multicast firewall policy.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that occurred. This field can contain config-edit.
  status: The status of the action. This field contains success.
  reason: The reason for taking the action. This field contains none.
  msg: User <admin_name> changed multicast firewall policy <policy_number> from <ui(<ip_address>)>
  pol_id: The multicast firewall policy identification number.
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  old_srcintf: The previous source interface.
  old_dintf: The previous destination interface.
  old_saddr: The previous source IP address.
  old_daddr: The previous destination IP address.
  old_action: The previous type of action that was applied.
  old_start_port: The previous start port number.
  old_end_port: The previous end port number.
  new_srcintf: The new source interface that was applied to the new multicast firewall policy.
  new_dintf: The new destination interface that was applied to the new multicast firewall policy.
  new_saddr: The new source address that was applied to the policy.
  new_daddr: The new destination IP address that was applied to the policy.
  new_nat_addr: The new NAT IP address that was applied to the policy.
  new_dnat_addr: The new DNAT IP address that was applied to the policy.
  new_action: The type of action that was applied.
  new_proto: The type of protocol that was applied.
  new_start_port: The new start port number. For example, port 1.
  new_end_port: The new end port number. For example, port 655535

Message ID: 32171
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An alarm was triggered.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5), this field contains GUI(10.10.20.5).
  action: The type of action that occurred. This field always contains alarm-ack.
  alarmid: The alarm's identification number.
  groupid: The group identification number.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


32172
Message ID: 32172
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator deleted a multicast firewall policy.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field can contain config-delete.
  status: The status of the action. This field contains success.
  reason: The reason for taking the action. This field contains none.
  msg: User <admin_name> removed multicast firewall policy <policy_number> from <ui(<ip_address>)>
  old_id: The multicast firewall policy identification number.
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  old_srcintf: The previous source interface.
  old_dintf: The previous destination interface.
  old_saddr: The previous source IP address.
  old_daddr: The previous destination IP address.
  old_action: The previous type of action that was applied.
  old_start_port: The previous start port number.
  old_end_port: The previous end port number.
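The old_/new_ fields listed for message IDs 32171 and 32172 above can be turned into a change record for configuration review. This is an added example, not Fortinet code: the raw line layout (space-separated key=value pairs), the log_id key carrying the message ID in its last five digits, the type and subtype keys, and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: raw lines are space-separated key=value pairs, values optionally quoted.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
UI_RE = re.compile(r'^([^()]+)\(([^()]*)\)$')

# Suffixes the reference lists with both an old_ and a new_ field for 32171.
PAIRED = ("srcintf", "dintf", "saddr", "daddr", "action", "start_port", "end_port")
# Suffixes listed only as new_ fields: the previous value is not logged.
NEW_ONLY = ("nat_addr", "dnat_addr", "proto")


def parse_line(line):
    """Split one raw log line into {field name: value}, dropping quotes."""
    return {key: value.strip('"') for key, value in PAIR_RE.findall(line)}


def message_id(fields):
    """Assumption: the message ID is the last five digits of log_id."""
    tail = fields.get("log_id", "")[-5:]
    return int(tail) if tail.isdigit() else None


def split_ui(ui):
    """'GUI(10.10.20.5)' -> ('GUI', '10.10.20.5'); the IP is None if missing or invalid."""
    match = UI_RE.match(ui or "")
    if not match:
        return (ui or None), None
    try:
        return match.group(1), str(ipaddress.ip_address(match.group(2)))
    except ValueError:
        return match.group(1), None


def port_span(fields, prefix):
    """Return (start, end) as integers, or None if absent, non-numeric or reversed."""
    try:
        span = int(fields[prefix + "start_port"]), int(fields[prefix + "end_port"])
    except (KeyError, ValueError):
        return None
    return span if span[0] <= span[1] else None


def audit_multicast_policy(line):
    """Return a change record for a 32171 edit or a 32172 delete, else None."""
    f = parse_line(line)
    key = (message_id(f), f.get("action"))
    if key == (32171, "config-edit"):
        event, policy = "modified", f.get("pol_id")
    elif key == (32172, "config-delete"):
        event, policy = "deleted", f.get("old_id")
    else:
        # Also skips the Alert variant of 32171 ("An alarm was triggered"),
        # which shares the message ID but not the config-edit action.
        return None
    via, source_ip = split_ui(f.get("ui"))
    record = {"event": event, "policy": policy, "admin": f.get("user"),
              "via": via, "source_ip": source_ip, "vd": f.get("vd")}
    if event == "deleted":
        record["removed"] = {s: f["old_" + s] for s in PAIRED if "old_" + s in f}
        return record
    record["changed"] = {s: (f.get("old_" + s), f.get("new_" + s))
                         for s in PAIRED if f.get("old_" + s) != f.get("new_" + s)}
    record["new_only"] = {s: f["new_" + s] for s in NEW_ONLY if "new_" + s in f}
    old, new = port_span(f, "old_"), port_span(f, "new_")
    # A strictly larger port range is worth a second look during change review.
    record["ports_widened"] = bool(
        old and new and new != old and new[0] <= old[0] and new[1] >= old[1])
    return record


# Constructed sample lines (not captured from a device).
_COMMON = 'type=event subtype=admin pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) '
SAMPLE_LINES = [
    'log_id=0104032171 ' + _COMMON + 'action=config-edit status=success reason=none '
    'msg="User admin_123 changed multicast firewall policy 3 from GUI(10.10.20.5)" '
    'pol_id=3 old_srcintf=internal old_dintf=dmz old_saddr=10.1.1.0 '
    'old_daddr=239.1.1.1 old_action=accept old_start_port=5000 old_end_port=5010 '
    'new_srcintf=internal new_dintf=external new_saddr=10.1.1.0 '
    'new_daddr=239.1.1.1 new_nat_addr=0.0.0.0 new_dnat_addr=0.0.0.0 '
    'new_action=accept new_proto=17 new_start_port=1 new_end_port=65535',
    'log_id=0104032172 ' + _COMMON + 'action=config-delete status=success reason=none '
    'msg="User admin_123 removed multicast firewall policy 3 from GUI(10.10.20.5)" '
    'old_id=3 old_srcintf=internal old_dintf=external old_saddr=10.1.1.0 '
    'old_daddr=239.1.1.1 old_action=accept old_start_port=1 old_end_port=65535',
    'log_id=0104032301 ' + _COMMON + 'action=add-vdom '
    'msg="Virtual domain test_vd is added."',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(audit_multicast_policy(sample))
```

Only the fields that differ between old_ and new_ appear under "changed"; new_nat_addr, new_dnat_addr and new_proto have no old_ counterpart in this reference, so they are reported separately under "new_only".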


32180
Message ID: 32180
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator failed to back up the configuration from the management station, or the FortiGate unit's automatic backup to the management station failed. The meaning can also be that there was a failed backup of the configuration file after the system upgraded.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field contains backup.
  status: The status of the action. This field contains failure.
  msg: This field contains any one of the following:
    User <admin_name> failed to backup the configuration from <ui> to management station.
    Automatic configuration backup to Management Station failed.
    Failed to backup configuration after system upgrading: <string>

32200
Message ID: 32200
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator uploaded the new web filter list specified in the upload field.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  upload: This field contains any one of the following:
    url-exempt-list
    word-block-list
    url-block-list
  num: The num value information.
  msg: User <administrator_name> uploaded <upload_type> from <ui>


32301
Message ID: 32301
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added a virtual domain.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field contains add-vdom.
  msg: Virtual domain <vd_name> is added.

32302
Message ID: 32302
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator deleted a virtual domain.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field always contains del-vdom.
  msg: Virtual domain <vd_name> is deleted.

32400
Message ID: 32400
Log Subtype: Admin
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The configuration changed.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  msg: Configuraiton is changed in the admin session.


32401
Message ID: 32401
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator added an application control list.
Fields:
  user: The administrator who is creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field contains add.
  msg: Administrator <admin_name> added an application control list <app_crtl_list_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the application control list.

Message ID: 32401
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The administrator modified settings within an application control list.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field always contains edit.
  msg: Administrator <admin_name> edited an application control list <default_app_name> from <ui(<ip_address>)>
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  pri: The priority level. This field always contains notice.
  name: The name of the application control list.


32545
Message ID: 32545
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The system was restarted because it was scheduled to.
Fields:
  user: The name of the administrator creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: This field always contains reboot.
  msg: System will reboot due to scheduled daily restart.
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.

32546
Message ID: 32546
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The archive log files are being uploaded to the FortiAnalyzer unit.
Fields:
  action: This field always contains upload_request
  msg: Content Archive data has been uploaded to FortiAnalyzer.

32547
Message ID: 32547
Log Subtype: Admin
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The content archive file failed to upload.
Fields:
  action: This field always contains upload_request
  msg: Content Archive data failed to upload to <string>.


32548
Message ID: 32548
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The upload of memory logs to a remote server failed because it reached the maximum capacity.
Fields:
  action: This field always contains upload_request
  msg: Uploading memory logs to remote logging server(s) because it reached <percentage> percent full

32549
Message ID: 32549
Log Subtype: Admin
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The upload of memory logs to a remote server occurred as scheduled.
Fields:
  action: This field always contains upload_request
  msg: Uploading memory logs to remote logging server(s) as scheduled


Event-System
Event-System log messages record events that occur in the FortiGate system, such as administrators logging in and out, or events occurring on the interfaces.

20001 20002 20003 20004 20007 20010 20031 20032 20033 20034 20035 20036 20037 20038 20039 20040 20041 20042 20043 20044 20045 20046 20047 20048 20049 20050 20051 20052 20053 20054 20055 20056 20057 20058 20059 20060 20061 20062 20063 20064 20065 20066 20067 20068 20069 20070 20071 20072 20073 20074 20075 20076 20077 20078 20079 20080 20081 20082 20083 20084 20099 20100 20101 20110 20111 20200 20201 20202 20203 22000 22001 22002 22003 22004 22005 22006 22009 22010 22011 22012 22013 22100 22101 22102 22103 22800 22801 22802 22803 22804 22805 22806 22901 22902 22903 22911 22912 22913 22914


20001
Message ID: 20001
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The routing information has changed because of the gateway's status, up or down.
Fields:
  interface: This field contains any one of the following:
    internal
    dmz
    external
    other
  status: This field contains either up or down.
  msg: Ping server is {up | down}

Message ID: 20001
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
    There is a problem contacting the modem. Verify the modem connection and settings.
    The FortiGate unit has attempted to redial the IPS from the modem and could not connect after the set number of redial attempts. You must reset the modem to attempt the connection.
    The wireless user has been disconnected.
    A client was accepted.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  msg: This field contains any one of the following:
    Problem contacting the modem
    modem: Redial limit exceeded giving up
    Client <wireless_user> is disassociated.
    Accepted associated from <client_name>

Message ID: 20001
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
    Client <client_name> does 1X: The client does 1X
    Client <client_name> does WPA: The client does WPA.
Fields:
  msg: This field contains any one of the following:
    Client <client_name> does 1X
    Client <client_name> does WPA

Message ID: 20001
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Routing information is changed because the gateway is up/down.
Fields:
  interface: The name of the interface.
  status: The status information.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

Message ID: 20001
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: A gateway's status.
Fields:
  interface: The name of the interface.
  gw_group: The gateway group information.
  status: The status information.
  gw_status: The gateway status.
  msg: The status of <gateway> for gateway group <gw_group> is <information>


20002
Message ID: 20002
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The domain name configured for an alert email recipient cannot be resolved. Verify the email address to ensure that it is correct.
Fields:
  user: This field always contains system
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: The type of action taken by the FortiGate unit.
  status: This field always contains failure.
  msg: Can't resolve the IP address of <email_address>

20003
Message ID: 20003
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Failed to send an alert email. You can verify the email addresses configured for alert emails and see if that solves the problem.
Fields:
  user: This field always contains system
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  action: The type of action taken by the FortiGate unit. This field always contains alert-email.
  status: This field always contains failure.
  count: The number of times the same event was detected within a short period of time.
  msg: Failed to send alert email from <ip_address> to <ip_address>.


20004
Message ID: 20004
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The policy is too big for the system to handle.
Fields:
  user: This field always contains system
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
  status: This field always contains failure.
  msg: Policy <policy_id> is too big for system, it's installed partially.

20007
Message ID: 20007
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The socket is exhausted.
Fields:
  service: The type of service. This field always contains kernel.
  status: This field always contains failure.
  proto: The protocol information.
  src: The source IP address.
  src_port: The source port number.
  nat: The NAT information.
  dst: The destination IP address.
  dst_port: The destination port number.
  msg: NAT port is exhausted.

20010
Message ID: 20010
Log Subtype: System
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS IPC error.
Fields:
  msg: Unable to initialize RADIUS IPS (<value>)


20031
Message ID: 20031
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit's flash memory is full in the specified sector. You can delete logs stored to the local disk, and perform other maintenance to free memory space.
Fields:
  msg: Interface <interface_name> Out of memory in <memory_sector>.

20032
Message ID: 20032
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit cannot find the specified interface by name. You can check configuration of the interface and check any physical connections to solve the problem.
Fields:
  msg: Interface <interface_name> not found in <memory_sector>.

20033
Message ID: 20033
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An interface uses Mobile IPv6 extensions.
Fields:
  msg: Using Mobile IPv6 extensions.

20034
Message ID: 20034
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.
Fields:
  msg: MinRtrAdvInterval for <interface> must be between <start_range_seconds> and <end_range_seconds>


Message ID: 20034
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface (using Mobile IPv6 extensions) must be configured within the specified range because it is not currently in the specified range. The range is specified in seconds.
Fields:
  msg: MinRtrAdvInterval for <interface_name> must be between <start_range_seconds> and <end_range_seconds>

20035
Message ID: 20035
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The minimum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MinRtrAdvInterval to solve this problem.
Fields:
  msg: MinRtrAdvInterval must be between <start_range_seconds> and <end_range_seconds> for <interface_name>

20036
Message ID: 20036
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface, using Mobile IPv6 extensions, must be configured within the specified range. The range is specified in seconds.
Fields:
  msg: MaxRtrAdvInterval for <interface_name> must be between <start_range_seconds> and <end_range_seconds>


20037
Message ID: 20037
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The maximum time allowed between sending unsolicited multicast router advertisements from the specified interface must be configured within the specified range. Range is specified in seconds. You can reconfigure the router according to MaxRtrAdvInterval to solve this problem.
Fields:
  msg: MaxRtrAdvInterval must be between <start_range_seconds> and <end_range_seconds> for <interface_name>

20038
Message ID: 20038
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The value placed in MTU options sent by the router must be either zero or between the specified range for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.
Fields:
  msg: AdvLinkMTU must be zero or between <start_range_bytes> and <end_range_bytes> for <interface_name>

20039
Message ID: 20039
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The value placed in MTU options sent by the router must be either zero or greater than the specified value for the specified interface. A value of zero indicates that no MTU options are sent. You can reconfigure the router according to range to solve this problem.
Fields:
  msg: AdvLinkMTU must be zero or greater than <value_bytes> for <interface_name>


20040
Message ID: 20040
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The value to be placed in the Reachable Time field in the Router Advertisement message sent by the router must be less than the specified value for the specified interface. A value of zero means unspecified by this router. You can reconfigure the router according to the specified value to solve this problem.
Fields:
  msg: AdvReachableTime must be less than <value> for <interface_name>

20041
Message ID: 20041
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The default value to be placed in the CurHopLimit field in the Router Advertisements message sent by the router must not be greater than the specified value for the specified interface. You can reconfigure the router according to the specified value to solve this problem.
Fields:
  msg: AdvCurHopLimit must not be greater than <value_hop_limit> for <interface_name>

20042
Message ID: 20042
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The value to be placed in the Router Lifetime field of Router Advertisements sent from the interface in seconds, must be either zero or between the specified range. A value of zero indicates that the router is not to be used as a default router. You can reconfigure the router according to the specified range to solve this problem.
Fields:
  msg: AdvDefaultLifetime for <interface_name> must be zero or between <start_range_seconds> and <end_range_seconds>


20043
Message ID: 20043
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: HomeAgentLifetime in Router Advertisement packet is out of range. You can reconfigure the router according to the specified range to solve this problem.
Fields:
  msg: HomeAgentLifetime must be between <value> and <value> for <interface_name>

20044
Message ID: 20044
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: AdvHomeAgentFlag and HomeAgentLifetime in Router Advertisement packet must be set with HomeAgentInfo. You can reconfigure the router according to the specified range to solve this problem.
Fields:
  msg: AdvHomeAgentFlag must be set with HomeAgentInfo

20045
Message ID: 20045
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Prefix length is too long. You can adjust packet prefix length to solve this problem.
Fields:
  msg: Invalid prefix length for <string>

20046
Message ID: 20046
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The value to be placed in the Valid Lifetime in the Prefix Information option, in seconds, must be greater than the AdvPreferredLifetime. You can adjust packet prefix length to solve this problem.
Fields:
  msg: AdvValidLifetime must be greater than AdvPreferredLifetime for <string>


20047
Message ID: 20047
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to create an IPv6 socket.
Fields:
  msg: Can't create socket (AF_INET6): <string>

20048
Message ID: 20048
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set IPV6_PKTINFO option.
Fields:
  msg: Setsockopt(IPv6_PKTINFO): <string>

20049
Message ID: 20049
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set IPV6_CHECKSUM option.
Fields:
  msg: Setsockopt(IPV6_CHECKSUM): <string>

20050
Message ID: 20050
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set IPV6_UNICAST_HOPS option.
Fields:
  msg: Setsockopt(IPV6_UNICAST_HOPS): <string>


20051
Message ID: 20051
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set IPV6_MULTICAST_HOPS option.
Fields:
  msg: Setsockopt(IPV6_MULTICAST_HOPS): <string>

20052
Message ID: 20052
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set IPV6_HOPLIMIT option.
Fields:
  msg: Setsockopt (IPV6_HOPLIMIT): <string>

20053
Message ID: 20053
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to set ICMPV6_FILTER option.
Fields:
  msg: Setsockopt(ICMPV6_FILTER): <string>

20054
Message ID: 20054
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received the specified signal and is going to exit.
Fields:
  msg: radvd receive signal=<value_signal>\n


20055
Message ID: 20055
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon cannot create query to interface by using cmf_query_create().
Fields:
  msg: Can not create query to interface at <string>:<string>:<value>!

20056
Message ID: 20056
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon encounters an internal error when it uses cmf_query_for_each().
Fields:
  msg: Interfal error in cmf_query_for_each()!

20057
Message ID: 20057
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon failed to find a virtual interface by interface index.
Fields:
  msg: Interface <string>:<value> not found in the list!

20058
Message ID: 20058
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon reloaded or unloaded the specified interface.
Fields:
  msg: This field contains any one of the following:
    Interface <string>: <value> reloaded!
    Interface <string>:<value> unloaded!


20059
Message ID: 20059
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received a packet with no pkt_info.
Fields:
  msg: Received packet with no pkt_info!

20060
Message ID: 20060
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received an ICMPv6 packet with invalid length.
Fields:
  msg: Received icmpv6 packet with invalid length: <value_bytes>

20061
Message ID: 20061
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received an unwanted type of ICMPv6 packet.
Fields:
  msg: icmpv6 filter failed

20062
Message ID: 20062
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received an ICMPv6 RA packet with invalid length.
Fields:
  msg: Received icmpv6 RA packet with invalid length. <value_bytes>


20063
Message ID: 20063
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received ICMPv6 RA packet with non-linklocal source address.
Fields:
  msg: Received icmpv6 RA packet with non-linklocal source address

20064
Message ID: 20064
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received ICMPv6 RS packet with invalid length.
Fields:
  msg: Received icmpv6 RS packet with invalid length: <value_bytes>

20065
Message ID: 20065
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with invalid code.
Fields:
  msg: Received icmpv6 RS/RA packet with invalid code: <value_code>

20066
Message ID: 20066
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with wrong hoplimit.
Fields:
  msg: Received RS or RA with invalid hoplimit <value_hops> from <interface_name>


20067
Message ID: 20067
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvCurHopLimit on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. You should configure the interfaces with the same AdvCurHopLimit value to correct the problem.
Fields:
  msg: Our AdvCurHopLimit on <interface_name> doesn't agree with <interface_name>

20068
Message ID: 20068
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvManagerFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interface with the same AdvManagerFlag value.
Fields:
  msg: Our AdvManagerFlag on <interface_name> doesn't agree with <interface_name>

20069
Message ID: 20069
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvOtherConfigFlag value (True/False) on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvOtherConfigFlag value.
Fields:
  msg: Our AdvOtherConfigFlag on <interface_name> doesn't agree with <interface_name>


20070
Message ID: 20070
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvReachableTime configured on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified by this router. The value must be no greater than 3,600,000 seconds or 1 hour. You should configure the interfaces with the same AdvReachableTime value.
Fields:
  msg: Our AdvReachableTime on <interface_name> doesn't agree with <interface_name>

20071
Message ID: 20071
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvRetransTimer value on the specified FortiGate interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). You should configure the interfaces with the same AdvRetransTimer value.
Fields:
  msg: our AdvRetransTimer on <interface_name> doesn't agree with <interface_name>

20072
Message ID: 20072
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon found extra data in an RA packet from the specified source.
Fields:
  msg: trailing garbage in RA on <interface_name> from <interface_name>


20073
Message ID: 20073
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon found an RA packet with no option data from the specified source.
Fields:
  msg: zero length option in RA on <interface_name> from <interface_name>

20074
Message ID: 20074
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The option length is greater than the total length in an RA packet from the specified source.
Fields:
  msg: option length greater than total length in RA on <interface_name> from <interface_name>

20075
Message ID: 20075
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvLinkMTU value on the specified FortiGate interface does not agree with the specified remote interface. A value of zero indicates that no MTU options are sent. You should configure the interfaces with the same AdvLinkMTU value.
Fields:
  msg: our AdvLinkMTU on <interface_name> doesn't agree with <interface_name>

20076
Message ID: 20076
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvValidLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvValidLifetime value.
Fields:
  msg: our AdvValidLifetime on <interface_name> for <value> doesn't agree with <interface_name>


20077
Message ID: 20077
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The AdvPreferredLifetime value on the specified FortiGate interface does not agree with the value on the specified remote interface. You should configure the interfaces with the same AdvPreferredLifetime value.
Fields:
  msg: our AdvPreferredLifetime on <interface_name> for <value> doesn't agree with <interface_name>

20078
Message ID: 20078
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon found the specified invalid option in an RA packet from the specified source from a remote site.
Fields:
  msg: Invalid option <value_option> in RA on <interface_name> from <location>

20079
Message ID: 20079
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon is ready to serve.
Fields:
  msg: radvd started\n

20080
Message ID: 20080
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Recvmsg() in the IPv6 router advertisement daemon failed.
Fields:
  msg: recvmsg: <string>


20081
Message ID: 20081
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The IPv6 router advertisement daemon received a packet with a wrong IPV6_HOPLIMIT.
Fields:
  msg: received a bogus IPV6_HOPLIMIT from the kernel! len=<value_bytes>, data=<value>

20082
Message ID: 20082
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following: The IPv6 router advertisement daemon received a packet with a wrong IPV6_PKINFO. The IPv6 router advertisement daemon failed to check whether we've joined the all-routers multicast group.
Fields:
  msg: This field contains any one of the following:
    received a bogus IPV6_PKINFO from the kernel! len=<value_bytes>, index=<value_index>
    Problem checking all-routers membership on <interface_name>

20083
Message ID: 20083
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The routing advertisement failed to check if it joined the all-routers membership group.
Fields:
  msg: problem checking all-routers membership on <interface_name>


20084
Message ID: 20084
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following: Sendmsg () in the IPv6 router advertisement daemon failed. Sendmsg () in radvd failed.
Fields:
  msg: sendmsg: <string>

20090
Message ID: 20090
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The interface link status has changed.
Fields:
  intf: The name of the interface.
  status: The status of the interface.
  msg: interface <interface_name> link status is <status_type>

20099
Message ID: 20099
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The interface link status has changed.
Fields:
  action: This field is always interface-stat-change.
  status: This field contains either DOWN or UP.
  msg: This field contains any one of the following:
    Link monitor: Interface <interface_name> was turned down
    Link monitor: Interface <interface_name> was turned up


20100
Message ID: 20099
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: FortiGuard Web Filtering category has been updated.
Fields:
  msg: The FortiGuard Web Filtering category list has been updated. Please verify the protection profile settings are still correct.

20101
Message ID: 20101
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Status of the file upload.
Fields:
  action: This field always contains upload.
  status: The status of the upload.
  hash: The hash information.
  file: The name of the file that was uploaded.
  user: The name of the user creating the traffic.
  server: The name of the server.
  port: The number of the port.
  msg: <file_name> upload reached the <string> state \n

Message ID: 20101
Log Subtype: System
Severity: Variable
Firmware version: FortiOS 4.0 MR3
Meaning: File upload error.
Fields:
  action: This field always contains upload.
  status: The status of the upload.
  file: The name of the file that was uploaded.
  user: The name of the user creating the traffic.
  server: The name of the server.
  port: The number of the port.

Message ID: 20101
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: FortiGuard license is expired. You need to renew the FortiGuard license.
Fields:
  msg: FortiGuard license is expired.

Message ID: 20101
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Status of the uploaded file.
Fields:
  action: The type of upload being performed.
  status: The status of the upload.
  file: The name of the file that was uploaded.
  user: The name of the user creating the traffic.
  server: The IP address of the server.
  port: The name of the port.
  msg: <file_name> upload reached the <server_ip_address> state <status_name>

Message ID: 20101
Log Subtype: System
Severity: Variable
Firmware version: FortiOS 4.0 MR3
Meaning: File upload error.
Fields:
  action: This field always contains upload.
  error: The type of error that occurred during the file's uploading process.
  file: The name of the file that was uploaded.
  user: The name of the user creating the traffic.
  server: The IP address of the server.
  port: The name of the port.
  msg: <file_name> upload error\ \n


20110
Message ID: 20110
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A hp_api log message.
Fields:
  msg: hp_api: Connection to ESPd has been initialized.

20111
Message ID: 20111
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A hp_api log message.
Fields:
  msg: hp_api: Connection to ESPd has been reset, exiting.

20200
Message ID: 20200
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator initiated a self-test type from a specific location.
Fields:
  user: The name of the user creating the traffic. In this log message, it is the administrator that is creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
  action: This field always contains self-test.
  test: The type of test that was taken.
  msg: Administrator <administrator_name> initiates the <test_type> self-test from <ui>


20201
Message ID: 20201
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator initiated all self-tests from a specified location.
Fields:
  user: The name of the user creating the traffic. In this log message, it is the administrator that is creating the traffic.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
  action: This field always contains self-test.
  test: This field always contains all.
  msg: Administrator <administrator_name> initiates all self-tests from <ui>

20202
Message ID: 20202
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The daemon started.
Fields:
  action: This field always contains daemon-startup.
  daemon: The type of daemon used.
  pid: The PID number.
  msg: Daemon <daemon_type> started.

Message ID: 20202
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: There was an error when either partitioning the disk or formatting the disk.
Fields:
  msg: Partitioning or formatting error (<string>) partition=<partition> format=<format> label=<label>


20203
Message ID: 20203
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The daemon was shut down.
Fields:
  action: This field always contains daemon-shutdown.
  daemon: The type of daemon used.
  pid: The PID number.
  msg: Daemon <daemon_type> shutdown.

22000
Message ID: 22000
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following: Packet lengths do not match. The packet length does not match what is specified in the request header.
Fields:
  msg: This field contains any one of the following:
    Packet length does not match that specified in the request header.
    lengths of packets does not match


22001
Message ID: 22001
Log Subtype: System
Severity: Warning/Information
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following: The specified version of the URL agent is not supported. The specified version of the protocol is not supported. An administrator started to convert the current SQL format.
Fields:
  action: The action that was taken.
  admin: The name of the administrator.
  ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
  status: This field always contains started.
  msg: This field contains any one of the following:
    version <agent_version_num> is not supported.
    Protocol version <version_number> is not supported.
    Administrator <administrator_name> started to convert existing logs to SQL format from <ui>

22002
Message ID: 22002
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following: Only HTTP is supported. Requests other than HTTP, HTTPS, FTP, MAIL, and AV are not supported. Request other than HTTP, HTTPS, FTP, MAIL, and AV are not supported. The conversion of the existing SQL logs failed. The administrator failed to convert the existing logs into SQL format.
Fields:
  action: The action that was taken.
  status: This field always contains failed.
  reason: This field contains either sql-db-not-running or cannot-send-request.
  msg: This field contains any one of the following:
    Other request <request_type> than http is not supported.
    Other requests <string> than http & ftp is not supported.
    Request type <type> is not supported
    Conversion of existing logs to SQL format failed to start because SQL DB is not running.
    Conversion of existing logs to SQL format failed to start because request cannot be sent.


22003
Message ID: 22003
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Failed to set up a signal handler.
Fields:
  msg: sigaction(<signal_handler>)failed: <string>

22004
Message ID: 22004
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what the msg field contains, the meaning can be any one of the following: The system failed to create a socket or failed to create a socket. The system failed to create a socket or failed to create a HA socket.
Fields:
  msg: This field contains any one of the following:
    Socket () failed: <string>
    Socket () failed: <string>

22005
Message ID: 22005
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The system failed to create a UDP socket to receive URL requests.
Fields:
  msg: This field contains any one of the following:
    Failed to create a udp socket to relay URL requests: <string>
    failed to create a <value>/udp socket to receive URL request

22006
Message ID: 22006
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The system failed to register for cmdb events.
Fields:
  msg: Failed to register for cmdb events.


22009
Message ID: 22009
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Could not find antivirus profile by using ID.
Fields:
  name: The name of the antivirus profile.
  status: This field always contains failure.
  msg: failed to find its AV protection profile

22010
Message ID: 22010
Log Subtype: System
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, it can contain any one of the following: The url filter has failed to send the rating result back to HTTP proxy. The HTTP proxy has crashed. The sendto () failed.
Fields:
  process: The type of process that is being performed by the FortiGate unit.
  reason: The reason for the trigger.
  msg: This field contains any one of the following: <string> failed to send rating result failed to send urlfilter packet failed to send urlfilter packet because queue was full failed to send urlfilter packet <sent_number> times


22011
Message ID: 22011
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The conversion of existing log files to SQL log files in the specified VDOM started.
Fields:
  action: The action that was taken.
  status: This field always contains started.
  files: The name of the log files that are being converted.
  msg: Conversion of existing logs to SQL format for vdom <vdom_name> started.

22012
Message ID: 22012
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following: The SQL log database is full and cannot format any more logs. The SQL conversion failed because the log could not be opened.
Fields:
  action: The action that was taken.
  status: This field always contains failed.
  reason: This field contains either sql-log-full or cannot-open-file.
  file: The name of the log file being converted.
  msg: This field contains any one of the following:
    Conversion of <log_file_name> to SQL format failed because SQL log is full.
    Conversion of <log_file_name> to SQL format failed because the log file cannto be opened.


22013
Message ID: 22013
Log Subtype: System
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The conversion process finished and the logs are now in SQL format in the specified VDOM.
Fields:
  action: The action that was taken.
  status: This field always contains ended.
  converted_files: The names of the converted log files.
  entry: The entry information.
  msg: Conversion of existing logs to SQL format for vdom <vdom_name> has been finished.

22100
Message ID: 22100
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Quarantine has dropped a FortiAnalyzer transfer job due to limited memory.
Fields:
  file: The name of the file.
  size: The size of the file.
  limit: The number of the set limit.
  avail: The number for avail.
  action: This field always contains content-archive.
  status: This field always contains drop.
  reason: This field always contains memory-limit.
  msg: File <file_name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.

Message ID: 22100
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Quarantine dropped FortiAnalyzer transfer jobs because there was limited available memory.
Fields:
  count: The number of times the same event was detected within a short period of time.
  duration: The duration, or time lapse, in seconds.
  limit: The number of the set limit.
  used: The amount used.
  action: This field always contains content-archive.
  status: This field always contains drop.
  reason: This field always contains memory-limit.
  msg: In the past <seconds> seconds, <value> files were not transferred to FortiAnalyzer due to exceeding memory usage limit.

22101
Message ID: 22101
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields:
  file: The name of the file.
  size: The size of the file.
  limit: The number of the set limit.
  avail: The number for avail.
  action: This field always contains content-archive.
  status: This field always contains drop.
  reason: This field always contains memory-limit.
  msg: File <file-name> is not transferred to FortiAnalyzer due to exceeding memory usage limit.

Message ID: 22101
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields:
  file: The name of the file.
  size: The size of the file.
  action: This field always contains content-archive.
  status: This field always contains fail.
  msg: Failed to transfer file <file_name> to FortiAnalyzer <ip_address>

Message ID: 22101
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Failed to send a file to the FortiAnalyzer unit.
Fields:
  file: The name of the file.
  size: The size of the file.
  action: The type of action taken by the FortiGate unit.
  status: This field always contains fail.
  msg: Failed to transfer file <file_name> to FortiAnalyzer <ip_address>

22102
Message ID: 22102
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Erroneous SMART status.
Fields:
  msg: Log disk failure is imminent, logs should be backed up

22103
Message ID: 22103
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard log buffer was reset because of a system overload. Current log data and possibly old log data may be lost. You must reopen FortiGuard log pipe to solve the issue.
Fields:
  reason: This field always contains buffer-overflow.
  msg: This field contains any one of the following:
    FortiGuard Log buffer is reset due to a buffer overflow (system overload). Some log data may be lost.
    FortiGuard Analysis Service buffer is reset due to a buffer overflow (system overload). Some log data may be lost.\

22200
Message ID: 22200
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The specified certificate will automatically update itself after a specified number of days is up.
Fields:
  user: This field always contains system.
  action: This field always contains certificate-update.
  status: This field always contains warning.
  cert: The name of the certificate.
  msg: CA certificate <certificate_name> will auto-update in <number_days> days.


22201
Message ID: 22201
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The specified certificate will automatically regenerate itself after a specified number of days is up.
Fields:
  user: This field always contains system.
  action: This field always contains certificate-regenerate.
  status: This field always contains warning.
  cert: The name of the certificate.
  msg: Local certificate <certificate_name> will auto-regenerate in <number_days> days.

22202
Message ID: 22202
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The certificate failed to automatically update.
Fields:
  user: This field always contains system.
  action: This field always contains certificate-update.
  status: This field always contains failure.
  cert: The name of the certificate.
  msg: The log message information. This usually contains a sentence and explains the activity and/or action taken.

22203
Message ID: 22203
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The specified certificate will automatically regenerate itself after a specified number of days is up.
Fields:
  user: This field always contains system.
  action: This field always contains certificate-regenerate.
  status: This field always contains failure.
  cert: The name of the certificate.
  msg: The log message information. This usually contains a sentence and explains the activity and/or action taken.


22800
Message ID: 22800
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Scan services entered conserve mode. Note: Not all of the fields may appear with every 22800 log message.
Fields:
  service: The name of the service.
  mode: The mode information.
  conserve: This field always contains on.
  total: The total information.
  free: The free information.
  entermargin: The entermargin information.
  exitmargin: The exitmargin information.
  msg: This field contains any one of the following: The system has entered conserve mode conserve=on total=<value> free=<value> entermargin=<value> exitmargin=<value> Scan services session fail mode. Scan services entered conserve mode.

22801
Message ID: 22801
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what is in the msg field, the meaning can be any one of the following: The system exited conserve mode. The scan services exited conserve mode.
Fields:
  service: The type of service used.
  conserve: This field contains either on or exit.
  total: The total information.
  free: The free information.
  entermargin: The enter margin information.
  exitmargin: The exit margin information.
  msg: This field can be any one of the following:
    The system exited conserve mode.
    The system has entered conserve mode.


22802
Message ID: 22802
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: System services entered conserve mode.
Fields:
  service: The type of service used.
  sysconserve: This field always contains on.
  total: The total information.
  free: The free information.
  entermargin: The enter margin information.
  exitmargin: The exit margin information.
  msg: The system has entered system conserve mode

22803
Message ID: 22803
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: System services exited conserve mode.
Fields:
  service: The type of service used.
  sysconserve: This field always contains exit.
  total: The total information.
  free: The free information.
  entermargin: The enter margin information.
  exitmargin: The exit margin information.
  msg: The system exited system conserve mode


22804
Message ID: 22804
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The status of the license has changed.
Fields:
  service: This field always contains license.
  status: The status information of the license.
  msg: License status changed to <status>

22805
Message ID: 22805
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The status of the license could not be validated.
Fields:
  service: This field always contains license.
  status: This field always contains warning.
  msg: License could not be validated for over 4 hours.

22806
Message ID: 22806
Log Subtype: System
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: There is a duplicate of the license.
Fields:
  service: This field always contains license.
  status: This field always contains warning.
  msg: Detected duplicate license in use.


22901
Message ID: 22901
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit is connected to the FortiAnalyzer unit.
Fields:
  action: This field always contains connect.
  status: This field always contains success.
  reason: The reason for the trigger.
  msg: Connected to FortiAnalyzer <ip_address>

22902
Message ID: 22902
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit has been disconnected from the FortiAnalyzer unit.
Fields:
  action: This field always contains disconnect.
  status: This field always contains success.
  reason: The reason for the trigger.
  msg: Disconnected from FortiAnalyzer <ip_address>

22903
Message ID: 22903
Log Subtype: System
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit failed to connect to the FortiAnalyzer unit.
Fields:
  action: This field always contains connect.
  status: This field always contains failure.
  reason: The reason for the trigger.
  msg: Failed to connect to FortiAnalyzer <ip_address>


22911
Message ID: 22911
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service server is up.
Fields:
  server: This field contains either Home or Alter.
  action: This field always contains up.
  msg: FortiGuard Analysis Service {Home | Alter} server is up

22912
Message ID: 22912
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service server is down.
Fields:
  server: This field contains either Home or Alter.
  action: This field always contains down.
  msg: FortiGuard Analysis Service {Home | Alter} server is down

22913
Message ID: 22913
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service server has been disconnected.
Fields:
  server: This field contains either Home or Alter.
  action: This field always contains disconnect.
  msg: FortiGuard Analysis Service {Home | Alter} server is disconnected


22914
Message ID: 22914
Log Subtype: System
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis Service server was changed to disable on the FortiGuard Analysis and Management Service portal web site.
Fields:
  server: This field contains either Home or Alter.
  action: This field always contains change.
  msg: FortiGuard Analysis Service server is changed to {Home | Alter}.


Event-DHCP service
Event-DHCP service log messages record DHCP service events.

26001
Message ID: 26001
Log Subtype: DHCP service
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: A DHCP service occurred.
Fields:
  dhcp_msg: Information about the DHCP server.
  dir: The direction information.
  mac: The MAC IP address with 2x.
  ip: The IP address.
  lease: The lease information.
  hostname: The host name information.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

26002
Message ID: 26002
Log Subtype: DHCP service
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  No shared network found.
  The IP address range spans multiple subnets.
  The IP address range does not belong to the net.
Fields:
  dhcp_msg: Information about the DHCP server.
  dir: The direction information.
  mac: The MAC IP address with 2x at the end.
  ip: The IP address.
  lease: The lease information.
  hostname: The host name information.
  msg: This field contains any one of the following:
    No shared network for network <interface_name> (ip_address)
    Address range <ip_address> to <ip_address>, netmask <netmask_address> spans <string>!
    Address range <ip_address> to <ip_address> netmask <netmask_address> not on net <string>!


Event-Firewall authentication
Event-Firewall authentication log messages record authentication events that occur within the FortiGate firewall. 38001 38002 38003 38004 38005 38010 38011 38012 38020 38021 38022 38026 38027


38001
Message ID: 38001
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified administrator succeeded in authentication.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains authenticate.
  status: This field always contains success.
  msg: User <user_name> succeeded in authentication

Message ID: 38001
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified AD group succeeded in authentication.
Fields:
  ipproto: The IP protocol information.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  adgroup: The name of the AD group.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains FSAE-auth.
  status: This field always contains success.
  msg: AD group <adgroup_name> user <user_name> succeeded in authentication.

Message ID: 38001
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified AD domain group failed in authentication.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  domain: The domain name.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains NTML-auth.
  status: This field always contains failure.
  reason: The reason that the trigger occurred.
  msg: AD domain <domain_name> user <user_name> failed in authentication.


38002
Message ID: 38002
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified user failed in concurrent check.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field is always authenticate.
  status: This field always contains failure.
  msg: User <user_name> failed in concurrent check.

Message ID: 38002
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified user failed in authentication.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field is always authenticate.
  status: This field always contains failure.
  msg: User <user_name> failed in authentication

Message ID: 38002
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified user failed in authentication.
Fields:
  ipproto: The IP protocol information.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The firewall policy identification number.
  adgroup: The name of the AD group.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains FSAE-auth.
  status: This field always contains failure.
  reason: The reason that the trigger occurred.
  msg: AD group <group_name> user <user_name> failed in authentication.

Message ID: 38002
Log Subtype: Firewall Authentication
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The user was blacked out for a specified amount of time because of abnormal behavior.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  dst: The destination IP address.
  action: This field always contains authenticate.
  status: This field always contains blackout.
  reason: This field always contains abnormal.
  msg: User from <ip_address> was blacked out for <time_seconds> seconds due to abnormal behavior.

Message ID: 38002
Log Subtype: Firewall Authentication
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The user failed to authenticate within the allowed time frame.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  user: The name of the user creating the traffic.
  service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
  action: This field always contains authenticate.
  status: This field always contains timeout.
  reason: This field always contains timeout.
  src: The source IP address.
  srcname: The name of the source. This can be the source's IP address; however, it can also be N/A.
  dst: The destination IP address.
  dstname: The name of the destination. This can be the destination's IP address; however, it can also be N/A.
  msg: User failed to authenticate within the allowed period.


38003
Message ID: 38003
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The specified administrator failed authentication and is locked out because they tried too many times.
Fields:
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains authenticate.
  status: This field always contains lockout.
  msg: User at <ip_address> failed authentication too many times.
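
Detection logic over the 38001 to 38003 records described above, added here as an example and not part of the Fortinet reference. The line layout (space-separated key=value pairs, quoted values, and the date, time and log_id keys) and the threshold and window are assumptions; the user, ui, action, status, reason and msg fields and their values are the ones listed in the entries above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input. The layout (key=value pairs, quoted values, and
# the date/time/log_id keys) is an assumption; the remaining field names and
# values are those the reference lists for message IDs 38001-38004.
SAMPLE_LOG = """\
date=2011-11-21 time=10:00:01 log_id=38002 policyid=4 user="alice" ui="GUI(10.10.20.5)" action=authenticate status=failure msg="User alice failed in authentication"
date=2011-11-21 time=10:00:20 log_id=38002 policyid=4 user="alice" ui="GUI(10.10.20.5)" action=authenticate status=failure msg="User alice failed in authentication"
date=2011-11-21 time=10:00:41 log_id=38002 policyid=4 user="alice" ui="GUI(10.10.20.5)" action=authenticate status=failure msg="User alice failed in authentication"
date=2011-11-21 time=10:01:05 log_id=38001 policyid=4 user="alice" group="staff" ui="GUI(10.10.20.5)" action=authenticate status=success msg="User alice succeeded in authentication"
date=2011-11-21 time=10:02:00 log_id=38002 policyid=4 ui="GUI(10.10.20.9)" dst=10.10.20.1 action=authenticate status=blackout reason=abnormal msg="User from 10.10.20.9 was blacked out for 60 seconds due to abnormal behavior."
date=2011-11-21 time=10:03:00 log_id=38003 policyid=4 user="bob" ui="GUI(10.10.20.7)" action=authenticate status=lockout msg="User at 10.10.20.7 failed authentication too many times."
date=2011-11-21 time=10:04:00 log_id=38004 user="dave" src=10.10.20.8 server="dc1" action=FSAE-logon status=success msg="FSAE-logon event from 10.10.20.8: user dave logged on 10.10.20.8"
date=2011-11-21 time=10:10:00 log_id=38002 policyid=4 user="carol" ui="GUI(10.10.20.6)" action=authenticate status=failure msg="User carol failed in authentication"
date=2011-11-21 time=10:20:00 log_id=38002 policyid=4 user="carol" ui="GUI(10.10.20.6)" action=authenticate status=failure msg="User carol failed in authentication"
"""

# A quoted value is consumed whole, so "ip=..." text inside msg is not
# mistaken for a separate field.
PAIR_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(ev):
    """Map an event to a category from the message ID / status pairs in the reference."""
    msg_id, status = ev.get("log_id"), ev.get("status")
    if msg_id == "38001":
        # The AD domain failure variant is also listed under 38001.
        return {"success": "auth_success", "failure": "auth_failure"}.get(status)
    if msg_id == "38002":
        return {"failure": "auth_failure", "blackout": "blackout",
                "timeout": "auth_timeout"}.get(status)
    if msg_id == "38003" and status == "lockout":
        return "lockout"
    return None


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, rule, subject) findings for firewall authentication events."""
    findings = []
    recent = defaultdict(deque)  # subject -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev)
        if kind is None:
            continue
        try:
            ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # no usable timestamp on this line
        # The blackout variant carries no user field, so fall back to ui.
        subject = ev.get("user") or ev.get("ui") or "unknown"
        fails = recent[subject]
        while fails and ts - fails[0] > window:
            fails.popleft()
        if kind in ("lockout", "blackout"):
            findings.append((ts, kind, subject))
        elif kind == "auth_failure":
            fails.append(ts)
            if len(fails) == threshold:
                findings.append((ts, "failure_burst", subject))
        elif kind == "auth_success":
            if len(fails) >= threshold:
                findings.append((ts, "success_after_failures", subject))
            fails.clear()
    return findings


if __name__ == "__main__":
    for ts, rule, subject in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), rule, subject)
```
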

38004
Message ID: 38004
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A successful FSAE log in event.
Fields:
  user: The name of the user creating the traffic.
  src: The source IP address.
  server: The name or IP address of the server.
  action: This field always contains FSAE-logon.
  status: This field always contains success.
  msg: FSAE-logon event from <ip_address>: user <user_name> logged on <ip_address>

Message ID: 38004
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A successful FSAE log in event.
Fields:
  user: The name of the user creating the traffic.
  src: The source IP address.
  server: The name or IP address of the server.
  action: This field always contains FSAE-logoff.
  status: This field always contains success.
  msg: FSAE-logoff event from <ip_address>: user <user_name> logged off <ip_address>


38005
Message ID: 38005
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The policy authentication of the specified user has timed out.
Fields:
  src: The source IP address.
  user: The name of the user creating the traffic.
  group: The name of the user group creating the traffic.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
  action: This field always contains authenticate.
  status: This field always contains timeout.
  msg: Policy authentication of user <user_name> has timed out.

38010
Message ID: 38010
Log Subtype: Firewall Authentication
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The specified user failed authentication when creating a FortiGuard Web Filtering override.
Fields:
  initiator: The initiator information.
  status: This field always contains failure.
  reason: This field always contains credentials.
  src: The source IP address.
  dst: The destination IP address.
  msg: User <user_name> failed authentication when creating a FortiGuard Web Filtering overrride from <ip_address>

Message ID: 38010
Log Subtype: Firewall Authentication
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The encryption for EVP failed.
Fields:
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains encryption.
  cipher: This field always contains aes-128-cbc.
  status: This field always contains failed.
  msg: EVP encryption failed.

38011
Message ID: 38011
Log Subtype: Firewall Authentication
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Web Filtering override table is full and cannot contain any more overrides.
Fields:
  initiator: The initiator information.
  status: This field always contains failure.
  reason: This field always contains table_add_failed.
  src: The source IP address.
  dst: The destination IP address.
  msg: FortiGuard Web Filtering override table is full.

Message ID: 38011
Log Subtype: Firewall Authentication
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The decryption for EVP failed.
Fields:
  user: The name of the user creating the traffic.
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains decryption.
  cipher: This field always contains aes-128-cbc.
  status: This field always contains failed.
  msg: EVP decryption failed.


38012
Message ID: 38012
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGuard Web Filtering override was successfully created.
Fields:
  initiator: The initiator information.
  status: This field always contains success.
  reason: This field always contains none.
  src: The source IP address.
  dst: The destination IP address.
  action: This field always contains authentication.
  scope: The scope information.
  scope_data: The scope data information.
  rule_type: The rule type information.
  rule_data: The rule data information.
  offsite: The offsite information.
  expiry: The expiry information.
  msg: User <user_name> added webfilter override entry <entry_name> from <location>.

38020
Message ID: 38020
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiClient checking event occurred.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  dst: The destination IP address.
  msg: Log message information.

Message ID: 38020
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiClient checking event occurred.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  msg: Log message information.

38021
Message ID: 38021
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The quota for per IP shaper was exceeded.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains ip-traffic-shaper.
  status: This field always contains blocked.
  shaper: The name of the traffic shaper.
  bps: The bps information.
  giga: The Gigabyte number.
  mega: The mega number.
  bytes: The number of bytes.
  msg: Traffic exceed per ip traffic shaper quota, ip: <ip_address>

Message ID: 38021
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The quota for per IP shaper was exceeded.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains policy-traffic-shaper.
  status: This field always contains blocked.
  shaper: The name of the traffic shaper.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  bps: The bps information.
  giga: The Gigabyte number.
  mega: The mega number.
  bytes: The number of bytes.
  msg: Traffic exceed shared traffic shaper quota, policy id: <firewall_policy_id_number>.


38022
Message ID: 38022
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The shared traffic shaper data was logged.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains ip-traffic-shaper.
  status: This field always contains allowed.
  shaper: The name of the traffic shaper.
  bps: The bps information.
  giga: The Gigabyte number.
  mega: The mega number.
  bytes: The number of bytes.
  msg: Per ip traffic shaper statistic data is logged, ip: <ip_address>

Message ID: 38022
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The shared traffic shaper data was logged.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  action: This field always contains policy-traffic-shaper.
  status: This field always contains allowed.
  shaper: The name of the traffic shaper.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero.
  bps: The bps information.
  giga: The Gigabyte number.
  mega: The mega number.
  bytes: The number of bytes.
  msg: Shared traffic shaper statistic data is logged, policy id: <firewall_policy_id_number>


38026
Message ID: 38026
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The Endpoint License Distribution has indicated that there are a specified number of keys assigned with a specified IP address.
Fields:
  msg: Endpoint License Distribution: active license keys left; key <key_number> assigned to endpoint with ip=<ip_address>

38027
Message ID: 38027
Log Subtype: Firewall Authentication
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An endpoint application was detected.
Fields:
  ui: The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field contains GUI(10.10.20.5).
  dst: The destination IP address.
  action: The action taken by the FortiGate unit.
  msg: Log message information.


Event-Wireless
Event-Wireless log messages record wireless events that occur with FortiGate units that have WiFi capabilities. 43520 43521 43522 43524 43525 43526


43520
Log Subtype: Wireless
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A wireless system activity occurred.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domain exists, this field always contains root.
  action: The information about the action that was taken.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43521
Log Subtype: Wireless
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A wireless rogue AP activity occurred.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domain exists, this field always contains root.
  ssid: The service set identifier.
  bssid: The basic service set identifier.
  rate: The data rate number.
  radio-band: The radio band information.
  channel: The channel number.
  action: The information about the action that was taken.
  manuf: The name of the manufacturer.
  security-mode: The type of security mode.
  nssi: The NSSI number.
  noise: The noise number.
  live: The live number.
  age: The age number.
  on-wire: This is either no or yes.
  detection-method: The type of detection method being used. This can be any one of the following:
    N/A
    mac adjancency
    sta
  sta-mac: The station MAC information.
  ap-scan: The WTP that scanned the station.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43522
Log Subtype: Wireless
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A physical AP activity occurred.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  sn: The physical AP unit's serial number.
  ap: The name of the physical AP.
  ap_profile: The name of the AP profile.
  ip: The IP address of the AP unit.
  action: The information about the action that was taken.
  reason: The reason for taking the specified action.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43524
Log Subtype: Wireless
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A wireless client activity occurred.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  sn: The physical AP unit's serial number.
  ap: The physical AP name.
  vap: The virtual AP name.
  ssid: The service set identifier.
  mac: The client wireless MAC address.
  security: This field contains any one of the following:
    open
    wep128
    wpa-radius
    wpa2
    wep64
    wpa-psk
    wpa
    wpa2-auto
  action: The information about the action that was taken.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43525
Log Subtype: Wireless
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A wireless rogue AP activity occurred.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domain exists, this field always contains root.
  ssid: The service set identifier.
  bssid: The basic service set identifier.
  rate: The data rate number.
  radio-band: The radio band information.
  channel: The channel number.
  action: The information about the action that was taken.
  manuf: The name of the manufacturer.
  security-mode: The information about the security mode.
  nssi: The NSSI number.
  noise: The noise number.
  live: The live number.
  age: The age number.
  on-wire: This is either no or yes.
  detection-method: The type of detection method being used. This can be any one of the following:
    N/A
    mac adjancency
    sta
  sta-mac: The station MAC information.
  ap-scan: The WTP that scanned the station.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43526
Log Subtype: Wireless
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A physical AP radio activity.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  sn: The physical AP unit's serial number.
  ap: The name of the physical AP unit.
  ip: The IP address of the AP unit.
  radio-id: The radio identification number.
  action: The information about the action that was taken.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


Event-IPsec negotiation
Event-IPsec negotiation log messages record IPsec activities and events. 37120 37121 37122 37123 37124 37125 37126 37127 37129 37130 37131 37132 37133 37134 37135 37136 37137 37138 37139 37184 37185 37186 37187 37188 37189 37190 37191 37192 37193 37194 37195 37196 37197 37198 37199 37200 37201 37202 37203


37120
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Notification of an IPsec negotiation of Phase 1.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following:
    negotiate
    error
    install_sa
    delete_phase1_sa
    delete_IPsec_sa
    dpd
    tunnel-up
    tunnel-down
    tunnel-stats
    phase2-up
    phase2-down
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the Xauthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following:
    success
    failure
    negotiate_error
    esp_error
    dpd_failure
  xauth_result: This field contains either XAUTH authentication successful or XAUTH authentication failed.


37121
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Negotiation error of an IPsec Phase 1.
Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following:
    negotiate
    error
    install_sa
    delete_phase1_sa
    delete_IPsec_sa
    dpd
    tunnel-up
    tunnel-down
    tunnel-stats
    phase2-up
    phase2-down
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the Xauthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following:
    success
    failure
    negotiate_error
    esp_error
    dpd_failure
  xauth_result: This field contains either XAUTH authentication successful or XAUTH authentication failed.


37122
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Notification of an IPsec negotiation of Phase 2.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  role: This field contains either responder or initiator.
  esp_transform: This field contains any one of the following: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
  esp_auth: This field contains any one of the following: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.


37123
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Negotiation error of an IPsec Phase 2.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  role: This field contains either responder or initiator.
  esp_transform: This field contains any one of the following: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
  esp_auth: This field contains any one of the following: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.


37124
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: IPsec Phase 1 error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  error_reason: This field contains any one of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulated mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.
  peer_notif: This field, peer notification, can contain any one of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.


37125
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: IPsec Phase 2 error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  error_reason: This field contains any one of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulated mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.


37126
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: IPsec not state error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  error_reason: This field contains any one of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulated mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.


37127
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Progress of an IPsec phase 1 notification.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  init: This field can be either local or remote.
  mode: This field contains any one of the following: aggressive, main, quick, xauth, xauth_client.
  dir: This field can be either outbound or inbound.
  stage: The stage number.
  role: This field contains either responder or initiator.
  result: This field contains any one of the following: ERROR, OK, DONE, PENDING.


37128
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Progress of an IPsec Phase 1 error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  init: This field contains either local or remote.
  mode: This field contains any one of the following: aggressive, main, quick, xauth, xauth_client.
  dir: The direction of the traffic. This field contains either outbound or inbound.
  stage: The stage number.
  role: This field contains either responder or initiator.
  result: This field contains any one of the following: ERROR, OK, DONE, PENDING.


37129
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Progress of an IPsec Phase 2 notification.
Fields:
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  init: This field can be either local or remote.
  mode: This field contains any one of the following: aggressive, main, quick, xauth, xauth_client.
  dir: The direction of the traffic. This field contains either outbound or inbound.
  stage: The stage number.
  role: This field contains either responder or initiator.
  result: This field contains any one of the following: ERROR, OK, DONE, PENDING.


37130
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The progress status of an IPsec Phase 2 error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: progress IPsec phase 2
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  init: This field can be either local or remote.
  mode: This field contains any one of the following: aggressive, main, quick, xauth, xauth_client.
  dir: The direction of the traffic. This field contains either outbound or inbound.
  stage: The stage number.
  role: This field contains either responder or initiator.
  result: This field contains any one of the following: ERROR, OK, DONE, PENDING.


37131
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: A notification of IPsec ESP.
Fields:
  msg: IPsec ESP.
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  error_num: This field contains any one of the following: Invalid ESP packet detected; Invalid ESP packet detected (HMAC validation failed); Invalid ESP packet detected (invalid padding); Invalid ESP packet detected (invalid padding length); Invalid ESP packet detected (replayed packet); Received ESP packet with unknown SPI.
  spi: The spi information.
  seq: The seq information.


37132
Log Subtype: IPsec
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: A notification of IPsec ESP error.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: IPsec ESP.
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  error_num: This field contains any one of the following: Invalid ESP packet detected; Invalid ESP packet detected (HMAC validation failed); Invalid ESP packet detected (invalid padding); Invalid ESP packet detected (invalid padding length); Invalid ESP packet detected (replayed packet); Received ESP packet with unknown SPI.
  spi: The spi information.
  seq: The seq information.


37133
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator installed IPsec SA.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: Install IPsec SA
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  role: This field contains either responder or initiator.
  in_spi: The in_spi information.
  out_spi: The out_spi information.


37134
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator deleted an IPsec Phase 1 SA.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: delete IPsec phase 1 SA.
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.


37135
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An administrator deleted an IPsec Phase 1 SA.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: delete IPsec phase 2 SA.
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  enc_spi: The enc_spi information.
  dec_spi: The dec_spi information.


37136
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec DPD failed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: IPsec DPD failure
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.


37137
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection failed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: IPsec connection failure
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.


37138
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection status changed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: IPsec connection status change
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  tunnel_ip: The tunnel's IP address.
  tunnel_id: The tunnel's identification number.
  tunnel_type: The type of tunnel. This field always contains IPsec.
  duration: This represents the value in seconds.
  sent: The total number of bytes sent.
  rcvd: The total number of bytes received.
  next_stat: The next_stat information.
  tunnel: The tunnel information.


37139
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 2 status changed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: IPsec phase 2 status change
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  xauth_user: The name of the XAuth user.
  xauth_group: The name of the XAuthentication group.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  phase2_name: The name given to the phase 2 configuration.


37184
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection failed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  peer_notif: This field, peer notification, can contain any one of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.


37185
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection failed.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 1
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  peer_notif: This field contains any one of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.


37186
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 2 negotiation notification.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 2
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  role: This field contains either responder or initiator.
  esp_transform: This field contains any one of the following: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
  esp_auth: This field contains any one of the following: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.


37187
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 2 negotiation notification.
Fields:
  vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
  msg: negotiate IPsec phase 2
  action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down.
  rem_ip: The remote IP address.
  loc_ip: The local IP address.
  rem_port: The remote port number.
  loc_port: The local port number.
  out_intf: The interface that is outbound.
  cookies: The cookies for that IPsec session.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
  status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure.
  role: This field contains either responder or initiator.
  esp_transform: This field contains any one of the following: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
  esp_auth: This field contains any one of the following: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.


37188
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 1 negotiation error.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec phase 1 error
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
error_reason: This field contains any one of the following:
  invalid certificate
  invalid SA payload
  probable preshared key mismatch
  peer SA proposal not match local policy
  aggressive vs main mode mismatch for new request
  peer notification
  not enough key material for tunnel
  encapsulation mode mismatch
  no matching gateway for new request


37189
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 1 negotiation error.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec phase 2 error
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
error_reason: This field contains any one of the following:
  invalid certificate
  invalid SA payload
  probable preshared key mismatch
  peer SA proposal not match local policy
  aggressive vs main mode mismatch for new request
  peer notification
  not enough key material for tunnel
  encapsulation mode mismatch
  no matching gateway for new request


37190
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec no state error.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec no state error
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
error_reason: This field contains any one of the following:
  invalid certificate
  invalid SA payload
  probable preshared key mismatch
  peer SA proposal not match local policy
  aggressive vs main mode mismatch for new request
  peer notification
  not enough key material for tunnel
  encapsulation mode mismatch
  no matching gateway for new request


37191
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 1 progress notification.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: progress IPsec phase 1
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
init: This field contains either local or remote.
exch: This field contains any one of the following: SA_INIT, AUTH, CREATE_CHILD
dir: This field contains either outbound or inbound.
role: This field contains either responder or initiator.
result: This field contains one of the following: ERROR, OK, DONE, PENDING
version: The version of the IPsec, which is IKEv2.


37192
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 1 progress error.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: progress IPsec phase 1
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
init: This field contains either local or remote.
exch: This field contains any one of the following: SA_INIT, AUTH, CREATE_CHILD
dir: The direction of the traffic. This field contains either outbound or inbound.
role: This field contains either responder or initiator.
result: This field contains one of the following: ERROR, OK, DONE, PENDING
version: The version of the IPsec, which is IKEv2.


37193
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 2 progress notification.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: progress IPsec phase 2
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
init: This field contains either local or remote.
exch: This field contains any one of the following: SA_INIT, AUTH, CREATE_CHILD
dir: The direction of the traffic. This field contains either outbound or inbound.
role: This field contains either responder or initiator.
result: This field contains one of the following: ERROR, OK, DONE, PENDING
version: The version of the IPsec, which is IKEv2.


37194
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec Phase 2 progress error.

Fields
Field: Description
msg: progress IPsec phase 2
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
init: This field contains either local or remote.
exch: This field contains any one of the following: SA_INIT, AUTH, CREATE_CHILD
dir: The direction of the traffic. This field contains either outbound or inbound.
role: This field contains either responder or initiator.
result: This field contains one of the following: ERROR, OK, DONE, PENDING
version: The version of the IPsec, which is IKEv2.


37195
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec ESP notification.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec ESP
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
error_num: This field contains any one of the following:
  Invalid ESP packet detected
  Invalid ESP packet detected (HMAC validation failed)
  Invalid ESP packet detected (invalid padding)
  Invalid ESP packet detected. (invalid padding length)
  Invalid ESP packet detected (replayed packet)
  Received ESP packet with unknown SPI
spi: The spi information.
seq: The seq information.


37196
Log Subtype: IPsec
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec ESP error.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec ESP
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure
error_num: This field contains any one of the following:
  Invalid ESP packet detected
  Invalid ESP packet detected (HMAC validation failed)
  Invalid ESP packet detected (invalid padding)
  Invalid ESP packet detected. (invalid padding length)
  Invalid ESP packet detected (replayed packet)
  Received ESP packet with unknown SPI
spi: The spi information.
seq: The seq information.


37197
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Installation of IPsec SA occurred.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: install IPsec SA
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
role: This field contains either responder or initiator.
in_spi: The in_spi information.
out_spi: The out_spi information.


37198
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Removed an IPsec Phase 1 SA.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: delete IPsec phase 1SA
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.


37199
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Removed an IPsec Phase 2 SA.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: delete IPsec phase 2 SA
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.


37200
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec DPD failure occurred.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec DPD failure
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure


37201
Log Subtype: IPsec
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection failure occurred.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec connection failure
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
status: This field contains any one of the following: success, failure, negotiate_error, esp_error, dpd_failure


37202
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec connection status changed.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec connection status change
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnel_ip: The VPN tunnel's IP address.
tunnel_id: The VPN tunnel's identification number.
tunnel_type: The type of VPN tunnel. This field contains IPsec.
duration: This represents the value in seconds.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
next_stat: The next_stat information.
tunnel: The tunnel information.


37203
Log Subtype: IPsec
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IPsec phase 2 status change.

Fields
Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: IPsec phase 2 status change
action: This field contains any one of the following: negotiate, error, install_sa, delete_phase1_sa, delete_IPsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
rem_ip: The remote IP address.
loc_ip: The local IP address.
rem_port: The remote port number.
loc_port: The local port number.
out_intf: The interface that is outbound.
cookies: The cookies for that IPsec session.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vpn_tunnel: The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2_name: The name of the Phase 2 configuration.
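
The following Python triage routine is an added example, not part of the Fortinet reference: it flags IPsec event records by the error_num, error_reason, esp_transform and esp_auth values listed in the entries above. The key=value line layout, the function names, the alert labels, the repeat threshold, the policy sets that treat ESP_NULL, ESP_DES, no authentication and HMAC_MD5 as weak, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed serialization: key=value pairs, values optionally double-quoted.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Local policy choices (assumptions, not from the reference): values the
# reference lists for esp_transform / esp_auth that a reviewer would flag.
WEAK_TRANSFORMS = {"ESP_NULL", "ESP_DES"}
WEAK_AUTH = {"no authentication", "HMAC_MD5"}

# Substrings of the documented error_num values, mapped to alert labels.
ESP_ERRORS = [
    ("replayed packet", "esp-replay"),
    ("HMAC validation failed", "esp-integrity"),
    ("invalid padding", "esp-padding"),
    ("unknown SPI", "esp-unknown-spi"),
]


def parse_record(line):
    """Split one log line into a dict of field name -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in PAIR_RE.finditer(line)
    }


def classify(rec):
    """Return the alert labels that apply to one parsed record."""
    labels = []
    err = rec.get("error_num", "")
    for needle, label in ESP_ERRORS:
        if needle in err:
            labels.append(label)
            break
    else:
        # No specific cause given: the bare "Invalid ESP packet detected" value.
        if err.startswith("Invalid ESP packet detected"):
            labels.append("esp-malformed")
    if rec.get("error_reason") == "probable preshared key mismatch":
        labels.append("psk-mismatch")
    if rec.get("esp_transform") in WEAK_TRANSFORMS:
        labels.append("weak-esp-transform")
    if rec.get("esp_auth") in WEAK_AUTH:
        labels.append("weak-esp-auth")
    return labels


def triage(lines, psk_threshold=3):
    """Return (label, rem_ip, vpn_tunnel) alerts for a sequence of log lines.

    A single pre-shared key mismatch is usually a configuration slip, so it
    is reported only once one peer reaches psk_threshold of them.
    """
    psk_failures = Counter()
    alerts = []
    for line in lines:
        rec = parse_record(line)
        peer = rec.get("rem_ip", "unknown")
        tunnel = rec.get("vpn_tunnel", "unknown")
        for label in classify(rec):
            if label == "psk-mismatch":
                psk_failures[peer] += 1
                if psk_failures[peer] == psk_threshold:
                    alerts.append(("repeated-psk-mismatch", peer, tunnel))
            else:
                alerts.append((label, peer, tunnel))
    return alerts


# Constructed sample records (documentation address ranges, made-up tunnels).
PSK_LINE = ('vd="root" msg="IPsec phase 1 error" action="negotiate" '
            'rem_ip=203.0.113.9 loc_ip=192.0.2.1 rem_port=500 loc_port=500 '
            'vpn_tunnel="dialup" status="negotiate_error" '
            'error_reason="probable preshared key mismatch"')
REPLAY_LINE = ('vd="root" msg="IPsec ESP" action="error" rem_ip=198.51.100.7 '
               'loc_ip=192.0.2.1 vpn_tunnel="branch1" status="esp_error" '
               'error_num="Invalid ESP packet detected (replayed packet)" '
               'spi="0a1b2c3d" seq="00000042"')
WEAK_LINE = ('vd="root" msg="negotiate IPsec phase 2" action="negotiate" '
             'rem_ip=198.51.100.20 loc_ip=192.0.2.1 vpn_tunnel="legacy" '
             'status="success" role="responder" esp_transform="ESP_DES" '
             'esp_auth="HMAC_MD5"')
INSTALL_LINE = ('vd="root" msg="install IPsec SA" action="install_sa" '
                'rem_ip=198.51.100.7 loc_ip=192.0.2.1 vpn_tunnel="branch1" '
                'role="initiator" in_spi="0a1b2c3d" out_spi="4e5f6a7b"')
SAMPLE_LOG = [PSK_LINE, REPLAY_LINE, PSK_LINE, WEAK_LINE, INSTALL_LINE, PSK_LINE]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```
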


Event-L2TP/PPP/PPPoE
Event-L2TP/PPP/PPPoE log messages record events and activities that occur with the Internet and modem protocols, L2TP, PPP, and PPPoE.

29001 29002 29003 29004 29009 29015 29016 29022 29024 30004 30005 30006 30007 30008 30009 31004 31005

31006 31007 31008 31009


29001
Message ID: 29001
Log Subtype: L2TP/PPTP/PPPoE
Severity: Variable
Firmware version: FortiOS 4.0 MR3
Meaning: PPPd log message.

Fields
Field: Description
user: The name of the user creating the traffic.
local: The local IP address.
remote: The remote IP address.
assigned: The assigned IP address.
stat: The stat information.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

29002
Message ID: 29002
Log Subtype: L2TP/PPTP/PPPoE
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: PPPd authentication message.

Fields
Field: Description
user: The name of the user creating the traffic.
local: The local IP address.
remote: The remote IP address.
assigned: The assigned IP address.
action: This field always contains auth_success.
msg: User <user_name> using <auth> with authentication protocol <protocol_information>


29003
Message ID: 29003
Log Subtype: L2TP/PPTP/PPPoE
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The user failed authentication when trying to connect.

Fields
Field: Description
local: The local IP address.
remote: The remote IP address.
assigned: The assigned IP address.
action: This field always contains auth_failed.
msg: <user_name> is trying to connect using <auth> with authentication protocol <protocol_information>, failed.

29004
Message ID: 29004
Log Subtype: L2TP/PPTP/PPPoE
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The maximum number of PPTP connections has been reached.

Fields
Field: Description
status: This field always contains failure.
action: This field always contains connect.
msg: PPTP: the maximum number of connections has been reached. No more clients can connect.

29009
Message ID: 29009
Log Subtype: L2TP/PPTP/PPPoE
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A PPPoE status report.

Fields
Field: Description
gateway_ip: The gateway IP address.
assigned_IP: The assigned IP address.
mtu: The MTU information.
msg: PPPoE status report.


29015
Message ID: 29015
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: PPP has received bad options.

Fields
Field: Description
msg: Peer IP is the same as an interface IP <interface>. IP(<interface_ip_address>).

29016
Message ID: 29016
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: PPP has received bad options.

Fields
Field: Description
msg: Local IP is the same as an interface IP <interface>. IP(<interface_ip_address>)

29022
Message ID: 29022
Log Subtype: L2TP/PPTP/PPPoE
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: No IP address is currently available.

Fields
Field: Description
status: This field always contains failure.
action: This field always contains connect.
msg: PPTP: No IP addresses left to assign in virtual domain: <virtual_domain_name>

29024
Message ID: 29024
Log Subtype: L2TP/PPTP/PPPoE
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: Not enough memory available.

Fields
Field: Description
status: This field always contains failure.
action: This field always contains start.
msg: failed to expand pptp config list due to not enough memory.


30004
Message ID: 30004
Log Subtype: L2TP/PPTP/PPPoE
Severity: Variable
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on the msg field, the meaning can be any one of the following:
  The PPTPD successfully started.
  A PPTP log message.

Fields
Field: Description
action: This field always contains start.
status: This field always contains success.
msg: This field contains any one of the following:
  PPTPD: started successfully
  The log message information, which is usually a sentence explaining the activity and/or action taken.

30005
Message ID: 30005
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The PPTPD failed to start.

Fields
Field: Description
action: This field always contains start.
status: This field always contains failure.
reason: failed to create socket
msg: PPTPD failed to start because failed to create socket.

30006
Message ID: 30006
Log Subtype: L2TP/PPTP/PPPoE
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The PPTPD successfully exited.

Fields
Field: Description
action: This field always contains exit.
status: This field always contains success.
msg: PPTPD exited successfully.


30007
Message ID: 30007
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: All PPTPD connections were closed because the PPTP setting changed.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
reason: PPTP setting is changed.
msg: PPTPD closed all client connections in vdom <vdom_name> because PPTP setting was changed.

Message ID: 30007
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The PPTPD disconnected.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
reason: failed to find the interface by device index
msg: PPTPD closed all client connections in vdom <vdom_name> because failed to find the interface by device index.

30008
Message ID: 30008
Log Subtype: L2TP/PPTP/PPPoE
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: PPTPD client connection.

Fields
Field: Description
action: This field always contains connect.
status: This field always contains success.
msg: Client <ip_address> control connection started.


30009
Message ID: 30009
Log Subtype: L2TP/PPTP/PPPoE
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: PPTPD client disconnected.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
msg: Client <client_name> control connection finished.

31004
Message ID: 31004
Log Subtype: L2TP/PPTP/PPPoE
Severity: Variable
Firmware version: FortiOS 4.0 MR3
Meaning: An L2TP log message.

Fields
Field: Description
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

31005
Message ID: 31005
Log Subtype: L2TP/PPTP/PPPoE
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: L2TP exited successfully.

Fields
Field: Description
action: This field always contains exit.
status: This field always contains success.
msg: L2TPD exited successfully.


31006
Message ID: 31006
Log Subtype: L2TP/PPTP/PPPoE
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: L2TP closed all client connections in a specified VDOM because L2TP setting was changed.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
reason: L2TP setting changed.
msg: L2TPD closed all client connections in vdom <vdom_name> because L2TP setting was changed.

Message ID: 31006
Log Subtype: L2TP/PPTP/PPPoE
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: L2TP closed all client connections in a specified VDOM because failed to find interface by device index.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
reason: interface not found
msg: L2TPD closed all client connections in vdom <vdom_name> because failed to find interface by device index.

31007
Message ID: 31007
Log Subtype: L2TP/PPTP/PPPoE
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An L2TP client connection. There are no more available IP addresses to assign in the specified VDOM.

Fields
Field: Description
action: This field always contains connect.
status: This field always contains failure.
reason: no ip available
msg: No IP addresses left to assign in virtual domain: <vdom_name>


31008
Message ID: 31008
Log Subtype: L2TP/PPTP/PPPoE
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An L2TP connection started.

Fields
Field: Description
action: This field always contains connect.
status: This field always contains success.
msg: Client <client_name> control connection started (id<ip_address>), assigned ip <ip_address>.

31009
Message ID: 31009
Log Subtype: L2TP/PPTP/PPPoE
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An L2TP connection has finished.

Fields
Field: Description
action: This field always contains disconnect.
status: This field always contains success.
msg: Client <client_name> control connection(id<ip_address>) finished.


Event-SSL VPN
Event SSL-VPN log messages record SSL-VPN user, administration and session events.

39424 39425 39426 41984 41985 41986 41987 41988 39936 39937 39939 39940 39941 39942 39944 39945 39946 39947 39948 39949 39950 39951


39424
Message ID: 39424
Log Sub-type: sslvpn-user
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN web access user has logged into the system successfully.

Fields
Field: Description
action: The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates that the SSL VPN tunnel is currently up and running.
tunnel_type: The type of SSL VPN tunnel. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL tunnel established.


39425
Message ID: 39425
Log Sub-type: sslvpn-user
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN tunnel was shut down.

Fields
Field: Description
action: The status of the SSL VPN tunnel. This field contains tunnel-down, which indicates that the SSL VPN tunnel is currently down, or not running.
tunnel_type: The type of SSL VPN tunnel that was accessed. The field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
duration: This represents the value in seconds.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
msg: SSL tunnel shutdown.


39426
Message ID: 39426
Log Type: sslvpn-user
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN user has failed to log in.

Fields
action: The action of an SSL VPN user. This field contains ssl-login-fail, which indicates that a user tried to log in using the SSL VPN tunnel but failed.
tunnel_type: The type of SSL VPN tunnel that was accessed. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL user failed to logged in.
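The following added example (not part of the Fortinet reference) shows how the action, remote_ip and user fields of messages 39426 and 39424 can be correlated to flag a burst of failed SSL VPN logins from one address, and whether a tunnel-up from that address followed. The key=value record layout, the date and time keys, the threshold and the window are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The key=value layout and the date/time keys are
# assumptions; action, tunnel_type, vd, remote_ip, user and msg are the fields
# this reference lists for messages 39424 and 39426.
SAMPLE_LOG = """\
date=2011-11-21 time=10:00:01 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.10 user="alice" msg="SSL user failed to logged in"
date=2011-11-21 time=10:00:20 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.10 user="admin" msg="SSL user failed to logged in"
date=2011-11-21 time=10:00:41 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=192.0.2.10 user="bob action=tunnel-up" msg="SSL user failed to logged in"
date=2011-11-21 time=10:01:05 vd=root action=tunnel-up tunnel_type=ssl-web remote_ip=192.0.2.10 user="alice" msg="SSL tunnel established"
date=2011-11-21 time=10:02:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=198.51.100.7 user="carol" msg="SSL user failed to logged in"
date=2011-11-21 time=10:30:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=198.51.100.7 user="carol" msg="SSL user failed to logged in"
date=2011-11-21 time=10:59:00 vd=root action=ssl-login-fail tunnel_type=ssl-web remote_ip=198.51.100.7 user="carol" msg="SSL user failed to logged in"
"""

# A value is either a double-quoted string (taken whole) or a run of
# non-space characters. Consuming the quoted value as one token keeps
# key=value text inside a user name from being read as a separate field.
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Split one record into a dict of field name -> value."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        # Keep the first occurrence of a key so a repeated key later in the
        # record cannot overwrite it (a parser policy chosen for this example).
        fields.setdefault(key, value)
    return fields


def detect_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag remote_ip values with `threshold` ssl-login-fail events, each
    within `window` of the newest one. Records are assumed chronological.

    Each alert also records the user of the first tunnel-up seen from the
    same address within `window` of the last counted failure.
    """
    recent = defaultdict(list)  # remote_ip -> [(timestamp, user)] in window
    alerts = {}                 # remote_ip -> alert record
    for line in lines:
        rec = parse_line(line)
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"],
                                   "%Y-%m-%d %H:%M:%S")
            ip, action = rec["remote_ip"], rec["action"]
        except (KeyError, ValueError):
            continue  # not an SSL VPN user record, or malformed
        if action == "ssl-login-fail":
            kept = [(t, u) for t, u in recent[ip] if ts - t <= window]
            kept.append((ts, rec.get("user", "")))
            recent[ip] = kept
            if len(kept) >= threshold:
                alert = alerts.setdefault(ip, {
                    "remote_ip": ip, "failures": 0, "users": set(),
                    "last_failure": ts, "login_after": None})
                alert["failures"] = max(alert["failures"], len(kept))
                alert["users"].update(u for _, u in kept)
                alert["last_failure"] = ts
        elif action == "tunnel-up" and ip in alerts:
            alert = alerts[ip]
            if (alert["login_after"] is None
                    and ts - alert["last_failure"] <= window):
                alert["login_after"] = rec.get("user", "")
    return [dict(a, users=sorted(a["users"]))
            for _, a in sorted(alerts.items())]


if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Several user names tried from one remote_ip, followed by a tunnel-up, is the pattern worth reviewing first; the three widely spaced failures from the second address stay below the threshold.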

41984
Message ID: 41984
Log Type: sslvpn-admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN admin user successfully uploaded a certificate.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains info.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: A certificate is loaded.
cert-type: This field contains any one of the following: CA, CRL, Local, Remote.


41985
Message ID: 41985
Log Type: sslvpn-admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN admin removed a certificate.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains info.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: A certificate is removed.
cert-type: This field contains any one of the following: CA, CRL, Local, Remote.

41986
Message ID: 41986
Log Type: sslvpn-admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN admin regenerated a certificate.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains info.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: A certificate is regenerated.
cert-type: This field contains any one of the following: CA, CRL, Local, Remote.
status: This field contains success.


41987
Message ID: 41987
Log Type: sslvpn-admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN admin updated a certificate.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains info.
cert-type: This field contains any one of the following: CA, CRL, Local, Remote.
status: This field contains success.
name: The name of the certificate.
method: The method information.
msg: A certificate is updated.

41988
Message ID: 41988
Log Type: sslvpn-admin
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL-VPN admin changed a setting.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains info.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accessed the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg: User changed SSL setting.


39936
Message ID: 39936
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SSL VPN web tunnel statistics.

Fields
action: The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web access tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
next_stats: The information of the next statistics.
duration: This represents the value in seconds.
sent: The number of bytes sent.
rcvd: The number of bytes received.
reason: The reason that the trigger occurred.
msg: SSL web tunnel statistics.


39937
Message ID: 39937
Log Type: sslvpn-session
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN web application was blocked.

Fields
action: This field contains ssl-web-deny.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-web-deny. This indicates that the SSL VPN was blocked and users were denied access.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
app-type: The type of application that triggered the action within the control list.
msg: SSL web application blocked.

39938
Message ID: 39938
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN web application was activated.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-web-pass.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is for web access.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
app-type: The type of application that triggered the action within the control list.
msg: SSL web application timeout.


39939
Message ID: 39939
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN web application timed out.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-web-timeout, which indicates that the web application timed out.
tunnel_type: The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
app-type: The type of application that triggered the action within the control list.
msg: SSL web application timeout.

39940
Message ID: 39940
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN web application was closed.

Fields
action: The status of the SSL VPN web application. This field contains ssl-web-close, which indicates that the application closed.
tunnel_type: The type of tunnel. This field contains ssl-web, which indicates that it is an SSL VPN web tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
app-type: The type of application that triggered the action within the control list.
msg: SSL web application closed.


39941
Message ID: 39941
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL VPN system is busy.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-sys-busy.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is an SSL VPN tunnel with web access.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL system busy.

39942
Message ID: 39942
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A new SSL VPN certification was successfully verified.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-cert.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL new SSL certificate verification success.


39943
Message ID: 39943
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A new connection was made.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-new-con, which indicates a new SSL VPN tunnel connection was created.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL new connection.

39944
Message ID: 39944
Log Type: sslvpn-session
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: SSL alerts

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-alert.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl, which indicates that this is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
alert: The alert information.
desc: The description information.
msg: SSL alerts


39945
Message ID: 39945
Log Type: Session
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN exit failed.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-exit-fail.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL exit fail.

39946
Message ID: 39946
Log Type: sslvpn-session
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN exit error.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-exit-error.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL exit error


39947
Message ID: 39947
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL VPN tunnel was established.

Fields
action: The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates that the current SSL VPN tunnel is up and running.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL tunnel established.


39948
Message ID: 39948
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL VPN tunnel was shut down.

Fields
action: The status of the SSL VPN tunnel. This field contains tunnel-down, which indicates that the SSL VPN is no longer connected or running.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: Destination host.
duration: This represents the value in seconds.
sent: The total number of bytes that were sent.
rcvd: The total number of bytes that were received.
reason: The reason that the trigger occurred.
msg: SSL tunnel shutdown.


39949
Message ID: 39949
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SSL tunnel statistics.

Fields
action: The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
next_stats: The next statistical number.
duration: This represents the value in seconds.
sent: The total number of bytes that were sent.
rcvd: The total number of bytes that were received.
reason: The reason that the trigger occurred.
msg: SSL tunnel statistics


39950
Message ID: 39950
Log Type: sslvpn-session
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SSL VPN tunnel unknown tag.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-tunnel-unknown-tag.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL tunnel unknown tag

39951
Message ID: 39951
Log Type: sslvpn-session
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL tunnel error.

Fields
action: The status of the SSL VPN tunnel. This field contains ssl-tunnel-error.
tunnel_type: The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it is an SSL VPN tunnel.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
tunnel_id: The tunnel identification number.
remote_ip: The remote IP address.
tunnel_ip: The tunnel IP address.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
dst_host: The destination host information.
reason: The reason that the trigger occurred.
msg: SSL tunnel error.


Event-VIP SSL
Event-VIP SSL log messages record VIP activities. 45001 45003 45005 45007 45009 45011 45012 45013 45015 45017 45019 45023 45027 45029 45031 45032


45001
Message ID: 45001
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL received an incorrect handshake message.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains received.
expected: This field contains any one of the following: HelloRequest, ServerHello, Certificate, CertificateRequest, CertificateVerify, Finished, ClientHello, NewsSessionTicket, ServerKeyExchange, ServerHelloDone, ClientKeyExchange.
received: This field contains any one of the following, especially if the record is corrupted: HelloRequest, ServerHello, Certificate, CertificateRequest, CertificateVerify, Finished, ClientHello, NewsSessionTicket, ServerKeyExchange, ServerHelloDone, ClientKeyExchange.
msg: Incorrect SSL handshake message.


45003
Message ID: 45003
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL handshake message has a bad length.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
handshake: The handshake information.
msg: Bad length in SSL handshake.

45005
Message ID: 45005
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An RSA verification of Diffie-Hellman parameters failed.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: RSA verification of Diffie-Hellman parameters failed.


45007
Message ID: 45007
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: A hash in the SSL Finished does not match the calculated hash. Each hash value in the local and remote log fields is hex encoded.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
local: The local information.
remote: The remote information.
action: This field always contains close.
msg: Hash in SSL Finished does not match calculated hash


45009
Message ID: 45007
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL decryption failed.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
reason: This field contains any one of the following:
  status_bad_pad_len=1 indicates that the received SSL Record did not comply with RFC 4336 section 6.2.3.2 on padding_length.
  status_bad_pad_value=2 indicates that the received SSL Record did not comply with RFC 4346 section 6.2.3.2 on padding.
  status_bad_mac=3 indicates that the MAC in the received SSL Record did not match the MAC calculated by the FortiGate unit for that SSL Record.
  status_internal_error=4 indicates that there was an internal error.
msg: SSL decryption failure


45011
Message ID: 45011
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL minor version is below the configured minimum value.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
min-minor: The min-minor information.
recv-minor: The recv-minor information.
msg: SSL minor below minimum configured value.

45012
Message ID: 45012
Log Subtype: VIP SSL
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL maximum connection limit was reached.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: SSL maximum connections reached.


45013
Message ID: 45013
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: None of the offered SSL CipherSuites are supported.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: None of the offered CipherSuites are supported

45015
Message ID: 45015
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL handshake has an invalid length.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
len: The length information.
msg: Incorrect SSL handshake length


45017
Message ID: 45017
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL handshake was too long.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
handshake: The handshake information.
len: The length information.
max: The maximum length information.
msg: SSL Handshake too long


45019
Message ID: 45019
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL alert message was sent.

Fields
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
vip: The virtual IP address.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains send.
level: The level information.
desc: This field contains any one of the following:
  fts_alert_desc_close_notify=0 notifies the recipient that the sender will not send any more messages on this connection
  fts_alert_desc_unexpected_message=10 an inappropriate message was received; this is usually fatal and should be observed closely
  fts_alert_desc_bad_record_mac=20 is returned if a record is received with an incorrect MAC
  fts_alert_desc_decryption_failed=21 may be returned if a TLSCiphertext decrypted in an invalid way; either it was not an even multiple of the block length or its padding values, when checked, were not correct (always fatal)
  fts_alert_desc_record_overflow=22 a TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes (always fatal)
  fts_alert_desc_handshake_failure=40 indicates the sender was unable to negotiate an acceptable set of security parameters given the options available (fatal error)
  fts_alert_desc_no_certificate=41 indicates there is no available certificate
  fts_alert_desc_illegal_parameter=47 a field in the handshake was out of range or inconsistent with other fields (always fatal)
  fts_alert_desc_decord_error=50 a message could not be decoded because some field was out of the specified range or the length of the message was incorrect (always fatal)
  fts_alert_desc_decrypt_error=51 a handshake cryptographic operation failed, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message
  fts_alert_desc_protocol_version=70 the protocol version the client has attempted to negotiate is recognized but not supported (always fatal)
  fts_alert_desc_internal_error=80 an internal error unrelated to the peer or correctness of the protocol (always fatal)
msg: SSL Alert sent


45023

Message ID: 45023
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL alert was received.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  serial: The serial number of the firewall session on which the event happened.
  policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  vip: The virtual IP address.
  src: The source IP address.
  src-port: The source port number.
  dst: The destination IP address.
  dst-port: The destination port number.
  action: This field always contains receive.
  level: The level information.
  desc: The description information.
  msg: SSL Alert received

45027

Message ID: 45027
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An invalid SSL ContentType occurred.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  serial: The serial number of the firewall session on which the event happened.
  policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  vip: The virtual IP address.
  src: The source IP address.
  src-port: The source port number.
  dst: The destination IP address.
  dst-port: The destination port number.
  action: This field always contains receive.
  type: The type information.
  msg: Invalid SSL ContentType


45029

Message ID: 45029
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL ChangeCipherSpec has a bad length.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  serial: The serial number of the firewall session on which the event happened.
  policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  vip: The virtual IP address.
  src: The source IP address.
  src-port: The source port number.
  dst: The destination IP address.
  dst-port: The destination port number.
  action: This field always contains close.
  msg: Bad length in SSL ChangeCipherSpec


45031

Message ID: 45031
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL ChangeCipherSpec has a bad length.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  serial: The serial number of the firewall session on which the event happened.
  policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  vip: The virtual IP address.
  src: The source IP address.
  src-port: The source port number.
  dst: The destination IP address.
  dst-port: The destination port number.
  humin: This field always contains close.
  max: The maximum information.
  received: The received information.
  action: This field always contains close.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


45032

Message ID: 45032
Log Subtype: VIP SSL
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: A certificate's public key is too big for SSL off-loading.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  serial: The serial number of the firewall session on which the event happened.
  policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  vip: The virtual IP address.
  src: The source IP address.
  src-port: The source port number.
  dst: The destination IP address.
  dst-port: The destination port number.
  hulen: This field is always close.
  max: The maximum information.
  action: This field always contains close.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


Event-DNS
Event-DNS log messages record DNS response activity.

44288

Message ID: 44288
Log Subtype: Event-DNS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A DNS response log message.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  src: The source IP address.
  dst: The destination IP address.
  src_int: The name of the source interface.
  dst_int: The name of the destination interface.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  dns_name: The name of the DNS server.
  dns_ip: The IP address of the DNS server.


Event-config
Event-config log messages record configuration changes that an administrator or user makes to the FortiOS configuration.

44544 44545 44546 44547


44544

Message ID: 44544
Log Sub-type: Event-config
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A configuration path log message.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  user: The name of the user changing the configuration setting.
  ui: The user interface.
  action: This can be any one of the following: add, delete, move, clone, edit, clear, rename, abort.
  cfg_tid: The configuration transaction identification number.
  cfg_path: The configuration path.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

44545

Message ID: 44545
Log Sub-type: Event-config
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A configuration object log message.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  user: The name of the user changing the configuration setting.
  ui: The user interface.
  action: This can be any one of the following: add, delete, move, clone, edit, clear, rename, abort.
  cfg_tid: The configuration transaction identification number.
  cfg_path: The configuration path.
  cfg_obj: The configuration object.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


44546

Message ID: 44546
Log Sub-type: Event-config
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A configuration attributes log message.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  user: The name of the user changing the configuration setting.
  ui: The user interface.
  action: This can be any one of the following: add, delete, move, clone, edit, clear, rename, abort.
  cfg_tid: The configuration transaction identification number.
  cfg_path: The configuration path.
  cfg_attr: The configuration attributes.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


44547

Message ID: 44547
Log Sub-type: Event-config
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A configuration object attributes log message.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  user: The name of the user changing the configuration setting.
  ui: The user interface.
  action: This can be any one of the following: add, delete, move, clone, edit, clear, rename, abort.
  cfg_tid: The configuration transaction identification number.
  cfg_path: The configuration path.
  conf_obj: The configuration object.
  cfg_attr: The configuration attributes.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


Event-auth
Event-auth log messages record authentication activity, including FSAE activity and NTLM authentication.

43008 43009 43010 43011 43012 43013 43014 43015 43016 43017 43018 43019 43020 43021 43022 43023 43024 43025 43025 43026 43027 43028 43029 43030


43008

Message ID: 43008
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43009

Message ID: 43009
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication session failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43010

Message ID: 43010
Log Subtype: auth
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication locked out.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43011

Message ID: 43011
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication timed out.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43012

Message ID: 43012
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: FSAE authentication was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  adgroup: The name of the active directory group.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43013

Message ID: 43013
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FSAE authentication failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  adgroup: The name of the active directory group.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43014

Message ID: 43014
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FSAE user logged on.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  user: The name of the FSAE user who is logging on.
  server: The IP address of the FSAE server.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43015

Message ID: 43015
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FSAE user logged off.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  user: The name of the FSAE user who is logging on.
  server: The IP address of the FSAE server.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43016

Message ID: 43016
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The NTLM authentication was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  adgroup: The name of the active directory group.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43017

Message ID: 43017
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The NTLM authentication failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  adgroup: The name of the active directory group.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43018

Message ID: 43018
Log Subtype: auth
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard override failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  initiator: The initiator information.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43019

Message ID: 43019
Log Subtype: auth
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard override failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  initiator: The initiator information.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43020

Message ID: 43020
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard override was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  initator: The initiator information.
  status: This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason that the activity or action occurred.
  scope: This can be any one of the following: user, ip, unhandled, user_group, profile.
  scope_data: The scope data information.
  rule_type: This can be any one of the following: directory, rating, domain, unhandled.
  rule_data: The rule data information.
  offsite: This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.
  expiry: The expiry information.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43021

Message ID: 43021
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Endpoint checking event.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  dst: The destination IP address.
  ui: The user interface.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43022

Message ID: 43022
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Endpoint license distribution.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  dst: The destination IP address.
  ui: The user interface.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43023

Message ID: 43023
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Endpoint detection.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  dst: The destination IP address.
  ui: The user interface.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43024

Message ID: 43024
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Endpoint detection.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  dst: The destination IP address.
  ui: The user interface.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

43025

Message ID: 43025
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43026

Message ID: 43026
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43027

Message ID: 43027
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication session timed out.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43028

Message ID: 43028
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The authentication session failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
  user: The name of the user creating the traffic.
  group: The name of the group creating the traffic.
  ui: The user interface.
  action: The action that was taken. This can be any one of the following: authentication, FSAE-logon, NTLM-auth, FSAE-auth, FSAE-logoff.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43029

Message ID: 43029
Log Subtype: auth
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard override was successful.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  initator: The initiator information.
  status: This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason the activity or action occurred.
  scope: This can be any one of the following: user, ip, unhandled, user_group, profile.
  scope_data: The scope data information.
  rule_type: This can be any one of the following: directory, rating, domain, unhandled.
  rule_data: The rule data information.
  offsite: This can be either yes, meaning the offsite was allowed, or no, meaning the offsite was not allowed.
  expiry: The expiry information.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


43030

Message ID: 43030
Log Subtype: auth
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard override failed.

Fields:
  vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
  src: The source IP address.
  dst: The destination IP address.
  initiator: The initiator information.
  status: The status of the authentication session. This can be any one of the following: success, timed_out, failure, locked_out.
  reason: The reason for recording the activity.
  msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


Event-wad
Event-wad log messages record WAN optimization events, such as a user adding a WAN optimization rule, as well as web proxy events.
40960 48001 48003 48005 48007 48009 48011 48012 48013 48015 48017 48019 48023 48027 48029 48031 48032 48100 48101 48102 48123 48124 48124 48127 48129 48131 48132 48200 48201 48205 48300 48301


40960
Message ID: 40960
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A web proxy forward server error.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
fwserver_name: The name of the web proxy server.
addr_type: The type of address used, for example FQDN. This field contains either IP or FQDN.
ip: The IP address.
fqdn: The FQDN address.
port: The port number.
msg: The log message is any one of the following:
- Failed to connection to forward server.
- Successfully connected to forward server.


48001
Message ID: 48001
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL received an incorrect handshake message.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
expected: The expected information.
received: The received information.
msg: Incorrect SSL handshake message.

48003
Message ID: 48003
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL handshake message contains a bad length.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
handshake: The handshake information.
msg: Bad length in SSL handshake.


48005
Message ID: 48005
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The RSA verification of Diffie-Hellman parameters failed.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: RSA verification of Diffie-Hellman parameters failed.

48007
Message ID: 48007
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The hash in SSL Finished does not match the calculated hash.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
local: The local information.
remote: The remote information.
action: This field always contains close.
msg: Hash in SSL Finished does not match calculated hash.


48009
Message ID: 48009
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL decryption failure occurred.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
reason: The reason that the trigger occurred.
msg: SSL decryption failure.

48011
Message ID: 48011
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL minor version is less than the configured minimum value.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
min-minor: The min-minor information.
recv-minor: The recv-minor information.
msg: SSL minor below minimum configured value.


48012
Message ID: 48012
Log Subtype: wad
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The maximum limit of SSL connections was reached.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: SSL maximum connections reached.

48013
Message ID: 48013
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: There is no support for the offered CipherSuites.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: None of the offered CipherSuites are supported.


48015
Message ID: 48015
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL handshake does not have a valid length.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
len: The length information.
msg: Incorrect SSL handshake length.

48017
Message ID: 48017
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL handshake is too long.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
handshake: The handshake information.
len: The length information.
max: The maximum length information.
msg: SSL Handshake too long


48019
Message ID: 48019
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL alert message was sent.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains send.
level: The level information.
desc: The description information.
msg: SSL Alert sent

48023
Message ID: 48023
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL alert message was received.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
level: The level information.
desc: The description information.
msg: SSL Alert received.


48027
Message ID: 48027
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An invalid SSL content type was received.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains receive.
type: The type information.
msg: Invalid SSL ContentType.

48029
Message ID: 48029
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL ChangeCipherSpec has bad length.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
action: This field always contains close.
msg: Bad length in SSL ChangeCipherSpec.


48031
Message ID: 48031
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: An SSL ChangeCipherSpec has bad length.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
min: The minimum information.
max: The maximum information.
received: The received information.
action: This field always contains close.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


48032
Message ID: 48032
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: The certificate's public key is too big for SSL offloading to handle.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
len: The length information.
max: The maximum length information.
action: This field always contains close.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


48100
Message ID: 48100
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Cert authentication has failed.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
msg: authentication failed: cert authentication failed.

48101
Message ID: 48101
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Authentication failed because of an incorrect private shared key.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
authgrp: The authentication group information.
host: The host information.
msg: authentication failed: incorrect psk.


48102
Message ID: 48102
Log Subtype: wad
Severity: Error
Firmware version: FortiOS 4.0 MR3
Meaning: Authentication failed.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
authgrp: The authentication group information.
peer: The peer information.
msg: authentication failed: <reason>

48123
Message ID: 48123
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A WAN optimization rule was changed.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
msg: A wan-opt rule has changed.


48124
Message ID: 48124
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A WAN optimization rule was added.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
msg: A wan-opt rule is added.

Message ID: 48124
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A WAN optimization rule was removed.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
id: The identification information.
msg: User <user_name> deleted a wad rule <rule_name> from <ui>


48127
Message ID: 48127
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A web cache name was entered or a host name was entered.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg: This field contains one of the following:
- user <user_name> set web proxy name.
- user<user_name> set wan acceleration host-id

48129
Message ID: 48129
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
- The specified user set the WAN-opt storage.
- The specified user deleted the WAN-opt storage entry.
- The specified user set the byte cache storage.
- The specified user set the web cache storage.
- The specified user deleted the disk storage entry.
- The ISCSI target is set.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action: The action information. This field does not appear for all 48129 log messages.
name: The name information.
msg: This field contains one of the following:
- user <user_name> set wanopt storage <storage> size=<size_amount>
- Administrator <user_name> disk storage <disk_storage> from <ui>
- user <user_name> delete disk storage entry


48131
Message ID: 48131
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user added a WAN accelerator SSL server.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> added a wan accelerator ssl server setting <ssl_server_setting> from <ui>.

48132
Message ID: 48132
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user removed a WAN accelerator SSL server.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> deleted a wan accelerator ssl server setting <ssl_server_setting> from <ui>


48200
Message ID: 48200
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user added a network peer.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> added network accelerator peer <peer_name> from <ui>

48201
Message ID: 48201
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user deleted a peer.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> deleted a network accelerator peer entry <peer_name> from <ui>


48205
Message ID: 48205
Log Subtype: wad
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A user deleted an authentication group entry.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
auth-group: The authentication group information.
msg: User <user_name> deleted a network accelerator auth-group entry <auth_group_name> from <ui>

48300
Message ID: 48300
Log Subtype: wad
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The server side, FortiGate, is not properly configured.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
rule-id: The identification number of the rule.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
msg: auto detection failed: server side ftg is not properly configured.


48301
Message ID: 48301
Log Subtype: wad
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: An unexpected application type was detected.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
serial: The serial number of the firewall session on which the event happened.
policy: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
rule-id: The identification number of the rule.
app-type: The type of application that triggered the action within the control list.
src: The source IP address.
src-port: The source port number.
dst: The destination IP address.
dst-port: The destination port number.
msg: unexpected application type. Please report.


Event-LDB-monitor
Event-LDB-monitor log messages record VIP activities.
46000 46001 46002 46003 46004 46005 46100 46101


46000
Message ID: 46000
Log Subtype: ldb-monitor
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server was enabled.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains enable.
msg: ldb server enabled.

46001
Message ID: 46001
Log Subtype: ldb-monitor
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server was disabled.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains disable.
msg: ldb server disabled.


46002
Message ID: 46002
Log Subtype: ldb-monitor
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server is now up.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains up.
msg: ldb server up.

46003
Message ID: 46003
Log Subtype: ldb-monitor
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server is down.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains down.
msg: ldb server down


46004
Message ID: 46004
Log Subtype: ldb-monitor
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server has started a hold down period.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains holddown.
msg: ldb server entered holddown period
interval: The hold-down interval period in seconds.

46005
Message ID: 46000
Log Subtype: ldb-monitor
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: The VIP real server failed during the hold down period.
Fields:
vd: The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root.
vip: The name of the virtual IP list used.
server: The IP address of the server.
port: The port number.
status: The status information.
action: This field always contains holddown.
msg: ldb server health checking failed during holddown period.


46100
Message ID: 46100
Log Subtype: ldb-monitor
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A load balance server monitor was added.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> added load balance monitor <load_balance_monitor_name> from <ui>

46101
Message ID: 46100
Log Subtype: ldb-monitor
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A load balance server monitor was added.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
name: The name information.
msg: User <user_name> deleted a load balance server monitor <load_balance_monitor_name> from <ui>


Event-nac-quarantine
Event-nac-quarantine log messages record quarantine events, such as when banned users are quarantined.

43776
Log Sub-type: nac-quarantine
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A NAC quarantine event was recorded.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
src: The banned IP address.
dst: The destination IP address.
src_int: The banned interface.
dst_int: The destination interface.
src_port: The source port number.
dst_port: The destination port number.
proto: The protocol number that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
action: This field contains any one of the following: ban-ip, ban-interface, ban-src-dst-ip (banned all traffic from source IP to destination IP by NAC quarantine)
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
policid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
banned_src: The banned source. This field contains any one of the following: ips, dos, dlp-rule, dlp-compound, av
banned_rule: The banned rule or reason that was detected.
sensor: The name of the DLP sensor that was used to detect and take action.


Event-his-performance
Event-his-performance log messages record the FortiGate unit's performance statistics.

40704
Message ID: 40704
Log Sub-type: his-performance
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: Performance statistics for the FortiGate unit.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
action: This field contains perf-stats.
cpu: The CPU usage in percent.
mem: The memory usage in percent.
total_session: The total number of sessions.
msg: Performance statistics.


Event-HA
Event-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe changes in cluster unit status. These changes in status occur if a cluster unit fails or starts up, or if a link fails or is restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use the serial number to determine which cluster unit's status has changed.

37888 37889 37890 37891 37892 37893 37894 37895 37896 37897 37898 37899 37900 37901


37888
Message ID: 37888
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A specified HA group was deleted.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: HA group is deleted.
ha_group: The number of the HA group.

37889
Message ID: 37889
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A specified virtual cluster was deleted.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual cluster is deleted.
vcluster: The number of the virtual cluster.

37890
Message ID: 37890
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A specific VDOM in a virtual cluster was moved.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual clusters vdom is moved.
from_vcluster: The number of the virtual cluster that the VDOM is being moved from.
to_vcluster: The number of the virtual cluster that the VDOM is being moved to.
vdname: The name of the virtual domain where the VDOM has been moved to.


37891
Message ID: 37891
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A VDOM was added to the specified virtual cluster.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual clusters vdom is added.
to_vcluster: The number of the virtual cluster that the VDOM was added to.
vdname: The name of the virtual domain where the new VDOM was added.

37892
Message ID: 37892
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A virtual cluster moved a member's status.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual clusters member state moved
ha_role: The role of the unit within the cluster, for example, subordinate. This field contains either slave or master. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
vcluster: The number of the virtual cluster that the VDOM was added to.
vcluster_state: The state the virtual cluster is in. This field contains any one of the following: init, helo, work, standby
vcluster_member: The number of the member of the virtual cluster.
hostname: The host name.
sn: The serial number of the log message.


37893
Message ID: 37893
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A virtual cluster's member was detected and its status was that it was not functioning.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual cluster detected memeber dead.
vcluster: The number of the virtual cluster.
ha_group: The number of the HA group.

37894
Message ID: 37894
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A virtual cluster's member was detected and its status was that it joined the virtual cluster.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual cluster detected member join
vcluster: The number of the virtual cluster.
ha_group: The number of the HA group.

37895
Message ID: 37895
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGate unit in HA mode was added to the virtual cluster. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual cluster add HA device
vcluster: The number of the virtual cluster.
devintfname: The name of the unit's interface.


37896
Message ID: 37896
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGate unit in HA mode was deleted from the virtual cluster. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Virtual cluster delete HA device(interface)
vcluster: The number of the virtual cluster.
devintfname: The name of the unit's interface.

37897
Message ID: 37897
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGate unit in HA mode is ready. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: HA device(interface) ready
ha_role: The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname: The name of the unit's interface.


37898
Message ID: 37898
Log Subtype: HA
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGate unit in HA mode failed. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: HA device(interface) fail
ha_role: The type of role the device has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname: The name of the interface of the device.

37899
Message ID: 37899
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A FortiGate unit in HA mode with peer information. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: HA device(interface) peerinfo
ha_role: The type of role the unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname: The name of the unit's interface.


37900
Message ID: 37900
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The HA heartbeat was deleted.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Heartbeat device(interface) delete
devintfname: The name of the interface on the FortiGate unit.

37901
Message ID: 37901
Log Subtype: HA
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit in HA mode is not functioning properly. The unit's name is not given, only its internal interface name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Heartbeat device(interface) down
ha_role: The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
hbdn_reason: The reason why the heartbeat is currently down. This field contains either linkfail or neighbor-info-lost.
devintfname: The name of the interface on the FortiGate unit.


37902
Message ID: 37902
Log Subtype: HA
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The HA heartbeat is up.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Heartbeat device(interface) up
ha_role: The type of role the FortiGate unit has in the HA cluster. This field contains either master or slave. Note: A FortiGate unit in a cluster has either a slave role (which is often referred to as subordinate), or master role (which is often referred to as primary). There are no other roles for the unit in a cluster.
devintfname: The name of the interface on the FortiGate unit.

37903
Message ID: 37903
Log Subtype: HA
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The primary unit's synchronization status.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: The sync status with the master
sync_type: The type of synchronization being performed. This field contains either configurations or external-files.
synt_status: The status of the synchronization. This field contains either out-of-sync or in-sync.


37904
Message ID: 37904
Log Subtype: HA
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The HA activity report

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: HA activity report
vd: The name of the virtual domain where the information for the report was gathered from.
ip: The IP address of the unit.
ha-prio: The priority number of the unit.
activity: The HA activity message.


Event-pattern
Event-pattern logs are recorded whenever an administrator updates virus, IPS, and antispam databases from the FortiGuard network.

41000 41001


41000
Message ID: 41000
Log Subtype: pattern
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  The specified administrator updated the IPS database from the web-based manager.
  The specified administrator failed to update the virus database from the web-based manager.
  The specified administrator successfully updated the AntiSpam database from the web-based manager.
  The specified administrator successfully updated the IPS database from the web-based manager.

Fields:
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field is always update.
status: This field contains either success or failure.
msg: This field contains any one of the following:
  VCM plugin has been updated successfully by user <user_name> via GUI(<ip_address>)
  Virus database has been updated successfully by user <user_name> via GUI(<ip_address>)
  Antispam database has been updated successfully by user <user_name> via GUI (<ip_address>)
  IPS database has been updated successfully by user <user_name> via GUI (<ip_address>)


41001
Message ID: 41001
Log Subtype: pattern
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Depending on what appears in the msg field, the meaning can be any one of the following:
  The specified administrator failed to update the IPS database from the web-based manager.
  The specified administrator failed to update the virus database from the web-based manager.
  The specified administrator failed to update the AntiSpam database from the web-based manager.
  The specified administrator failed to update the IPS database from the web-based manager.

Fields:
user: The name of the user creating the traffic.
ui: The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action: This field is always update.
status: This field contains either success or failure.
msg: This field contains any one of the following:
  Update VCM plugin failed by user <user_name> via GUI (<ip_address>)
  Update virus database failed by user <user_name> via GUI(<ip_address>)
  Update AntiSpam database failed by user <user_name> via GUI(<ip_address>)
  Update IPS database failed by user <user_name> via GUI(<ip_address>)


Event-RADIUS
Event-RADIUS log messages record RADIUS server events.

38656 38657 38658 38659 38660 38661 38662 38663 38664 38665 38666 38667


38656
Message ID: 38656
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS protocol error report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

38657
Message ID: 38657
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS profile error report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

38658
Message ID: 38658
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS context error report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


38659
Message ID: 38659
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS missing stop packet report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

38660
Message ID: 38660
Log Sub-type: RADIUS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS accounting event report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

38661
Message ID: 38661
Log Sub-type: RADIUS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS other dynamic profile report.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


38662
Message ID: 38662
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: RADIUS protocol errors occurred.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
acc_stat: The accounting state. This field contains any one of the following: Start, Interim-Update, Accounting-Off, Stop, Accounting-On
reason: The reason that the trigger occurred.

38663
Message ID: 38663
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS start or interim-update packet received with missing or invalid profile specified.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat: This field contains any one of the following: Start, Interim-Update, Accounting-Off, Stop, Accounting-On
reason: The reason that the trigger occurred.


38664
Message ID: 38664
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: RADIUS context not found for user.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

38665
Message ID: 38665
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS stop packet was missed.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat: The accounting state. This field contains any one of the following: Start, Interim-Update, Accounting-Off, Stop, Accounting-On
reason: The reason that the trigger occurred.


38666
Message ID: 38666
Log Sub-type: RADIUS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS account event.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat: This field contains any one of the following: Start, Interim-Update, Accounting-Off, Stop, Accounting-On
reason: The reason that the trigger occurred.

38667
Message ID: 38667
Log Sub-type: RADIUS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A RADIUS other dynamic profile event.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
ip: The IP address.
profile: The name of the profile that was used to detect and take action.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
acct_stat: This field contains any one of the following: Start, Interim-Update, Accounting-Off, Stop, Accounting-On
reason: The reason that the trigger occurred.


Event-notification
Event-notification log messages record sent email notification alerts.

38400 38401 38402


38400
Message ID: 38400
Log Subtype: Notification
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The system successfully sent an email notification message.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
from: The sender's email address.
to: The recipient's email address.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following: mm1, mm3, mm4, mm7
dst: The destination IP address.
dport: The destination port number.
nf_type: The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following: bword, carrier_ep_bwl, dupe, mms_checksum, file_block, flood, alert, virus
virus: The name of the virus that was found.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile used.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: Successfully sent a notification message.


38401
Message ID: 38401
Log Subtype: Notification
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The system failed to send an email notification message.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
from: The sender's email address.
to: The recipient's email address.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The MMS protocol used when running FortiOS Carrier. When running FortiOS, this field contains N/A. This field contains any one of the following: mm1, mm3, mm4, mm7
dst: The destination IP address.
dport: The destination port number.
nf_type: The type of notification that was sent. For example, if a file was blocked. This field contains any one of the following: bword, carrier_ep_bwl, dupe, mms_checksum, file_block, flood, alert, virus
virus: The name of the virus that was found.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile used.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured.
count: The number of times the same event was detected within a short period of time.
duration: This represents the value in seconds.
msg: Unable to send notification message.
sess_duration: The session duration number.


38402
Message ID: 38402
Log Subtype: Notification
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The system was unable to resolve an MMSC hostname.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile used.
profile_vd: The virtual domain that the profile is from.
msg: Unable to resolve hostname.


Event-amc-intf-bypass
Event-amc-intf-bypass log messages record the AMC disks bypass mode activity.

47201
Message ID: 47201
Log Sub-type: amc-intf-bypass
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: AMC card entered bypass mode.

Fields
Field: Description
msg: The AMC card in slot <slot_number> has entered bypass mode due to <reason>.

47202
Message ID: 47202
Log Sub-type: amc-intf-bypass
Severity: Emergency
Firmware version: FortiOS 4.0 MR3
Meaning: AMC card exited bypass mode.

Fields
Field: Description
msg: The AMC card in slot <slot_number> has exited bypass mode due to <reason>.


Event-GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiOS Carrier firmware. 41216 41217 41218 41219 41220 41221 41222


41216
Message ID: 41216
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: GTP forward

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field can contain any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
msg-type: The number of the message type.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
from: The source IP address.
to: The destination IP address.
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
c-gsn: The GSN IP address for signaling.
u-gsn: The GSN IP address for user traffic.
nsapi: The NSAPI number.
linked-nsapi: The linked-NSAPI number.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41217
Message ID: 41217
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: GTP deny

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field can contain any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
msg-type: The number of the message type.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
from: The source IP address.
to: The destination IP address.
deny-cause: Explains why the message is prohibited. This field contains any one of the following: packet-sanity reserved-msg reserved-ie invalid-msg-length miss-mandatory-ie non-ip-policy sgsn-no-handover invalid-seq-num apn-filter adv-policy-filter invalid-reserved-field out-state-msg out-state-ie invalid-ie-length ip-policy sgsn-not-authorized ggsn-not-authorized msg-filter imsi-filter
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
c-gsn: The IP address.
u-gsn: The IP address.
nsapi: The number of NSAPI.
linked-nsapi: The number of linked-NSAPI.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41218
Message ID: 41218
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: GTP rate limit.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field can contain any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
msg-type: The number of the message type.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
from: The source IP address.
to: The destination IP address.
imsi: The identification number of the IMSI.
msisdn: The identification number of the MSISDN.
apn: The identification number for APN.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
c-gsn: The IP address.
u-gsn: The IP address.
nsapi: The NSAPI number.
linked-nsapi: The linked-NSAPI number.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41219
Message ID: 41219
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: GTP state invalid

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field always contains state-invalid. This means the message is blocked because the FortiGate unit found no valid state. For example, a response message comes in and the FortiGate unit detects no corresponding request message.
version: The version number.
msg-type: The number of the message type.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
from: The source IP address.
to: The destination IP address.
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
c-gsn: The IP address.
u-gsn: The IP address.
nsapi: The number of NSAPI.
linked-nsapi: The number of linked-NSAPI.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41220
Message ID: 41220
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: Tunnel limit GTP message. These messages occur only when the maximum number of GTP tunnels is reached. No new tunnels are created when the maximum number is reached.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field contains any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
msg-type: The number of the message type.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
from: The source IP address.
to: The destination IP address.
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
c-gsn: The IP address.
u-gsn: The IP address.
nsapi: The number of NSAPI.
linked-nsapi: The number of linked-NSAPI.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41221
Message ID: 41221
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: Statistic summary information when the GTP tunnel is being torn down.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field contains any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
c-sgsn: The SGSN IP address for signaling.
c-ggsn: The GGSN IP address for signaling.
u-sgsn: The SGSN IP address for user traffic.
u-ggsn: The GGSN IP address for user traffic.
c-sgsn-teid: The identification number.
c-ggsn-teid: The identification number.
u-sgsn-teid: The identification number.
u-ggsn-teid: The identification number.
tunnel-idx: The tunnel's identity index number.
duration: The duration of the GTP tunnel's existence. The duration is in seconds.
c-pkts: The number of GTP-c packets.
c-bytes: The number of bytes for GTP-c signaling traffic.
u-pkts: The number of GTP-u packets.
u-bytes: The number of bytes for GTP-u user traffic.
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
selection: This field contains any one of the following: apns-vrf net-apn-no-vrf ms-apn-no-vrf
nsapi: The NSAPI information.
linked-nsapi: The linked-NSAPI information.
imei-sv: The IMEI-SV information.
rat-type: This field contains any one of the following: utran geran wlan gan hspa
rai: The RAI information.
uli: The ULI information.
end-user-address: The end user's IP address.


41222
Message ID: 41222
Log Subtype: GTP
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: GTP user data

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
profile: The name of the VoIP profile that was used to detect and take action.
status: This field contains any one of the following: forwarded rate-limited tunnel-limited user-data prohibited state-invalid traffic-count
version: The version number.
tunnel-idx: The tunnel's identity index number.
from: The source IP address.
to: The destination IP address.
end-user-address: The end user's IP address.
imsi: The IMSI information.
msisdn: The MSISDN information.
apn: The APN information.
user_data: The actual user traffic content, represented in hexadecimal form.


Event-MMS-Stats
Event-MMS log messages record MMS activity. These log messages are recorded only when running FortiOS Carrier firmware.

43264
Message ID: 43264
Log Sub-type: MMS
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: MMS statistics.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
proto: The MMS protocol that was used. This field can be any one of the following: mm1 mm3 mm4 mm7
infected: The number of infected messages.
suspicious: The number of suspicious messages.
scanned: The number of scanned messages.
intercepted: The number of intercepted messages.
blocked: The number of blocked messages.
checksum: The number of content checksum blocked messages.
duration: The duration of the interval this counts over.


Event-VoIP
Event-VoIP log messages record VoIP activities that include the SIP and SCCP protocols. 44032 44033 44034 44035 44036 44037 44038


44032
Message ID: 44032
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A SIP log.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
src_port: The source port number.
dst: The destination IP address.
dst_port: The destination port number.
proto: The transport protocol number.
src_int: The source interface.
dst_int: The destination interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the SIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type: The type of profile used.
voip_proto: The VoIP application protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
duration: This represents the value in seconds.
dir: The direction of the traffic. This field contains either inbound or outbound.
from: The source name.
to: The destination name.


44033
Message ID: 44033
Log Subtype: VoIP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: SIP was blocked.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
src_port: The source port number.
dst: The destination IP address.
dst_port: The destination port number.
proto: The transport protocol number.
src_int: The source interface.
dst_int: The destination interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the SIP activity.
profile_group: The name of the profile group. This is for FortiOS Carrier only.
profile_type: The type of profile that was used.
voip_proto: The VoIP application protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
reason: This field contains any one of the following: rate-limit long-header unknown phone new-register exceed-rate dialog-limit unrecognized-form block-request session-close invalid-ip
duration: This represents the value in seconds.
dir: The direction of the traffic. This field contains either inbound or outbound.
message_type: The type of message. This field contains either request or response.
request_name: The name of the request.
count: The number of times the same event was detected within a short period of time.
from: The source name.
to: The destination name.


44034
Message ID: 44034
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SIP fuzzing occurred.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's identification serial number.
src: The source IP address.
src_port: The source port number.
dst: The destination IP address.
dst_port: The destination port number.
proto: The transport protocol number.
src_int: The source interface.
dst_int: The destination interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the SIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type: The type of profile used.
voip_proto: The VoIP application protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
duration: This represents the value in seconds.
dir: The direction of the traffic. This field contains either inbound or outbound.
message_type: The type of message. This field contains either request or response.
request_name: The request name.
malform_desc: The description of the syntax error. This field contains any one of the following: unexpected-character trailing-bytes msg-body-oversize domain-name-oversize syntax-malformed space-violation invalid-ipv6-address invalid-fqdn empty-quoted-string invalid-escape-encodingin<userinfor> invalid-escape-encoding-in-uriheader port-expected domain-name-invalid invalid-<gen-value> ipv4-address-expected uri-expected invalid-user-uri-parameter invalid-ttl-uri-parameter invalid-uri-parameter-value invalid-uri-header-name invalid-uri-header-name-valuepair invalid-status-code uri-parameters-not-allowed-byRFC whitespace-expected invalid-<SIP-Version>-onrequest-line invalid-<protocol-version> no-SLASH-after-<protocolname> header-parameter-expected invalid-madddr-parameter invalid-branch-parameter via-parameter-repeat <method>-expected <response-num>-expected <Method>-expected-after<CSeq-num> invalid-quoting-character header-line-oversize domain-name-oversize domain-label-oversize duplicated-sip-header invalid-ip4-address invalid-port no-matching-double-quote invalid<userinfo> invalid-escape-encoding-in-uriparamter invalid-escape-encoding-in<reasonphrase> port-not-allowed <gen-value>-expected invalid-<quoted-string>-in-<gen-value> ipv6-address-expected invalid-transport-uri-parameter invalid-method-uri-parameter invalid-uri-parameter-pname uri-parameter-repeat invalid-uri-header-value invalid-quoted-string-in-display-name left-angle-bracket-is-mandatory right-angle-bracket-not-found no-METHOD-on-request-line unknown-scheme LWS-expected invalid-<protocol-name> invalid-<transport> no-SLASH-after-<protocol-version> invalid-ttl-parameter invalid-received-parameter invalid-rport-parameter <seq>-number-expected <method>-does-not-match-therequest-line <CSeq-num>-expected expires-header-repeated <delta-seconds>expected token-expected invalid-q-parameter <m-type>-expected <m-subtype>expected boundary-parameter-appearsmore-than-once invalid-<quoted-string>-in-<mvalue> invalid-max-forwards invalid-expires-parameter <generic-param>-with-invalid<genvalue> SLASH-expected-after-<m-type> <m-attribute>-expected-after-SEMI EQUAL-expected-after-<m-attribute> invalid-<m-value> multipart-Content-Type-has-no-boundary digits-expected IN-expected IP4-or-IP6-expected line-order-error <time>-expected r-line-not-allowed-on-medialevel <bwtype>-expected <bandwidth>-expected invalid-<start-time> too-many-i-lines too-many-c-lines v-line-not-allowed-on-medialevel o-line-not-allowed-on-medialevel <sess-id>-expected too-many-s-lines too-many-m-lines <integer>-expected <token>-expected-in-<proto>after-slash <att-field>-expected <payload-type>-expected-inrtpmap slash-expected-after<encoding-name>-in-rtpmap invalid-<encodingparameters>-in-rtpmap sdp-candidate-line-before-mline invalid-port-after-ip-address-incandidate-line sdp-invalid-alt-line invalid-port-after-ip-address-inalt-line invalid-port-in-rtcp-lines IP-expected IPv4-or-IPv6-address-expected z-line-not-allowed-on-media-level <typed-time>-expected <repeat-interval>-expected colon-expected t-liine-not-allowed-on-media-level invalid<stop-time> <text>-expected too-many-v-line too-many-o-lines <username>-expected <sess-version>-expected s-line-not-allowed-on-media-level <media>-expected <proto>-expected <fmt>-expected <att-value>-expected <encoding-name>-expected-in-rtpmap invalid-<clock-rate>-in-rtpmap invalid-candidate-line sip-Yahoo-candidate-invalid-protocol too-many-candidate-lines sdp-alt-line-before-m-line sdp-rtcp-line-before-m-line too-many-rtcp-lines <callid>-expected invalid-tag-parameter end-of-line-error missing-mandatory-field <word>-expected no-tag-parameter sip-udp-message-truncated sdp-v-o-s-t-lines-are-mandatory unknown-header
madlform_data: The number of the malform data.
line: The line information.
column: The column number.


44035
Message ID: 44035
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SCCP registration

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
proto: The transport protocol number.
src_int: The source interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the SIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type: The type of profile used.
voip_proto: The VoIP protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
phone: The phone information.


44036
Message ID: 44036
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SCCP unregister

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
proto: The transport protocol number.
src_int: The source interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the VoIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type: The type of profile used.
voip_proto: The VoIP protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
reason: This field contains any one of the following: rate-limit dialog-limit long-header unrecognized-form unknown exceed-rate block-request phone session-close new-register invalid-ip
phone: The phone information.


44037
Message ID: 44037
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SCCP call block

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
proto: The transport protocol number.
src_int: The source interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the VoIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type: The type of profile used.
voip_proto: The VoIP protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
reason: This field contains any one of the following: rate-limit dialog-limit long-header unrecognized-form unknown exceed-rate block-request phone session-close new-register invalid-ip
phone: The phone information.


44038
Message ID: 44038
Log Subtype: VoIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: SCCP call info

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
session_id: The session identification number.
epoch: The user session identification number.
event_id: The event's serial identification number.
src: The source IP address.
src_port: The source port number.
dst: The destination IP address.
dst_port: The destination port number.
proto: The transport protocol number.
src_int: The source interface.
dst_int: The destination interface.
policy_id: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
endpoint: The endpoint information.
profile: The name of the VoIP profile that was used to detect the VoIP activity.
profile_group: The group that the profile is part of. This field contains N/A if there is no profile group configured.
profile_type: The type of profile used.
voip_proto: The VoIP protocol that was detected. This field contains either sip or sccp.
kind: This field contains any one of the following: register unregister call call-info call-block
action: This field contains any one of the following: permit block monitor kickout encrypt-kickout cm-reject exempt ban ban-user log-only
status: This field contains any one of the following: start end timeout blocked succeeded failed authentication-required
duration: This represents the value in seconds.
phone: The phone information.


Data Leak Prevention


Data Leak Protection (DLP) log messages are log messages that record data leaks. These logs provide additional information to help administrators better analyze and detect data leaks. In FortiOS 4.0 MR3 and higher, DLP log messages are located in the UTM log file. These log messages are also viewed in the web-based manager from Log&Report > Log & Archive Access > UTM. 24576 24577 24578 24579


24576
Message ID: 24576
Log Subtype: DLP
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A data leak was detected by a specified DLP sensor rule.

Fields
Field: Description
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains one of the following: http https smtp pop3 imap ftp mm1 mm3 mm4 mm7 nntp im smtps pop3s imaps ftp (ftp-over-http)
status: The action the FortiGate unit took. This field contains any of the following: detected success blocked error
filefilter: The type of file filter. This field contains any one of the following: none file type file pattern
filetype: The type of file, for example, a zip file. This field contains any one of the following: arj tzh tar bzip bzip2 msc mime binhex elf hta jad cod msoffice upx aspack sis activemime gif png ignored N/A cab rar zip gzip bat uue base64 com exe html class javascript fsg petite prc hlp jpeg tiff bmp unknown
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
hostname: The home page of the web site. For example, www.example.com
url: The URL address of the web page that the user was viewing.
from: The sender's email address.
to: The receiver's email address.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
rulename: The name of the DLP rule within the DLP sensor.
compoundname: The name of the compound rule used.
filtername: The name of the filter.
file: The file information.
action: The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains any one of the following: log-only block exempt ban ban sender quarantine ip quarantine interface
severity: The level of severity for that specific rule.


24577
Message ID: 24577
Log Subtype: DLP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A data leak was detected by a specified DLP sensor rule.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains one of the following: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps, ftp (ftp-over-http)
status: The action the FortiGate unit took. This field contains any one of the following: detected, success, blocked, error
filefilter: The type of file filter. This field contains any one of the following: none, file type, file pattern
filetype: The type of file, for example, a zip file. This field contains any one of the following: arj, tzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
hostname: The home page of the web site. For example, www.example.com.
url: The URL address of the web page that the user was viewing.
from: This field contains N/A.
to: This field contains N/A.
msg: data leak detected(Data Leak Prevention Rule matched)
rulename: The name of the DLP rule that was used.
compoundname: The name of the compound rule used.
filtername: The name of the filter.
file: The file information.
action: The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field contains one of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface
severity: The level of severity for that specific rule.


24578
Message ID: 24578
Log Subtype: DLP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A DLP fingerprint document source notice.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
status: The action the FortiGate unit took. This field contains any one of the following: detected, success, blocked, error
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
sensitivity: The document source.
docsource: The document source.
errorstr: The error information, if there was an error in scanning the document source.

24579
Message ID: 24579
Log Subtype: DLP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A DLP fingerprint document source error.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
status: The action the FortiGate unit took. This field contains any one of the following: detected, success, blocked, error
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
sensitivity: The document source.
docsource: The document source.
errorstr: The error information, if there was an error in scanning the document source.
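The fields documented for messages 24576 and 24577 are enough to triage DLP hits by user and source. The following is an added example, not part of the Fortinet reference: it assumes records arrive as space-separated key=value pairs with the message ID in a log_id key (an assumed layout, as are the constructed sample records), and it treats status=detected as a rule match that was not blocked.

```python
import shlex
from collections import defaultdict

# Message IDs and enumerations taken from the field tables for 24576/24577.
DLP_IDS = {"24576", "24577"}
STATUS = {"detected", "success", "blocked", "error"}
ACTION = {"log-only", "block", "exempt", "ban", "ban sender",
          "quarantine ip", "quarantine interface"}

# Constructed sample records (not real logs). ASSUMPTION: key=value layout,
# double quotes around values containing spaces, message ID in "log_id".
SAMPLE = """\
log_id=24576 vd=root policyid=3 serial=1001 user=alice src=10.0.0.5 dst=203.0.113.10 service=smtp status=detected rulename="card-numbers" sent=48211 rcvd=512 action=log-only
log_id=24577 vd=root policyid=3 serial=1002 user=alice src=10.0.0.5 dst=203.0.113.10 service=https status=detected rulename="card-numbers" sent=1200 rcvd=300 action=log-only
log_id=24576 vd=root policyid=7 serial=1003 user=bob src=10.0.0.9 dst=198.51.100.4 service=ftp status=blocked rulename="source-code" sent=0 rcvd=0 action=block
log_id=24576 vd=root policyid=7 serial=1004 user=bob src=10.0.0.9 dst=198.51.100.4 service=http status=error rulename="source-code" sent=900 rcvd=100 action="ban sender"
log_id=28672 vd=root user=carol kind=chat action=pass
log_id=24576 vd=root policyid=3 serial=1005 user=dave src=10.0.0.12 dst=203.0.113.10 service=smtp status=dropped rulename="card-numbers" sent=10 rcvd=10 action=log-only
"""


def parse_record(line):
    """Split one key=value record into a dict; returns {} if quoting is broken."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # e.g. an unterminated quoted value
        return {}
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def triage(lines):
    """Return (unblocked, errors, unknown) for DLP messages 24576 and 24577.

    unblocked: {(user, src): {"events", "sent", "rules"}} for status=detected
    errors:    session serials where the status field reports error
    unknown:   session serials whose status/action is outside the documented
               values, which usually means the parser and the log disagree
    """
    unblocked = defaultdict(lambda: {"events": 0, "sent": 0, "rules": set()})
    errors, unknown = [], []
    for line in lines:
        rec = parse_record(line)
        if rec.get("log_id") not in DLP_IDS:
            continue
        status, action = rec.get("status"), rec.get("action")
        if status not in STATUS or action not in ACTION:
            unknown.append(rec.get("serial"))
            continue
        if status == "error":
            errors.append(rec.get("serial"))
        elif status == "detected":
            entry = unblocked[(rec.get("user", "N/A"), rec.get("src", "N/A"))]
            sent = rec.get("sent", "0")
            entry["events"] += 1
            entry["sent"] += int(sent) if sent.isdigit() else 0
            entry["rules"].add(rec.get("rulename", ""))
    return dict(unblocked), errors, unknown


if __name__ == "__main__":
    unblocked, errors, unknown = triage(SAMPLE.splitlines())
    for (user, src), info in sorted(unblocked.items()):
        print(user, src, info["events"], "events,", info["sent"], "bytes sent,",
              "rules:", ", ".join(sorted(info["rules"])))
    print("scan errors (serial):", errors)
    print("records with undocumented values (serial):", unknown)
```
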


Application Control
Application Control log messages are log messages that record application control protocols and events. In FortiOS 4.0 MR3 and higher, application control log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

Message IDs in this section: 28672, 28673, 28674, 28675, 28676, 28677, 28678, 28688, 28689, 28690, 28704, 28705


28672
Message ID: 28672
Log Subtype: app-crtl-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM-basic log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject


28673
Message ID: 28673
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
status: This field can be any one of the following: request, accept, download, start, timeout, succeeded, authentication-required, block, cancel, fail, stop, end, blocked, failed, pass


28674
Message ID: 28674
Log Subtype: app-crtl-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (chat message count) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.


28675
Message ID: 28675
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (file) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
status: This field can be any one of the following: request, accept, download, start, timeout, succeeded, authentication-required, block, cancel, fail, stop, end, blocked, failed, pass
filename: The name of the file.
filesize: The size of the file.
message: The log information. This is usually a sentence and explains the activity and/or action taken.


28676
Message ID: 28676
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (chat) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app: The type of application that triggered the action within the control list.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.
content: The content information.


28677
Message ID: 28677
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (chat blocked) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.
reason: This field contains any one of the following: meter-overload-drop, rate-limit, long-header, unknown, invalid-ip, meter-overload-refuse, dialog-limit, unrecognized-form, block-request, exceed-rate
req: The request information.


28678
Message ID: 28678
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (blocked) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject


28688
Message ID: 28688
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (VoIP basic) log message.

Fields (Field: Description)

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.

400

Application Control

identidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy. The serial number of the firewall session on which the event happend. The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all. The type of application that triggered the action within the control list. The name of the application that triggered the action within the control list. For example, SSL. The action that was taken by the application control engine. This field can be any one of the following: pass monitor encrypt-kickout block kickout reject cancel fail stop end blocked failed pass

serial app_list app_type app action

status

This field can be any one of the following: request accept download start timeout succeeded authentication-required block


28689

Message ID: 28689
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (SCCP call blocked) log message.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
status: This field can be any one of the following: request, accept, download, start, timeout, succeeded, authentication-required, block, cancel, fail, stop, end, blocked, failed, pass
phone: The phone information.
reason: This field contains any one of the following: meter-overload-drop, rate-limit, long-header, unknown, invalid-ip, meter-overload-refuse, dialog-limit, unrecognized-form, block-request, exceed-rate


28690

Message ID: 28690
Log Subtype: app-crtl-all
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (SIP block) log message.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind: This field can be any one of the following: login, file, audio, regist, call-block, response, chat, photo, call, unregister, request, video
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
dir: This field can be any one of the following: incoming, N/A, outgoing
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.
reason: This field contains any one of the following: meter-overload-drop, rate-limit, long-header, unknown, invalid-ip, meter-overload-refuse, dialog-limit, unrecognized-form, block-request, exceed-rate
req: The request information.


28704

Message ID: 28704
Log Subtype: app-crtl-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (IPS) log message (pass).

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
attack_id: The identification number of the IM (IPS) log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


28705

Message ID: 28705
Log Subtype: app-crtl-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An application control IM (IPS) log message (pass).

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
attack_id: The identification number of the IM (IPS) log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
src_port: The source port number.
src_int: The source interface name. For example, internal.
dst: The destination IP address.
dst_port: The destination port number.
dst_int: The destination interface name. For example, wan1.
src_name: The source name. This can be a name or an IP address.
dst_name: The destination name. This can be a name or an IP address.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
app_list: The name of the application control list that was used to detect and take action. For example, the default application control list, monitor-all.
app_type: The type of application that triggered the action within the control list.
app: The name of the application that triggered the action within the control list. For example, SSL.
action: The action that was taken by the application control engine. This field can be any one of the following: pass, monitor, encrypt-kickout, block, kickout, reject
count: The number of times the same event was detected within a short period of time.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


Antivirus
Antivirus log messages record actual viruses that are contained in an email, as well as anything that appears to be similar to a virus or suspicious, such as in a file or in an email. In FortiOS 4.0 MR3 and higher, antivirus log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

8192 8193 8194 8195 8196 8197 8198 8199 8448 8449 8450 8451 8452 8453 8454 8455 8456

8704 8704 8705 8706 8707 8960 8961 8962 8963 8964 8965 8966 8967 8968 8969 8970 8971

8972 8973


8192

Message ID: 8192
Log Subtype: Infected
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An infected file was detected by the FortiGate unit and blocked.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: File is infected
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http)
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for HTTP GET file pattern block
    File was not quarantined.
    No quarantine for oversized files.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.


8193

Message ID: 8193
Log Subtype: Infected
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An infected file was detected by the FortiGate unit and it passed.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: File is infected
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http)
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for HTTP GET file pattern block
    File was not quarantined.
    No quarantine for oversized files.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.


8194

Message ID: 8194
Log Subtype: Infected
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A MIME header was detected to have a virus and was blocked.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: File is infected
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http)
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for HTTP GET file pattern block
    File was not quarantined.
    No quarantine for oversized files.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
from: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
to: The sender's email address.


8195

Message ID: 8195
Log Subtype: Infected
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A MIME header is infected and passed.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: File is infected
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http)
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for HTTP GET file pattern block
    File was not quarantined.
    No quarantine for oversized files.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
from: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
to: The sender's email address.


8196

Message ID: 8196
Log Subtype: Infected
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit detected a computer worm and blocked it.

Fields

vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: Worm detected.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http)
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
virus: The name of the virus that was detected.
dtype: The dtype information.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

421

Antivirus

8197
Message ID: 8197
Log Subtype: Infected
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit detected a computer worm and monitored it.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Worm deteceted.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
virus: The name of the virus that was detected.
dtype: The dtype information.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

8198
Message ID: 8198
Log Subtype: Infected
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit detected a computer worm (MIME) and blocked it.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Worm detected.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
virus: The name of the virus that was detected.
dtype: The dtype information.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.

8199
Message ID: 8199
Log Subtype: Infected
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit detected a computer worm (MIME) and monitored it.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Worm detected.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
virus: The name of the virus that was detected.
dtype: The dtype information.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
from: The sender's email address.
to: The recipient's email address.

8457
Message ID: 8457
Log Subtype: Infected
Severity: Warning
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: An MMS content checksum blocked an infected file.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Blocked by MMS content checksum
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file: The name of the file.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.

8458
Message ID: 8458
Log Subtype: Infected
Severity: Notification
Firmware version: FortiOS Carrier 4.0 MR3
Meaning: An MMS content checksum was matched.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Matched by MMS content checksum.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file: The name of the file.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.
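Added example (not part of the Fortinet reference): a Python triage pass over antivirus log records that uses the message IDs, the status field and the checksum semantics documented in the entries above. It assumes records are exported as space-separated key=value pairs and that the message ID is carried in a field named msg_id; the export format and that field name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Message ID -> (severity, meaning), taken from the entries above.
AV_MESSAGES = {
    8196: ("Warning", "computer worm detected and blocked"),
    8197: ("Notification", "computer worm detected and monitored"),
    8198: ("Warning", "computer worm (MIME) detected and blocked"),
    8199: ("Notification", "computer worm (MIME) detected and monitored"),
    8457: ("Warning", "MMS content checksum blocked an infected file"),
    8458: ("Notification", "MMS content checksum was matched"),
}

# key=value pairs; a value is either double-quoted or runs to the next space.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Return the fields of one record as a dict (quotes stripped)."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def triage(lines):
    """Split records into detections that were not blocked and reused content.

    unblocked   - records whose status is anything other than "blocked"
                  (a missing status is reported too, so gaps are not hidden)
    renamed     - checksum -> file names, where one checksum was seen under
                  several names (the unit treats these as the same content)
    unknown_ids - message IDs not described in AV_MESSAGES
    """
    unblocked = []
    names_by_checksum = defaultdict(set)
    unknown_ids = set()

    for line in lines:
        rec = parse_line(line)
        try:
            msg_id = int(rec.get("msg_id", ""))  # msg_id: assumed field name
        except ValueError:
            continue  # no usable message ID on this line
        if msg_id not in AV_MESSAGES:
            unknown_ids.add(msg_id)
            continue

        severity, meaning = AV_MESSAGES[msg_id]
        if rec.get("status") != "blocked":
            unblocked.append({
                "msg_id": msg_id,
                "severity": severity,
                "meaning": meaning,
                "status": rec.get("status"),
                "src": rec.get("src"),
                "dst": rec.get("dst"),
                "virus": rec.get("virus"),
            })

        # The reference uses N/A for fields that do not apply.
        checksum = rec.get("checksum", "N/A")
        if checksum != "N/A" and rec.get("file"):
            names_by_checksum[checksum].add(rec["file"])

    renamed = {c: sorted(n) for c, n in names_by_checksum.items() if len(n) > 1}
    return {
        "unblocked": unblocked,
        "renamed": renamed,
        "unknown_ids": sorted(unknown_ids),
    }


# Constructed sample records (documentation address ranges, made-up names).
SAMPLE_LINES = [
    'msg_id=8196 vd=root msg="Worm detected." status=blocked service=http '
    'src=192.0.2.10 dst=198.51.100.5 virus="CONSTRUCTED/Worm.A" '
    'url="http://example.test/a.exe?x=1"',
    'msg_id=8197 vd=root status=monitored service=smtp '
    'src=192.0.2.11 dst=198.51.100.6 virus="CONSTRUCTED/Worm.A"',
    'msg_id=8457 vd=root msg="Blocked by MMS content checksum" status=blocked '
    'service=mm1 file="photo.jpg" checksum=0a1b2c3d',
    'msg_id=8458 vd=root status=monitored service=mm1 '
    'file="holiday.jpg" checksum=0a1b2c3d',
    'msg_id=9999 vd=root msg="not described here"',
    'line without a message id',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for hit in result["unblocked"]:
        print("follow up:", hit)
    print("same content, different names:", result["renamed"])
    print("unrecognised message IDs:", result["unknown_ids"])
```

Records with a status other than blocked are the ones to review first, because the unit logged the detection without stopping the transfer.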

8448
Message ID: 8448
Log Subtype: Filename
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit blocked a file because it contains a virus.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: File is blocked
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.
filefilter: This field contains any one of the following: none, file type, file pattern.
filetype: This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for oversized files
    No quarantine for HTTP GET file pattern block.
    File was not quarantined.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.

8449
Message ID: 8449
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit blocked a file because it contains a virus.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: File is blocked
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.
filefilter: This field contains any one of the following: none, file type, file pattern.
filetype: This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for HTTP GET file pattern block.
    No quarantine for oversized files
    File was not quarantined.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.

8450
Message ID: 8450
Log Subtype: Filename
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit blocked a file because it contains a virus (MIME).

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: File is blocked.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
filefilter: This field contains any one of the following: none, file type, file pattern.
filetype: This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for oversized files
    No quarantine for HTTP GET file pattern block.
    File was not quarantined.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
from: The sender's email address.
to: The recipient's email address.

8451
Message ID: 8451
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit blocked a file because it contains a virus (MIME).

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: File is blocked.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
filefilter: This field contains any one of the following: none, file type, file pattern.
filetype: This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for oversized files
    No quarantine for HTTP GET file pattern block.
    File was not quarantined.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
from: The sender's email address.
to: The recipient's email address.

8452
Message ID: 8452
Log Subtype: Filename
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit blocked a virus command.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Command blocked.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
url: The URL address of where the file was acquired.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
command: The command information.

8453
Message ID: 8453
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit intercepted a file containing a virus.

Fields (Field: Description)

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: The file is intercepted.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.
filefilter: This field contains any one of the following: none, file type, file pattern.
filetype: This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown.
file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following:
    No skip
    No quarantine for oversized files
    No quarantine for HTTP GET file pattern block.
    File was not quarantined.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.

8454

Message ID: 8454
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGate unit intercepted a file (MIME).

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | The file is intercepted. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| filefilter | This field contains any one of the following: none, file type, file pattern. |
| filetype | This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown. |
| file | The name of the file. |
| checksum | The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content. |
| quarskip | This field contains any one of the following: No skip; No quarantine for oversized files; No quarantine for HTTP GET file pattern block; File was not quarantined. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| from | The sender's email address. |
| to | The recipient's email address. |

8455

Message ID: 8455
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A file was exempted.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | File has been exempted. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| dir | This field contains any one of the following: N/A, rx, tx. |
| filefilter | This field contains any one of the following: none, file type, file pattern. |
| filetype | This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| agent | This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A. |
| from | The sender's email address. |
| to | The recipient's email address. |

8456

Message ID: 8456
Log Subtype: Filename
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A file was exempted.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | File has been exempted. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| filefilter | This field contains any one of the following: none, file type, file pattern. |
| filetype | This field contains any one of the following: arj, lzh, tar, bzip, bzip2, msc, mime, binhex, elf, hta, jad, cod, msoffice, upx, aspack, sis, activemime, gif, png, ignored, N/A, cab, rar, zip, gzip, bat, uue, base64, com, exe, html, class, javascript, fsg, petite, prc, hlp, jpeg, tiff, bmp, unknown. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| from | The sender's email address. |
| to | The recipient's email address. |

8704

Message ID: 8704
Log Subtype: Oversize
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The defined file size limit was exceeded.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | Size limit is exceeded. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| from | The sender's email address. |
| to | The recipient's email address. |
| agent | This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A. |

8705

Message ID: 8705
Log Subtype: Oversize
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The file size limit was exceeded.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | Size limit is exceeded. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| from | The sender's email address. |
| to | The recipient's email address. |
| agent | This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A. |

8706

Message ID: 8706
Log Subtype: Oversize
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The file (MIME) size exceeded the defined size limit.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | Size limit is exceeded. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| from | The sender's email address. |
| to | The recipient's email address. |

8707

Message ID: 8707
Log Subtype: Oversize
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The file (MIME) size exceeded the defined size limit.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | Size limit is exceeded. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| file | The name of the file. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| from | The sender's email address. |
| to | The recipient's email address. |

8960

Message ID: 8960
Log Subtype: Scanerror
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The file reached the uncompressed nested limit.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | File reached uncompressed nested limit. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| dir | This field contains any one of the following: N/A, rx, tx. |
| file | The name of the file. |
| checksum | The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content. |
| quarskip | This field contains any one of the following: No skip; No quarantine for oversized files; No quarantine for HTTP GET file pattern block; File was not quarantined. |
| virus | The name of the virus that was detected. |
| dtype | The dtype information. |
| ref | The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| agent | This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A. |
| from | The sender's email address. |
| to | The recipient's email address. |

8961

Message ID: 8961
Log Subtype: Scanerror
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The file reached the uncompressed size limit.

Fields

| Field | Description |
|---|---|
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| msg | File reached uncompressed size limit. |
| status | The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough. |
| service | The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, im, https, imaps, smtp, imap, mm1, mm4, nntp, smtps, pop3s, http (ftp-over-http). |
| src | The source IP address. |
| dst | The destination IP address. |
| sport | The source port number. |
| src_port | The source port number. |
| dport | The destination port number. |
| dst_port | The destination port number. |
| src_int | The source interface. For example, internal. |
| dst_int | The destination interface. For example, wan1. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| custom | The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| serial | The serial number of the firewall session on which the event happened. |
| dir | This field contains any one of the following: N/A, rx, tx. |
| file | The name of the file. |
| checksum | The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content. |
| quarskip | This field contains any one of the following: No skip; No quarantine for oversized files; No quarantine for HTTP GET file pattern block; File was not quarantined. |
| virus | The name of the virus that was detected. |
| dtype | The dtype information. |
| ref | The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus. |
| url | The URL address from which the file was acquired. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| agent | This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A. |
| from | The sender's email address. |
| to | The recipient's email address. |

8962
Message ID Log Subtype Severity Firmware version Meaning Fields vd msg status 8962 Scanerror Notification FortiOS 4.0 MR3 The archived file is encrypted. Field Description The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root. Encrypted archive. The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked monitored service The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http pop3 ftp mm3 mm7 nntp smtps pop3s src dst sport src_port dport dst_port src_int dst_int policyid smtp imap mm1 mm4 im https imaps http (ftp-over-http) passthrough

The source IP address. The destination IP address. The source port number. The source port number. The destination port number. The destination port number. The source interface. For example, internal. The destination interface. For example, wan1. The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq. The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy. The serial number of the firewall session on which the event happend. This field contains any one of the following: N/A rx tx

custom identidx

serial dir

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

465

Antivirus

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8963
Message ID        8963
Log Subtype       Scanerror
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The archived file is encrypted.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Encrypted archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8964
Message ID        8964
Log Subtype       Scanerror
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           The archived file is corrupted.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Corrupted archive
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8965
Message ID        8962
Log Subtype       Scanerror
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The archived file is corrupted.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Corrupted archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8966
Message ID        8966
Log Subtype       Scanerror
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           The file is a multipart archive or contains multiple files within the archive.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Multipart archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.

dir           This field contains any one of the following: N/A, rx, tx
file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8967
Message ID        8967
Log Subtype       Scanerror
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The file is a multipart archive or contains multiple files within the archive.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Encrypted archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.

dir           This field contains any one of the following: N/A, rx, tx
file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8968
Message ID        8968
Log Subtype       Scanerror
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           The file is a nested archived file.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Nested archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8969
Message ID        8969
Log Subtype       Scanerror
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The file is a nested archived file.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Nested archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8970
Message ID        8970
Log Subtype       Scanerror
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           The archived file is oversized.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Oversize archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx

file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8971
Message ID        8971
Log Subtype       Scanerror
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The archived file is oversized.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Nested archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.

dir           This field contains any one of the following: N/A, rx, tx
file          The name of the file.
checksum      The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip      This field contains any one of the following: No skip; No quarantine for oversized files; No quaratine for HTTP GET file pattern block; File was not quarantined.
virus         The name of the virus that was detected.
dtype         The dtype information.
ref           The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to that specific page that contains information about the virus.
url           The URL address of where the file was acquired.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile       The name of the profile that was used to detect and take action.
profiletype   The type of profile that was used, for example, Antivirus_Profile.
profilegroup  The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
agent         This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from          The sender's email address.
to            The recipient's email address.

8972
Message ID        8969
Log Subtype       Scanerror
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           A type of unhandled archived file.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg           Unhandled archive.
status        The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough
service       The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http)
src           The source IP address.
dst           The destination IP address.
sport         The source port number.
src_port      The source port number.
dport         The destination port number.
dst_port      The destination port number.
src_int       The source interface. For example, internal.
dst_int       The destination interface. For example, wan1.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The serial number of the firewall session on which the event happened.
dir           This field contains any one of the following: N/A, rx, tx


file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following: No skip; No quarantine for oversized files; No quarantine for HTTP GET file pattern block; File was not quarantined.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.


8973
Message ID: 8973
Log Subtype: Scanerror
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A type of unhandled archived file.

Fields (field: description):
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
msg: Unhandled archive.
status: The decision of the antivirus engine on how to treat the file. This field contains any one of the following: blocked, monitored, passthrough.
service: The type of protocol that was used to send and receive the traffic. This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps, http (ftp-over-http).
src: The source IP address.
dst: The destination IP address.
sport: The source port number.
src_port: The source port number.
dport: The destination port number.
dst_port: The destination port number.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
dir: This field contains any one of the following: N/A, rx, tx.


file: The name of the file.
checksum: The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip: This field contains any one of the following: No skip; No quarantine for oversized files; No quarantine for HTTP GET file pattern block; File was not quarantined.
virus: The name of the virus that was detected.
dtype: The dtype information.
ref: The URL reference that gives more information about the virus. If you enter the URL in the address bar of the web browser, you are directed to the specific page that contains information about the virus.
url: The URL address of where the file was acquired.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's email address.
to: The recipient's email address.


Attack
Attack log messages are recorded when attacks are made against your network. These log messages provide details about the attack, such as the severity level of the attack and a reference URL link to find more information about the specified attack in the Fortinet Attack Encyclopedia. In FortiOS 4.0 MR3 and higher, attack log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

16384 16385 16386 18432 18433 18434


16384
Message ID: 16384
Log Subtype: Signature
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack signature using UDP/TCP.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
src_port: The source port number. This number is either a TCP or UDP port number.
dst_port: The destination port number. This number is either a TCP or UDP port number.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
incident_serialno: The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


16385
Message ID: 16385
Log Subtype: Signature
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack signature using ICMP.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
icmp_id: The ICMP source port number.
icmp_type: The ICMP destination port number.
icmp_code: The ICMP destination port number.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
incident_serialno: The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


16386
Message ID: 16386
Log Subtype: Signature
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack signature using others.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
incident_serialno: The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


18432
Message ID: 18432
Log Subtype: Anomaly
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack anomaly using UDP/TCP.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
src_port: The source port number. This number is either a TCP or UDP port number.
dst_port: The destination port number. This number is either a TCP or UDP port number.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


18433
Message ID: 18433
Log Subtype: Anomaly
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack anomaly using ICMP.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
icmp_id: The ICMP source port number.
icmp_type: The ICMP destination port number.
icmp_code: The ICMP destination port number.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
incident_serialno: The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


18434
Message ID: 18434
Log Subtype: Anomaly
Severity: Alert
Firmware version: FortiOS 4.0 MR3
Meaning: An attack anomaly using others.

Fields (field: description):
severity: The specified severity level of the attack. This field contains any one of the following: info, low, medium, high, critical.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
src: The source IP address.
dst: The destination IP address.
src_int: The source interface. For example, internal.
dst_int: The destination interface. For example, wan1.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
serial: The serial number of the firewall session on which the event happened.
status: The type of action the FortiGate unit took, for example, detecting the attack. This field contains any one of the following: detected, dropped, reset.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service: The service where the event or activity occurred. For example, 139/tcp.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
count: The number of times that the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.


attack_name: The name of the attack.
attack_id: The identification number of the attack log message.
sensor: The name of the DLP sensor that was used to detect and take action.
ref: The reference URL where you can find out more information about the attack. This URL takes you directly to Fortinet's FortiGuard Center Encyclopedia.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
incident_serialno: The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
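
The Attack fields described above can drive a first-pass triage: the sketch below, an added example that is not part of the Fortinet reference, groups records by src and attack_id, sums count, and surfaces groups where a high-severity event was only detected rather than dropped or reset. The key=value line layout, the msg_id key, the severity ranking and every sample record are assumptions constructed for this example; the other field names and values are the ones documented in this chapter.

```python
import re
from collections import defaultdict

# Attack message IDs listed in this chapter: (log subtype, protocol family).
ATTACK_MESSAGES = {
    16384: ("signature", "UDP/TCP"), 16385: ("signature", "ICMP"),
    16386: ("signature", "others"), 18432: ("anomaly", "UDP/TCP"),
    18433: ("anomaly", "ICMP"), 18434: ("anomaly", "others"),
}
# Values the reference lists for severity and status. Ranking the
# severities in this order is an assumption of this example.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
STATUSES = {"detected", "dropped", "reset"}

# ASSUMPTION: one record per line, space-separated key=value pairs, values
# with spaces wrapped in double quotes; msg_id is a hypothetical key name.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Return {field: value}, removing the quotes around quoted values."""
    rec = {}
    for key, val in PAIR.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def problems(rec):
    """List the ways a record departs from the documented field values."""
    out = []
    mid = rec.get("msg_id", "")
    if not mid.isdigit() or int(mid) not in ATTACK_MESSAGES:
        out.append("msg_id is not an Attack message ID")
    if rec.get("severity") not in SEVERITY_RANK:
        out.append("unknown severity")
    if rec.get("status") not in STATUSES:
        out.append("unknown status")
    if not rec.get("src") or not rec.get("attack_id"):
        out.append("src or attack_id missing")
    return out


def triage(lines, min_severity="high"):
    """Group valid records by (src, attack_id). Return (findings, rejected):
    findings are groups with an event at or above min_severity whose status
    is 'detected' (logged, neither dropped nor reset), largest count first."""
    groups = defaultdict(lambda: {"total": 0, "statuses": set(), "kinds": set(),
                                  "alert": False, "incidents": set()})
    rejected = []
    for line in lines:
        rec = parse_line(line)
        why = problems(rec)
        if why:
            rejected.append((line, why))
            continue
        g = groups[(rec["src"], rec["attack_id"])]
        # count = detections within a short period; absent or invalid -> 1
        cnt = rec.get("count", "1")
        g["total"] += int(cnt) if cnt.isdigit() else 1
        g["statuses"].add(rec["status"])
        g["kinds"].add(ATTACK_MESSAGES[int(rec["msg_id"])][0])
        if (rec["status"] == "detected" and
                SEVERITY_RANK[rec["severity"]] >= SEVERITY_RANK[min_severity]):
            g["alert"] = True
        # incident_serialno cross-references the IPS packet logs
        if rec.get("incident_serialno", "N/A") != "N/A":
            g["incidents"].add(rec["incident_serialno"])
    findings = [dict(src=k[0], attack_id=k[1], **v)
                for k, v in groups.items() if v["alert"]]
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings, rejected


# Constructed sample records (documentation address ranges, made-up IDs).
SAMPLE = [
    'msg_id=16384 severity=critical src=198.51.100.7 status=detected count=1 '
    'attack_id=10001 incident_serialno=5551 msg="signature matched"',
    'msg_id=16384 severity=critical src=198.51.100.7 status=dropped count=1 '
    'attack_id=10001 incident_serialno=5552 msg="signature matched"',
    'msg_id=18432 severity=high src=198.51.100.9 status=dropped count=250 '
    'attack_id=20002 msg="anomaly threshold exceeded"',
    'msg_id=18433 severity=medium src=198.51.100.7 status=detected count=5 '
    'attack_id=30003 incident_serialno=N/A msg="icmp anomaly"',
    'msg_id=16385 severity=high src=198.51.100.12 status=detected count=40 '
    'attack_id=10004 incident_serialno=5560 msg="icmp signature matched"',
    'msg_id=16386 severity=high src=198.51.100.20 status=blocked count=1 '
    'attack_id=10005 msg="status value not listed for Attack messages"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE)[0]:
        print(f["src"], f["attack_id"], f["total"], sorted(f["incidents"]))
```

The values collected under incidents are the incident_serialno entries to look up in the IPS packet logs for each flagged group.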


Email filter
Email filter log messages record email protocols SMTP, POP3 and IMAP. In FortiOS 4.0 MR3 and higher, email filtering log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

20480 20481 20482 20483 20484 20491 20485 20486 20487 20488 20489 20490 20492 20493 20494 20495

20496 20497 20498 20499 20500 20501 20503 20504 20505


20480
Message ID: 20480
Log Subtype: SMTP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An SMTP warning.

Fields (field: description):
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.


status: The type of action the FortiGate unit took, for example, blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20481
Message ID: 20481
Log Subtype: SMTP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An SMTP warning.

Fields (field: description):
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.

506

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

Email filter

status

The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted detected blocked

from to tracker

The senders email address. The recipients email address. The identification information that is associated wiith the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays. The banned word that was detected. The log message information. This is usually a sentence and explains the activity and/or action taken.

banword msg


20482

Message ID: 20482
Log Subtype: POP3
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A POP3 warning.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20483

Message ID: 20483
Log Subtype: POP3
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A POP3 notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
banword: The banned word that was detected.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20484

Message ID: 20484
Log Subtype: IMAP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IMAP notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20491

Message ID: 20491
Log Subtype: IMAP
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An IMAP banned word notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
banword: The banned word that was detected.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20485

Message ID: 20485
Log Subtype: Carrier Endpoint Filter
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An endpoint filter warning.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20486

Message ID: 20486
Log Subtype: Carrier Endpoint Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An endpoint filter notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20487

Message ID: 20487
Log Subtype: Carrier Endpoint Filter
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM7 warning.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20488

Message ID: 20488
Log Subtype: Carrier Endpoint Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM7 notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20489

Message ID: 20489
Log Subtype: Carrier Endpoint Filter
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 warning.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20490

Message ID: 20490
Log Subtype: Carrier Endpoint Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 notice.

Fields (Field: Description)

policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is unique only within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence that explains the activity and/or action taken.


20492
Message ID: 20492
Log Subtype: Mass-MMS
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 flood detection warning.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20493
Message ID: 20493
Log Subtype: Mass-MMS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 flood detection notice.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20494
Message ID: 20494
Log Subtype: Mass-MMS
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM4 flood detection warning.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20495
Message ID: 20495
Log Subtype: Mass-MMS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM4 flood detection notice.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20496
Message ID: 20496
Log Subtype: Mass-MMS
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 duplicate detection warning.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20497
Message ID: 20497
Log Subtype: Mass-MMS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM1 duplicate detection notice.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
dir: This field contains either tx or rx.
agent: This is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20498
Message ID: 20498
Log Subtype: Mass-MMS
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An MM4 duplicate detection warning.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20499
Message ID: 20499
Log Subtype: Mass-MMS
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An MM4 duplicate detection notice.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.


20500
Message ID: 20500
Log Subtype: msn-hotmail
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An MSN Hotmail email message.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
subject: The subject line of the email message.
size: The email message's size.
attachment: Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.


20501
Message ID: 20501
Log Subtype: yahoo-hotmail
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A Yahoo! email message.

Fields

Field: Description
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
subject: The subject line of the email message.
size: The email message's size.
attachment: Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.


20503
Message ID: 20503
Log Subtype: smtp
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An SMTP warning.

Fields:
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
subject: The subject line of the email message.
size: The email message's size.
attachment: Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.


20504
Message ID: 20504
Log Subtype: POP3
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A POP3 warning.

Fields:
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
subject: The subject line of the email message.
size: The email message's size.
attachment: Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.


20505
Message ID: 20505
Log Subtype: IMAP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IMAP notice.

Fields:
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The serial number of the firewall session on which the event happened.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, pop3, ftp, mm3, mm7, nntp, smtps, pop3s, smtp, imap, mm1, mm4, im, https, imaps.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
status: The type of action the FortiGate unit took, for example blocking the email message from getting through. This field contains any one of the following: exempted, detected, blocked.
from: The sender's email address.
to: The recipient's email address.
tracker: The identification information that is associated with the rule or rules that were used to identify the email message as spam. This field appears only when the email message was blocked by the email filter rules, and not by other filter methods. For example, if an email message was blocked by URL filter, IP address filter and E-mail checksum filter (these filters are checked off in the FortiGuard Email Filter section of the Profile page for email filtering) this field displays.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.
subject: The subject line of the email message.
size: The email message's size.
attachment: Indicates whether the email message includes an attachment or not. This log field contains either yes, that an attachment is included, or no, that an attachment is not included.


Webfilter
Web filter log messages record URL activity as well as filter actions, such as a URL that was blocked because it was found in the URL black list. In FortiOS 4.0 MR3 and higher, web filtering log messages are located in the UTM log file. These log messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.

12288 12289 12290 12291 12544 12545 12546 12547 12548 12549 12550 12551 12552 12553 12554 12555 12556 12557 12558 13056 13056 13312 13313 13314 12800 12801 13568 13601 13602 13573 13584 13315 13316 12802


12288
Message ID: 12288
Log Subtype: Content
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: A web content banned word was found.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's information.
to: The recipient's information.
banword: The banned word that was detected.
msg: URL was blocked because it contained banned word(s).


12289
Message ID: 12289
Log Subtype: Content
Severity: Warning
Firmware version: FortiOS Carrier 4.0 MR2
Meaning: A web content MMS banned word was found.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
dir: This field contains any one of the following: n/a, RX, TX.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's information.
to: The recipient's information.
banword: The banned word that was detected.
msg: Message was blocked because it contained a banned word.


12290
Message ID: 12290
Log Subtype: Content
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A web content exempt word was found.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's information.
to: The recipient's information.
banword: The banned word that was detected.
msg: URL was exempted because it contained exempt word(s).


12291
Message ID: 12291
Log Subtype: Content
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A web content MMS exempt word was found.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
dir: This field contains any one of the following: n/a, RX, TX.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's information.
to: The recipient's information.
banword: The banned word that was detected.
msg: Message was exempted because it contained an exempt word.


12305
Message ID: 12305
Log Subtype: Content
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A web content MMS banned word.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
dir: This field contains any one of the following: n/a, RX, TX.
agent: This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier, this field always contains N/A.
from: The sender's information.
to: The recipient's information.
banword: The banned word that was detected.
msg: Message was logged because it contained a banned word.


12544
Message ID: 12544
Log Subtype: URL Filter
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: The URL address was blocked because it was found in the URL filter list.

Fields:
urlfilter_idx: The index number that identifies the URL filter in the URL filter list.
urlfilter_list: The name of the URL filter list.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
msg: URL was blocked because it is in the URL filter list.


12545
Message ID: 12545
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The URL address was exempted because it was found in the URL filter list.

Fields:
urlfilter_idx: The index number that identifies the URL filter in the URL filter list.
urlfilter_list: The name of the URL filter list.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url: The URL address.
msg: URL was exempted because it is in the URL filter list.


12546
Message ID: 12546
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The URL address was allowed because it was found in the URL filter list.

Fields:
urlfilter_idx: The index number that identifies the URL filter in the URL filter list.
urlfilter_list: The name of the URL filter list.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
url: The URL address.
msg: URL was allowed because it is in the URL filter list.


12547
Message ID: 12547
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The request contained an invalid domain name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
msg: The HTTP request contained an invalid domain name.


12548
Message ID: 12548
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: An HTTP certificate request contained an invalid domain name.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
msg: The certificate for the HTTPS session contained an invalid domain name.


12549
Message ID: 12549
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An HTTP request contained an invalid name so the session has been filtered by IP only.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
msg: The HTTP request contained an invalid domain name. The session has been filtered by IP only.


12550
Message ID: 12550
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An HTTPS request contained an invalid name so the session has been filtered by IP only.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
msg: The certificate for the HTTPS session contained an invalid domain name. The session has been filtered by IP only.


12551
Message ID: 12551
Log Subtype: URL Filter
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: There are insufficient resources.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
error: The webfilter error information.
msg: Insufficient resources.

12552
Message ID: 12552
Log Subtype: URL Filter
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: Getting the host name failed.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
hostname: The name of the website that was accessed.
error: The webfilter error information.
msg: gethostbyname() failed.


12553
Message ID: 12553
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A server certificate validation failed.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
msg: The server certificate validation failed.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.


12554
Message ID: 12554
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL session was blocked because its identification number was not known.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
msg: The SSL session was blocked because the session ID was unknown.


12555
Message ID: 12555
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL session was blocked, either because the server certificate was missing or because the server certificate was invalid.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
msg: The SSL session was blocked because the server certificate was missing or invalid.


12556
Message ID: 12556
Log Subtype: URL Filter
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The SSL session was ignored, either because the server certificate was missing, or the server certificate was invalid.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
msg: The SSL session was blocked because the server certificate was missing or invalid.


12557
Message ID: 12557
Log Subtype: URL Filter
Severity: Critical
Firmware version: FortiOS 4.0 MR3
Meaning: The FortiGuard Analysis and Management Service is not active. You must enable this service, after subscribing to the service, in System > Maintenance > FortiGuard.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
msg: FortiGate is enabled in the protection profile but the FortiGuard service is not enabled.

12558
Message ID: 12558
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A rating error occurred.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
user: The name of the user creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
url_type: This field contains any one of the following: http, ftp, mail, https, telnet.
hostname: The name of the website that was accessed.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
error: The webfilter error information.
url: The URL address.
msg: Policy allows URLs when a rating error occurs.


12559
Message ID: 12559
Log Subtype: URL Filter
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A URL was passed because it was in the URL filter list.

Fields:
urlfilter_idx: The index number that identifies the URL filter in the URL filter list.
urlfilter_list: The name of the URL filter list.
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
url: The URL address.
msg: URL was passed because it is in the URL filter list.


13056
Message ID: 13056
Log Subtype: ftgd_blk
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The URL belongs to a blocked category within the firewall policy.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
url: The URL address.
msg: URL belongs to a denied category in policy.
method: This field contains either ip or domain.
class: The class the URL belongs to.
class_desc: The class description that the URL belongs to.
cat: The category that the URL belongs to.
cat_desc: The category description that the URL belongs to.


13312
Message ID: 13312
Log Subtype: ftgd_allow
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The URL belongs to an allowed category within the firewall policy.

Fields:
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial: The session number identification.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
src: The source IP address.
sport: The source port number.
src_port: The source port number.
src_int: The source interface. For example, internal.
dst: The destination IP address.
dport: The destination port number.
dst_port: The destination port number.
dst_int: The destination interface. For example, wan1.
service: This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname: The name of the website that was accessed.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
status: This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type: The type of request, which can be one of the following: referral (if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page) or direct (a direct connection to a web page, such as typing in the URL address manually).
url: The URL address.
msg: URL belongs to an allowed category in policy.
method: This field contains either ip or domain.
class: The class the URL belongs to.
class_desc: The class description that the URL belongs to.
cat: The category that the URL belongs to.
cat_desc: The category description that the URL belongs to.


13313
Message ID        13313
Log Subtype       ftgd_allow
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           The URL belongs to an override rule.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           URL belongs to an override rule.
method        This field contains either ip or domain.
class         The class the URL belongs to.
class_desc    The class description that the URL belongs to.
cat           The category that the URL belongs to.
cat_desc      The category description that the URL belongs to.
mode          This field contains rule.
rule_type     This field contains any one of the following: directory, rating, domain.
rule_data     The rule data information.
ovrd_tbl      The override table information.
ovrd_id       The override identification number.


13314
Message ID        13314
Log Subtype       ftgd_allow
Severity          Information
Firmware version  FortiOS 4.0 MR3
Meaning           The URL belongs to an override rule.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s.
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           URL belongs to an override rule.
method        This field contains either ip or domain.
class         The class the URL belongs to.
class_desc    The class description that the URL belongs to.
cat           The category that the URL belongs to.
cat_desc      The category description that the URL belongs to.
mode          This field contains offsite.
rule_type     This field contains any one of the following: directory, rating, domain.
rule_data     The rule data information.
ovrd_tbl      The override table information.
ovrd_id       The override identification number.


12800
Message ID        12800
Log Subtype       ftgd_err
Severity          Error
Firmware version  FortiOS 4.0 MR3
Meaning           A FortiGuard Web Filter error.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
sent          The total number of bytes sent.
rcvd          The total number of bytes received.
msg           A rating error occurs.
error         The web filter error information.


12801
Message ID        12801
Log Subtype       ftgd_err
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           A FortiGuard Web Filter error.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
sent          The total number of bytes sent.
rcvd          The total number of bytes received.
msg           A rating error occurs.
error         The web filter error information.


13601
Message ID        13601
Log Subtype       cookiefilter
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           A FortiGuard web filter cookie log message.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
sent          The total number of bytes sent.
rcvd          The total number of bytes received.
msg           The cookie was removed entirely.
count         The number of times the same event was detected within a short period of time.
filter_type   The script filter type. This field contains any one of the following: n/a, javascript, unknown, jscript, vbscript.


13602
Message ID        13602
Log Subtype       cookiefilter
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           A web reference filter log message.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
sent          The total number of bytes sent.
rcvd          The total number of bytes received.
msg           Reference was removed from request.
count         The number of times the same event was detected within a short period of time.
filter_type   The script filter type. This field contains any one of the following: n/a, javascript, unknown, jscript, vbscript.


13568
Message ID        13568
Log Subtype       activexfilter
Severity          Information
Firmware version  FortiOS 4.0 MR3
Meaning           An ActiveX script was removed.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           activex script was removed
count         The number of times the same event was detected within a short period of time.


13573
Message ID        13573
Log Subtype       cookiefilter
Severity          Information
Firmware version  FortiOS 4.0 MR3
Meaning           A cookie was removed.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           cookie was removed


13584
Message ID        13584
Log Subtype       appletfilter
Severity          Information
Firmware version  FortiOS 4.0 MR3
Meaning           A Java applet was removed.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           java applet was removed
count         The number of times the same event was detected within a short period of time.


13315
Message ID        13315
Log Subtype       ftgd_quota_counting
Severity          Notification
Firmware version  FortiOS 4.0 MR3
Meaning           A FortiGuard web filter category quota counting log message.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, fp (ftp-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           Webfilter wuota has begun counting
method        This field contains either ip or domain.
class         The class the URL belongs to.
class_desc    The class description that the URL belongs to.
cat           The category that the URL belongs to.
cat_desc      The category description that the URL belongs to.
quota_used    The number of times the quota was used by the user, in seconds.
qutoa_max     The maximum number of times quota time was allowed, in seconds.


13316
Message ID        13316
Log Subtype       ftgd_quota_expired
Severity          Warning
Firmware version  FortiOS 4.0 MR3
Meaning           A FortiGuard web filter category quota expired log message.

Fields

Field         Description
vd            The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
policyid      The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom        The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx      The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
serial        The session number identification.
user          The name of the user creating the traffic.
group         The name of the group creating the traffic.
src           The source IP address.
sport         The source port number.
src_port      The source port number.
src_int       The source interface. For example, internal.
dst           The destination IP address.
dport         The destination port number.
dst_port      The destination port number.
dst_int       The destination interface. For example, wan1.
service       This field contains any one of the following: http, smtp, imap, mm1, mm4, nntp, smtps, imaps, https, pop3, ftp, mm3, mm7, im, pop3s, ftp (ftps-over-http).
hostname      The name of the website that was accessed.
carrier_ep    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype   The type of profile that was used, for example Antivirus_Profile.
profilegroup  The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile       The name of the profile that was used to detect and take action.
status        This field contains any one of the following: blocked, allowed, filtered, exempted, passthrough, DLP.
req_type      The type of request, which can be one of the following: referral, if the HTTP transaction is requested from a parent web site, such as selecting a link on a web page; direct, a direct connection to a web page, such as typing in the URL address manually.
url           The URL address.
msg           Webfilter quota for category has expired
method        This field contains either ip or domain.
class         The class the URL belongs to.
class_desc    The class description that the URL belongs to.
cat           The category that the URL belongs to.
cat_desc      The category description that the URL belongs to.
quota_used    The number of times the quota was used by the user, in seconds.
qutoa_max     The maximum number of times quota time was allowed, in seconds.

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

613

Webfilter

12802
Message ID: 12802
Log Subtype: ftgd_quota
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The daily FortiGuard quota status.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
quota: Indicates whether the quota was exceeded or not. This field contains either no or yes.
quota_used: The quota time used, in seconds.
quota_max: The maximum quota time that is allowed, in seconds.
cat_desc: The category description.
user: The name of the user.
profile: The name of the profile that was used to detect and take action.

Netscan logs
Netscan logs record network scanning activities that were performed by the FortiGate unit.

4096 4097 4098 4099 4100 4101 4102 4103 4104 4105

4096
Message ID: 4096
Log Subtype: Vulnerability
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan was performed.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
start: The GMT start time, indicating when the scan began.
end: The GMT end time, indicating when the scan stopped.
status: The status of the scan. This field contains any one of the following: start, pause, complete, stop, resume.
engine: The version number of the netscan engine.
plugin: The version number of the netscan plugin.

4097
Message ID: 4097
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan was performed.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
start: The GMT start time, indicating when the scan began.
end: The GMT end time, indicating when the scan stopped.
engine: The version number of the netscan engine.
plugin: The version number of the netscan plugin.

4098
Message ID: 4098
Log Subtype: Vulnerability
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan vulnerability was detected.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host IP address.
vuln: The name of the detected vulnerability.
vuln_cat: The category of the detected vulnerability.
vuln_id: The identification number of the detected vulnerability.
vuln_ref: The link that redirects you to the vulnerability listed in FortiGuard.
severity: The severity level of the detected vulnerability. This field contains any one of the following: cirticial, medium, info, high, low.
proto: The protocol that was used, which is either TCP or UDP.
port: The port number.

4099
Message ID: 4099
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan was performed.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host's IP address.
os: The name of the operating system.
os_family: The name of the operating system's family.
os_gen: The operating system's generation.
os_vender: The name of the vendor for that operating system. For example, Microsoft.

4100
Message ID: 4100
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan was performed.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host's IP address.
service: The name of the detected service.
proto: This field can be either tcp or udp, depending on the protocol that was used.
port: The port number.

4101
Message ID: 4101
Log Subtype: Vulnerability
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan notification.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
msg: The log message information. This is usually a sentence and explains the activity and/or action taken.

4102
Message ID: 4102
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A network scan was performed.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
message: The log message information. This is usually a sentence and explains the activity and/or action taken.

4103
Message ID: 4103
Log Subtype: Vulnerability
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: The number of vulnerabilities that netscan detected.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host's IP address.
vuln_count: The total number of vulnerabilities.

4104
Message ID: 4104
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A netscan host was detected.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host's IP address.
method: The discovery method that was used. This field contains any one of the following: ARP, TCP, ICMP, UDP.
asset_id: The asset definition for this host.
asset_name: The asset definition name for this host.
vuln_count: The total number of vulnerabilities.

4105
Message ID: 4105
Log Subtype: Discovery
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: A netscan port was detected.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field contains root.
action: This field contains any one of the following: scan, vuln-detection, os-scan, vuln-count, host-detection, service-detection, port-detection.
ip: The host's IP address.
proto: This field can be either tcp or udp, depending on the protocol that was used.
port: The port number.
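An added example, not part of the Fortinet reference: it reconciles the per-finding records (message 4098) with the per-host total (message 4103) so that lost or dropped netscan log lines show up as a mismatch. It assumes records arrive as space-separated key=value pairs with optional double quotes, and that the collector exposes the message ID under a key named msg_id (a hypothetical name); the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed wire format (not shown in this reference): space-separated key=value
# pairs, with double quotes around values that contain spaces.
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

# Severity values as printed in the 4098 field list. The reference spells the
# top level "cirticial"; both spellings map to one bucket so neither is lost.
SEVERITY = {"cirticial": "critical", "critical": "critical", "high": "high",
            "medium": "medium", "low": "low", "info": "info"}


def parse_record(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def reconcile(lines, id_key="msg_id"):
    """Compare 4098 findings per host with the vuln_count reported in 4103.

    id_key is the (assumed) key that carries the message ID.
    """
    findings = defaultdict(Counter)   # ip -> Counter of normalised severities
    reported = {}                     # ip -> vuln_count from message 4103
    for line in lines:
        rec = parse_record(line)
        ip = rec.get("ip")
        if not ip:
            continue                  # not a per-host netscan record
        if rec.get(id_key) == "4098":
            sev = SEVERITY.get(rec.get("severity", "").lower(), "unknown")
            findings[ip][sev] += 1
        elif rec.get(id_key) == "4103":
            try:
                reported[ip] = int(rec["vuln_count"])
            except (KeyError, ValueError):
                pass                  # malformed count: leave host unreported
    report = {}
    for ip in sorted(set(findings) | set(reported)):
        seen = sum(findings[ip].values())
        report[ip] = {
            "by_severity": dict(findings[ip]),
            "seen": seen,
            "reported": reported.get(ip),
            # True only when a total was logged and it disagrees with the
            # number of individual findings that reached the collector.
            "mismatch": ip in reported and reported[ip] != seen,
        }
    return report


# Constructed sample lines. Field names come from the 4098 and 4103 tables;
# the action value chosen for each message ID is an assumption.
SAMPLE = [
    'msg_id=4098 vd=root action=vuln-detection ip=192.0.2.10 '
    'vuln="Constructed Finding A" vuln_cat="Constructed Category" vuln_id=1001 '
    'vuln_ref="http://example.invalid/ref?id=1001" severity=cirticial '
    'proto=tcp port=445',
    'msg_id=4098 vd=root action=vuln-detection ip=192.0.2.10 '
    'vuln="Constructed Finding B" vuln_id=1002 severity=medium proto=tcp port=80',
    'msg_id=4103 vd=root action=vuln-count ip=192.0.2.10 vuln_count=3',
    'msg_id=4098 vd=root action=vuln-detection ip=192.0.2.20 '
    'vuln="Constructed Finding C" vuln_id=1003 severity=low proto=udp port=161',
    'msg_id=4103 vd=root action=vuln-count ip=192.0.2.20 vuln_count=1',
]

if __name__ == "__main__":
    for host, row in reconcile(SAMPLE).items():
        print(host, row)
```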


DLP archives
DLP archive log messages are log messages that are sent to the FortiAnalyzer unit, FortiGate hard disk, or FortiGuard Analysis server. These log messages include email, FTP activities, IM events, VoIP events, and web filter events. You can configure your FortiGate unit to send archives to a FortiGuard Analysis server if you have subscribed to the FortiGuard Analysis and Management Service.

32768 32776 32770 32772 32774 32769 32782 32783 32784 32785 32786 32787 32788 32789 32790 32791 32792 32793 32777 32794 32795 32796 32797 32798 32800 32778 32779 32780 32781 32771 32773 32775

32768
Message ID: 32768
Log Subtype: HTTP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The HTTP log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
method: The HTTP/HTTPS command.
hostname: The HTTP/HTTPS host name.
url: The HTTP/HTTPS URL address.
cat: The HTTP/HTTPS category.
cat_desc: The HTTP/HTTPS description of the category.

32776
Message ID: 32776
Log Subtype: FTP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The FTP log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader FortiGuard - AntiSpam ase block infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns banned word im_photo_share_request im_voice

This field contains any one of the following: ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
ftpcmd: This field contains any one of the following: NONE, PASS, STOR, QUIT, USER, ACCT, RETR.
file: The name of the file that was uploaded to the server.

32770
Message ID: 32770
Log Subtype: SMTP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The SMTP log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address.
from: The sender's email address.
subject: The subject line of the email message.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

32772
Message ID: 32772
Log Subtype: POP3
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The POP3 log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address.
from: The sender's email address.
subject: The subject line of the email message.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

32774
Message ID: 32774
Log Subtype: IMAP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The IMAP content archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address.
from: The sender's email address.
subject: The subject line of the email.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

32769
Message ID: 32769
Log Subtype: HTTPS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The HTTPS log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
method: The HTTP/HTTPS command.
hostname: The HTTP/HTTPS host name.
url: The HTTP/HTTPS URL address.
cat: The HTTP/HTTPS category.
cat_desc: The HTTP/HTTPS description of the category.

32782
Message ID: 32782
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The IM chat summary log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

SN: The session number of the log message.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, chat, photo, audio, fileblock, virus, call-block, call, unregister.
laddr: The local IP address.
raddr: The remote IP address.
local: The local user.
remote: The remote user.
messages: The number of chat messages.
start-date: The local start date.
end-date: The local end date.

32783
Message ID: 32783
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: The IM chat message log archive.

Fields:
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infection block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns

This field contains any one of the following: FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum

SN: The session number of the log message.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are available only in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA). This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister

proto

kind

laddr raddr local remote

The local IP address. The remote IP address. The local user. The remote user.

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

639

DLP archives

action

This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only

dir messages content

The direction of the traffic. This field contains either outbound or inbound. The number of chat messages. The content of the IM chat message.


32784

Message ID: 32784
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM file transfer log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| status | The IM status. |
| filename | The name of the file that was transferred. |
| filesize | The size of the file that was transferred. |
| message | The number of chat messages. |


32785

Message ID: 32785
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM photo sharing log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| status | The IM status. |


32786

Message ID: 32786
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM photo transfer log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| conn-mode | The mode information. |


32787

Message ID: 32787
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM voice chat log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| status | The IM status. |


32788

Message ID: 32788
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM virus log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| filename | The name of the file that was transferred. |
| virus | The name of the virus detected. |
| heuristic | The information regarding heuristics. |


32789

Message ID: 32789
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM file oversize log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| filename | The name of the file that was transferred. |


32790

Message ID: 32790
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM file block log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| infection | This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| filename | The name of the file that was transferred. |


32791

Message ID: 32791
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM file exempt log archive.

Fields:

| Field | Description |
| --- | --- |
| vd | The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root. |
| clogver | The content log version number. |
| epoch | The time period in seconds. |
| eventid | The event identification number or serial number. |
| cstatus | The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip |
| SN | The session number of the log message. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier. |
| profile | The name of the profile that was used to detect and take action. |
| user | The name of the user creating the traffic. |
| group | The name of the group creating the traffic. |
| carrier_ep | The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. |
| profile | The name of the profile that was used to detect and take action. |
| profilegroup | The group that the profile is part of. This field contains N/A if there is no profile group configured. |
| profiletype | The type of profile that was used, for example, Antivirus_Profile. |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. |
| identidx | The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy. |
| proto | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| kind | This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister |
| laddr | The local IP address. |
| raddr | The remote IP address. |
| local | The local user. |
| remote | The remote user. |
| action | This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only |
| dir | The direction of the traffic. This field contains either outbound or inbound. |
| filename | The name of the file that was transferred. |


32792
Message ID: 32792
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM DLP information log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
laddr: The local IP address.
raddr: The remote IP address.
local: The local user.
remote: The remote user.
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
dir: The direction of the traffic. This field contains either outbound or inbound.
filename: The name of the file that was transferred.
filesize: The size of the file that was transferred.


32793
Message ID: 32793
Log Subtype: im-all
Severity: Warning
Firmware version: FortiOS 4.0 MR3
Meaning: An IM DLP warning log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profile: The name of the profile that was used to detect and take action.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype: The type of profile that was used, for example Antivirus_Profile.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
laddr: The local IP address.
raddr: The remote IP address.
local: The local user.
remote: The remote user.
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
dir: The direction of the traffic. This field contains either outbound or inbound.
filename: The name of the file that was transferred.
filesize: The size of the file that was transferred.


32777
Message ID: 32777
Log Subtype: NNTP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An NNTP log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
infection: The type of infection. This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on the server side.
sent: The total number of bytes transferred on the client side.


32794
Message ID: 32794
Log Subtype: VOIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A VoIP SIP log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profile: The name of the profile applied to the firewall policy and used during the detection process.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The carrier endpoint identification number. This field contains N/A unless FortiOS Carrier is running on the unit.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
status: The IM status.
src: The source IP address.
dst: The destination IP address.
src_port: The source port number.
dst_port: The destination port number.
dir: The direction of the traffic. This field contains either outbound or inbound.
duration: This represents the value in seconds.
from: The sender's email address.
to: The recipient's email address.


32795
Message ID: 32795
Log Subtype: VOIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A VOIP SCCP register log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profile: The name of the profile applied to the firewall policy and used during the detection process.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
status: The IM status.
phone: The phone number.
src: The source IP address.
from: The sender's information.
to: The receiver's information.


32796
Message ID: 32796
Log Subtype: VOIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A VOIP SCCP unregister log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profile: The name of the profile applied to the firewall policy and used during the detection process.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example, Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
status: The IM status.
phone: The phone information.
src: The source IP address.
reason: The information about why the trigger occurred.


32797
Message ID: 32797
Log Subtype: VOIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A VOIP SCCP call block log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
status: The IM status.
phone: The phone information.
src: The source IP address.
reason: The reason why the trigger occurred.
from: The sender's information.
to: The receiver's information.


32798
Message ID: 32798
Log Subtype: VOIP
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A VOIP SCCP call information log archive.

Fields

Field: Description
vd: The name of the virtual domain where the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean, heuristic, blocked, oversize, mass_mms, fragmented, im_summary, im_file_request, im_file_cancel, im_photo_share_request, im_photo_share_cancel, im_photo_xref, error, infected, banned_word, exempt, carrier_endpoint_filter, dlp, spam, im_message, im_file_accept, im_video, im_voice, im_photo_share_accept, im_photo_share_stop, voip
SN: The session number of the log message.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary, file, photo-xref, oversize, fileexempt, dlp, call-info, register, video, chat, photo, audio, fileblock, virus, call-block, call, unregister
action: This field contains any one of the following: permit, monitor, encrypt-kickout, exempt, ban-im-user, block, kickout, cm-reject, ban, log-only
status: The IM status.
phone: The phone information.
src: The source IP address.
dst: The destination IP address.
src_port: The source port number.
dst_port: The destination port number.
duration: This represents the value in seconds.
from: The sender's information.
to: The recipient's information.


32800
Message ID Log Subtype Severity Firmware version Meaning Fields vd clogver epoch eventid cstatus 32800 VOIP Information FortiOS 4.0 MR3 A VOIP SIP fuzzing log archive. Field Description The name of the virtual domain where the action occurred in. If no virtual domains exist, this field always contains root. The content log version number. The time period in seconds. The event identification number or serial number. The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error SN profile profiletype profilegroup user group carrier_ep profile profiletype profilegroup policyid identidx infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip

The session number of the log message. The name of the profile that was used to detect and take action. The type of profile that was used, for example Antivirus_Profile. The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrer. The name of the user creating the traffic. The name of the group creating the traffic. The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS. The name of the profile that was used to detect and take action. The type of profile that was used, for example Antivirus_Profile. The grou pthat the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrer. The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. The identity-based policy identification number. This field displays zero is the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

679

DLP archives

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA). This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister

kind

action

This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only

status src dst src_port dst_port dir duration message_type request_name malform_desc

The IM status. The source IP address. The destination IP address. The source port number. The destination port number. The direction of the traffic. This field contains either outbound or inbound. This represents the value in seconds. This field contains either request or response. The request name. The description of the malformed header. This field contains any one of the following; unexpected-character trailing-bytes msg-body-oversize domain-label-oversize duplicated-sip-header invalid-ipv4-address invalid-port no-matching-double-quote invalid-<user_info> invalid-escape-encoding-in-uriparameter invalid-escape-encoding-in<reason-phrase> port-not-allowed <gen-value>-expected invalid-quoting-character header-line-oversize domain-name-oversize syntax-malformed space-violation invalid-ipv6-address invalid-fqdn empty-quoted-string invalid-escape-encoding-in-<userinfo> invalid-escape-encoding-in-uri-header port-expected domain-name-invalid invalid-<gen-value>

680

FortiGate Log Message Reference 01-430-112804-20111121 http://docs.fortinet.com/ Feedback

DLP archives

invalid-<quoted-string>-in-<genvalue> ipv6-address-expected invalid-transport-uri-parameter invalid-method-uri-parameter invalid-uri-parameter-pname uri-parameter-repeat invalid-uri-header-value invalid-quoted-string-in-displayname right-angle-bracket-not-found no-METHOD-on-request-time unknown-scheme LWS-expected invalid-<protocol-name> invalid-<transport> invalid-ttl-parameter invalid-received-parameter invalid-rport-parameter <seq>-number-expected <method>-does-not-match-therequest-line <CSeq-num>-expected expires-header-repeated invalid-max-forwards invalid-expires-parameter

ip4-address-expected uri-expected invalid-user-uri-parameter invalid-ttl-uri-parameter invalid-uri-parameter-value invalid-uri-header-name invalid-uri-header-name-value-pair left-angle-braket-is-mandatory invalid-status-code uri-parameters-not-allowed-by-RFC whitespace-expected invalid-<SIP-Version>-on-request-line invalid-<protocol-version> no-SLASH-after-<protocol_name> invalid-maddr-parameter invalid-branch-parameter via-parameter-repeat <method>-expected <response-num>-expected <Method>-expected-after-<CSeq-num> <delta-seconds>-expected token-expected invalid-q-parameter

no-SLASH-after-<protocol-version> header-parameter-expected

<generic-param>-with-invalid-<gen- <m-type>-expected value> SLASH-expected-after-<m-type> <m-attribute>-expected-after-SEMI EQUAL-expected-after-<mattribute> invalid-<m-value> digits-expected IP-expected IPv4-or-IPv6-address-expected z-line-not-allowed-on-media-level <typed-time>-expected <repeat-interval>-expected colon-expected t-line-not-allowed-on-media-level invalid-<stop-time> <text>-expected <m-subtype>-expected boundary-parameter-appears-more-thanonce invalid-<quoted-string>-in-<m-value> multipart-Content-Type-has-no-boundary IN-expected IP4-or-IP6-expected line-order-error <time>-expected r-line-not-allowed-on-media-level <bwtype>-expected <bandwidth>-expected invalid-<start-time> too-many-i-lines too-many-c-lines


too-many-v-line too-many-o-lines <username>-expected <sess-version>-expected s-line-not-allowed-on-media-level <media>-expected <proto>-expected <fmt>-expected <att-value>-expected <encording-name>-expected-inrtpmap invalid-<clock-rate>-in-rtpmap invalid-candidate-line sip-Yahoo-candidate-invalidprotocol too-many-candidate-lines sdp-alt-line-before-m-line sdp-rtcp-line-before-m-line too-many-rtcp-lines <word>-expected no-tag-parameter unknown-header sip-udp-message-truncated

v-line-not-allowed-on-media-level o-line-not-allowed-on-media-level <sess-id>-expected too-many-s-lines too-many-m-lines <integer>-expected <token>-expected-in-<proto>-after-slash <att-field>-expected <payload-type>-expected-in-rtpmap slash-expected-after-<encoding-name>-inrtpmap invalid-<encoding--parameters>-in-rtpmap sdp-candidtae-line-before-m-line invalid-port-after-ip-address-in-candidateline sdp-invalid-alt-line invalid-port-after-ip-address-in-alt-line invalid-port-in-rtcp-line <callid>-expected invalid-tag-parameter sdp-v-o-s-t-lines-are-madatory end-of-line-error missing-mandatory-field

malform_data: The malformed data number.
line: The line information.
column: The column number.
from: The sender's information.
to: The recipient's information.

328001

Message ID: 328001
Log Subtype: im-all
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IM video chat log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
SN: The session number of the log message.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile: The name of the profile that was used to detect and take action.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profilegroup: The group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind: This field contains any one of the following: summary file photo-xref oversize fileexempt dlp call-info register video chat photo audio fileblock virus call-block call unregister
laddr: The local IP address.
raddr: The remote IP address.
local: The local user.
remote: The remote user.
action: This field contains any one of the following: permit monitor encrypt-kickout exempt ban-im-user block kickout cm-reject ban log-only
dir: The direction of the traffic. This field contains either outbound or inbound.
status: The IM status.

32778

Message ID: 32778
Log Subtype: MM1
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR2
Meaning: An MM1 log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: The type of infection. This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The group that the profile is part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
to: The recipient's email address or MSISDN.
from: The recipient's email address or MSISDN.
subject: The subject line of the email address.
direction: This field contains any one of the following: n/a RX TX

32779

Message ID: 32779
Log Subtype: MM3
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR2
Meaning: An MM3 log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address or MSISDN.
from: The recipient's email address or MSISDN.
subject: The subject line of the email address.

32780

Message ID: 32780
Log Subtype: MM4
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR2
Meaning: An MM4 log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address or MSISDN.
from: The recipient's email address or MSISDN.
subject: The subject line of the email message.

32781

Message ID: 32781
Log Subtype: MM7
Severity: Information
Firmware version: FortiOS Carrier 4.0 MR2
Meaning: An MM7 log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
to: The recipient's email address or MSISDN.
from: The recipient's email address or MSISDN.
subject: The subject line of the email address.

32771

Message ID: 32771
Log Subtype: SMTPS
Severity: Information
Firmware version: FortiOS 4.0 MR2
Meaning: An SMTPS log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address.
from: The recipient's email address.
subject: The subject line of the email message.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

32773

Message ID: 32773
Log Subtype: POP3S
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: A POP3S log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The recipient's email address.
from: The recipient's email address.
subject: The subject line of the email message.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

32775

Message ID: 32775
Log Subtype: IMAPS
Severity: Information
Firmware version: FortiOS 4.0 MR3
Meaning: An IMAPS log archive.

Fields:

vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
clogver: The content log version number.
epoch: The time period in seconds.
eventid: The event identification number or serial number.
cstatus: The status of the content log. This field contains any one of the following: clean heuristic blocked oversize mass_mms fragmented im_summary im_file_request im_file_cancel im_photo_share_request im_photo_share_cancel im_photo_xref error infected banned_word exempt carrier_endpoint_filter dlp spam im_message im_file_accept im_video im_voice im_photo_share_accept im_photo_share_stop voip
infection: This field contains any one of the following: block file intercept carrier end point filter mms duplicate virusrm html script banned word oversize heuristic mime block exempt dnsbl helo mimeheader fileexempt mms block mms flood virus heuristic script filter exempt word virus worm fragmented ip blacklist FortiGuard - Antispam ip blacklist emailblacklist dns FortiGuard - AntiSpam ase banned word block ipwhitelist fewhitelist dlp pass emailwhitelist headerwhitelist dlpban mms content checksum
virus: The name of the virus that was detected.
SN: The session number of the log message.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
profiletype: The type of profile that was used, for example Antivirus_Profile.
profile: The name of the profile that was used to detect and take action.
profilegroup: The name of the profile group that the profile is a part of. This field contains N/A if there is no profile group configured. Profile groups are only available in FortiOS Carrier.
client: The internal IP address of the FortiGate unit.
server: The IP address of the server.
rcvd: The total number of bytes transferred on server side.
sent: The total number of bytes transferred on client side.
dlp_sensor: The name of the DLP sensor that was used to detect and take action. For example, the default sensor Content_Archive.
to: The sender's email address.
from: The recipient's email address.
subject: The subject line of the email message.
attachment: The number of attachments that are present within the email. If there are no attachments, zero displays.

Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Most of the examples in this document use the following IP addressing:

IP addresses are made up of A.B.C.D

A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.

B - 168, or the branch / device / virtual device number.
    Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
    Device or virtual device - allows multiple FortiGate units in this address space (VDOMs). Devices can be from x01 to x99.

C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet
    001 - 099 - physical address ports, and non-virtual interfaces
    100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.

D - usage based addresses, this part is determined by what the device is doing
    The following gives 16 reserved, 140 users, and 100 servers in the subnet.
    001 - 009 - reserved for networking hardware, like routers, gateways, etc.
    010 - 099 - DHCP range - users
    100 - 109 - FortiGate devices - typically only use 100
    110 - 199 - servers in general (see later for details)
    200 - 249 - static range - users
    250 - 255 - reserved (255 is broadcast, 000 not used)

    The D segment servers can be further broken down into:
    110 - 119 - Email servers
    120 - 129 - Web servers
    130 - 139 - Syslog servers
    140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
    150 - 159 - VoIP / SIP servers / managers
    160 - 169 - FortiAnalyzers
    170 - 179 - FortiManagers
    180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
    190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)

    Fortinet products, non-FortiGate, are found from 160 - 189.

The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case that only one interface is being used.

Table 1: Examples of the IP numbering

Location and device | Internal | Dmz | External
Head Office, one FortiGate | 10.011.101.100 | 10.011.201.100 | 172.20.120.191
Head Office, second FortiGate | 10.012.101.100 | 10.012.201.100 | 172.20.120.192
Branch Office, one FortiGate | 10.021.101.100 | 10.021.201.100 | 172.20.120.193
Office 7, one FortiGate with 9 VDOMs | 10.079.101.100 | 10.079.101.100 | 172.20.120.194
Office 3, one FortiGate, web server | n/a | 10.031.201.110 | n/a
Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate | 10.0.11.101.200 | n/a | n/a
Router outside the FortiGate | n/a | n/a | 172.20.120.195


Example Network configuration


The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.
Figure 1: Example network configuration


Cautions, Notes and Tips


Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation

Convention: Example

Button, menu, text box, field, or check box label: From Minimum log level, select Notification.

CLI input:
    config system dns
    set primary <address_ipv4>
    end

CLI output:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

Emphasis: HTTP connections are not secure and can be intercepted by a third party.

File content:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>

Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.

Navigation: Go to VPN > IPSEC > Auto Key (IKE).

Publication: For details, see the FortiOS Handbook.

CLI command syntax conventions


This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI). Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.


Table 3: Command syntax notation

Convention: Description

Square brackets [ ]: A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying option, such as:
    verbose 3

Angle brackets < >: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:
    <retries_int>
indicates that you should enter a number of retries, such as 5. Data types include:
    <xxx_name>: A name referring to another part of the configuration, such as policy_A.
    <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
    <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
    <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
    <xxx_email>: An email address, such as admin@mail.example.com.
    <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
    <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
    <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
    <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
    <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
    <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
    <xxx_v6mask>: An IPv6 netmask, such as /96.
    <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
    <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
    <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |: Mutually exclusive options. For example:
    {enable | disable}
indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces: Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
    ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
    ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Entering FortiOS 4.0 MR3 configuration data


The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiOS 4.0 MR3 configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)


Text strings are used to name entities in the configuration. For example, the name of a firewall address, administrative user, and so on. You can enter any character in a FortiGate configuration text string, with one exception: to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters:

    " (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)

You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the web-based manager you are limited to entering 64 characters in the firewall address name field. From the CLI you can do the following to confirm that the firewall address name field allows 64 characters.

    config firewall address
    tree
    -- [address] --*name (64)
                 |- subnet
                 |- type
                 |- start-ip
                 |- end-ip
                 |- fqdn (256)
                 |- cache-ttl (0,86400)
                 |- wildcard
                 |- comment (64 xss)
                 |- associated-interface (16)
                 +- color (0,32)

Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters.
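
The following added example (not part of the Fortinet reference) parses the tree output shown above into per-field limits, then checks a proposed name against its length limit and the forbidden characters listed in this section. Treating a pair such as (0,86400) as a numeric range and ignoring the xss annotation are assumptions; parse_tree and check_text are hypothetical helper names.

```python
import re
# Characters this section says configuration names cannot contain.
FORBIDDEN = set('"&\'<>')
# Constructed sample: the tree output from this section, one node per line.
TREE_OUTPUT = """\
-- [address] --*name (64)
             |- subnet
             |- type
             |- start-ip
             |- end-ip
             |- fqdn (256)
             |- cache-ttl (0,86400)
             |- wildcard
             |- comment (64 xss)
             |- associated-interface (16)
             +- color (0,32)
"""

NODE = re.compile(r"(?:--\*?|\|-|\+-)\s*([a-z][a-z0-9-]*)(?:\s*\(([^)]*)\))?\s*$")

def parse_tree(text):
    """Hypothetical helper: map each field to its max_len or range, if shown."""
    limits = {}
    for line in text.splitlines():
        m = NODE.search(line)
        if not m:
            continue
        field, spec = m.groups()
        info = {}
        if spec and "," in spec:
            # Assumption: "(lo,hi)" is an allowed numeric range.
            info["range"] = tuple(int(p) for p in spec.split(","))
        elif spec:
            # "(64)" is a character limit; a trailing word such as "xss" is ignored.
            info["max_len"] = int(spec.split()[0])
        limits[field] = info
    return limits

def check_text(field, value, limits):
    """Hypothetical helper: list the problems with a name-type text value."""
    problems = []
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    max_len = limits.get(field, {}).get("max_len")
    if max_len is not None and len(value) > max_len:
        problems.append(f"{len(value)} characters, limit is {max_len}")
    return problems
```

Running such a check before pushing names through the CLI or an automation script catches rejected input early and keeps markup characters out of fields that the web-based manager later renders.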

Entering numeric values


Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again, such as MAC addresses) require hexadecimal numbers.

Most web-based manager numeric value configuration fields either limit the number of digits that you can enter or include extra information that makes it easier to enter an acceptable number of digits and a number in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.

Selecting options from a list


If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you with a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

Enabling or disabling options


If a configuration field can only be on or off (enabled or disabled), the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Fortinet products End User License Agreement


See the Fortinet products End User License Agreement.


Training
Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CD


Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.
