Technical Documentation
docs.fortinet.com
Knowledge Base
kb.fortinet.com
support.fortinet.com
Training Services
training.fortinet.com
FortiGuard
fortiguard.com
Document Feedback
techdocs@fortinet.com
Change Log
Date | Change Description
2013-03-20 | Initial Release.
2013-09-27 | Patch 4 Release.
2014-04-01 |
2015-01-16 |
2015-03-13 |
5
appcat
applist
apptype
assetid
assetname
attackid
attackname
carrierep
catdesc
classdesc
connmode
contenttype
decspi
direction
dirdisp
dlpsensor
dstip
dstcountry
dstintf
dstport
encspi
enddate
espauth
esptransform
filtertype
icmpcode
icmpid
icmptype
incidentserialno
lanin
lanout
locip
locport
locip
logid
malformdata
malformdesc
msg
messagetype
osfamily
osgen
osvendor
outintf
ovrdid
ovrdtbl
shaperperipdropbyte
shaperperipname
4.3
pri
profile_group
profile_type
quota_exceeded
quota_max
quota_used
rcvd
rcvd_pkt
rem_ip
rem_port
remote_ip
req_type
request_name
rule_data
rule_type
sent
sent_pkt
shaper_drop_rcvd
shaper_drop_sent
shaper_rcvd_name
shaper_sent_name
src
src_country
src_int
src_port
start-date
tran_disp
tran_ip
tran_port
tran_sip
tran_sport
url_type
urlfilter_idx
urlfilter_list
voip_proto
vpn_tunnel
vpn_type
vuln_cat
vuln_cnt
vuln_id
vuln_ref
wan_in
wan_out
wanopt_app_type
xauth_group
xauth_user
5
level
profilegroup
profiletype
quotaexceeded
quotamax
quotaused
rcvdbyte
rcvdpkt
remip
remport
remip
reqtype
requestname
ruledata
ruletype
sentbyte
sentpkt
shaperdroprcvdbyte
shaperdropsentbyte
shaperrcvdname
shapersentname
srcip
srccountry
srcintf
srcport
startdate
trandisp
tranip
tranport
transip
transport
urltype
urlfilteridx
urlfilterlist
voipproto
vpntunnel
vpntype
vulncat
vulncnt
vulnid
vulnref
wanin
wanout
wanoptapptype
xauthgroup
xauthuser
4.3 subtypes
traffic
allowed
webcache-traffic, wanopt-traffic, explicit-proxy-traffic
failed-conn, violation, other
5.0 subtypes
forward/local/multicast
forward
forward
event
vpn
system
router
auth, radius
wireless
wad
voip
user
wireless
wad
moved to voip logs section
virus
infected
filename
oversize
scanerror
---------
infected
filename
oversized
scanerror
analytics
switchproto
webfilter
content
urlfilter
ftgd_blk
ftgd_allow
ftgd_err
activexfilter
cookiefilter
appletfilter
ftgd_quota_counting
ftgd_quota
---------
content
urlfilter
ftgd_blk
ftgd_allow
ftgd_err
activexfilter
cookiefilter
appletfilter
ftgd_quota_counting
ftgd_quota
ftgd_quota_expired
webfilter_command_block
ips
signature
anomaly
emailfilter msn-hotmail
yahoo-mail
smtp
pop3
imap
carrier-endpoint-filter
mass-mms
---------
signature
anomaly
msn
yahoo
smtp
pop3
imap
endpointfilter
mms
google
mapi
netscan
discovery
vulnerability
discovery
vulnerability
dlp
dlp
-----
dlp
dlp-docsource
app-ctrl
app-ctrl-all
app-ctrl-all
content
http
ftp
smtp
pop3
imap
https
im-all
nntp
voip
mm1
mm3
mm4
mm7
smtps
pop3s
imaps
http
ftp
smtp
pop3
imap
https
im-all
nntp
voip
mm1
mm3
mm4
mm7
smtps
pop3s
imaps
voip
-----
voip
Traffic
2
Message ID: 000002
Message Description: allowed message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
3
Message ID: 000003
Message Description: violation message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field
Meaning
type
traffic
subtype
invalid
level
warning
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shapersentname
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
4
Message ID: 000004
Message Description: other message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
invalid
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
5
Message ID: 000005
Message Description: allowed icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
invalid
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
6
Message ID: 000006
Message Description: deny internal icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field
Meaning
type
traffic
subtype
invalid
level
warning
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shapersentname
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
7
Message ID: 000007
Message Description: deny external icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field
Meaning
type
traffic
subtype
invalid
level
warning
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shapersentname
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
8
Message ID: 000008
Message Description: WAN optimization traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype
WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
wanin
WAN in.
wanout
WAN out.
lanin
LAN in.
lanout
LAN out.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
osname
osversion
unauthuser
9
Message ID: 000009
Message Description: webcache traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype
WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
wanin
WAN in.
wanout
WAN out.
lanin
LAN in.
lanout
LAN out.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
osname
osversion
unauthuser
10
Message ID: 000010
Message Description: explicit proxy traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype
WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
wanin
WAN in.
wanout
WAN out.
lanin
LAN in.
lanout
LAN out.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
osname
osversion
unauthuser
11
Message ID: 000011
Message Description: failed connection attempts
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field
Meaning
type
traffic
subtype
invalid
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
User name.
group
crscore
craction
12
Message ID: 000012
Message Description: multicast allowed message
Type (type): traffic
Subtype (subtype): multicast
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
multicast
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
13
Message ID: 000013
Message Description: traffic forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
utmaction
filename
virus
attack
ATTACK
hostname
catdesc
sender
SENDER
recipient
RECIPIENT
mailcount
MAILCOUNT
spamcount
SPAMCOUNT
dlprule
DLP rule.
utmevent
utmseverity
UTM severity.
sha256
SHA256 hash.
analyticssubmit
crscore
craction
14
Message ID: 000014
Message Description: traffic local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
local
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
15
Message ID: 000015
Message Description: start forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
forward
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp
Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
16
Message ID: 000016
Message Description: start local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field
Meaning
type
traffic
subtype
local
level
notice
date
time
status
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstname
dstcountry
Destination country.
srccountry
Source country.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip
tranport
The translated port number in NAT mode. For Transparent mode, it is zero.
transip
transport
The translated source port number in NAT mode. For Transparent mode, it is zero.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte
rcvdbyte
shaperdropsentbyte
shaperdroprcvdbyte
shaperrcvdname
shaperperipname
sentpkt
rcvdpkt
vpn
vpntype
The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
sessionid
Session ID.
appid
Application ID.
app
The name of the application that triggered the action within the control list. For example, SSL.
appcat
applist
The name of the application control list that was used to detect and take action.
appact
Application action.
user
User name.
group
osname
osversion
unauthuser
unauthusersource
crscore
craction
Netscan
4096
Message ID: 004096
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype vulnerability
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
start
end
status
engine
plugin
4097
Message ID: 004097
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
start
end
status
engine
plugin
4098
Message ID: 004098
Message Description: Netscan vulnerability detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype vulnerability
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
vuln
vulncat
vulnid
vulnref
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
4099
Message ID: 004099
Message Description: Netscan OS detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
os
osfamily
OS family.
osgen
OS generation.
osvendor OS vendor.
4100
Message ID: 004100
Message Description: Netscan service detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
service
proto
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
4101
Message ID: 004101
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype vulnerability
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
4102
Message ID: 004102
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
4103
Message ID: 004103
Message Description: Netscan number of vulnerabilities detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype vulnerability
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
vulncnt
Vulnerability count.
4104
Message ID: 004104
Message Description: Netscan host detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype
discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
method
assetid
4105
Message ID: 004105
Message Description: Netscan port detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field
Meaning
type
utm
subtype
netscan
eventtype discovery
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip
proto
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
Virus
8192
Message ID: 008192
Message Description: virus infected block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"File is infected."
8193
Message ID: 008193
Message Description: virus infected pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"File is infected."
8194
Message ID: 008194
Message Description: virus infected mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"File is infected."
8195
Message ID: 008195
Message Description: virus infected mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
8196
Message ID: 008196
Message Description: virus infected worm block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
virus
dtype
Dtype.
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
msg
"Worm detected."
8197
Message ID: 008197
Message Description: virus infected worm monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
virus
dtype
Dtype.
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
msg
"Worm detected."
8198
Message ID: 008198
Message Description: virus infected worm mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
virus
dtype
Dtype.
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
from
Source identifier.
to
Destination identifier.
msg
"Worm detected."
8199
Message ID: 008199
Message Description: virus infected worm mime monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
virus
dtype
Dtype.
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
from
Source identifier.
to
Destination identifier.
msg
"Worm detected."
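The following Python sketch is an added example, not part of the Fortinet reference. It triages the eight "infected" messages 8192 to 8199 documented above, flagging detections whose description says pass or monitor rather than block, and blocked files whose quarskip value shows they were not quarantined. It assumes space-separated key=value log lines and that the last six digits of the logid field carry the Message ID; neither is stated on this page, and the sample lines are constructed.

```python
import re

# Message IDs 8192-8199 from the tables above (eventtype "infected"), with the
# disposition named in each Message Description and the documented level.
INFECTED = {
    8192: ("block", "warning"),    # virus infected block
    8193: ("pass", "notice"),      # virus infected pass
    8194: ("block", "warning"),    # virus infected mime block
    8195: ("pass", "notice"),      # virus infected mime pass
    8196: ("block", "warning"),    # virus infected worm block
    8197: ("monitor", "notice"),   # virus infected worm monitor
    8198: ("block", "warning"),    # virus infected worm mime block
    8199: ("monitor", "notice"),   # virus infected worm mime monitor
}

# ASSUMPTION: lines are space-separated key=value pairs, values optionally
# double-quoted. This layout is not shown on the page.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_line(line):
    """Split one log line into a dict of field name -> value (quotes removed)."""
    fields = {}
    for m in _PAIR.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def message_id(fields):
    """ASSUMPTION: the last six digits of logid are the Message ID."""
    logid = fields.get("logid", "")
    return int(logid[-6:]) if logid.isdecimal() else None


def triage(line):
    """Classify one line; return None for anything outside messages 8192-8199."""
    f = parse_line(line)
    if f.get("type") != "utm" or f.get("subtype") != "virus":
        return None
    mid = message_id(f)
    if mid not in INFECTED:
        return None
    disposition, expected_level = INFECTED[mid]
    reasons = []
    if disposition != "block":
        reasons.append("detected but not blocked (%s)" % disposition)
    # quarskip: notskip means the file was quarantined; any other value means
    # it was not, for the reason given in the field description.
    quarskip = f.get("quarskip")
    if quarskip not in (None, "notskip"):
        reasons.append("not quarantined: quarskip=%s" % quarskip)
    # A level that disagrees with the table hints at parser or version drift.
    if f.get("level") != expected_level:
        reasons.append("level %r differs from documented %r"
                       % (f.get("level"), expected_level))
    return {"id": mid, "disposition": disposition, "srcip": f.get("srcip"),
            "dstip": f.get("dstip"), "virus": f.get("virus"), "reasons": reasons}


def alerts(lines):
    """Return the triage results that carry at least one reason to follow up."""
    results = (triage(line) for line in lines)
    return [r for r in results if r and r["reasons"]]


# Constructed sample lines (documentation address ranges, made-up names).
SAMPLE_LINES = [
    'date=2015-03-13 time=10:01:02 logid=0211008192 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" srcip=192.0.2.10 '
    'dstip=198.51.100.7 service=HTTP file="a.zip" quarskip=notskip '
    'virus="EXAMPLE/Test" msg="File is infected."',
    'date=2015-03-13 time=10:02:40 logid=0211008193 type=utm subtype=virus '
    'eventtype=infected level=notice vd="root" srcip=192.0.2.11 '
    'dstip=198.51.100.7 service=HTTP file="b.zip" quarskip=oversized '
    'virus="EXAMPLE/Test" msg="File is infected."',
    'date=2015-03-13 time=10:05:13 logid=0211008197 type=utm subtype=virus '
    'eventtype=infected level=notice vd="root" srcip=192.0.2.12 '
    'dstip=203.0.113.9 service=HTTP virus="EXAMPLE/Worm" msg="Worm detected."',
    'date=2015-03-13 time=10:06:00 logid=0000000015 type=traffic '
    'subtype=forward level=notice vd="root" srcip=192.0.2.12 dstip=203.0.113.9',
    'date=2015-03-13 time=10:07:31 logid=0211008196 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" srcip=192.0.2.13 '
    'dstip=203.0.113.9 service=HTTP virus="EXAMPLE/Worm" msg="Worm detected."',
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LINES):
        print(a["id"], a["srcip"], a["virus"], "; ".join(a["reasons"]))
```
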
8448
Message ID: 008448
Message Description: virus blocked (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is blocked."
8449
Message ID: 008449
Message Description: virus blocked (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is blocked."
8450
Message ID: 008450
Message Description: virus blocked mime (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is blocked."
8451
Message ID: 008451
Message Description: virus blocked mime (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is blocked."
8452
Message ID: 008452
Message Description: virus blocked command
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
url
user
User name.
group
command
Command information.
agent
Agent.
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
msg
"Command blocked."
8453
Message ID: 008453
Message Description: virus intercepted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is intercepted."
8454
Message ID: 008454
Message Description: virus intercepted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
"File is intercepted."
8455
Message ID: 008455
Message Description: virus exempted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8456
Message ID: 008456
Message Description: virus exempted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
filename
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
filefilter
filetype
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8457
Message ID: 008457
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8458
Message ID: 008458
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
infected
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8704
Message ID: 008704
Message Description: oversized block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
oversize
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8705
Message ID: 008705
Message Description: oversized pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
oversize
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
agent
Agent.
from
Source identifier.
to
Destination identifier.
msg
8706
Message ID: 008706
Message Description: oversized mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
oversize
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
from
Source identifier.
to
Destination identifier.
msg
8707
Message ID: 008707
Message Description: oversized mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
oversize
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
file
url
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
user
User name.
group
from
Source identifier.
to
Destination identifier.
msg
8720
Message ID: 008720
Message Description: switching protocols block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
switchproto
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
from
Source identifier.
to
Destination identifier.
agent
Agent.
8721
Message ID: 008721
Message Description: switching protocols bypass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
switchproto
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
from
Source identifier.
to
Destination identifier.
agent
Agent.
8960
Message ID: 008960
Message Description: uncompressed nested limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
8961
Message ID: 008961
Message Description: uncompressed size limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
8962
Message ID: 008962
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Encrypted archive."
8963
Message ID: 008963
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Encrypted archive."
8964
Message ID: 008964
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Corrupted archive."
8965
Message ID: 008965
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Corrupted archive."
8966
Message ID: 008966
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Multipart archive."
8967
Message ID: 008967
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Multipart archive."
8968
Message ID: 008968
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Nested archive."
8969
Message ID: 008969
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Nested archive."
8970
Message ID: 008970
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Oversized archive."
8971
Message ID: 008971
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Oversized archive."
8972
Message ID: 008972
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Unhandled archive."
8973
Message ID: 008973
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
scanerror
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
"Unhandled archive."
9233
Message ID: 009233
Message Description: FortiGuard analytics
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): analytics
Level/Severity: notice
Log field
Meaning
type
utm
subtype
virus
eventtype
analytics
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status
service
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
direction
file
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.
quarskip
Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus
dtype
Dtype.
ref
url
profile
The name of the profile that was used to detect and take action.
profiletype
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Agent.
from
Source identifier.
to
Destination identifier.
sha256
SHA256 hash.
analyticssubmit
msg
Webfilter
12288
Message ID: 012288
Message Description: Web content banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent
Agent.
from
Source identifier.
to
Destination identifier.
banword
msg
12289
Message ID: 012289
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction
agent
Agent.
from
Source identifier.
to
Destination identifier.
banword
msg
12290
Message ID: 012290
Message Description: Web content exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent
Agent.
from
Source identifier.
to
Destination identifier.
banword
msg
12291
Message ID: 012291
Message Description: Web content MMS exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction
agent
Agent.
from
Source identifier.
to
Destination identifier.
banword
msg
12292
Message ID: 012292
Message Description: Web search key word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent
Agent.
from
Source identifier.
to
Destination identifier.
keyword
msg
12293
Message ID: 012293
Message Description: Web search
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent
Agent.
from
Source identifier.
to
Destination identifier.
keyword
msg
12305
Message ID: 012305
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction
agent
Agent.
from
Source identifier.
to
Destination identifier.
banword
msg
12544
Message ID: 012544
Message Description: URL filter block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
warning
date
time
urlfilteridx
urlfilterlist
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
msg
12545
Message ID: 012545
Message Description: URL filter exempt
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
urlfilteridx
urlfilterlist
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
msg
12546
Message ID: 012546
Message Description: URL filter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
urlfilteridx
urlfilterlist
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
msg
12547
Message ID: 012547
Message Description: URL filter invalid hostname (Block/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
hostname
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
sentbyte
rcvdbyte
msg
12548
Message ID: 012548
Message Description: URL filter invalid hostname (Block/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
hostname
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
sentbyte
rcvdbyte
msg
"The certificate for the HTTPS session contained an invalid domain name."
12549
Message ID: 012549
Message Description: URL filter invalid hostname (Filter/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
hostname
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
sentbyte
rcvdbyte
msg
"The HTTP request contained an invalid domain name. The session has been filtered by IP only."
12550
Message ID: 012550
Message Description: URL filter invalid hostname (Filter/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
hostname
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
sentbyte
rcvdbyte
msg
"The certificate for this HTTPS session contained an invalid domain name. The session has been filtered by IP only."
12553
Message ID: 012553
Message Description: Server certificate validation failed
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
sentbyte
rcvdbyte
msg
12554
Message ID: 012554
Message Description: Unknown SSL session ID
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
service
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte
rcvdbyte
msg
"The SSL session was blocked because the session ID was unknown."
12555
Message ID: 012555
Message Description: SSL session blocked due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
service
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte
rcvdbyte
msg
"The SSL session was blocked because the server certificate was missing or invalid."
12556
Message ID: 012556
Message Description: SSL session ignored due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
service
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte
rcvdbyte
msg
"The SSL session was ignored because the server certificate was missing or invalid."
12557
Message ID: 012557
Message Description: FortiGuard service inactive
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: critical
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
critical
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
msg
"FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled."
12558
Message ID: 012558
Message Description: Rating error occurs
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
urltype
URL type. One of: HTTP, HTTPS, FTP, Telnet, mail, phishing.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
error
Error.
url
msg
12559
Message ID: 012559
Message Description: URL filter pass
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
information
date
time
urlfilteridx
urlfilterlist
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
msg
12800
Message ID: 012800
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: error
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_err
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
error
Error.
msg
12801
Message ID: 012801
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_err
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
error
Error.
msg
12802
Message ID: 012802
Message Description: Daily fortiguard quota status
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_quota
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
quotaused
quotamax
catdesc
user
User name.
profile
The name of the profile that was used to detect and take action.
13056
Message ID: 013056
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_blk
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
msg
13057
Message ID: 013057
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_blk
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
msg
13312
Message ID: 013312
Message Description: FortiGuard webfilter category allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_allow
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
msg
13313
Message ID: 013313
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_allow
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
mode
Mode.
ruletype
ruledata
Rule data.
ovrdtbl
ovrdid
Override ID.
msg
13314
Message ID: 013314
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: information
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_allow
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
mode
Mode.
ruletype
ruledata
Rule data.
ovrdtbl
ovrdid
Override ID.
msg
13315
Message ID: 013315
Message Description: FortiGuard webfilter category quota counting
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota_counting
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
ftgd_quota_counting
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
quotatype
quotaused
quotamax
msg
13316
Message ID: 013316
Message Description: FortiGuard webfilter category quota expired
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
quotatype
quotaused
quotamax
msg
13317
Message ID: 013317
Message Description: URL visited
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
urlfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
method
class
The class.
classdesc
cat
The category.
catdesc
msg
13568
Message ID: 013568
Message Description: Web script filter ActiveX
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): activexfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
activexfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
count
Number of packets.
msg
13573
Message ID: 013573
Message Description: Web script filter cookie
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
cookiefilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
msg
13584
Message ID: 013584
Message Description: Web script filter applet
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): appletfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
appletfilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
count
Number of packets.
msg
13601
Message ID: 013601
Message Description: Web cookie filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
cookiefilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
count
Number of packets.
filtertype
The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.
msg
13602
Message ID: 013602
Message Description: Web referer filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
webfilter
eventtype
cookiefilter
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype
url
sentbyte
rcvdbyte
count
Number of packets.
filtertype
The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.
msg
13603
Message ID: 013603
Message Description: Command blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): webfilter_command_block
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
webfilter_command_block
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
profiletype
The type of profile responsible for the UTM action taken.
profile
The name of the profile that was used to detect and take action.
hostname
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
service
reqtype
msg
"Command blocked."
13616
Message ID: 013616
Message Description: Content type blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field
Meaning
type
utm
subtype
webfilter
eventtype
content
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
initiator
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
hostname
profiletype
profile
The name of the profile that was used to detect and take action.
reqtype
url
sentbyte
rcvdbyte
status
The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent
Agent.
from
Source identifier.
to
Destination identifier.
contenttype
Content type.
msg
IPS
16384
Message ID: 016384
Message Description: attack signature (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
signature
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
16385
Message ID: 016385
Message Description: attack signature (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
signature
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
icmpid
icmptype
icmpcode
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
16386
Message ID: 016386
Message Description: attack signature (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
signature
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
18432
Message ID: 018432
Message Description: attack anomaly (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
anomaly
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
18433
Message ID: 018433
Message Description: attack anomaly (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
anomaly
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
icmpid
icmptype
icmpcode
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
18434
Message ID: 018434
Message Description: attack anomaly (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field
Meaning
type
utm
subtype
ips
eventtype
anomaly
level
alert
date
time
severity
The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom
Custom field.
sessionid
Session ID.
status
The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
attackname
Attack name.
attackid
sensor
Sensor.
ref
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
Spam
20480
Message ID: 020480
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
smtp
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20481
Message ID: 020481
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
smtp
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
subject
Subject.
20482
Message ID: 020482
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
pop3
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20483
Message ID: 020483
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
pop3
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
20484
Message ID: 020484
Message Description: antispam imap (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
imap
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20485
Message ID: 020485
Message Description: antispam endpoint filter (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20486
Message ID: 020486
Message Description: antispam endpoint filter (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20487
Message ID: 020487
Message Description: antispam endpoint filter (mm7 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
agent
Agent.
20488
Message ID: 020488
Message Description: antispam endpoint filter (mm7 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
agent
Agent.
20489
Message ID: 020489
Message Description: antispam endpoint filter (mm1 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20490
Message ID: 020490
Message Description: antispam endpoint filter (mm1 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
endpointfilter
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20491
Message ID: 020491
Message Description: antispam imap banned-word (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
imap
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
subject
Subject.
20492
Message ID: 020492
Message Description: antispam MM1 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20493
Message ID: 020493
Message Description: antispam MM1 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20494
Message ID: 020494
Message Description: antispam MM4 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20495
Message ID: 020495
Message Description: antispam MM4 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20496
Message ID: 020496
Message Description: antispam MM1 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20497
Message ID: 020497
Message Description: antispam MM1 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
direction
agent
Agent.
20498
Message ID: 020498
Message Description: antispam MM4 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
warning
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20499
Message ID: 020499
Message Description: antispam MM4 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mms
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
20500
Message ID: 020500
Message Description: antispam msn hotmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): msn
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
msn
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
subject
Subject.
size
cc
attachment
Email attachment.
20501
Message ID: 020501
Message Description: antispam yahoo mail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): yahoo
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
yahoo
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
subject
Subject.
size
cc
attachment
Email attachment.
20502
Message ID: 020502
Message Description: antispam gmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): google
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
subject
Subject.
size
cc
attachment
Email attachment.
20503
Message ID: 020503
Message Description: antispam smtp general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
smtp
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
subject
Subject.
size
cc
attachment
Email attachment.
20504
Message ID: 020504
Message Description: antispam pop3 general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
pop3
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. For example, "MACMINI-######" or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
subject
Subject.
size
cc
attachment
Email attachment.
20505
Message ID: 020505
Message Description: antispam imap general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
imap
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
subject
Subject.
size
cc
attachment
Email attachment.
20506
Message ID: 020506
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: information
Log field
Meaning
type
utm
subtype
spam
eventtype
mapi
level
information
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
subject
Subject.
size
20507
Message ID: 020507
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mapi
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
banword
20508
Message ID: 020508
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field
Meaning
type
utm
subtype
spam
eventtype
mapi
level
notice
date
time
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
profile
The name of the profile that was used to detect and take action.
profiletype
status
The status of the email message. One of: exempted, blocked, or detected.
from
Source identifier.
to
Destination identifier.
tracker
Tracker ID.
sentbyte
rcvdbyte
subject
Subject.
size
DLP
24576
Message ID: 024576
Message Description: DLP log (Warning)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: warning
Log field
Meaning
type
utm
subtype
dlp
eventtype
dlp
level
warning
date
time
filteridx
dlpextra
filtertype
DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
Epoch.
eventid
Serial number.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
filetype
sentbyte
rcvdbyte
from
Source identifier.
to
Destination identifier.
subject
Subject.
file
action
Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine
interface.
profile
The name of the profile that was used to detect and take action.
24577
Message ID: 024577
Message Description: DLP log (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: notice
Log field
Meaning
type
utm
subtype
dlp
eventtype
dlp
level
notice
date
time
filteridx
dlpextra
filtertype
DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
Epoch.
eventid
Serial number.
user
User name.
group
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
service
filetype
sentbyte
rcvdbyte
from
Source identifier.
to
Destination identifier.
subject
Subject.
file
action
Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine
interface.
profile
The name of the profile that was used to detect and take action.
24578
Message ID: 024578
Message Description: DLP fingerprint document source (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: notice
Log field
Meaning
type
utm
subtype
dlp
eventtype
dlp-docsource
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
24579
Message ID: 024579
Message Description: DLP fingerprint document source (Error)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: warning
Log field
Meaning
type
utm
subtype
dlp
eventtype
dlp-docsource
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
Application Control
28672
Message ID: 028672
Message Description: application control im-basic log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28673
Message ID: 028673
Message Description: application control im log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status
The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.
28674
Message ID: 028674
Message Description: application control im(chat message count) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
28675
Message ID: 028675
Message Description: application control im(file) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status
The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.
filename
filesize
File size.
immsg
IM message content.
28676
Message ID: 028676
Message Description: application control im(chat) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
content
Traffic content.
28677
Message ID: 028677
Message Description: application control im(chat blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
req
28678
Message ID: 028678
Message Description: application control im-block log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28688
Message ID: 028688
Message Description: application control (voip basic) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status
The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.
28689
Message ID: 028689
Message Description: application control (sccp call blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status
The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.
phone
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
28690
Message ID: 028690
Message Description: application control (sip block) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
req
28704
Message ID: 028704
Message Description: application control ips log (pass)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid
user
User name.
group
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
dstname
profiletype
profile
The name of the profile that was used to detect and take action.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
hostname
url
message
28705
Message ID: 028705
Message Description: application control ips log (block)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid
user
User name.
group
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
dstname
profiletype
profile
The name of the profile that was used to detect and take action.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
hostname
url
message
28706
Message ID: 028706
Message Description: application control ips log (reset)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid
user
User name.
group
osname
osversion
unauthuser
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcname
The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
dstname
profiletype
profile
The name of the profile that was used to detect and take action.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count
Number of packets.
hostname
url
message
28720
Message ID: 028720
Message Description: application control ssh filter
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28721
Message ID: 028721
Message Description: application control ssh filter block
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field
Meaning
type
utm
subtype
app-ctrl
eventtype
app-ctrl-all
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
group
osname
osversion
unauthuser
The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.
profiletype
profile
The name of the profile that was used to detect and take action.
direction
srcip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf
srcuser
dstuser
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
policyid
The ID number of the firewall policy that applies to the session or packet.
custom
Custom field.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.
sessionid
Session ID.
applist
The name of the application control list that was used to detect and take action.
apptype
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control list. For example, SSL.
action
The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
Event
20099
Message ID: 020099
Message Description: interface statistics change
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
msg
32001
Message ID: 032001
Message Description: successful admin login attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action
status
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile
The name of the profile that was used to detect and take action.
msg
32003
Message ID: 032003
Message Description: successful admin logout attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action
status
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile
The name of the profile that was used to detect and take action.
msg
"Administrator (name) logged out successfully from (source)." "Administrator (name) timed out on (source)."
32142
Message ID: 032142
Message Description: automatic config backup
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field then shows their point-of-entry as GUI(10.10.20.5).
action
status
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile
The name of the profile that was used to detect and take action.
msg
37120
Message ID: 037120
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
xauthresult
XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.
msg
37121
Message ID: 037121
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
xauthresult
XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.
msg
37122
Message ID: 037122
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
xauthgroup
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role
esptransform
ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth
msg
37123
Message ID: 037123
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
xauthgroup
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role
esptransform
ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth
msg
37124
Message ID: 037124
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason
Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.
peernotif
msg
37125
Message ID: 037125
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason
Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.
msg
37126
Message ID: 037126
Message Description: IPsec no state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason
Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.
msg
37127
Message ID: 037127
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
mode
direction
stage
Stage number.
role
result
msg
37128
Message ID: 037128
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
mode
direction
stage
Stage number.
role
result
msg
37129
Message ID: 037129
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
mode
direction
stage
Stage number.
role
result
msg
37130
Message ID: 037130
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
mode
direction
stage
Stage number.
role
result
msg
37131
Message ID: 037131
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum
ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet
detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed
packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid
ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,
Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet
with unknown SPI.
spi
seq
Sequence number.
msg
"IPsec ESP."
37132
Message ID: 037132
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field
Meaning
type
event
subtype
vpn
level
critical
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum
ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet
detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed
packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid
ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,
Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet
with unknown SPI.
spi
seq
Sequence number.
msg
"IPsec ESP."
37133
Message ID: 037133
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
role
inspi
In SPI.
outspi
Out SPI.
msg
37134
Message ID: 037134
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
msg
37135
Message ID: 037135
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
encspi
Enc SPI.
decspi
Dec SPI.
msg
37136
Message ID: 037136
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg
37137
Message ID: 037137
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg
37138
Message ID: 037138
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip
tunnelid
tunneltype
"ipsec"
duration
sentbyte
rcvdbyte
nextstat
tunnel
Tunnel name.
msg
37139
Message ID: 037139
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
xauthgroup
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
37140
Message ID: 037140
Message Description: auto-IPsec status
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
"auto-IPsec status."
37141
Message ID: 037141
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
xauthuser
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip
tunnelid
tunneltype
"ipsec"
duration
sentbyte
rcvdbyte
nextstat
tunnel
Tunnel name.
msg
37184
Message ID: 037184
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
peernotif
msg
37185
Message ID: 037185
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
peernotif
msg
37186
Message ID: 037186
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth
msg
37187
Message ID: 037187
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth
msg
37188
Message ID: 037188
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request
msg
37189
Message ID: 037189
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request
msg
37190
Message ID: 037190
Message Description: IPsec not state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request
msg
37191
Message ID: 037191
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
exch
direction
role
result
version
"IKEv2"
msg
37192
Message ID: 037192
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
exch
direction
role
result
version
"IKEv2"
msg
37193
Message ID: 037193
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
exch
direction
role
result
version
"IKEv2"
msg
37194
Message ID: 037194
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init
exch
direction
role
result
version
"IKEv2"
msg
37195
Message ID: 037195
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum
ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected
(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid
ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected
(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet
detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi
seq
Sequence number.
msg
"IPsec ESP."
37196
Message ID: 037196
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field
Meaning
type
event
subtype
vpn
level
critical
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum
ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected
(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid
ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected
(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet
detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi
seq
Sequence number.
msg
"IPsec ESP."
37197
Message ID: 037197
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
role
inspi
In SPI.
outspi
Out SPI.
msg
37198
Message ID: 037198
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
msg
37199
Message ID: 037199
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
encspi
Enc SPI.
decspi
Dec SPI.
msg
37200
Message ID: 037200
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg
37201
Message ID: 037201
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg
37202
Message ID: 037202
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip
tunnelid
tunneltype "ipsec"
duration
sentbyte
rcvdbyte
nextstat
tunnel
Tunnel name.
msg
37203
Message ID: 037203
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
37204
Message ID: 037204
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field
Meaning
type
event
subtype
vpn
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip
locip
remport
Remote port.
locport
Local port.
outintf
Outward interface.
cookies
Cookies.
user
User name.
group
vpntunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip
tunnelid
tunneltype "ipsec"
duration
sentbyte
rcvdbyte
nextstat
tunnel
Tunnel name.
msg
37888
Message ID: 037888
Message Description: HA group delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
msg
37889
Message ID: 037889
Message Description: Virtual cluster delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster
Virtual cluster.
msg
37890
Message ID: 037890
Message Description: Virtual cluster move vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vdname
VDOM name.
msg
37891
Message ID: 037891
Message Description: Virtual cluster add vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
VDOM name.
msg
37892
Message ID: 037892
Message Description: Virtual cluster move member state
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
vcluster
Virtual cluster.
vclusterstate
sn
Serial number.
msg
37893
Message ID: 037893
Message Description: Virtual cluster detect member dead
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
vcluster
Virtual cluster.
msg
37894
Message ID: 037894
Message Description: Virtual cluster detect member join
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
vcluster
Virtual cluster.
msg
37895
Message ID: 037895
Message Description: Virtual cluster add HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster
Virtual cluster.
37896
Message ID: 037896
Message Description: Virtual cluster delete HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster
Virtual cluster.
37897
Message ID: 037897
Message Description: HA device (interface) ready
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
37898
Message ID: 037898
Message Description: HA device (interface) fail
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field
Meaning
type
event
subtype
system
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
37899
Message ID: 037899
Message Description: HA device (interface) peerinfo
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
37900
Message ID: 037900
Message Description: Heartbeat device (interface) delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
37901
Message ID: 037901
Message Description: Heartbeat device (interface) down
Type (type): event
Subtype (subtype): system
Level/Severity: critical
Log field
Meaning
type
event
subtype
system
level
critical
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
37902
Message ID: 037902
Message Description: Heartbeat device (interface) up
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole
37903
Message ID: 037903
Message Description: The sync status with the master
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
synctype
37904
Message ID: 037904
Message Description: HA activity report
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
ip
HA IP.
haprio
HA priority.
activity
HA activity message.
msg
38031
Message ID: 038031
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
src
server
action
FSSO-polling-logon
status
success
reason
Reason.
msg
38032
Message ID: 038032
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
src
server
action
FSSO-polling-logoff
status
success
reason
Reason.
msg
38033
Message ID: 038033
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
user
User name.
server
action
FSSO-polling-AD-server
msg
38400
Message ID: 038400
Message Description: The system successfully sent a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
from
Source identifier.
to
Destination identifier.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
dst
dport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
nftype
Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
virus
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
count
Number of packets.
duration
msg
38401
Message ID: 038401
Message Description: The system was unable to send a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field
Meaning
type
event
subtype
system
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
from
Source identifier.
to
Destination identifier.
service
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
dst
dport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
nftype
Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
virus
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
count
Number of packets.
duration
msg
38402
Message ID: 038402
Message Description: The system was unable to resolve an MMSC hostname
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hostname
service
profile
The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
profilevd
Profile VDOM.
msg
38656
Message ID: 038656
Message Description: RADIUS protocol error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38657
Message ID: 038657
Message Description: RADIUS profile error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38658
Message ID: 038658
Message Description: RADIUS context error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38659
Message ID: 038659
Message Description: RADIUS missing stop packet report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38660
Message ID: 038660
Message Description: RADIUS accounting event report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type
event
subtype
user
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38661
Message ID: 038661
Message Description: RADIUS other dynamic profile report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type
event
subtype
user
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count
Number of packets.
Message.
38662
Message ID: 038662
Message Description: RADIUS protocol errors occurred
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
acctstat
reason
Reason.
38663
Message ID: 038663
Message Description: RADIUS start or interim-update packet received with missing or invalid profile specified
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
acctstat
reason
Reason.
38664
Message ID: 038664
Message Description: RADIUS no context found for user
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
38665
Message ID: 038665
Message Description: RADIUS stop packet was missed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
acctstat
reason
Reason.
38666
Message ID: 038666
Message Description: RADIUS accounting event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
acctstat
reason
Reason.
38667
Message ID: 038667
Message Description: RADIUS other dynamic profile event
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type
event
subtype
user
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip
IP address.
rssokey
RSSO key.
msg
Message.
acctstat
reason
Reason.
count
Number of packets.
39424
Message ID: 039424
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-up"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39425
Message ID: 039425
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-down"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
duration
sentbyte
rcvdbyte
msg
39426
Message ID: 039426
Message Description: SSL user failed to log in
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-login-fail"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39936
Message ID: 039936
Message Description: SSL web tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-stats"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
nextstats
Next statistics.
duration
sentbyte
rcvdbyte
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39937
Message ID: 039937
Message Description: SSL web application blocked
Type (type): event
Subtype (subtype): vpn
Level/Severity: warning
Log field
Meaning
type
event
subtype
vpn
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-web-deny"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
apptype
The type of application that triggered the action within the control list.
msg
39938
Message ID: 039938
Message Description: SSL web application activated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-web-pass"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
apptype
The type of application that triggered the action within the control list.
msg
39939
Message ID: 039939
Message Description: SSL web application timeout
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-web-timeout"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
apptype
The type of application that triggered the action within the control list.
msg
39940
Message ID: 039940
Message Description: SSL web application closed
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-web-close"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
apptype
The type of application that triggered the action within the control list.
msg
39941
Message ID: 039941
Message Description: SSL system busy
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-sys-busy"
tunneltype "ssl-web"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39942
Message ID: 039942
Message Description: SSL new SSL certification verification success
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-cert"
tunneltype "ssl"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39943
Message ID: 039943
Message Description: SSL new connection
Type (type): event
Subtype (subtype): vpn
Level/Severity: debug
Log field
Meaning
type
event
subtype
vpn
level
debug
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-new-con"
tunneltype "ssl"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39944
Message ID: 039944
Message Description: SSL alerts
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-alert"
tunneltype "ssl"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
alert
Alert information.
desc
Description.
msg
"SSL alerts."
39945
Message ID: 039945
Message Description: SSL exit fail
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-exit-fail"
tunneltype "ssl"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39946
Message ID: 039946
Message Description: SSL exit error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-exit-error"
tunneltype "ssl"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39947
Message ID: 039947
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-up"
tunneltype "ssl-tunnel"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39948
Message ID: 039948
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-down"
tunneltype "ssl-tunnel"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
duration
sentbyte
rcvdbyte
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39949
Message ID: 039949
Message Description: SSL tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"tunnel-stats"
tunneltype "ssl-tunnel"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
nextstats
Next statistics.
duration
sentbyte
rcvdbyte
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39950
Message ID: 039950
Message Description: SSL tunnel unknown tag
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-tunnel-unknown-tag"
tunneltype "ssl-tunnel"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
39951
Message ID: 039951
Message Description: SSL tunnel error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field
Meaning
type
event
subtype
vpn
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"ssl-tunnel-error"
tunneltype "ssl-tunnel"
tunnelid
remip
tunnelip
user
User name.
group
dsthost
Destination host.
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg
40704
Message ID: 040704
Message Description: System performance
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"perf-stats"
cpu
CPU usage.
mem
Memory usage.
"Performance statistics."
40960
Message ID: 040960
Message Description: web proxy forward server error
Type (type): event
Subtype (subtype): wad
Level/Severity: notice
Log field
Meaning
type
event
subtype
wad
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
ip
IP address.
fqdn
Domain name.
port
Port number.
msg
Message. Either "Failed to connect to forward server" or "Successfully connected to forward server".
41216
Message ID: 041216
Message Description: GTP forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
Header TEID.
41217
Message ID: 041217
Message Description: GTP Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
denycause
Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version
ietype
IE type.
dtlexp
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
Header TEID.
41218
Message ID: 041218
Message Description: GTP Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
Header TEID.
41219
Message ID: 041219
Message Description: GTP State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
dtlexp
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
Header TEID.
41220
Message ID: 041220
Message Description: GTP Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
Header TEID.
41221
Message ID: 041221
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
csgsn
CSGSN.
cggsn
CGGSN.
usgsn
USGSN.
uggsn
UGGSN.
csgsnteid
CSGSN TEID.
cggsnteid
CGGSN TEID.
usgsnteid
USGSN TEID.
uggsnteid
UGGSN TEID.
tunnelidx
Tunnel index.
duration
cpkts
C-packets.
cbytes
C-bytes.
upkts
U-packets.
ubytes
U-bytes.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
apn
APN.
selection
cgsn
CGSN.
ugsn
UGSN.
nsapi
NSAPI.
linkednsapi
Linked NSAPI.
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai
RAI.
uli
ULI.
41222
Message ID: 041222
Message Description: GTP User Data
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
tunnelidx
Tunnel index.
from
Source identifier.
to
Destination identifier.
IMSI.
msisdn
apn
APN.
userdata
User data.
41223
Message ID: 041223
Message Description: GTPv2 Forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
imeisv
IMEISV.
snetwork
Serving network.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection
apn
APN.
Header TEID.
cpaddr
cpteid
41224
Message ID: 041224
Message Description: GTPv2 Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
denycause
Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie,
invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover,
ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version
ietype
IE type.
dtlexp
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
imeisv
IMEISV.
snetwork
Serving network.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection
apn
APN.
Header TEID.
cpaddr
cpteid
41225
Message ID: 041225
Message Description: GTPv2 Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
imeisv
IMEISV.
snetwork
Serving network.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection
apn
APN.
Header TEID.
cpaddr
cpteid
41226
Message ID: 041226
Message Description: GTPv2 State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
dtlexp
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
imeisv
IMEISV.
snetwork
Serving network.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection
apn
APN.
Header TEID.
cpaddr
cpteid
41227
Message ID: 041227
Message Description: GTPv2 Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
msgtype
Message type.
from
Source identifier.
to
Destination identifier.
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum
Sequence number.
tunnelidx
Tunnel index.
imsi
IMSI.
msisdn
imeisv
IMEISV.
snetwork
Serving network.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection
apn
APN.
Header TEID.
cpaddr
cpteid
41228
Message ID: 041228
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile
The name of the profile that was used to detect and take action.
status
GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version
Version.
cpdladdr
cpdlisraddr
cpuladdr
cpdlteid
cpdlisrteid
cpulteid
tunnelidx
Tunnel index.
duration
cpkts
C-packets.
cbytes
C-bytes.
upkts
U-packets.
ubytes
U-bytes.
imsi
IMSI.
msisdn
apn
APN.
selection
imeisv
IMEISV.
rattype
RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
snetwork
Serving network.
41984
Message ID: 041984
Message Description: Certificate Load
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
41985
Message ID: 041985
Message Description: Certificate Removal
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
41986
Message ID: 041986
Message Description: Certificate Regenerated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
status
"success"
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
41987
Message ID: 041987
Message Description: Certificate Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type
event
subtype
vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
status
"success"
name
Certificate name.
method
certtype
msg
41988
Message ID: 041988
Message Description: SSL Setting Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
msg
41989
Message ID: 041989
Message Description: Certificate Error
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field
Meaning
type
event
subtype vpn
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
"info"
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
"Certificate is invalid."
43008
Message ID: 043008
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43009
Message ID: 043009
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43010
Message ID: 043010
Message Description: Authentication locked out
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field
Meaning
type
event
subtype user
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43011
Message ID: 043011
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43012
Message ID: 043012
Message Description: FSSO authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43013
Message ID: 043013
Message Description: FSSO authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43014
Message ID: 043014
Message Description: FSSO log on
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
user
User name.
server
action
msg
Message.
43015
Message ID: 043015
Message Description: FSSO log off
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
user
User name.
server
action
msg
Message.
43016
Message ID: 043016
Message Description: NTLM authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43017
Message ID: 043017
Message Description: NTLM authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43018
Message ID: 043018
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type
event
subtype
user
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
initiator
status
reason
Reason.
msg
Message.
43019
Message ID: 043019
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type
event
subtype
user
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
initiator
status
reason
Reason.
msg
Message.
43020
Message ID: 043020
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
initiator
status
reason
Reason.
scope
ruledata
Rule data.
offsite
expiry
Expiry information.
oldwprof
newwprof
msg
Message.
43021
Message ID: 043021
Message Description: Endpoint checking event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
msg
Message.
43022
Message ID: 043022
Message Description: Endpoint license distribution
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
msg
Message.
43023
Message ID: 043023
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
msg
Message.
43024
Message ID: 043024
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
msg
Message.
43025
Message ID: 043025
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43026
Message ID: 043026
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43027
Message ID: 043027
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43028
Message ID: 043028
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
policyid The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, when the user admin_123 accesses the web-based manager on the FortiGate-51B (IP address 10.10.20.5) to change their password, this field shows the point of entry as GUI(10.10.20.5).
action
status
reason
Reason.
msg
Message.
43029
Message ID: 043029
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field
Meaning
type
event
subtype
user
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
initiator
status
reason
Reason.
scope
ruledata
Rule data.
offsite
expiry
Expiry information.
oldwprof
newwprof
msg
Message.
43030
Message ID: 043030
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type
event
subtype
user
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
initiator
status
reason
Reason.
msg
Message.
43264
Message ID: 043264
Message Description: MMS Statistics
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
proto
infected
checksum
duration
43520
Message ID: 043520
Message Description: wireless system activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
msg
Message.
43521
Message ID: 043521
Message Description: wireless rogue AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
onwire
Will display NO or 0.
ssid
bssid
aptype
AP type.
rate
radioband
Radio band.
channel
action
manuf
Manufacturer.
securitymode
Security mode.
rssi
RSSI.
Noise
Noise.
live
Live.
age
Age.
detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.
stamac
Station MAC.
apscan
sndetected
radioiddetected
stacount
STA count.
snclosest
radioiddetected
msg
Message.
43522
Message ID: 043522
Message Description: physical AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn
Serial number.
ap
Physical AP name.
approfile
AP profile.
ip
IP address.
meshmode
Mesh mode: non-mesh, mesh ap, mesh root ap, mesh branch/leaf ap.
snmeshparent Serial number of physical AP which is the mesh parent of this mesh branch/leaf AP.
action
reason
Reason.
msg
Message.
43524
Message ID: 043524
Message Description: wireless client activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn
Serial number.
ap
Physical AP name.
vap
Virtual AP name.
ssid
user
User name.
group
mac
ip
IP address.
channel
Security type: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.
action
reason
Reason.
msg
Message.
43525
Message ID: 043525
Message Description: wireless rogue AP activity (on-wire)
Type (type): event
Subtype (subtype): wireless
Level/Severity: warning
Log field
Meaning
type
event
subtype
wireless
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
onwire
ssid
bssid
aptype
AP type.
rate
onwire
radioband
Radio band.
channel
action
manuf
Manufacturer.
securitymode
Security mode.
rssi
RSSI.
Noise
Noise.
live
Live.
age
Age.
detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.
stamac
Station MAC.
apscan
sndetected
radioiddetected
stacount
STA count.
snclosest
radioiddetected
msg
Message.
43526
Message ID: 043526
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn
Serial number.
ap
Physical AP name.
ip
IP address.
radioid
Radio ID.
Operating country.
cfgtxpower
Config TX power.
opertxpower
Operating TX power.
radioband
Radio band.
action
msg
Message.
43527
Message ID: 043527
Message Description: wireless rogue AP status config
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
ssid
bssid
apstatus AP status.
msg
Message.
43528
Message ID: 043528
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn
Serial number.
ap
Physical AP name.
ip
IP address.
radioid
Radio ID.
Operating country.
cfgtxpower
Config TX power.
opertxpower
Operating TX power.
radioband
Radio band.
action
msg
Message.
43529
Message ID: 043529
Message Description: wireless client load balancing
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn
Serial number.
ap
Physical AP name.
vap
Virtual AP name.
ssid
mac
STA count.
action
reason
Reason.
msg
Message.
43530
Message ID: 043530
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43531
Message ID: 043531
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43532
Message ID: 043532
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43533
Message ID: 043533
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43534
Message ID: 043534
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43535
Message ID: 043535
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43536
Message ID: 043536
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43537
Message ID: 043537
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43538
Message ID: 043538
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43539
Message ID: 043539
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43540
Message ID: 043540
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43541
Message ID: 043541
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43542
Message ID: 043542
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
tamac
manuf
Manufacturer.
sndetected
eapolcnt
msg
Message.
43543
Message ID: 043543
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
tamac
manuf
Manufacturer.
sndetected
eapolcnt
msg
Message.
43544
Message ID: 043544
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43545
Message ID: 043545
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
tamac
manuf
Manufacturer.
sndetected
msg
Message.
43546
Message ID: 043546
Message Description: spoofed-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43548
Message ID: 043548
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field
Meaning
type
event
subtype
wireless
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43549
Message ID: 043549
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field
Meaning
type
event
subtype
wireless
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
threattype
live
Live.
age
Age.
channel
rssi
RSSI.
frametype
Frame type.
ds
bssid
seq
Sequence number.
encrypt
tamac
manuf
Manufacturer.
sndetected
Message.
43776
Message ID: 043776
Message Description: NAC quarantine event log
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service
action
user
User name.
group
policyid
The ID number of the firewall policy that applies to the session or packet.
bannedsrc
Sensor.
44288
Message ID: 044288
Message Description: dns response
Type (type): event
Subtype (subtype): router
Level/Severity: information
Log field
Meaning
type
event
subtype
router
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid
The ID number of the firewall policy that applies to the session or packet.
srcip
dstip
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
user
User name.
group
DNS IP address(es).
44544
Message ID: 044544
Message Description: config path msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
action
Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid
cfgpath
Config path.
msg
Config message.
44545
Message ID: 044545
Message Description: config obj msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
action
Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid
cfgpath
Config path.
cfgobj
Config object.
msg
Config message.
44546
Message ID: 044546
Message Description: config attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
action
Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid
cfgpath
Config path.
cfgattr
Config attributes.
msg
Config message.
44547
Message ID: 044547
Message Description: config obj attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
action
Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid
cfgpath
Config path.
cfgobj
Config object.
cfgattr
Config attributes.
msg
Config message.
45056
Message ID: 045056
Message Description: forticlient license exceed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
Reason.
repeat
msg
45057
Message ID: 045057
Message Description: add forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
licenselimit
licenseused
usedfortype
connectiontype
Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.
count
user
User name.
ip
Source IP address.
name
Name of connection.
forticlientid
msg
45058
Message ID: 045058
Message Description: close forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field
Meaning
type
event
subtype
system
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
licenselimit
licenseused
usedfortype
connectiontype
Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.
count
user
User name.
ip
Source IP address.
name
Name of connection.
forticlientid
msg
45059
Message ID: 045059
Message Description: upgrade forticlient license msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
user
User name.
45060
Message ID: 045060
Message Description: upgrade forticlient license failed msg
Type (type): event
Subtype (subtype): system
Level/Severity: error
Log field
Meaning
type
event
subtype
system
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
status
ui
The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).
user
User name.
reason
Reason.
msg
45100
Message ID: 045100
Message Description: FortiClient registration fail msg
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field
Meaning
type
event
subtype
system
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
45101
Message ID: 045101
Message Description: FortiClient registration succeed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
45102
Message ID: 045102
Message Description: FortiClient registration renew msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
45103
Message ID: 045103
Message Description: FortiClient registration block msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
45104
Message ID: 045104
Message Description: FortiClient registration unblock msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
45105
Message ID: 045105
Message Description: FortiClient registration de-register msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
45106
Message ID: 045106
Message Description: FortiClient registration license upgrade msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
msg
45107
Message ID: 045107
Message Description: FortiClient configuration distribute msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
45108
Message ID: 045108
Message Description: FortiClient unregister msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
"FortiClient unregistered."
45109
Message ID: 045109
Message Description: FortiClient logoff msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
45110
Message ID: 045110
Message Description: FortiClient disable SYNC_WITH_FGT msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field
Meaning
type
event
subtype
system
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user
User name.
hostname
ip
HA IP.
Interface information.
msg
48009
Message ID: 048009
Message Description: SSL decryption failure
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field
Meaning
type
event
subtype
wad
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
'close'.
The ID number of the firewall policy that applies to the session or packet.
src
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dst
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
reason
Reason.
msg
48023
Message ID: 048023
Message Description: SSL Alert received
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field
Meaning
type
event
subtype
wad
level
error
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action
'receive'
The ID number of the firewall policy that applies to the session or packet.
src
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dst
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
alert
Alert information.
desc
Description.
msg
Content
32768
Message ID: 032768
Message Description: content http log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
HTTP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
method
hostname
url
cat
The category.
catdesc
32769
Message ID: 032769
Message Description: content https log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTPS
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
HTTPS
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
method
hostname
url
cat
The category.
catdesc
32770
Message ID: 032770
Message Description: content smtp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
SMTP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32771
Message ID: 032771
Message Description: content smtps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTPS
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
SMTPS
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32772
Message ID: 032772
Message Description: content pop3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
POP3
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32773
Message ID: 032773
Message Description: content pop3s log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3S
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
POP3S
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32774
Message ID: 032774
Message Description: content imap log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
IMAP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32775
Message ID: 032775
Message Description: content imaps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAPS
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
IMAPS
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32776
Message ID: 032776
Message Description: content ftp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): FTP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
FTP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
ftpcmd
The related FTP command: NONE, USER, PASS, ACCT, STOR, RETR, QUIT.
file
32777
Message ID: 032777
Message Description: content nntp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): NNTP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
NNTP
level
information
date
time
dlpsensor
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
32778
Message ID: 032778
Message Description: content mm1 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM1
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
MM1
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
to
Destination identifier.
from
Source identifier.
subject
Subject.
direction
32779
Message ID: 032779
Message Description: content mm3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM3
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
MM3
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32780
Message ID: 032780
Message Description: content mm4 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM4
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
MM4
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
dlpsensor
to
Destination identifier.
from
Source identifier.
subject
Subject.
32781
Message ID: 032781
Message Description: content mm7 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM7
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
MM7
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
infection
Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
client
server
rcvdbyte
sentbyte
to
Destination identifier.
from
Source identifier.
subject
Subject.
32782
Message ID: 032782
Message Description: IM chat summary
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
messages
Message number.
startdate
enddate
32783
Message ID: 032783
Message Description: IM chat message
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
messages
Message number.
content
Traffic content.
32784
Message ID: 032784
Message Description: IM file transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
status
filename
filesize
File size.
msg
Message.
32785
Message ID: 032785
Message Description: IM photo sharing
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
status
32786
Message ID: 032786
Message Description: IM photo transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
direction
32787
Message ID: 032787
Message Description: IM voice chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
status
32788
Message ID: 032788
Message Description: IM virus
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
virus
heuristic
Heuristic information.
32789
Message ID: 032789
Message Description: IM file oversize
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
32790
Message ID: 032790
Message Description: IM file block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
32791
Message ID: 032791
Message Description: IM file exempt
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
32792
Message ID: 032792
Message Description: IM DLP (information)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
filesize
File size.
32793
Message ID: 032793
Message Description: IM DLP (warning)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: warning
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
warning
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
filename
filesize
File size.
32794
Message ID: 032794
Message Description: VOIP SIP log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
direction
duration
from
Source identifier.
to
Destination identifier.
32795
Message ID: 032795
Message Description: SCCP register
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
phone
srcip
from
Source identifier.
to
Destination identifier.
32796
Message ID: 032796
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
phone
srcip
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
32797
Message ID: 032797
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
phone
srcip
reason
The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
from
Source identifier.
to
Destination identifier.
32798
Message ID: 032798
Message Description: SCCP call information
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
phone
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
duration
from
Source identifier.
to
Destination identifier.
32800
Message ID: 032800
Message Description: VOIP SIP fuzzing log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
VOIP
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
direction
duration
Malform data.
line
Content line.
column
Content column.
from
Source identifier.
to
Destination identifier.
32801
Message ID: 032801
Message Description: IM video chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field
Meaning
type
utm
subtype
contentlog
eventtype
im-all
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver
epoch
Epoch.
eventid
Serial number.
cstatus
The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.
sessionid
Session ID.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
policyid
The ID number of the firewall policy that applies to the session or packet.
indentidx
The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind
The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr
raddr
local
remote
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction
status
VoIP
44032
Message ID: 044032
Message Description: SIP log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
duration
direction
callid
Call ID.
from
Source identifier.
to
Destination identifier.
44033
Message ID: 044033
Message Description: SIP block log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: notice
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
notice
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
reason
duration
direction
Call ID.
count
Number of packets.
from
Source identifier.
to
Destination identifier.
44034
Message ID: 044034
Message Description: SIP fuzzing log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
reason
duration
direction
Malform data.
line
Content line.
column
Content column.
44035
Message ID: 044035
Message Description: SCCP register
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
phone
44036
Message ID: 044036
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
reason
Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,
invalid-ip, exceed-rate.
phone
44037
Message ID: 044037
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
reason
Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,
invalid-ip, exceed-rate.
phone
44038
Message ID: 044038
Message Description: SCCP call info
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field
Meaning
type
utm
subtype
voip
eventtype
voip
level
information
date
time
vd
The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid
Session ID.
epoch
Epoch.
eventid
Serial number.
srcip
dstip
srcport
The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport
The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto
The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf
The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf
policyid
The ID number of the firewall policy that applies to the session or packet.
user
User name.
group
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile responsible for the UTM action taken.
voipproto
kind
action
Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status
duration
phone
ID
Severity
Subtype
Macro
Format
Description
LOG_ID_CLIENT_DISASSOCIATED
paed log
20002 notice
system
LOG_ID_DOMAIN_UNRESOLVABLE
user=system ui=system action=[s] status=failure msg="Can't resolve the IP address of [s]"
20003 notice
system
LOG_ID_MAIL_SENT_FAIL
user=system ui=system action=alert-email status=failure count=[n] msg="Failed to send alert email from [s] to ([s])"
20004 unknown
system
LOG_ID_POLICY_TOO_BIG
LOG_ID_PPP_LINK_UP
modemd log
LOG_ID_PPP_LINK_DOWN
modemd log
20007 critical
20007
service=kernel status=failure proto=[n] src=[n].[n].[n].[n] src_port=[n] nat=[n].[n].[n].[n] dst=[n].[n].[n].[n] dst_port=[n] msg="NAT port is exhausted."
Socket is exhausted
LOG_ID_CLIENT_NEW_ASSOCIATION
paed log
LOG_ID_CLIENT_WPA_1X
paed log
LOG_ID_CLIENT_WPA_SSN
paed log
system
system
LOG_ID_TEST
user="admin" action="login" status="success" msg="user admin logged into the fw - [n]"
test
LOG_ID_IEEE802_NEW_STATION
action=authentication status=start msg="Client does 801.1x"
wpad log
LOG_ID_MODEM_EXCEED_REDIAL_COUNT
modemd log
LOG_ID_MODEM_FAIL_TO_OPEN
msg="modem: unable to open modem device check hardware"
modemd log
20018 critical
system
LOG_ID_GW_GRP_STATE_CHANGED
20019 critical
system
LOG_ID_ROUTE_INFO_CHANGED
interface="[s]" status=[s] msg="[s]"
LOG_ID_MAIL_RESENT
user=system ui=system action=alert-email status=success count=[n] msg="Resending alert e-mail with [n] pending alert(s) from [s] to ([s])"
20025 notice
system
LOG_ID_REPORTD_REPORT_SUCCESS
msg="Report generation succeeded for layout:[s]." file="[s]" filesize=[n] datarange="[s]" reporttype="[s]" processtime=[n]
Reporting Complete
20026 error
system
LOG_ID_REPORTD_REPORT_FAILURE
msg="[s]"
Reporting Failure
20027 warning
system
20031 critical
system
ravdv_iface_set_config() finds a pointer pointing to a wrong address
20032 critical
system
LOG_ID_RAD_NOT_FOUND
ravdv_iface_same_config() cannot find the corresponding interface by name
LOG_ID_RAD_MOBILE_IPV6
20014 warning
20034 critical
system
LOG_ID_RAD_IPV6_OUT_
OF_RANGE
20035 critical
system
LOG_ID_RAD_MIN_OUT_OF_RANGE
msg="MinRtrAdvInterval must be between [n] and [n] for [s]"
MinRtrAdvInterval is out of range
20036 critical
system
LOG_ID_RAD_MAX_OUT_
OF_RANGE
msg="MaxRtrAdvInterval
for [s] must be between [n]
and [n]"
20037 critical
system
LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE
msg="MaxRtrAdvInterval must be between [n] and [n] for [s]"
MaxRtrAdvInterval is out of range
20038 critical
system
LOG_ID_RAD_MTU_OUT_
OF_RANGE
msg="AdvLinkMTU must
be zero or between [n] and
[n] for [s]"
20039 critical
system
LOG_ID_RAD_MTU_TOO_
SMALL
msg="AdvLinkMTU must
be zero or greater than [n]
for [s]"
20040 critical
system
LOG_ID_RAD_TIME_TOO_
SMALL
20041 critical
system
LOG_ID_RAD_HOP_OUT_OF_RANGE
msg="AdvCurHopLimit must not be greater than [n] for [s]"
AdvCurHopLimit in Router Advertisement packet is too big
20042 critical
system
LOG_ID_RAD_DFT_HOP_
OUT_OF_RANGE
msg="AdvDefaultLifetime
for [s] must be zero or
between [n] and [n]"
20043 critical
system
LOG_ID_RAD_AGENT_OUT_
OF_RANGE
20044 critical
system
LOG_ID_RAD_AGENT_FLAG_NOT_SET
msg="AdvHomeAgentFlag must be set with HomeAgentInfo"
AdvHomeAgentFlag
HomeAgentLifetime in Router
Advertisement packet must be
set with HomeAgentInfo
20045 critical
system
LOG_ID_RAD_PREFIX_TOO_
LONG
20046 critical
system
LOG_ID_RAD_PREF_TIME_
TOO_SMALL
msg="AdvValidLifetime
must be greater than
AdvPreferredLifetime for
[s]"
20047 critical
system
LOG_ID_RAD_FAIL_IPV6_
SOCKET
msg="can't create
socket(AF_INET6): [s]"
20048 critical
system
LOG_ID_RAD_FAIL_OPT_
IPV6_PKTINFO
msg="setsockopt(IPV6_
PKTINFO): [s]"
MaxRtrAdvInterval using
Mobile Ipv6 extension is out of
range
AdvCurHopLimit in Router
Advertisement packet is out of
range
20049 critical
system
LOG_ID_RAD_FAIL_OPT_
IPV6_CHECKSUM
msg="setsockopt(IPV6_
CHECKSUM): [s]"
20050 critical
system
LOG_ID_RAD_FAIL_OPT_
IPV6_UNICAST_HOPS
msg="setsockopt(IPV6_
UNICAST_HOPS): [s]"
20051 critical
system
LOG_ID_RAD_FAIL_OPT_
IPV6_MULTICAST_HOPS
msg="setsockopt(IPV6_
MULTICAST_HOPS): [s]"
20052 critical
system
LOG_ID_RAD_FAIL_OPT_
IPV6_HOPLIMIT
msg="setsockopt(IPV6_
HOPLIMIT): [s]"
20053 critical
system
LOG_ID_RAD_FAIL_OPT_
IPPROTO_ICMPV6
LOG_ID_RAD_EXIT_BY_
SIGNAL
msg="radvd receive
signal=[n]"
20055 critical
system
LOG_ID_RAD_FAIL_CMDB_
QUERY
20056 critical
system
LOG_ID_RAD_FAIL_CMDB_
FOR_EACH
20057 critical
system
LOG_ID_RAD_FAIL_FIND_
VIRT_INTF
20059 warning
system
20060 warning
system
LOG_ID_RAD_INV_ICMPV6_
LEN
msg="received icmpv6
packet with invalid length:
[n]"
20061 critical
system
LOG_ID_RAD_INV_ICMPV6_
TYPE
20062 warning
system
LOG_ID_RAD_INV_ICMPV6_
RA_LEN
msg="received icmpv6 RA
packet with invalid length:
[n]"
20063 warning
system
LOG_ID_RAD_ICMPV6_NO_
SRC_ADDR
msg="received icmpv6 RA
packet with non-linklocal
source address"
20064 warning
system
LOG_ID_RAD_INV_ICMPV6_
RS_LEN
msg="received icmpv6 RS
packet with invalid length:
[n]"
20065 warning
system
LOG_ID_RAD_INV_ICMPV6_
CODE
msg="received icmpv6
RS/RA packet with invalid
code: [n]"
20066 warning
system
LOG_ID_RAD_INV_ICMPV6_HOP
msg="received RS or RA with invalid hoplimit [n] from [s]"
Radvd received icmpv6 RS/RA packet with wrong hoplimit
20067 warning
system
LOG_ID_RAD_MISMATCH_
HOP
20068 warning
system
LOG_ID_RAD_MISMATCH_
MGR_FLAG
msg="our
AdvManagedFlag on [s]
doesn't agree with [s]"
AdvManagedFlag on our
interface does not agree with a
remote site
20069 warning
system
LOG_ID_RAD_MISMATCH_
OTH_FLAG
msg="our
AdvOtherConfigFlag on [s]
doesn't agree with [s]"
AdvOtherConfigFlag on our
interface does not agree with a
remote site
20070 warning
system
LOG_ID_RAD_MISMATCH_
TIME
msg="our
AdvReachableTime on [s]
doesn't agree with [s]"
AdvReachableTime on our
interface does not agree with a
remote site
20071 warning
system
LOG_ID_RAD_MISMATCH_
TIMER
20072 critical
system
LOG_ID_RAD_EXTRA_DATA
msg="trailing garbage in
RA on [s] from [s]"
20073 critical
system
20074 critical
system
LOG_ID_RAD_INV_OPT_LEN
20075 warning
system
LOG_ID_RAD_MISMATCH_
MTU
msg="our AdvLinkMTU on
[s] doesn't agree with [s]"
20077 warning
system
LOG_ID_RAD_MISMATCH_PREF_TIME
msg="our AdvPreferredLifetime on [s] for [s] doesn't agree with [s]"
AdvPreferredLifetime on our interface does not agree with a remote site
20078 critical
system
LOG_ID_RAD_INV_OPT
LOG_ID_RAD_READY
msg="radvd started"
20080 critical
system
LOG_ID_RAD_FAIL_TO_RCV
msg="recvmsg: [s]"
20081 critical
system
LOG_ID_RAD_INV_HOP
msg="received a bogus
IPV6_HOPLIMIT from the
kernel! len=[n], data=[n]"
20082 critical
system
LOG_ID_RAD_INV_PKTINFO
msg="received a bogus
IPV6_PKTINFO from the
kernel! len=[n], index=[n]"
20083 warning
system
LOG_ID_RAD_FAIL_TO_
CHECK
msg="problem checking
all-routers membership on
[s]"
20084 warning
system
LOG_ID_RAD_FAIL_TO_
SEND
msg="sendmsg: [s]"
20085
status="clash" proto=[n]
msg="session clash"[s]
session clash
20086 unknown
20086
msg="==[s] xh0(sp_[n],
fmc[n]) crashed, master is
fmc[n]=="
xh0 crashed
20090 notice | information
system
LOG_ID_INTF_LINK_STA_
CHG
intf=[s] status=[s]
msg="interface [s] link
status is [s]"
20101 warning
system
LOG_ID_WEB_LIC_EXPIRE
msg="FortiGuard web filtering license will expire in [n] day(s)"
FortiGuard web filtering license expiring
20102 warning
system
LOG_ID_SPAM_LIC_EXPIRE
msg="FortiGuard
anti-spam license will
expire in [n] day(s)"
20103 warning
system
LOG_ID_AV_LIC_EXPIRE
msg="FortiGuard AV update license will expire in [n] day(s)"
FortiGuard AV update license expiring
20104 warning
system
LOG_ID_IPS_LIC_EXPIRE
msg="FortiGuard IPS update license will expire in [n] day(s)"
FortiGuard IPS update license expiring
20105 warning
system
Log uploading
20107 warning
system
LOG_ID_LOG_UPLOAD_ERR
action=upload error="[s]"
user="[s]" server=[s]
port=[n] msg="Log upload
to [s] error on vdom [s]"
uploading error
20108 notice
system
LOG_ID_LOG_UPLOAD_
DONE
action=upload
status=completed
user="[s]" server=[s]
port=[n] msg="Log upload
to [s] completed on vdom
[s]"
upload status
20110 notice
system
LOG_ID_HPAPI_ESPD_
START
msg="hp_api: Connection
to ESPd has been
initialized"
hp_api log
20111 warning
system
LOG_ID_HPAPI_ESPD_
RESET
msg="hp_api: Connection
to ESPd has been reset,
exiting"
hp_api log
system
20113 error
system
LOG_ID_IPSA_DOWNLOAD_
FAIL
msg="Fail to download
IPSA DB!"
IPSA error
20114 error
system
LOG_ID_IPSA_SELFTEST_
FAIL
IPSA error
20115 error
system
LOG_ID_IPSA_STATUSUPD_
FAIL
IPSA error
20200 notice
system
LOG_ID_FIPS_SELF_TEST
user="[s]" ui=[s]
action=self-test
msg="Administrator [s]
initiates the [s] self-test
from [s]"
running self-test
20201 notice
system
LOG_ID_FIPS_SELF_ALL_
TEST
user="[s]" ui=[s]
action=self-test
msg="Administrator [s]
initiates all self-tests from
[s]"
running self-test
20202 warning
system
LOG_ID_DISK_FORMAT_
ERROR
msg="Partitioning or
formatting error ([s], [s])
partition=[n] format=[n]
label=[s]"
Error in partitioning or
formatting
LOG_ID_DAEMON_
SHUTDOWN
action=daemon-shutdown
daemon=[s] pid=[n]
msg="[s] shut down"
daemon shutdown
LOG_ID_DAEMON_START
action=daemon-startup
daemon=[s] pid=[n]
msg="[s] has started"
daemon started
20205 critical
system
LOG_ID_DISK_FORMAT_REQ
user="[s]" ui=[s] action=format-disk msg="User [s] requested to format [s] disk from [s]"
format disk
20206 warning
system
LOG_ID_DISK_SCAN_REQ
20300 unknown
system
LOG_ID_BGP_NB_STAT_CHG
msg="BGP: %%BGP-5-ADJCHANGE: neighbor [s] [s] [s]"
22000 warning
system
LOG_ID_INV_PKT_LEN
22001 warning
system
LOG_ID_UNSUPPORTED_
PROT_VER
msg="Protocol version-[n]
is not supported"
22002 warning
system
LOG_ID_INV_REQ_TYPE
scan disk
user="[s]" ui=[s]
action=scan-disk
msg="User [s] requested to
scan [s] disk from [s]"
22003 warning
system
LOG_ID_FAIL_SET_SIG_
HANDLER
sigaction([n])failed: [s]
22004 warning
system
LOG_ID_FAIL_CREATE_
SOCKET
22005 warning
system
LOG_ID_FAIL_CREATE_
SOCKET_RETRY
22006 warning
system
LOG_ID_FAIL_REG_CMDB_
EVENT
22009 warning
system
LOG_ID_FAIL_FIND_AV_
PROFILE
name=[s] status=failure
msg="failed to find its AV
protection profile"
22010 error
system
LOG_ID_SENDTO_FAIL
22011 unknown
system
22011
service=kernel
conserve=on free="[n]
pages" red="[n] pages"
msg="Kernel enters
conserve mode"
22012 unknown
system
22012
service=kernel
conserve=exit free="[n]
pages" green="[n] pages"
msg="Kernel leaves
conserve mode"
22013 alert
system
22013
action=pba-block-exhaust
saddr=[n].[n].[n].[n]
poolname="[s]" msg="Pba
ippool port-block has been
exhausted"
22014 alert |
notice
system
22014
action=pba-natip-exhaust
saddr=[n].[n].[n].[n]
poolname="[s]" msg="Pba
ippool natip has been
exhausted"
22015 notice
system
LOG_ID_EXCEED_VD_RES_
LIMIT
service=kernel msg="[s]
vdom([n]) limit. count=[n]
limit=[n]"
22016 notice
system
22016
action=pba-close
saddr=[n].[n].[n].[n]
nat=[n].[n].[n].[n]
portbegin=[n] portend=[n]
poolname="[s]"
duration=[n] msg="Pba
ippool close"
22020 warning
system
LOG_ID_FAIL_CREATE_HA_
SOCKET
22021 warning
system
LOG_ID_FAIL_CREATE_HA_
SOCKET_RETRY
msg="Failed to create a
udp socket to relay URL
requests: [s]"
22100 warning
system
LOG_ID_QUAR_DROP_TRAN_JOB
count=[n] duration=[n] limit=[n] used=[n] fams_pause=[n] action=transfer status=drop reason=[s] msg="In the past [n] seconds, [n] files were dropped by quard."
22101 warning
system
LOG_ID_QUAR_DROP_TLL_
JOB
22102 critical
system
22104 critical
system
22104
22105 critical
system
LOG_ID_POWER_FAILURE
22106 warning | information
system
LOG_ID_POWER_
OPTIONAL_NOT_DETECTED
22107 warning
system
LOG_ID_VOLT_ANOM
22108 warning
system
LOG_ID_FAN_ANOM
22110 critical
system
LOG_ID_SPARE_BLOCK_LOW
msg="Available spare blocks of boot device are getting low (remaining [n])."
Available spare blocks is low
22200 warning
system
LOG_ID_AUTO_UPT_CERT
user=system
action=certificate-update
status=warning cert=[s]
msg="CA certificate [s] will
auto-update in [n] days."
22201 warning
system
LOG_ID_AUTO_GEN_CERT
user=system action=certificate-regenerate status=warning cert=[s] msg="Local certificate [s] will auto-regenerate in [n] days."
Certificate will be auto-regenerate
22202 error
system
LOG_ID_AUTO_UPT_CERT_
FAIL
user=system
action=certificate-update
status=failure cert=[s]
msg="[s]"
Certificate failed to
auto-update
22203 error
system
LOG_ID_AUTO_GEN_CERT_FAIL
user=system action=certificate-regenerate status=failure cert=[s] msg="[s]"
Certificate failed to auto-regenerate
22700 critical
system
LOG_ID_IPS_FAIL_OPEN
22800 critical
system
LOG_ID_SCAN_SERV_FAIL
service=[s] mode=[s]
msg="The system has [s]
session fail mode"
22801 critical
system
LOG_ID_SCAN_LEAVE_
CONSERVE_MODE
service=[s] conserve=exit
total=[n] free=[n]
entermargin=[n]
exitmargin=[n] msg="The
system exited conserve
mode"
22802 critical
system
LOG_ID_SYS_ENTER_
CONSERVE_MODE
22803 critical
system
LOG_ID_SYS_LEAVE_
CONSERVE_MODE
service=[s]
sysconserve=exit total=[n]
free=[n] entermargin=[n]
exitmargin=[n] msg="The
system exited system
conserve mode"
22804 critical
system
LOG_ID_LIC_STATUS_CHG
service=license status=[s]
msg="License status
changed to [s]"
22805 warning
system
22806 warning
system
LOG_ID_DUP_LIC
service=license
status=warning
msg="Detected duplicate
license in use"
22810 critical
system
LOG_ID_SCAN_ENTER_
CONSERVE_MODE
service=[s] conserve=on
total=[n] free=[n]
entermargin=[n]
exitmargin=[n] msg="The
system has entered
conserve mode"
22900 notice
system
LOG_ID_CAPUTP_SESSION
msg="[s]" action=[s]
src=[n].[n].[n].[n]
caputp-session
22901 notice
system
LOG_ID_FAZ_CON
action=connect
status=success
msg="Connected to
FortiAnalyzer [s]"
FortiAnalyzer Connection
22902 notice
system
LOG_ID_FAZ_DISCON
action=disconnect
status=success
reason="[s]"
msg="Disconnected from
FortiAnalyzer [s]"
FortiAnalyzer Disconnection
22903 critical
system
LOG_ID_FAZ_CON_ERR
action=connect
status=failure reason="[s]"
msg="Failed to connect
FortiAnalyzer [s]"
FortiAnalyzer Connection
22910 notice
system
LOG_ID_EVENT_SLA_
PROBE_PING
22911 notice
system
LOG_ID_EVENT_SLA_
PROBE_HTTPGET
22916 notice
system
LOG_ID_FDS_STATUS
22917 notice
system
LOG_ID_FDS_SMS_QUOTA
user=system msg="SMS
quota is used up."
23101 unknown
vpn
23102 unknown
vpn
LOG_ID_IPSEC_TUNNEL_DOWN
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
23103 unknown
vpn
LOG_ID_IPSEC_TUNNEL_STAT
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
LOG_ID_DHCP_MSG
interface="[s]" dhcp_msg="[s]" dir=[s] mac=[s]:[s]:[s]:[s]:[s]:[s] ip=[n].[n].[n].[n] lease=[n] hostname="[s]" msg="[s]"
router
LOG_ID_DHCP_NO_SHARE_
NET
interface="[s]" No shared
network for network [s] ([s])
LOG_ID_DHCP_STAT
interface="[s]" total=[n]
used=[n] msg="[s]"
DHCP Statistics
26004 error
router
LOG_ID_DHCP_MULT_SUB_
NET
interface="[s]" Address
range [s] to [s], netmask [s]
spans [s]!
26005 error
router
LOG_ID_DHCP_INV_ADDR_
RANGE
interface="[s]" Address
range [s] to [s] not on net
[s]/[s]!
29001 unknown
router
LOG_ID_PPPD_MSG
user="[s]"
local=[n].[n].[n].[n]
remote=[n].[n].[n].[n]
assigned=[n].[n].[n].[n]
stat="[s]" msg="[s]"
29002 notice |
debug
router
LOG_ID_PPPD_AUTH_SUC
29003 notice
router
LOG_ID_PPPD_AUTH_FAIL
29009 notice
router
LOG_ID_PPPOE_STATUS_REPORT
gateway=[n].[n].[n].[n] assigned=[n].[n].[n].[n] msg="PPPoE status report"
PPPoE status report
29011 error
router
LOG_ID_PPPD_FAIL_TO_
EXEC
29012 unknown
router
LOG_ID_PPP_OPT_ERR
[s]
29013 notice
router
LOG_ID_PPPD_START
msg="pppd is started"
pppd is started
LOG_ID_PPPD_EXIT
msg="pppd is exiting"
pppd is exiting
29015 error
router
LOG_ID_PPP_RCV_BAD_
PEER_IP
29016 error
router
LOG_ID_PPP_RCV_BAD_
LOCAL_IP
26002 error
29017 unknown
router
LOG_ID_PPP_OPT_NOTIF
[s]
29020 notice
router
LOG_ID_WIRELESS_SET_
FAIL
LOG_ID_ADMIN_LOGIN_
SUCC
32002 alert
LOG_ID_ADMIN_LOGOUT
user="[s]" ui=[s]
action=logout
status=success
duration=[n] [s]reason=[s]
msg="Administrator [s] [s]
[s]"
LOG_ID_ALARM_TEST_FAIL
action=error-mode
reason=self-test
msg="Alarm testing"
alarm testing
32005
user="[s]"
action=vdom-override
status=success
reason=none
msg="Administrator [s]
vdom overridden to [s]"
LOG_ID_ADMIN_ENTER_
VDOM
32008 warning
system
LOG_ID_VIEW_LOG_FAIL
LOG_ID_SYSTEM_START
msg="Fortigate started[s]"
System started
LOG_ID_DISK_LOG_FULL
msg="[s] is [n]%
full.System will stop [s]
logging."
Log full
system
system
LOG_ID_LOG_ROLL
action=roll-log
reason=file-size log=[s]
msg="Disk log has rolled."
Log rotation
LOG_ID_FIPS_LEAVE_ERR_MOD
action=exit-error-mode msg="System exiting out of error mode."
CC exiting error mode
32014 warning
system
LOG_ID_CS_LIC_EXPIRE
32015 warning
system
LOG_ID_DISK_LOG_USAGE
LOG_ID_FIPS_ENTER_ERR_
MOD
action=error-mode
reason=[s] msg="System
enters error-mode due to
[s]"
32020 warning
system
LOG_ID_SSH_CORRPUT_
MAC
ui=https msg="Corrupted
MAC packet detected"
32021 alert
system
LOG_ID_ADMIN_LOGIN_
DISABLE
ui=[s] action=login
status=failed
reason=exceed_limit
msg="Login disabled from
IP [s] for [n] seconds
because of [n] bad
attempts"
32022 notice
system
LOG_ID_VDOM_ENABLED
32023 warning | information
system
LOG_ID_MEM_LOG_FULL
Log full
32024 notice
system
LOG_ID_ADMIN_PASSWD_
EXPIRE
user="[s]"
action=admin-password
status=expired
msg="Password of
administrator [s] has
expired."
32026 critical
system
LOG_ID_STORE_CONF_FAIL
32027 notice
system
LOG_ID_VIEW_LOG_SUCC
LOG_ID_LOG_DEL_DIR
msg="System deleted
directory [s]."
Log full
LOG_ID_LOG_DEL_FILE
action=delete
msg="System deleted log
file [s]"
Log deleted
32011 notice
32030 notice
system
LOG_ID_SEND_FDS_STAT
32035 notice
system
LOG_ID_VDOM_DISABLED
32045 warning
system
LOG_ID_MGR_LIC_EXPIRE
msg="FortiGuard
management service
license will expire in [n]
day(s)"
32048 warning
system
32051 notice
system
LOG_ID_LOG_UPLOAD
ui=[s] action=upload
status=start msg="Start
uploading disk logs to [s]
from vdom [s]."
Log uploading
32086 warning
system
LOG_ID_ENTER_
TRANSPARENT
32087 warning
system
LOG_ID_ENTER_NAT
32095 warning
system
LOG_ID_GUI_CHG_SUB_
MODULE
32096 warning
system
LOG_ID_GUI_DOWNLOAD_
LOG
32100 warning
system
LOG_ID_FORTI_TOKEN_SYNC
user="[s]" action=token_sync msg="User [s] synchronized his/her FortiToken"
FortiToken synchronization
32101 notice
system
LOG_ID_LCD_CHG_CONF
FortiGuard management
service license expiring
32102 unknown
system
LOG_ID_CHG_CONFIG
32103 notice
system
LOG_ID_NEW_FIRMWARE
user=system
action=firmware
status=new msg="New
firmware is available from
FortiGuard"
32120 notice
system
32122 notice
system
32123 notice
system
32124 notice
system
32125 notice
system
LOG_ID_RPT_ADD_CHART
32126 notice
system
LOG_ID_RPT_DEL_CHART
32129 notice
system
LOG_ID_ADD_GUEST
32130 notice
system
LOG_ID_CHG_USER
32131 notice
system
LOG_ID_DEL_GUEST
32132 notice
system
LOG_ID_ADD_USER
32138 critical
system
LOG_ID_REBOOT
device is rebooted
32139 critical |
warning |
notice
system
LOG_ID_UPD_SIGN_DB
32140 notice
system
32140
user="[s]" ui=[s]
field=date-time msg="The
[s] ntp server, [s]([s]), is
determined [s] at [s]"
LOG_ID_BACKUP_CONF
action=backup
status=success
msg="Configuration
backed up to flash disk
after system upgrading"
backup configuration
32143 critical
system
32143
user="[s]" ui="[s]"
action=update-image
msg="User [s] loaded a
wrong layout image from
[s]."
update image
32148 notice
system
LOG_ID_GET_CRL
user="[s]" ui=[s]
action=crl-update crl=[s]
msg="User [s] requested a
CRL update from [s]"
get CRL
32149 notice
system
LOG_ID_COMMAND_FAIL
32151 notice
system
LOG_ID_ADD_IP6_LOCAL_
POL
[s]
32152 notice
system
LOG_ID_CHG_IP6_LOCAL_
POL
[s]
32153 notice
system
LOG_ID_DEL_IP6_LOCAL_
POL
[s]
32155 notice
system
LOG_ID_ACT_FTOKEN_REQ
user="[s]" ui=[s]
action=fortitoken-activate
serialno=[s] msg="User [s]
has requested to activate
FortiToken [s]."
Activate FortiToken
32156 notice
system
LOG_ID_ACT_FTOKEN_SUCC
action=fortitoken-activate serialno=[s] status=success msg="Activation of FortiToken [s] succeeded."
Activate FortiToken
32157 notice
system
LOG_ID_SYNC_FTOKEN_SUCC
user="[s]" ui=[s] action=fortitoken-synchronize serialno=[s] status=success msg="Administrator [s] resynchronized FortiToken [s] successfully."
Synchronize FortiToken
32158 notice
system
LOG_ID_SYNC_FTOKEN_FAIL
user="[s]" ui=[s] action=fortitoken-synchronize serialno=[s] status=failed msg="Administrator [s] failed to resynchronize FortiToken [s], because [s]."
Synchronize FortiToken
32159 notice
system
LOG_ID_ACT_FTOKEN_FAIL
action=fortitoken-activate
serialno=[s] status=failed
msg="Activation of
FortiToken [s] failed,
because [s]."
32168 notice
system
LOG_ID_REACH_VDOM_
LIMIT
32170 alert
system
LOG_ID_ALARM_MSG
action=alarm alarmid=[n]
groupid=[n] msg="[s]"
alarm
32171 alert
system
LOG_ID_ALARM_ACK
user="[s]" ui=[s]
action=alarm-ack
alarmid=[n] acktime="[s]"
msg="[s]"
alarm ack
32172 notice
system
LOG_ID_ADD_IP4_LOCAL_
POL
[s]
32173 notice
system
LOG_ID_CHG_IP4_LOCAL_
POL
[s]
32174 notice
system
LOG_ID_DEL_IP4_LOCAL_
POL
[s]
32188 warning
system
LOG_ID_SSL_PROXY_CA_
INIT_FAIL
msg="SSL Proxy CA
initialization failed"
[s]
32200 critical
system
LOG_ID_SHUTDOWN
user="[s]" ui=[s]
action=shutdown
msg="User [s] shutdown
the device from [s].[s]"
shutdown device
32201 critical
system
LOG_ID_LOAD_IMG_SUCC
loaded an image
user="[s]" ui=[s]
action=loaded-image
msg="User [s] loaded the
image from [s], the new
image does not support CC
mode."
32202 critical
system
LOG_ID_RESTORE_IMG
user="[s]" ui=[s]
action=restore-image
msg="User [s] restored the
image from [s] ([s],build[s]
-> [s],build[s])"
Activate FortiToken
32203 critical |
warning |
notice
system
LOG_ID_RESTORE_CONF
32204 critical |
notice
system
LOG_ID_RESTORE_FGD_
SVR
32205 critical |
notice
system
LOG_ID_RESTORE_VDOM_
LIC
restore VM license
32206 warning
system
LOG_ID_RESTORE_SCRIPT
restore script
user="system"
action=restore-script
msg="System restored
script [s] from management
station"
32207 warning
system
LOG_ID_RETRIEVE_CONF_
LIST
user="[s]" ui=[s]
action=retrieve-[s]
msg="User [s] failed to
retrieve the [s] list from
management station"
32208 critical
system
32209 critical |
notice
system
LOG_ID_RESTORE_USR_
DEF_IPS
32210 notice
system
LOG_ID_BACKUP_IMG
user="[s]" ui=[s]
action=backup
status=success
msg="Firmware image
backed up to flash disk for
system [s]"
32211 notice
system
LOG_ID_UPLOAD_REVISION
upload revision
user="[s]" ui=[s]
action=upload
status=success msg="User
[s] upload the [s] from [s] to
flash disk"
32212 notice
system
LOG_ID_DEL_REVISION
action=delete
status=success
msg="[s]:[n] has been
deleted from revision data
base"
backup image
revision DB deletion
32213 warning
system
LOG_ID_RESTORE_
TEMPLATE
user="system"
action=restore-cfg
msg="System restored [s]
file [s] from management
station"
restore template
32214 warning
system
LOG_ID_RESTORE_FILE
user="system"
action=restore-[s]
msg="System failed to
restore [s] file [s] from
management station"
restore failure
32215 critical
system
LOG_ID_UPT_IMG
user="[s]" ui="[s]"
action=update-image
msg="User [s] loaded a
wrong image from [s]."
update image
32217 warning |
notice
system
LOG_ID_UPD_IPS
user="[s]" ui="[s]"
action=update msg="User
[s] has updated IPS
package by SCP"
32218 warning
system
LOG_ID_UPD_DLP
user="[s]"
ui="Fortimanager"
action=update msg="User
[s] failed to update DLP
fingerprint database by
SCP"
32219 warning
system
LOG_ID_BACKUP_OUTPUT
user="[s]" ui="[s]"
action=backup msg="User
[s] backed up the result of
batch mode commands by
SCP"
32220 warning
system
LOG_ID_BACKUP_
COMMAND
user="[s]" ui="[s]"
action=backup msg="User
[s] backed up the result of
batch mode commands by
SCP"
32221 warning
system
LOG_ID_UPD_VDOM_LIC
user="[s]" ui="[s]"
action=update msg="User
[s] has installed VM license
by SCP"
32222 notice
system
32223 error |
notice
system
LOG_ID_BACKUP_USER_DEF_IPS
user="[s]" ui=[s] action=backup status=failure msg="Administrator [s] failed to back up the user-defined IPS signatures from [s]"
backup the user-defined IPS signatures failure
32224 notice
system
LOG_ID_BACKUP_LOG
user="[s]" ui=[s]
action=backup msg="User
[s] backed up [s] log from
[s]"
backup log
32225 notice
system
LOG_ID_DEL_ALL_REVISION
action=delete status=success msg="[s]:revision data base corruption detected, reset."
revision DB clearance
32226 critical
system
LOG_ID_LOAD_IMG_FAIL
user="[s]" ui=[s]
action=loaded-image
status=failure msg="User
[s] loaded a wrong image
from [s]."
32240 critical
system
LOG_ID_SYS_USB_MODE
32252 critical
system
LOG_ID_FACTORY_RESET
user="[s]" ui=[s]
action=factory-reset
msg="User [s] reset to the
factory settings from [s]"
32253 critical
system
LOG_ID_FORMAT_RAID
config raid
user="[s]" ui=[s]
action=format-rebuild-level
msg="User [s] formatted
the RAID disk from [s]"
32254 critical
system
LOG_ID_ENABLE_RAID
user="[s]" ui=[s]
action=enable-raid
msg="User [s] enabled
RAID from [s]"
config raid
32255 critical
system
LOG_ID_DISABLE_RAID
user="[s]" ui=[s]
action=disable-raid
msg="User [s] disabled
RAID from [s]"
config raid
32300 notice
system
LOG_ID_UPLOAD_RPT_IMG
32301 notice
system
LOG_ID_ADD_VDOM
user="[s]" ui=[s]
action=add-vdom
msg="Virtual domain [s] is
added"
Vdom is added
32302 notice
system
LOG_ID_DEL_VDOM
user="[s]" ui=[s]
action=del-vdom
msg="Virtual domain [s] is
deleted"
Vdom is deleted
loaded an image
factory reset
32340 critical
system
32341 notice
system
LOG_ID_LOG_DISK_
DEFAULT_DISABLED
32400 alert
system
LOG_ID_CONF_CHG
user="[s]" ui=[s]
msg="Configuration is
changed in the admin
session"
config changed
32545 critical
system
LOG_ID_SYS_RESTART
user=none ui=none
action=reboot
msg="System will reboot
due to scheduled daily
restart."
System restart
32546 warning
system
LOG_ID_APPLICATION_
CRASH
35001 notice
system
LOG_ID_HA_SYNC_VIRDB
35002 notice
system
LOG_ID_HA_SYNC_ETDB
35003 notice
system
LOG_ID_HA_SYNC_EXDB
35004 notice
system
LOG_ID_HA_SYNC_FLDB
35005 notice
system
LOG_ID_HA_SYNC_IPS
35007 notice
system
LOG_ID_HA_SYNC_AV
35008 notice
system
LOG_ID_HA_SYNC_VCM
35009 notice
system
LOG_ID_HA_SYNC_CID
35010 error
system
LOG_ID_HA_SYNC_FAIL
36880 warning
system
LOG_ID_EVENT_SYSTEM_
MAC_HOST_STORE_LIMIT
msg="Number of detected
user devices exceeds limit
that can be persistently
stored. Detected [n]; can
save [n]."
37124 error
vpn
MESGID_NEG_I_P1_ERROR
37125 error
vpn
MESGID_NEG_I_P2_ERROR
37126 error
vpn
MESGID_NEG_NO_STATE_
ERROR
37133 notice
vpn
MESGID_INSTALL_SA
37134 notice
vpn
MESGID_DELETE_P1_SA
37135 notice
vpn
MESGID_DELETE_P2_SA
37136 error
vpn
MESGID_DPD_FAILURE
37137 error
vpn
MESGID_CONN_FAILURE
37138 notice
vpn
MESGID_CONN_UPDOWN
37139 notice
vpn
MESGID_P2_UPDOWN
37140 notice
vpn
MESGID_AUTO_IPSEC
msg="auto-ipsec status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
reason="[s]"
37141 notice
vpn
MESGID_CONN_STATS
37188 error
vpn
37189 error
vpn
37190 error
vpn
MESGID_NEG_NO_STATE_
ERROR_IKEV2
37197 notice
vpn
37198 notice
vpn
MESGID_DELETE_P1_SA_
IKEV2
37199 notice
vpn
MESGID_DELETE_P2_SA_
IKEV2
37200 error
vpn
MESGID_DPD_FAILURE_
IKEV2
37201 error
vpn
MESGID_CONN_FAILURE_
IKEV2
37202 notice
vpn
MESGID_CONN_UPDOWN_
IKEV2
37203 notice
vpn
MESGID_P2_UPDOWN_
IKEV2
37204 notice
vpn
MESGID_CONN_STATS_IKEV2
msg="IPsec tunnel statistics" action=[s] remip=[s] locip=[s] remport=[n] locport=[n] outintf=[s] cookies="[s]" user="[s]" group="[s]" vpntunnel="[s]" tunnelip=[s] tunnelid=[n] tunneltype="[s]" duration=[n] sent=[n] rcvd=[n] nextstat=[n] tunnel="[s]"
IPsec tunnel statistics log
37888 notice
system
MESGID_HA_GROUP_
DELETE
37889 notice
system
MESGID_VC_DELETE
msg="Virtual cluster is
deleted" vcluster=[n]
37890 notice
system
MESGID_VC_MOVE_VDOM
msg="Virtual cluster's vdom is moved" from_vcluster=[n] to_vcluster=[n] vdname="[s]"
37891 notice
system
MESGID_VC_ADD_VDOM
msg="Virtual cluster's vdom is added" to_vcluster=[n] vdname="[s]"
37892 notice
system
MESGID_VC_MOVE_MEMB_
STATE
37893 notice
system
MESGID_VC_DETECT_
MEMB_DEAD
msg="Virtual cluster
detected member dead"
vcluster=[n] ha_group=[n]
sn="[s]"
37894 notice
system
MESGID_VC_DETECT_
MEMB_JOIN
msg="Virtual cluster
detected member join"
vcluster=[n] ha_group=[n]
sn="[s]"
37895 notice
system
MESGID_VC_ADD_HADEV
37896 notice
system
MESGID_VC_DEL_HADEV
37897 notice
system
MESGID_HADEV_READY
msg="HA device(interface)
ready" ha_role=[s]
devintfname="[s]"
37898 warning
system
MESGID_HADEV_FAIL
msg="HA device(interface)
fail" ha_role=[s]
devintfname="[s]"
37899 notice
system
MESGID_HADEV_PEERINFO
msg="HA device(interface)
peerinfo" ha_role=[s]
devintfname="[s]"
HA device(interface) peerinfo
log
37900 notice
system
MESGID_HBDEV_DELETE
msg="Heartbeat
device(interface) delete"
devintfname="[s]"
Heartbeat device(interface)
delete log
37901 critical
system
MESGID_HBDEV_DOWN
msg="Heartbeat device(interface) down" ha_role=[s] hbdn_reason="[s]" devintfname="[s]"
Heartbeat device(interface) down log
MESGID_HBDEV_UP
msg="Heartbeat device(interface) up" ha_role=[s] devintfname="[s]"
Heartbeat device(interface) up log
MESGID_SYNC_STATUS
MESGID_HA_ACTIVITY
38010 alert
user
LOG_ID_FIPS_ENCRY_FAIL
user="[s]" ui=[s]
action=encryption
cipher=aes-128-cbc
status=failed msg="EVP
encryption failed"
Encryption failed
38011 alert
user
LOG_ID_FIPS_DECRY_FAIL
user="[s]" ui=[s]
action=decryption
cipher=aes-128-cbc
status=failed msg="EVP
decryption failed"
Decryption failed
38012 notice
user
LOG_ID_ENTROPY_TOKEN
user=system
action=seeding
msg="Seeding PRNG from
entropy token"
38031 notice
user
LOG_ID_FSSO_LOGON
38032 notice
user
LOG_ID_FSSO_LOGOFF
38033 notice
user
38400 notice
system
LOGID_EVENT_NOTIF_
SEND_SUCC
38401 warning
system
LOGID_EVENT_NOTIF_
SEND_FAIL
38402 notice
system
LOGID_EVENT_NOTIF_DNS_FAIL
hostname="[s]" service="[s]" profile="[s]" profiletype="[s]" profile_vd="[s]" msg="Unable to resolve hostname."
38403 notice
system
LOGID_EVENT_NOTIF_
INSUFFICIENT_RESOURCE
msg="[s] ([s])"
Insufficient resource
38404 notice
system
LOGID_EVENT_NOTIF_
HOSTNAME_ERROR
hostname="[s]" msg="[s]"
38405 notice
system
LOGID_NOTIF_CODE_
SENDTO_SMS_PHONE
38406 notice
system
LOGID_NOTIF_CODE_
SENDTO_SMS_TO
38407 notice
system
LOGID_NOTIF_CODE_
SENDTO_EMAIL
LOGID_EVENT_OFTP_SSL_
CONNECTED
LOGID_EVENT_OFTP_SSL_
DISCONNECTED
LOGID_EVENT_OFTP_SSL_
FAILED
38656 notice
user
LOGID_EVENT_RAD_RPT_
PROTO_ERROR
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38657 notice
user
LOGID_EVENT_RAD_RPT_
PROF_NOT_FOUND
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38658 notice
user
LOGID_EVENT_RAD_RPT_
CTX_NOT_FOUND
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38659 notice
user
LOGID_EVENT_RAD_RPT_
ACCT_STOP_MISSED
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38660 notice
user
LOGID_EVENT_RAD_RPT_
ACCT_EVENT
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38661 notice
user
LOGID_EVENT_RAD_RPT_
OTHER
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet,accounting or other
report log
38662 notice
user
LOGID_EVENT_RAD_STAT_
PROTO_ERROR
38663 notice
user
LOGID_EVENT_RAD_STAT_
PROF_NOT_FOUND
38664 notice
user
LOGID_EVENT_RAD_STAT_
CTX_NOT_FOUND
38665 notice
user
LOGID_EVENT_RAD_STAT_
ACCT_STOP_MISSED
38666 notice
user
LOGID_EVENT_RAD_STAT_
ACCT_EVENT
38667 notice
user
LOGID_EVENT_RAD_STAT_
OTHER
39424 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
USER_TUNNEL_UP
39425 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
USER_TUNNEL_DOWN
39426 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
USER_SSL_LOGIN_FAIL
39936 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_WEB_TUNNEL_
STATS
39937 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_WEBAPP_DENY
39938 unknown
vpn
LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_PASS
action="[s]" tunneltype="[s]" tunnel_id=[n] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s] app-type="[s]" msg="[s]"
SSL user event log
39939 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_WEBAPP_
TIMEOUT
39940 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_WEBAPP_CLOSE
39941 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_SYS_BUSY
39942 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_CERT_OK
39943 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_NEW_CON
39944 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_ALERT
39945 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_EXIT_FAIL
39946 unknown
vpn
LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_ERR
action="[s]" tunneltype="[s]" tunnel_id=[n] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s] reason="[s]" msg="[s]"
SSL user event log
39947 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_TUNNEL_UP
39948 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_TUNNEL_DOWN
39949 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_TUNNEL_STATS
39950 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_TUNNEL_
UNKNOWNTAG
39951 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_TUNNEL_ERROR
39952 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_ENTER_
CONSERVE_MODE
39953 unknown
vpn
LOG_ID_EVENT_SSL_VPN_
SESSION_LEAVE_
CONSERVE_MODE
40001 unknown
vpn
LOG_ID_PPTP_TUNNEL_UP
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40002 unknown
vpn
LOG_ID_PPTP_TUNNEL_
DOWN
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40003 unknown
vpn
LOG_ID_PPTP_TUNNEL_
STAT
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40014 warning
vpn
LOG_ID_PPTP_REACH_
MAX_CON
40016 warning
vpn
LOG_ID_L2TPD_SVR_
DISCON
action=disconnect
status=success
reason="interface not
found" msg="L2TPD
closed all client
connections in vdom '[s]'
because failed to find
interface by device index"
L2TPD disconnection
40017 warning
vpn
LOG_ID_L2TPD_CLIENT_
CON_FAIL
action=connect
status=failure reason="no
ip available" msg="No IP
addresses left to assign in
virtual domain: [s]"
LOG_ID_L2TPD_CLIENT_
DISCON
action=disconnect
status=success
msg="Client [n].[n].[n].[n]
control connection (id [n])
finished"
40021 debug
vpn
LOG_ID_PPTP_NOT_CONIG
status=failure
action=connect
msg="PPTP: connection
request in unconfigured
virtual domain: [s]"
40022 warning
vpn
LOG_ID_PPTP_NO_IP_AVAIL
status=failure
action=connect
msg="PPTP: No IP
addresses left to assign in
virtual domain: [s]"
No ip available
40024 warning
vpn
LOG_ID_PPTP_OUT_MEM
40034 notice
vpn
LOG_ID_PPTP_START
action=start
status=success
msg="PPTPD started
successfully"
PPTPD start
40035 error
vpn
LOG_ID_PPTP_START_FAIL
action=start status=failure
reason="failed to create
socket" msg="PPTPD
failed to start because
failed to create socket"
PPTPD start
40036 notice
vpn
LOG_ID_PPTP_EXIT
LOG_ID_PPTPD_SVR_
DISCON
action=disconnect
status=success
reason="PPTP setting is
changed" msg="PPTPD
closed all client
connections in vdom '[s]'
because PPTP setting was
changed"
LOG_ID_PPTPD_CLIENT_
CON
LOG_ID_PPTPD_CLIENT_
DISCON
action=disconnect
status=success
msg="Client [n].[n].[n].[n]
control connection
finished"
40101 unknown
vpn
LOG_ID_L2TP_TUNNEL_UP
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40102 unknown
vpn
LOG_ID_L2TP_TUNNEL_
DOWN
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40103 unknown
vpn
LOG_ID_L2TP_TUNNEL_
STAT
action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
40114 notice
vpn
LOG_ID_L2TPD_START
action=start
status=success
msg="L2TPD started
successfully"
L2TPD starting
PPTPD disconnect
vpn
LOG_ID_L2TPD_EXIT
LOG_ID_L2TPD_CLIENT_
CON
action=connect
status=success
msg="Client [s] control
connection started (id [n]),
assigned ip [n].[n].[n].[n]"
40704 notice
system
LOG_ID_EVENT_SYS_PERF
40960 notice
wad
LOGID_EVENT_WAD_
WEBPROXY_FWD_SRV_
ERROR
fwserver_name="[s]" addr_
type=[s] ip=[s] fqdn="[s]"
port=[n] msg="[s]"
41000 notice
system
LOG_ID_UPD_FGT_SUCC
41001 critical
system
LOG_ID_UPD_FGT_FAIL
41002 notice
system
LOG_ID_UPD_SRC_VIS
status=update src-vis=yes
msg="FortiGate updated
src-vis ([s])"
41003 critical
system
LOG_ID_INVALID_UPD_LIC
action=update
status=failure msg="HA
member [s] does not have
valid license"
41005 notice
system
LOG_ID_UPD_VCM
status=update vcm=yes
msg="FortiGate updated
VCM ([s])"
LOG_ID_EVENT_SSL_VPN_
CERT_LOAD
action="[s]" user="[s]"
ui="[s]" name="[s]"
msg="[s]" cert-type=[s]
Certificate log
LOG_ID_EVENT_SSL_VPN_
CERT_REMOVAL
action="[s]" user="[s]"
ui="[s]" name="[s]"
msg="[s]" cert-type=[s]
Certificate log
LOG_ID_EVENT_SSL_VPN_
CERT_UPDATE
action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"
Certificate log
LOG_ID_EVENT_SSL_VPN_
SETTING_UPDATE
action="info" user="[s]"
ui="[s]" msg="User
changed SSL setting"
LOG_ID_EVENT_SSL_VPN_
CERT_ERR
action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"
Certificate log
40115 notice
Certificate log
LOG_ID_EVENT_SSL_VPN_
CERT_UPDATE_FAILED
action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"
43008 notice
user
LOG_ID_EVENT_AUTH_
SUCCESS
Authentication log
src=[s] dst=[s] policyid=3
user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=success
reason="reason"
msg="User user succeeded
in authentication"
43009 notice
user
LOG_ID_EVENT_AUTH_
FAILED
Authentication log
43010 warning
user
LOG_ID_EVENT_AUTH_
LOCKOUT
Authentication log
43011 notice
user
LOG_ID_EVENT_AUTH_
TIME_OUT
Authentication log
43012 notice
user
LOG_ID_EVENT_AUTH_
FSAE_AUTH_SUCCESS
43013 notice
user
LOG_ID_EVENT_AUTH_
FSAE_AUTH_FAIL
43014 notice
user
LOG_ID_EVENT_AUTH_
FSAE_LOGON
src=[s] user="[s]"
server="[s]" action=[s]
msg="[s]"
43015 notice
user
LOG_ID_EVENT_AUTH_
FSAE_LOGOFF
src=[s] user="[s]"
server="[s]" action=[s]
msg="[s]"
43016 notice
user
LOG_ID_EVENT_AUTH_
NTLM_AUTH_SUCCESS
43017 notice
user
LOG_ID_EVENT_AUTH_
NTLM_AUTH_FAIL
43018 warning
user
LOG_ID_EVENT_AUTH_
FGOVRD_FAIL
43019 warning
user
LOG_ID_EVENT_AUTH_
FGOVRD_TBL_FULL
43020 notice
user
LOG_ID_EVENT_AUTH_
FGOVRD_SUCCESS
43021 notice
user
LOG_ID_EVENT_AUTH_
ENDPOINT_CHECK
dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"
Endpoint log
43022 notice
user
LOG_ID_EVENT_AUTH_
ENDPOINT_LICENSE
dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"
Endpoint log
43023 notice
user
LOG_ID_EVENT_AUTH_
ENDPOINT_DET_RECORD
dst=[s] ui="N/A(0.0.0.0)"
msg="forticlient msg"
Endpoint log
43024 notice
user
LOG_ID_EVENT_AUTH_
ENDPOINT_DET_SESSION
dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"
Endpoint log
43025 notice
user
LOG_ID_EVENT_AUTH_
PROXY_SUCCESS
43026 notice
user
LOG_ID_EVENT_AUTH_
PROXY_FAILED
43027 notice
user
LOG_ID_EVENT_AUTH_
PROXY_TIME_OUT
43028 notice
user
LOG_ID_EVENT_AUTH_
PROXY_AUTHORIZATION_
FAILED
43029 notice
user
LOG_ID_EVENT_AUTH_
WARNING_SUCCESS
43030 warning
user
LOG_ID_EVENT_AUTH_
WARNING_TBL_FULL
LOGID_MMS_STATS
43520 notice
wireless
LOG_ID_EVENT_WIRELESS_
SYS
action="[s]" msg="[s]"
43522 notice
wireless
LOG_ID_EVENT_WIRELESS_
WTP
sn="[s]" ap="[s]"
approfile="[s]" ip=[s]
meshmode="[s]"
snmeshparent="[s]"
action="[s]" reason="[s]"
msg="[s]"
43524 notice
wireless
LOG_ID_EVENT_WIRELESS_
STA
43526 notice
wireless
LOG_ID_EVENT_WIRELESS_
WTPR
43527 notice
wireless
LOG_ID_EVENT_WIRELESS_
ROGUE_CFG
action="[s]" ssid="[s]"
bssid=[s] apstatus=[n]
msg="[s]"
43529 notice
wireless
LOG_ID_EVENT_WIRELESS_
CLB
43530 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_WL_BRIDGE
43532 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_NL_PBRESP
43533 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_MAC_OUI
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Invalidmac=[s]
wireless wids invalid-OUI-detect log
43534 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_LONG_DUR
43535 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_WEP_IV
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Weakwepiv=[s]
wireless wids weak-wepiv-detect log
43542 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_EAPOL_FLOOD
action="[s]" Threattype="[s]" live=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" eapoltype=[s] eapolcnt=[n]
wireless wids eapol-packet-flood log
43544 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_MGMT_FLOOD
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" mgmtcnt=[n]
wireless wids mgmt-flood-detect log
43546 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_SPOOF_DEAUTH
43548 notice
wireless
LOG_ID_EVENT_WIRELESS_
WIDS_ASLEAP
43550 notice
wireless
LOG_ID_EVENT_WIRELESS_
STA_LOCATE
43776 notice
system
LOGID_EVENT_NAC_
QUARANTINE
43800 critical
system
LOG_ID_EVENT_ELBC_
BLADE_JOIN
[s]="blade-join" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is ready to process traffic"
blade joins cluster
43801 critical
system
LOG_ID_EVENT_ELBC_
BLADE_LEAVE
43802 critical
system
LOG_ID_EVENT_ELBC_
MASTER_BLADE_FOUND
43803 critical
system
LOG_ID_EVENT_ELBC_
MASTER_BLADE_LOST
43804 critical
system
LOG_ID_EVENT_ELBC_
MASTER_BLADE_CHANGE
43805 critical
system
LOG_ID_EVENT_ELBC_
ACTIVE_CHANNEL_FOUND
[s]="channel-activate"
[s]="[n]" [s]="[n]" [s]="[s]"
[s]="[n]" [s]="Channel [n]
(FortiSwitch in slot [n]) of
chassis [n] became active.
there was no previous
active channel"
43806 critical
system
LOG_ID_EVENT_ELBC_
ACTIVE_CHANNEL_LOST
[s]="channel-deactivate"
[s]="[n]" [s]="[n]" [s]="[s]"
[s]="[n]" [s]="Channel [n]
(FortiSwitch in slot [n]) of
chassis [n] became
inactive. there is currently
no active channel."
43807 critical
system
LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_CHANGE
[s]="channel-failover" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] failed over to channel [n] (FortiSwitch in slot [n])."
43808 critical
system
LOG_ID_EVENT_ELBC_
CHASSIS_ACTIVE
[s]="chassis-activated"
[s]="[n]" [s]="[s]"
[s]="chassis [n] became
active and will process
traffic"
system
LOG_ID_EVENT_ELBC_
CHASSIS_INACTIVE
[s]="chassis-deactivated"
[s]="[n]" [s]="[s]"
[s]="chassis [n] became
passive and will not
process traffic"
LOG_ID_DNS_RESPONSE
LOGID_EVENT_CONFIG_
PATH
user="[s]" ui="[s]"
action=[s] cfgtid=[n]
cfgpath="[s]" msg="[s]"
LOGID_EVENT_CONFIG_
ATTR
user="[s]" ui="[s]"
action=[s] cfgtid=[n]
cfgpath="[s]" cfgattr=[s]
msg="[s]"
LOGID_EVENT_CONFIG_
OBJATTR
user="[s]" ui="[s]"
action=[s] cfgtid=[n]
cfgpath="[s]" cfgobj="[s]"
cfgattr=[s] msg="[s]"
44801 notice
system
44801
limit=[n]
msg=[Inbound/Outbound]
bandwidth rate exceeded
the shaper limit.
[Inbound/Outbound]
bandwidth rate exceeded
45000 debug
router
LOG_ID_VSD_SSL_RCV_HS
45001 error
router
LOG_ID_VSD_SSL_RCV_
WRG_HS
45002 debug
router
43809 critical
45003 error
router
LOG_ID_VSD_SSL_WRG_
HS_LEN
45004 debug
router
LOG_ID_VSD_SSL_RCV_CCS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive msg=ChangeCipherSpec
SSL ChangeCipherSpec received
45005 error
router
RSA verification of
Diffie-Hellman parameters
failed
45006 debug
router
LOG_ID_VSD_SSL_SENT_
CCS
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
msg=ChangeCipherSpec
45007 error
router
LOG_ID_VSD_SSL_BAD_
HASH
45009 error
router
LOG_ID_VSD_SSL_DECRY_
FAIL
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
reason=[n] msg="SSL
decryption failure"
45010 debug
router
LOG_ID_VSD_SSL_
SESSION_CLOSED
45011 error
router
LOG_ID_VSD_SSL_LESS_
MINOR
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
min-minor=[n]
recv-minor=[n] msg="SSL
minor below mininum
configured value"
45012 warning
router
LOG_ID_VSD_SSL_REACH_
MAX_CON
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="SSL maximum
connections reached"
45013 error
router
LOG_ID_VSD_SSL_NOT_
SUPPORT_CS
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="None of the offered
CipherSuites are
supported"
45016 debug
router
LOG_ID_VSD_SSL_HS_FIN
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n]
action=complete
msg="SSL Handshake
complete"
45017 error
router
45018 debug
router
LOG_ID_VSD_SSL_MORE_
MINOR
45019 error
router
LOG_ID_VSD_SSL_SENT_
ALERT_ERR
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
level=[n] desc=[n]
msg="SSL Alert sent"
45020 debug
router
LOG_ID_VSD_SSL_
SESSION_EXPIRE
45021 debug
router
LOG_ID_VSD_SSL_SENT_
ALERT
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
level=[n] desc=[n]
msg="SSL Alert sent"
45022 debug
router
LOG_ID_VSD_SSL_RCV_CH
45023 debug
router
LOG_ID_VSD_SSL_RCV_SH
45024 debug
router
45025 error | debug
router
LOG_ID_VSD_SSL_RCV_
ALERT
45027 error
router
LOG_ID_VSD_SSL_INVALID_
CONT_TYPE
45029 error
router
LOG_ID_VSD_SSL_BAD_
CCS_LEN
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="Bad length in SSL
ChangeCipherSpec"
45031 error
router
LOG_ID_VSD_SSL_BAD_DH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n]min=[n] max=[n] received=[n] action=close msg="[s]"
SSL Diffie-Hellman has bad value
45032 error
router
LOG_ID_VSD_SSL_PUB_
KEY_TOO_BIG
45033 error
router
LOG_ID_VSD_SSL_NOT_
SUPPORT_CM
serial=[s] policy=[n]
identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="None of the offered
CompressionMethods are
supported"
45056 notice
system
LOG_ID_FCC_EXCEED
action=[s] status=[s]
license_limit=[n]
reason="[s]" repeat=[n]
msg="FortiClient license
maximum has been
reached."
LOG_ID_FCC_ADD
LOG_ID_FCC_CLOSE
45059 notice
system
LOG_ID_FCC_UPGRADE_
SUCC
action=[s] status=[s]
ui="[s]" user="[s]" license_
limit=[s] msg="FortiClient
license has been
upgraded."
45060 error
system
LOG_ID_FCC_UPGRADE_
FAIL
action=[s] status=[s]
ui="[s]" user="[s]"
reason="[s]" msg="Failed
to upgrade FortiClient
license."
45100 warning
system
LOG_ID_EC_REG_FAIL
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
registration failed due to
blocked UID."
45101 notice
system
LOG_ID_EC_REG_SUCCEED
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
registration succeeded."
FortiClient registration renew
msg
45102 notice
system
45103 notice
system
LOG_ID_EC_REG_BLOCK
45104 notice
system
LOG_ID_EC_REG_UNBLOCK
forticlient_id=[s] msg="FortiClient is unblocked for registration."
FortiClient registration unblock msg
45105 notice
system
LOG_ID_EC_REG_DEREG
forticlient_id=[s]
msg="FortiClient is
de-registered."
FortiClient registration
de-register msg
45106 notice
system
LOG_ID_EC_REG_LIC_
UPGRADED
msg="FortiClient
registration license
upgraded."
45107 notice
system
LOG_ID_EC_CONF_
DISTRIBUTED
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
configuration distributed."
FortiClient configuration
distribute msg
45108 notice
system
LOG_ID_EC_FTCL_UNREG
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
unregistered."
45109 notice
system
LOG_ID_EC_FTCL_LOGOFF
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient logged
off."
45110 notice
system
LOG_ID_EC_FTCL_ENABLE_
NOTSYNC
user="[s]" hostname="[s]"
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient SYNC_
WITH_FGT disabled."
46000 notice
system
46001 alert
system
LOG_ID_VIP_REAL_SVR_
DISA
46002 notice
system
LOG_ID_VIP_REAL_SVR_UP
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=up msg="ldb server up"
VIP realserver has become up.
forticlient_id=[s] msg="FortiClient is blocked for registration."
FortiClient registration block msg
46003 alert
system
LOG_ID_VIP_REAL_SVR_
DOWN
46004 notice
system
LOG_ID_VIP_REAL_SVR_
ENT_HOLDDOWN
46005 alert
system
LOG_ID_VIP_REAL_SVR_
FAIL_HOLDDOWN
46006 debug
system
46084 error
system
LOG_EVENT_REPUTATION_
VDOM_PURGE_ERROR
action=reputation_purge
status=failure reason="[s]"
msg="Failed to complete
reputation db maintenance
for vdom [s]"
LOG_EVENT_REPUTATION_
VDOM_PURGE_SUCCESS
LOG_EVENT_REPUTATION_
ERASE_DATA_ERROR
action=reputation_clear
status=failure reason="[s]"
msg="Failed to erase
reputation db for vdom [s]"
LOG_EVENT_REPUTATION_
ERASE_DATA_SUCCESS
reputation report
action=reputation_clear
status=success
msg="Erased reputation db
for vdom [s]"
LOG_ID_AMC_ENTER_
BYPASS
LOG_ID_AMC_EXIT_BYPASS
msg="The AMC card in slot [s] has exited bypass mode due to [s]."
AMC card exited bypass mode
LOG_ID_ENTER_BYPASS
reputation report
Bypass ports pair exited
bypass mode
LOG_ID_EXIT_BYPASS
48000 debug
wad
LOG_ID_WAD_SSL_RCV_HS
48001 error
wad
LOG_ID_WAD_SSL_RCV_
WRG_HS